diff --git a/code/privilege-escalation/linux/binary/privesc-pexec.yaml b/code/privilege-escalation/linux/binary/privesc-pexec.yaml
index 7b8de9dfc4e..065334a6624 100644
--- a/code/privilege-escalation/linux/binary/privesc-pexec.yaml
+++ b/code/privilege-escalation/linux/binary/privesc-pexec.yaml
@@ -7,7 +7,7 @@ info:
description: |
The term "pexec" typically refers to the "privileged execution" of a command or program.
reference:
- https://gtfobins.github.io/gtfobins/pexec/
+ - https://gtfobins.github.io/gtfobins/pexec/
metadata:
verified: true
max-request: 3
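Review bot: the `reference` value at the `-`/`+` pair changes from a bare plain scalar under `reference:` to a one-item YAML sequence (`- https://gtfobins.github.io/gtfobins/pexec/`); for a single URL both forms load into nuclei's reference string-slice, so this hunk is a normalization rather than a fix, and the commit message should say so. Since the same edit is applied to more than twenty templates in this patch, add a template lint step (for example `nuclei -validate` over the changed files, or a yamllint rule that `reference` must be a sequence) so the bare-scalar form cannot come back in the next contribution.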
diff --git a/file/audit/pfsense/configure-dns-server.yaml b/file/audit/pfsense/configure-dns-server.yaml
index 62182780fd7..9f75d776684 100644
--- a/file/audit/pfsense/configure-dns-server.yaml
+++ b/file/audit/pfsense/configure-dns-server.yaml
@@ -7,7 +7,7 @@ info:
description: |
DNS is recommended to be configured over TLS. This prevents intermediate parties and potential attackers from viewing the content of DNS queries and can also assure that DNS is being provided by the expected DNS servers.
reference:
- https://docs.netgate.com/pfsense/en/latest/recipes/dns-over-tls.html
+ - https://docs.netgate.com/pfsense/en/latest/recipes/dns-over-tls.html
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0
diff --git a/file/audit/pfsense/configure-session-timeout.yaml b/file/audit/pfsense/configure-session-timeout.yaml
index cb14d9699eb..2002fb49b8b 100644
--- a/file/audit/pfsense/configure-session-timeout.yaml
+++ b/file/audit/pfsense/configure-session-timeout.yaml
@@ -7,7 +7,7 @@ info:
description: |
Configure sessions timeout is recommended to be enabled. An indefinite or even long session timeout window can increase the risk of an attacker abusing abandoned sessions and potentially being able to obtain sensitive information, modify data, and/or execute unauthorized operations.
reference:
- https://docs.netgate.com/pfsense/en/latest/config/advanced-admin.html
+ - https://docs.netgate.com/pfsense/en/latest/config/advanced-admin.html
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0
diff --git a/file/audit/pfsense/enable-https-protocol.yaml b/file/audit/pfsense/enable-https-protocol.yaml
index fa2018363e6..b9dc9a58669 100644
--- a/file/audit/pfsense/enable-https-protocol.yaml
+++ b/file/audit/pfsense/enable-https-protocol.yaml
@@ -7,7 +7,7 @@ info:
description: |
PfSense Web Admin Management Portal is recommended to be accessible using only HTTPS protocol. HTTP transmits all data, including passwords, in clear text over the network and provides no assurance of the identity of the hosts involved, making it possible for an attacker to obtain sensitive information, modify data, and/or execute unauthorized operations.
reference:
- https://docs.netgate.com/pfsense/en/latest/config/advanced-admin.html
+ - https://docs.netgate.com/pfsense/en/latest/config/advanced-admin.html
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0
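Review bot: the product name is spelled "PfSense" in the context `description` line of this hunk and in the other four pfSense audit hunks (configure-dns-server, configure-session-timeout, password-protected-consolemenu, set-hostname); the vendor writes it "pfSense". Since every one of these files is being touched for the `reference` list change, fix the casing in the same pass rather than leaving it for a separate cleanup.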
diff --git a/file/audit/pfsense/password-protected-consolemenu.yaml b/file/audit/pfsense/password-protected-consolemenu.yaml
index c92be069fd6..33bad6e78c9 100644
--- a/file/audit/pfsense/password-protected-consolemenu.yaml
+++ b/file/audit/pfsense/password-protected-consolemenu.yaml
@@ -7,7 +7,7 @@ info:
description: |
PfSense password protection via the Console Menu is recommended to be configured. An unattended computer with an open Console Menu session can allow an unauthorized user access to the firewall management.
reference:
- https://docs.netgate.com/pfsense/en/latest/config/advanced-admin.html
+ - https://docs.netgate.com/pfsense/en/latest/config/advanced-admin.html
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0
diff --git a/file/audit/pfsense/set-hostname.yaml b/file/audit/pfsense/set-hostname.yaml
index 63ac1849049..5b2c96affa2 100644
--- a/file/audit/pfsense/set-hostname.yaml
+++ b/file/audit/pfsense/set-hostname.yaml
@@ -7,7 +7,7 @@ info:
description: |
PfSense Hostname should be set so that other devices on the network can correctly identify it. The hostname is a unique identifier for the device.
reference:
- https://docs.netgate.com/pfsense/en/latest/config/general.html
+ - https://docs.netgate.com/pfsense/en/latest/config/general.html
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0
diff --git a/file/malware/hash/turla-malware-hash.yaml b/file/malware/hash/turla-malware-hash.yaml
index d0b9813536a..1af0331d3b1 100644
--- a/file/malware/hash/turla-malware-hash.yaml
+++ b/file/malware/hash/turla-malware-hash.yaml
@@ -5,8 +5,8 @@ info:
severity: info
description: Detects Turla malware based on sample used in the RUAG APT case
reference:
- https://www.govcert.admin.ch/blog/22/technical-report-about-the-ruag-espionage-case
- https://github.com/Yara-Rules/rules/blob/master/malware/APT_Turla_RUAG.yar
+ - https://www.govcert.admin.ch/blog/22/technical-report-about-the-ruag-espionage-case
+ - https://github.com/Yara-Rules/rules/blob/master/malware/APT_Turla_RUAG.yar
tags: malware,turla,apt,ruag
file:
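Review bot: unlike the single-URL hunks, the two removed lines here (`- https://www.govcert.admin.ch/...` and `- https://github.com/Yara-Rules/...`) were consecutive plain scalars under `reference:`, which YAML folds into one space-joined string, so the template previously carried a single malformed reference rather than two. The `+` lines turn them into a proper two-item sequence; this is a behavioural fix for every multi-reference template in the patch (unit78020, symfony-default-key-rce, mythic-c2-ssl) and deserves a sentence in the commit message, and it is a second reason to gate these files with a YAML/template validation step.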
diff --git a/file/malware/hash/unit78020-malware-hash.yaml b/file/malware/hash/unit78020-malware-hash.yaml
index 88e7268ccc6..b506a3e4241 100644
--- a/file/malware/hash/unit78020-malware-hash.yaml
+++ b/file/malware/hash/unit78020-malware-hash.yaml
@@ -6,8 +6,8 @@ info:
description: |
Detects malware by Chinese APT PLA Unit 78020 - Generic Rule
reference:
- http://threatconnect.com/camerashy/?utm_campaign=CameraShy
- https://github.com/Yara-Rules/rules/blob/master/malware/APT_Unit78020.yar
+ - http://threatconnect.com/camerashy/?utm_campaign=CameraShy
+ - https://github.com/Yara-Rules/rules/blob/master/malware/APT_Unit78020.yar
tags: malware,unit78020
file:
diff --git a/http/cves/2014/CVE-2014-100004.yaml b/http/cves/2014/CVE-2014-100004.yaml
index 9c55fe72636..2d84a3c8474 100644
--- a/http/cves/2014/CVE-2014-100004.yaml
+++ b/http/cves/2014/CVE-2014-100004.yaml
@@ -1,15 +1,22 @@
-id: sitecore-xml-xss
+id: CVE-2014-100004
info:
- name: SiteCore XML Control Script Insertion
+ name: Sitecore CMS - Cross-Site Scripting
author: DhiyaneshDK
severity: medium
description: |
- Sitecores “special way” of displaying XML Controls directly allows for a Cross Site Scripting Attack – more can be achieved with these XML Controls
+ Sitecore CMS contains a cross-site scripting vulnerability via the "special way" of displaying XML Controls directly, which allows for a Cross Site Scripting Attack.
reference:
- https://vulners.com/securityvulns/SECURITYVULNS:DOC:30273
- https://web.archive.org/web/20151016072340/http://www.securityfocus.com/archive/1/530901/100/0/threaded
+ - https://nvd.nist.gov/vuln/detail/CVE-2014-100004
classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cve-id: CVE-2014-100004
+ epss-score: 0.00385
+ epss-percentile: 0.59034
+ cwe-id: CWE-79
cpe: cpe:2.3:a:sitecore:sitecore.net:*:*:*:*:*:*:*:*
metadata:
verified: "true"
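Review bot: the new `description` line still says nothing concrete about the flaw: "via the 'special way' of displaying XML Controls directly, which allows for a Cross Site Scripting Attack" repeats the CVE title and keeps the scare-quoted phrase from the old text without naming the request or parameter that is reflected. Replace it with what the template actually exercises (the XML Control request and the reflected value), as the other CVE descriptions in this patch do. Two smaller points in the same hunk: the `id` changes from `sitecore-xml-xss` to `CVE-2014-100004`, which breaks any `-id sitecore-xml-xss` invocation or exclusion list users have, so note the rename in the commit message; and the context line `verified: "true"` is a quoted string where the other http templates in this patch use a bare `true`.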
@@ -17,7 +24,7 @@ info:
vendor: sitecore
product: sitecore.net
shodan-query: html:"Sitecore"
- tags: xss,sitecore,cms
+ tags: cve,cve2014,xss,sitecore,cms,vuln
http:
- method: GET
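Review bot: the tag list gains `cve,cve2014` and `vuln`, which is consistent with the id change in the hunk above, but the `reference` block of that hunk keeps the vulners and archived securityfocus links while adding only the NVD entry; the tag `vuln` is added to every CVE template in this patch, so confirm it is an agreed taxonomy tag and not a stray.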
@@ -39,4 +46,4 @@ http:
- type: status
status:
- 200
-# digest: 4b0a00483046022100e1a5d9bb8833a1a078d73d226c6ea9da6b43c5e79eee307798007a40d6b4996d022100ae77daa481f74c23854134ef24a5c0864e3682f686e3ebd0d89f70563d3a2563:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
+# digest: 4a0a00473045022100c97e57d30dceb78ef802a4f114eb2bbfcfe80edfc3eb1169e64483eeeda693bc02201c017e6a1dca8ada5d4394c93d1fdc9ab7d1a05127480852434075da10eb94c8:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
diff --git a/http/cves/2015/CVE-2015-6477.yaml b/http/cves/2015/CVE-2015-6477.yaml
index ec36518b4dd..2d7292b2ef8 100644
--- a/http/cves/2015/CVE-2015-6477.yaml
+++ b/http/cves/2015/CVE-2015-6477.yaml
@@ -2,7 +2,7 @@ id: CVE-2015-6477
info:
name: Nordex NC2 - Cross-Site Scripting
- author: geeknik
+ author: geeknik,daffainfo
severity: medium
description: Nordex NC2 contains a cross-site scripting vulnerability which allows an attacker to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
impact: |
@@ -14,27 +14,30 @@ info:
- https://ics-cert.us-cert.gov/advisories/ICSA-15-286-01
- https://nvd.nist.gov/vuln/detail/CVE-2015-6477
- http://packetstormsecurity.com/files/135068/Nordex-Control-2-NC2-SCADA-16-Cross-Site-Scripting.html
- - http://seclists.org/fulldisclosure/2015/Dec/117
classification:
cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:P/A:N
cvss-score: 4.3
cve-id: CVE-2015-6477
cwe-id: CWE-79
- epss-score: 0.3338
- epss-percentile: 0.96688
+ epss-score: 0.3474
+ epss-percentile: 0.96816
cpe: cpe:2.3:o:nordex:nordex_control_2_scada:*:*:*:*:*:*:*:*
metadata:
max-request: 1
+ verified: true
vendor: nordex
product: nordex_control_2_scada
- tags: cve2015,cve,seclists,packetstorm,xss,iot,nordex,nc2
+ shodan-query: http.title:"Nordex Control - Wind Farm Portal"
+ tags: cve,cve2015,nordex,nc2,seclists,packetstorm,xss,iot,vuln
http:
- - method: POST
- path:
- - "{{BaseURL}}/login"
+ - raw:
+ - |
+ POST /login HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
- body: 'connection=basic&userName=admin%27%22%29%3B%7D%3C%2Fscript%3E%3Cscript%3Ealert%28%27{{randstr}}%27%29%3C%2Fscript%3E&pw=nordex&language=en'
+ connection=basic&userName=admin%27%22%29%3B%7D%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&pw=nordex&language=en
matchers-condition: and
matchers:
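Review bot: the `seclists` entry is removed from `reference` (`- - http://seclists.org/fulldisclosure/2015/Dec/117`) but the new `tags` line still carries `seclists`; drop the tag or keep the reference, not one without the other. Two further points on the conversion to a `raw` request: the blank line that must separate `Content-Type: application/x-www-form-urlencoded` from the `connection=basic&userName=...` body is not visible in the hunk, so verify it survives in the file (without it the body is parsed as another header); and the payload now decodes to `admin'");}</script><script>alert(document.domain)</script>`, so the `document.domain` marker must be what the matchers in the next hunk look for.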
@@ -46,5 +49,10 @@ http:
- type: word
part: body
words:
- - ""
-# digest: 4a0a00473045022100931a43680b8786e206dccd77e69225a4fa3620429fb6435835b32ba4f90331f2022062f76ad7d3592c18ef5289a356efcb12e35e72f8200e80a2058cb984395a2c96:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
+ - ""
+ - "var detailParams"
+ condition: and
+
+ - type: status
+ status:
+ - 200
\ No newline at end of file
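Review bot: the first `words` entry in this hunk renders as an empty string (`- ""`) on both the removed and the added line; if that is what the file contains, the word matcher is vacuous and `var detailParams` plus `status: 200` would mark any 200 login page as vulnerable. It should be the reflected payload from the request above (the `<script>alert(document.domain)</script>` fragment), so confirm the file holds that string and that it was only stripped in this rendering. Adding `var detailParams` and the `status` matcher under `matchers-condition: and` is a good false-positive reduction. The file still ends without a trailing newline (`\ No newline at end of file`); fix that while editing.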
diff --git a/http/cves/2021/CVE-2021-42565.yaml b/http/cves/2021/CVE-2021-42565.yaml
index e3a0ca5bf42..0ff10579d1f 100644
--- a/http/cves/2021/CVE-2021-42565.yaml
+++ b/http/cves/2021/CVE-2021-42565.yaml
@@ -2,38 +2,38 @@ id: CVE-2021-42565
info:
name: myfactory FMS - Cross-Site Scripting
- author: madrobot
+ author: madrobot,daffainfo
severity: medium
- description: myfactory.FMS before 7.1-912 allows cross-site scripting via the UID parameter.
+ description: |
+ myfactory.FMS before 7.1-912 allows cross-site scripting via the UID parameter.
impact: |
Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in the context of a user's browser, potentially leading to session hijacking, defacement, or theft of sensitive information.
remediation: |
Upgrade to the latest version to mitigate this vulnerability.
reference:
- - https://nvd.nist.gov/vuln/detail/CVE-2021-42565
- - https://www.redteam-pentesting.de/en/advisories/rt-sa-2021-001/-cross-site-scripting-in-myfactory-fms
- https://www.redteam-pentesting.de/advisories/rt-sa-2021-001
- https://github.com/ARPSyndicate/cvemon
- - https://github.com/ARPSyndicate/kenzer-templates
+ - https://nvd.nist.gov/vuln/detail/CVE-2021-42565
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2021-42565
cwe-id: CWE-79
- epss-score: 0.0205
- epss-percentile: 0.83156
+ epss-score: 0.01052
+ epss-percentile: 0.76872
cpe: cpe:2.3:a:myfactory:fms:*:*:*:*:*:*:*:*
metadata:
- max-request: 2
+ verified: true
+ max-request: 1
vendor: myfactory
product: fms
- tags: cve2021,cve,myfactory,xss
+ google-query: inurl:ie50/system/ intitle:"myfactory"
+ tags: cve2021,cve,myfactory,xss,vuln
http:
- method: GET
path:
- - '{{BaseURL}}/ie50/system/login/SysLoginUser.aspx?Login=Denied&UID=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
- - '{{BaseURL}}/system/login/SysLoginUser.aspx?Login=Denied&UID=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
+ - '{{BaseURL}}/ie50/system/login/SysLoginUser.aspx?Login=Denied&UID=%22%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
matchers-condition: and
matchers:
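Review bot: the second request path (`{{BaseURL}}/system/login/SysLoginUser.aspx?...`, the variant without the `/ie50/` prefix) is removed and `max-request` drops from 2 to 1, so any deployment that serves the login page at the unprefixed path will no longer be tested; either keep both paths, or record in the commit message why the `/ie50/` path is the only real one (the new `google-query: inurl:ie50/system/` suggests that is the assumption). The new payload decodes to `"></script><script>alert(document.domain)</script>`, which is a sensible breakout for a reflected `UID`, and the `reference` cleanup leaves a single vendor advisory plus NVD, which is fine.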
@@ -41,6 +41,8 @@ http:
part: body
words:
- ""
+ - 'name="txtUID"'
+ - 'function mOnLoad()'
condition: and
- type: word
@@ -50,5 +52,4 @@ http:
- type: status
status:
- - 200
-# digest: 490a0046304402203d874d44461470d3db2a6cff1f541f60124c6d4bf185b9af11ddaab53cc4621f022031646314735b62c3e0ce1efbb35d57a61b1920d04eb78d5d2def56e26f0ddf1b:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
+ - 200
\ No newline at end of file
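Review bot: the `# digest:` signature line is deleted here and in CVE-2021-42566 but is updated in place in CVE-2014-100004 earlier in this patch; the three files should be treated the same way. If the signing job regenerates digests on merge, say so in the commit message and drop the updated digest from the 2014 file too; if it does not, these two templates will fail signature verification until someone re-signs them. The file also still lacks a trailing newline.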
diff --git a/http/cves/2021/CVE-2021-42566.yaml b/http/cves/2021/CVE-2021-42566.yaml
index f45883c689a..43d4887e94f 100644
--- a/http/cves/2021/CVE-2021-42566.yaml
+++ b/http/cves/2021/CVE-2021-42566.yaml
@@ -2,45 +2,46 @@ id: CVE-2021-42566
info:
name: myfactory FMS - Cross-Site Scripting
- author: madrobot
+ author: madrobot,daffainfo
severity: medium
- description: myfactory.FMS before 7.1-912 allows cross-site scripting via the Error parameter.
+ description: |
+ myfactory.FMS before 7.1-912 allows cross-site scripting via the Error parameter.
impact: |
Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in the context of a victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive information.
remediation: |
Upgrade to the latest version to mitigate this vulnerability.
reference:
- - https://nvd.nist.gov/vuln/detail/CVE-2021-42566
- - https://www.redteam-pentesting.de/en/advisories/rt-sa-2021-001/-cross-site-scripting-in-myfactory-fms
- - https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-42566
- https://www.redteam-pentesting.de/advisories/rt-sa-2021-001
- - https://github.com/ARPSyndicate/cvemon
+ - https://nvd.nist.gov/vuln/detail/CVE-2021-42566
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2021-42566
cwe-id: CWE-79
- epss-score: 0.0205
- epss-percentile: 0.83156
+ epss-score: 0.01052
+ epss-percentile: 0.76872
cpe: cpe:2.3:a:myfactory:fms:*:*:*:*:*:*:*:*
metadata:
- max-request: 2
+ verified: true
+ max-request: 1
vendor: myfactory
product: fms
- tags: cve2021,cve,myfactory,xss
+ google-query: inurl:ie50/system/ intitle:"myfactory"
+ tags: cve,cve2021,myfactory,xss,vuln
http:
- method: GET
path:
- - '{{BaseURL}}/ie50/system/login/SysLoginUser.aspx?Login=Error&Error=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
- - '{{BaseURL}}/system/login/SysLoginUser.aspx?Login=Error&Error=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
+ - '{{BaseURL}}/ie50/system/login/SysLoginUser.aspx?Login=Error&Error=%27%29%3Balert%28document%2Edomain%29%3B%2F%2F'
matchers-condition: and
matchers:
- type: word
part: body
words:
- - ""
+ - ';alert(document.domain);'
+ - 'name="txtUID"'
+ - 'function mOnLoad()'
condition: and
- type: word
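Review bot: the new word matcher `;alert(document.domain);` does not prove the injection worked. The payload decodes to `');alert(document.domain);//` and relies on the leading `')` to close a JavaScript string literal; a server that HTML-encodes the quote would reflect `&#39;);alert(document.domain);//`, which inside a `<script>` block stays inert but still contains the matched substring, giving a false positive. Match on `');alert(document.domain);//` (the full breakout) instead. As in CVE-2021-42565, the unprefixed `/system/login/...` path is dropped with `max-request` reduced to 1; the same justification applies.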
@@ -50,5 +51,4 @@ http:
- type: status
status:
- - 200
-# digest: 4a0a00473045022100f4a74eb5e1a907294f4283c930ab7b6bcfb3c42048b2c4ddb6373817773c738202205b297f01ae71d684f0cd48148d4d793dcc2659447c51efa978ebd235add0c77f:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
+ - 200
\ No newline at end of file
diff --git a/http/exposed-panels/c2/covenant-c2.yaml b/http/exposed-panels/c2/covenant-c2.yaml
index 1af71a006fb..c0fbb029aa5 100644
--- a/http/exposed-panels/c2/covenant-c2.yaml
+++ b/http/exposed-panels/c2/covenant-c2.yaml
@@ -7,7 +7,7 @@ info:
description: |
Covenant is a .NET command and control framework that aims to highlight the attack surface of .NET, make the use of offensive .NET tradecraft easier,and serve as a collaborative command and control platform for red teamers.
reference:
- https://www.socinvestigation.com/shodan-filters-to-hunt-adversaries-infrastructure-and-c2/
+ - https://www.socinvestigation.com/shodan-filters-to-hunt-adversaries-infrastructure-and-c2/
metadata:
verified: true
max-request: 1
diff --git a/http/exposed-panels/c2/deimos-c2.yaml b/http/exposed-panels/c2/deimos-c2.yaml
index 2ac148b1422..078b19a5482 100644
--- a/http/exposed-panels/c2/deimos-c2.yaml
+++ b/http/exposed-panels/c2/deimos-c2.yaml
@@ -7,7 +7,7 @@ info:
description: |
DeimosC2 is a post-exploitation Command & Control (C2) tool that leverages multiple communication methods in order to control machines that have been compromised. DeimosC2 server and agents works on, and has been tested on, Windows, Darwin, and Linux.It is entirely written in Golang with a front end written in Vue.js.
reference:
- https://twitter.com/MichalKoczwara/status/1551632627387473920
+ - https://twitter.com/MichalKoczwara/status/1551632627387473920
metadata:
verified: true
max-request: 1
diff --git a/http/exposed-panels/c2/mythic-c2.yaml b/http/exposed-panels/c2/mythic-c2.yaml
index d9c8d1235ea..dfd6a20aeba 100644
--- a/http/exposed-panels/c2/mythic-c2.yaml
+++ b/http/exposed-panels/c2/mythic-c2.yaml
@@ -8,7 +8,7 @@ info:
A cross-platform, post-exploit, red teaming framework built with python3, docker, docker-compose, and a web browser UI.
It's designed to provide a collaborative and user friendly interface for operators, managers, and reporting throughout red teaming.
reference:
- https://www.socinvestigation.com/shodan-filters-to-hunt-adversaries-infrastructure-and-c2/
+ - https://www.socinvestigation.com/shodan-filters-to-hunt-adversaries-infrastructure-and-c2/
metadata:
verified: true
max-request: 1
diff --git a/http/exposures/logs/opentsdb-status.yaml b/http/exposures/logs/opentsdb-status.yaml
index 4fe425b3be1..030f9193e90 100644
--- a/http/exposures/logs/opentsdb-status.yaml
+++ b/http/exposures/logs/opentsdb-status.yaml
@@ -4,9 +4,10 @@ info:
name: OpenTSDB - Detect
author: pussycat0x
severity: low
- description: OpenTSDB stats exposed which is commonly used in monitoring and observability scenarios where tracking and analyzing the performance of systems, applications, and infrastructure over time is essential.
+ description: |
+ OpenTSDB stats exposed which is commonly used in monitoring and observability scenarios where tracking and analyzing the performance of systems, applications, and infrastructure over time is essential.
reference:
- http://opentsdb.net/
+ - http://opentsdb.net/
classification:
cpe: cpe:2.3:a:opentsdb:opentsdb:*:*:*:*:*:*:*:*
metadata:
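Review bot: the `description` is only re-wrapped into a block scalar, but its text is ungrammatical ("OpenTSDB stats exposed which is commonly used in ...") and does not say what is exposed; since the line is being rewritten anyway, state it plainly, for example "OpenTSDB stats endpoint exposed. OpenTSDB is a time-series database commonly used for monitoring ...". Also note the template `name` is "OpenTSDB - Detect" while it lives under `http/exposures/logs` with `severity: low`; a pure detection would sit under technologies with `info`, so either the name or the location should change.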
diff --git a/http/misconfiguration/symfony/symfony-default-key-rce.yaml b/http/misconfiguration/symfony/symfony-default-key-rce.yaml
index 3ca254d54fd..ca54ec87c0b 100644
--- a/http/misconfiguration/symfony/symfony-default-key-rce.yaml
+++ b/http/misconfiguration/symfony/symfony-default-key-rce.yaml
@@ -8,10 +8,10 @@ info:
Symfony servers support a "/_fragment" command that allows clients to provide custom PHP commands and return the HTML output.
This template checks to see if they also use a popular default secret key for remote command execution.
reference:
- https://portswigger.net/daily-swig/symfony-based-websites-open-to-rce-attack-research-finds
- https://medium.com/@m4cddr/how-i-got-rce-in-10-websites-26dd87441f22
- https://al1z4deh.medium.com/how-i-hacked-28-sites-at-once-rce-5458211048d5
- https://github.com/ambionics/symfony-exploits
+ - https://portswigger.net/daily-swig/symfony-based-websites-open-to-rce-attack-research-finds
+ - https://medium.com/@m4cddr/how-i-got-rce-in-10-websites-26dd87441f22
+ - https://al1z4deh.medium.com/how-i-hacked-28-sites-at-once-rce-5458211048d5
+ - https://github.com/ambionics/symfony-exploits
metadata:
max-request: 12
shodan-query: http.html:"Symfony Profiler"
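Review bot: the four references were consecutive plain scalars and therefore loaded as one folded string; the `+` lines fix that. While the `info` block is open, the context description above is misleading: `/_fragment` is not a "command" that runs "custom PHP commands" but the Symfony fragment-rendering endpoint, whose requests are authorised by an HMAC over the URL computed with the application secret; the template's point is that a default or known secret lets a client forge that signature. Rewording the description to say that makes the `max-request: 12` (one request per candidate secret) self-explanatory.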
diff --git a/http/technologies/default-sitecore-page.yaml b/http/technologies/default-sitecore-page.yaml
index 7b051342aa3..64071b18fba 100644
--- a/http/technologies/default-sitecore-page.yaml
+++ b/http/technologies/default-sitecore-page.yaml
@@ -7,7 +7,7 @@ info:
description: |
Detect Sitecore Content Management System (CMS).
reference:
- https://www.sitecore.com/
+ - https://www.sitecore.com/
classification:
cpe: cpe:2.3:a:sitecore:experience_platform:*:*:*:*:*:*:*:*
metadata:
diff --git a/http/technologies/sitecore-cms.yaml b/http/technologies/sitecore-cms.yaml
index df9eb458a10..6c14cfb54d9 100644
--- a/http/technologies/sitecore-cms.yaml
+++ b/http/technologies/sitecore-cms.yaml
@@ -7,7 +7,7 @@ info:
description: |
Detect Sitecore Content Management System (CMS) websites based on a redirect from the sitecore media handler URL pattern to the notfound.aspx page.
reference:
- https://www.sitecore.com
+ - https://www.sitecore.com
classification:
cpe: cpe:2.3:a:sitecore:cms:*:*:*:*:*:*:*:*
metadata:
diff --git a/network/detection/rtsp-detect.yaml b/network/detection/rtsp-detect.yaml
index 00ac2feb0f6..959a54624ec 100644
--- a/network/detection/rtsp-detect.yaml
+++ b/network/detection/rtsp-detect.yaml
@@ -7,7 +7,7 @@ info:
description: |
RTSP was detected.
reference:
- https://nmap.org/nsedoc/scripts/rtsp-methods.html
+ - https://nmap.org/nsedoc/scripts/rtsp-methods.html
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cwe-id: CWE-200
diff --git a/network/jarm/c2/posh-c2-jarm.yaml b/network/jarm/c2/posh-c2-jarm.yaml
index f75ad968c87..011eb9cbbf5 100644
--- a/network/jarm/c2/posh-c2-jarm.yaml
+++ b/network/jarm/c2/posh-c2-jarm.yaml
@@ -7,7 +7,7 @@ info:
description: |
PoshC2 is a proxy aware C2 framework used to aid penetration testers with red teaming, post-exploitation and lateral movement.
reference:
- - - https://github.com/cedowens/C2-JARM
+ - https://github.com/cedowens/C2-JARM
- https://twitter.com/MichalKoczwara/status/1551639708949692416
- https://poshc2.readthedocs.io/en/latest/
metadata:
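Review bot: this is the one genuine YAML bug in the patch: `- - https://github.com/cedowens/C2-JARM` made the first reference a nested one-element sequence, which does not unmarshal into nuclei's reference string-slice, so the template would have failed validation while the other two references were fine. The `+` line fixes it. Call it out in the commit message and add `nuclei -validate` (or equivalent) to CI so a doubled list marker fails the build rather than waiting for a manual sweep.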
diff --git a/ssl/c2/asyncrat-c2.yaml b/ssl/c2/asyncrat-c2.yaml
index f0a26bb9f2e..438c04f00f3 100644
--- a/ssl/c2/asyncrat-c2.yaml
+++ b/ssl/c2/asyncrat-c2.yaml
@@ -7,7 +7,7 @@ info:
description: |
AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool, however, it could also be used maliciously because it provides functionality such as keylogger, remote desktop control, and many other functions that may cause harm to the victim’s computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kit and other techniques.
reference:
- https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat
+ - https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat
metadata:
verified: "true"
max-request: 1
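Review bot: the context line `verified: "true"` is a quoted string here and in every `ssl/c2` hunk that follows (covenant-c2-ssl, dcrat, gozi, metasploit, mythic-c2-ssl, orcus, quasar, sliver), whereas the `http/exposed-panels/c2` hunks above use a bare `verified: true`. Since this patch already normalises `reference` across all these files, normalise `verified` to the boolean form in the same pass so the metadata keys parse to one type.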
diff --git a/ssl/c2/covenant-c2-ssl.yaml b/ssl/c2/covenant-c2-ssl.yaml
index 8a2a959d4fd..1e733ea0f75 100644
--- a/ssl/c2/covenant-c2-ssl.yaml
+++ b/ssl/c2/covenant-c2-ssl.yaml
@@ -7,7 +7,7 @@ info:
description: |
Covenant is a .NET command and control framework that aims to highlight the attack surface of .NET, make the use of offensive .NET tradecraft easier,and serve as a collaborative command and control platform for red teamers.
reference:
- https://twitter.com/MichalKoczwara/status/1548685058403360770
+ - https://twitter.com/MichalKoczwara/status/1548685058403360770
metadata:
verified: "true"
max-request: 1
diff --git a/ssl/c2/dcrat-server-c2.yaml b/ssl/c2/dcrat-server-c2.yaml
index 9b14c9e8621..9ffe59922ba 100644
--- a/ssl/c2/dcrat-server-c2.yaml
+++ b/ssl/c2/dcrat-server-c2.yaml
@@ -7,7 +7,7 @@ info:
description: |
DCRat uses a modular framework that deploys separate executables for each module, most of which are compiled . net binaries programmed in C#.
reference:
- https://github.com/thehappydinoa/awesome-censys-queries#dcrat--
+ - https://github.com/thehappydinoa/awesome-censys-queries#dcrat--
metadata:
verified: "true"
max-request: 1
diff --git a/ssl/c2/gozi-malware-c2.yaml b/ssl/c2/gozi-malware-c2.yaml
index be8e73ec99c..5a927dff595 100644
--- a/ssl/c2/gozi-malware-c2.yaml
+++ b/ssl/c2/gozi-malware-c2.yaml
@@ -7,7 +7,7 @@ info:
description: |
Gozi is a banking Trojan that has been modified to include new obfuscation techniques, to evade detection. Previous breaches involving Gozi in the healthcare sector led to the compromise of data associated with 3.7 million patients costing $5.55 million.
reference:
- https://github.com/thehappydinoa/awesome-censys-queries#gozi-malware--
+ - https://github.com/thehappydinoa/awesome-censys-queries#gozi-malware--
metadata:
verified: "true"
max-request: 1
diff --git a/ssl/c2/metasploit-c2.yaml b/ssl/c2/metasploit-c2.yaml
index 84de879312f..b40e60f366f 100644
--- a/ssl/c2/metasploit-c2.yaml
+++ b/ssl/c2/metasploit-c2.yaml
@@ -7,7 +7,7 @@ info:
description: |
A Metasploit Framework is a powerful tool that provides a universal interface to work with vulnerability exploit code. It has to exploit code for a wide range of vulnerabilities that impact web servers, OSes, network equipment, and everything in between. Metasploit which serves as both exploitation and C2 frameworks.
reference:
- https://www.socinvestigation.com/shodan-filters-to-hunt-adversaries-infrastructure-and-c2/
+ - https://www.socinvestigation.com/shodan-filters-to-hunt-adversaries-infrastructure-and-c2/
metadata:
verified: "true"
max-request: 1
diff --git a/ssl/c2/mythic-c2-ssl.yaml b/ssl/c2/mythic-c2-ssl.yaml
index b1dbb40b523..7ecb18b1531 100644
--- a/ssl/c2/mythic-c2-ssl.yaml
+++ b/ssl/c2/mythic-c2-ssl.yaml
@@ -7,8 +7,8 @@ info:
description: |
Mythic is a multiplayer, command and control platform for red teaming operations
reference:
- https://docs.mythic-c2.net
- https://www.team-cymru.com/post/mythic-case-study-assessing-common-offensive-security-tools
+ - https://docs.mythic-c2.net
+ - https://www.team-cymru.com/post/mythic-case-study-assessing-common-offensive-security-tools
metadata:
verified: "true"
max-request: 1
diff --git a/ssl/c2/orcus-rat-c2.yaml b/ssl/c2/orcus-rat-c2.yaml
index 03f368e70d7..8510fca5876 100644
--- a/ssl/c2/orcus-rat-c2.yaml
+++ b/ssl/c2/orcus-rat-c2.yaml
@@ -7,7 +7,7 @@ info:
description: |
Orcus RAT is a type of malicious software program that enables remote access and control of computers and networks. It is a type of Remote Access Trojan (RAT) that has been used by attackers to gain access to and control computers and networks.
reference:
- https://github.com/thehappydinoa/awesome-censys-queries#orcusrat--
+ - https://github.com/thehappydinoa/awesome-censys-queries#orcusrat--
metadata:
verified: "true"
max-request: 1
diff --git a/ssl/c2/quasar-rat-c2.yaml b/ssl/c2/quasar-rat-c2.yaml
index 65c477536c3..e5bdb85dd46 100644
--- a/ssl/c2/quasar-rat-c2.yaml
+++ b/ssl/c2/quasar-rat-c2.yaml
@@ -7,7 +7,7 @@ info:
description: |
Quasar RAT is a malware family written in .NET which is used by a variety of attackers. The malware is fully functional and open source, and is often packed to make analysis of the source more difficult.
reference:
- https://malpedia.caad.fkie.fraunhofer.de/details/win.quasar_rat
+ - https://malpedia.caad.fkie.fraunhofer.de/details/win.quasar_rat
metadata:
verified: "true"
max-request: 1
diff --git a/ssl/c2/sliver-c2.yaml b/ssl/c2/sliver-c2.yaml
index dd9e958940f..417a209edf3 100644
--- a/ssl/c2/sliver-c2.yaml
+++ b/ssl/c2/sliver-c2.yaml
@@ -7,7 +7,7 @@ info:
description: |
Sliver is a Command and Control (C2) system made for penetration testers, red teams, and advanced persistent threats. It generates implants (slivers) that can run on virtually every architecture out there, and securely manage these connections through a central server
reference:
- https://malpedia.caad.fkie.fraunhofer.de/details/win.sliver
+ - https://malpedia.caad.fkie.fraunhofer.de/details/win.sliver
metadata:
verified: "true"
max-request: 1
diff --git a/workflows/worksite-takeover-workflow.yaml b/workflows/worksite-takeover-workflow.yaml
index be1de188630..5b06433acc7 100644
--- a/workflows/worksite-takeover-workflow.yaml
+++ b/workflows/worksite-takeover-workflow.yaml
@@ -5,7 +5,8 @@ info:
author: pdteam
description: A simple workflow that runs DNS based detection to filter hosts running Worksite and do further HTTP based check to confirm takeover.
reference:
- - https://blog.melbadry9.xyz/dangling-dns/xyz-services/ddns-worksites
+ - https://melbadry9.gitbook.io/blog/dangling-dns/xyz-services/ddns-worksites
+
workflows:
- template: dns/worksites-detection.yaml
subtemplates:
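Review bot: the reference moves from `blog.melbadry9.xyz` to `melbadry9.gitbook.io`; state in the commit message that the old host no longer serves the post, otherwise the change looks arbitrary. The added blank `+` line between `reference` and `workflows` is a layout change none of the other hunks make, so drop it for consistency. The context `description` also needs a grammar fix while the file is open ("... runs DNS based detection to filter hosts running Worksite and do further HTTP based check" should read "... and then runs an HTTP-based check to confirm the takeover").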