From 9ed84adaa6aca4377a7ee07dcc4b4832b1198a06 Mon Sep 17 00:00:00 2001 From: Prince Chaddha Date: Tue, 25 Oct 2022 19:10:49 +0530 Subject: [PATCH] fix-conflict --- cves/2017/CVE-2017-1000029.yaml | 2 +- cves/2019/CVE-2019-18957.yaml | 2 +- cves/2020/CVE-2020-17526.yaml | 2 +- cves/2021/CVE-2021-1499.yaml | 8 +++++--- cves/2021/CVE-2021-24236.yaml | 2 +- cves/2021/CVE-2021-45046.yaml | 2 +- cves/2022/CVE-2022-1574.yaml | 6 ++++-- cves/2022/CVE-2022-40684.yaml | 6 +++--- exposed-panels/laravel-filemanager.yaml | 9 ++++++++- exposed-panels/roxy-fileman.yaml | 9 ++++++++- misconfiguration/cx-cloud-upload-detect.yaml | 9 ++++++++- misconfiguration/unauthenticated-popup-upload.yaml | 9 ++++++++- vulnerabilities/apache/apache-ofbiz-log4j-rce.yaml | 4 ++-- vulnerabilities/apache/log4j/jamf-pro-log4j-rce.yaml | 2 +- vulnerabilities/other/aspnuke-openredirect.yaml | 2 +- vulnerabilities/other/goanywhere-mft-log4j-rce.yaml | 2 +- .../other/homeautomation-v3-openredirect.yaml | 2 +- vulnerabilities/other/opennms-log4j-jndi-rce.yaml | 2 +- vulnerabilities/other/ueditor-file-upload.yaml | 6 ++++-- .../weaver/ecology/ecology-arbitrary-file-upload.yaml | 5 ++++- .../wordpress/3dprint-arbitrary-file-upload.yaml | 7 +++++-- 21 files changed, 69 insertions(+), 29 deletions(-) diff --git a/cves/2017/CVE-2017-1000029.yaml b/cves/2017/CVE-2017-1000029.yaml index 8a8d8fcd355..892f8937562 100644 --- a/cves/2017/CVE-2017-1000029.yaml +++ b/cves/2017/CVE-2017-1000029.yaml @@ -31,4 +31,4 @@ requests: status: - 200 -# Enhanced by mp on 2022/06/09 +# Enhanced by mp on 2022/10/24 diff --git a/cves/2019/CVE-2019-18957.yaml b/cves/2019/CVE-2019-18957.yaml index 5fc00dcf023..bd5532aed50 100644 --- a/cves/2019/CVE-2019-18957.yaml +++ b/cves/2019/CVE-2019-18957.yaml 
@@ -6,11 +6,11 @@ info: severity: medium description: | MicroStrategy Library before 11.1.3 contains a cross-site scripting vulnerability. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. + remediation: The issue can be resolved by downloading and installing 1.1.3, which has the patch. reference: - https://seclists.org/bugtraq/2019/Nov/23 - https://packetstormsecurity.com/files/155320/MicroStrategy-Library-Cross-Site-Scripting.html - https://nvd.nist.gov/vuln/detail/CVE-2019-18957 - remediation: The issue can be resolved by downloading and installing 1.1.3, which has the patch. classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 diff --git a/cves/2020/CVE-2020-17526.yaml b/cves/2020/CVE-2020-17526.yaml index 33fae9deffa..4b03aaefda6 100644 --- a/cves/2020/CVE-2020-17526.yaml +++ b/cves/2020/CVE-2020-17526.yaml @@ -6,12 +6,12 @@ info: severity: high description: | Apache Airflow prior to 1.10.14 contains an authentication bypass vulnerability via incorrect session validation with default configuration. An attacker on site A can access unauthorized Airflow on site B through the site A session. + remediation: Change default value for [webserver] secret_key config. reference: - https://kloudle.com/academy/authentication-bypass-in-apache-airflow-cve-2020-17526-and-aws-cloud-platform-compromise - https://lists.apache.org/thread.html/rbeeb73a6c741f2f9200d83b9c2220610da314810c4e8c9cf881d47ef%40%3Cusers.airflow.apache.org%3E - http://www.openwall.com/lists/oss-security/2020/12/21/1 - https://nvd.nist.gov/vuln/detail/CVE-2020-17526 - remediation: Change default value for [webserver] secret_key config. classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N cvss-score: 7.7 
diff --git a/cves/2021/CVE-2021-1499.yaml b/cves/2021/CVE-2021-1499.yaml index 9042a697e10..c340a728f66 100644 --- a/cves/2021/CVE-2021-1499.yaml +++ b/cves/2021/CVE-2021-1499.yaml @@ -1,15 +1,15 @@ id: CVE-2021-1499 info: - name: Cisco HyperFlex HX Data Platform - File Upload Vulnerability + name: Cisco HyperFlex HX Data Platform - Arbitrary File Upload author: gy741 severity: medium - description: A vulnerability in the web-based management interface of Cisco HyperFlex HX Data Platform could allow an unauthenticated, remote attacker to upload files to an affected device. This vulnerability is due to missing authentication for the upload function. An attacker could exploit this vulnerability by sending a specific HTTP request to an affected device. A successful exploit could allow the attacker to upload files to the affected device with the permissions of the tomcat8 user. + description: Cisco HyperFlex HX Data Platform contains an arbitrary file upload vulnerability in the web-based management interface. An attacker can send a specific HTTP request to an affected device, thus enabling upload of files to the affected device with the permissions of the tomcat8 user. reference: - https://swarm.ptsecurity.com/cisco-hyperflex-how-we-got-rce-through-login-form-and-other-findings/ - - https://nvd.nist.gov/vuln/detail/CVE-2021-1499 - https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-hyperflex-upload-KtCK8Ugz - http://packetstormsecurity.com/files/163203/Cisco-HyperFlex-HX-Data-Platform-File-Upload-Remote-Code-Execution.html + - https://nvd.nist.gov/vuln/detail/CVE-2021-1499 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N cvss-score: 5.3 @@ -53,3 +53,5 @@ requests: - '"filename:' - '/tmp/passwd9' condition: and + +# Enhanced by md on 2022/10/20 diff --git a/cves/2021/CVE-2021-24236.yaml b/cves/2021/CVE-2021-24236.yaml index 61d3105c4d3..a58e6dad7ec 100644 --- a/cves/2021/CVE-2021-24236.yaml 
+++ b/cves/2021/CVE-2021-24236.yaml @@ -44,10 +44,10 @@ requests: ------WebKitFormBoundaryIYl2Oz8ptq5OMtbU Content-Disposition: form-data; name="url" - ------WebKitFormBoundaryIYl2Oz8ptq5OMtbU Content-Disposition: form-data; name="checkbox" + yes ------WebKitFormBoundaryIYl2Oz8ptq5OMtbU Content-Disposition: form-data; name="naam" diff --git a/cves/2021/CVE-2021-45046.yaml b/cves/2021/CVE-2021-45046.yaml index 651ced1cbb5..677a692f1e2 100644 --- a/cves/2021/CVE-2021-45046.yaml +++ b/cves/2021/CVE-2021-45046.yaml @@ -13,7 +13,7 @@ info: - https://nvd.nist.gov/vuln/detail/CVE-2021-44228 classification: cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H - cvss-score: 9 + cvss-score: 9.0 cve-id: CVE-2021-45046 cwe-id: CWE-502 tags: cve,cve2021,rce,oast,log4j,injection diff --git a/cves/2022/CVE-2022-1574.yaml b/cves/2022/CVE-2022-1574.yaml index a57d5d4bf6e..e527846980d 100644 --- a/cves/2022/CVE-2022-1574.yaml +++ b/cves/2022/CVE-2022-1574.yaml @@ -1,11 +1,11 @@ id: CVE-2022-1574 info: - name: HTML2WP <= 1.0.0 - Unauthenticated Arbitrary File Upload + name: WordPress HTML2WP <=1.0.0 - Arbitrary File Upload author: theamanrawat severity: critical description: | - The HTML2WP WordPress plugin through 1.0.0 does not have authorisation and CSRF checks when importing files, and does not validate them, as a result, unauthenticated attackers can upload arbitrary files (such as PHP) on the remote server. + WordPress HTML2WP plugin through 1.0.0 contains an arbitrary file upload vulnerability. The plugin does not perform authorization and CSRF checks when importing files and does not validate them. As a result, an attacker can upload arbitrary files on the remote server. reference: - https://wpscan.com/vulnerability/c36d0ea8-bf5c-4af9-bd3d-911eb02adc14 - https://wordpress.org/plugins/html2wp/ @@ -50,3 +50,5 @@ requests: - "status_code_2 == 200" - "contains(body_2, 'File Upload success')" condition: and + +# Enhanced by md on 2022/10/20 
diff --git a/cves/2022/CVE-2022-40684.yaml b/cves/2022/CVE-2022-40684.yaml index c2bb50aeb8a..d85e5cf41cf 100644 --- a/cves/2022/CVE-2022-40684.yaml +++ b/cves/2022/CVE-2022-40684.yaml @@ -14,9 +14,9 @@ info: - https://nvd.nist.gov/vuln/detail/CVE-2022-40684 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 9.8 - cve-id: CVE-2022-40684 - cwe-id: CWE-306 + cvss-score: 9.6 + cve-id: CVE-2022-27593 + cwe-id: CWE-288 tags: cve,cve2022,fortinet,fortigate,fortios,fortiproxy,auth-bypass,kev requests: diff --git a/exposed-panels/laravel-filemanager.yaml b/exposed-panels/laravel-filemanager.yaml index b58f3bed62a..d43d2e54940 100644 --- a/exposed-panels/laravel-filemanager.yaml +++ b/exposed-panels/laravel-filemanager.yaml @@ -1,11 +1,16 @@ id: laravel-filemanager info: - name: Laravel FileManager Panel Detect + name: Laravel File Manager - Panel Detect author: princechaddha severity: info + description: Laravel File Manager panel was detected. reference: - https://github.com/UniSharp/laravel-filemanager + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N + cvss-score: 0.0 + cwe-id: CWE-200 tags: laravel,filemanager,fileupload requests: @@ -23,3 +28,5 @@ requests: - type: status status: - 200 + +# Enhanced by md on 2022/10/20 diff --git a/exposed-panels/roxy-fileman.yaml b/exposed-panels/roxy-fileman.yaml index adac205766c..2dd56806d0a 100644 --- a/exposed-panels/roxy-fileman.yaml +++ b/exposed-panels/roxy-fileman.yaml @@ -1,9 +1,14 @@ id: roxy-fileman info: - name: Roxy Fileman Detect + name: Roxy File Manager - Detect author: liquidsec,DhiyaneshDk + description: Roxy File Manager was detected. severity: info + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N + cvss-score: 0.0 + cwe-id: CWE-200 metadata: verified: true google-query: intitle:"Roxy file manager" @@ -32,3 +37,5 @@ requests: - type: status status: - 200 + +# Enhanced by md on 2022/10/20 
diff --git a/misconfiguration/cx-cloud-upload-detect.yaml b/misconfiguration/cx-cloud-upload-detect.yaml index 57ddcab759f..6a2a36a1684 100644 --- a/misconfiguration/cx-cloud-upload-detect.yaml +++ b/misconfiguration/cx-cloud-upload-detect.yaml @@ -1,9 +1,14 @@ id: cx-cloud-upload-detect info: - name: CX Cloud Unauthenticated Upload Detect + name: CX Cloud Unauthenticated Upload - Detect author: dhiyaneshDk + description: CX Cloud unauthenticated upload was detected. severity: info + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N + cvss-score: 0.0 + cwe-id: CWE-200 tags: fileupload requests: @@ -15,3 +20,5 @@ requests: words: - "Display file upload form to the user" condition: and + +# Enhanced by md on 2022/10/20 diff --git a/misconfiguration/unauthenticated-popup-upload.yaml b/misconfiguration/unauthenticated-popup-upload.yaml index 650c47958b7..5d8a722fc86 100644 --- a/misconfiguration/unauthenticated-popup-upload.yaml +++ b/misconfiguration/unauthenticated-popup-upload.yaml @@ -1,11 +1,16 @@ id: unauthenticated-popup-upload info: - name: Unauthenticated Popup File Uploader + name: Unauthenticated Popup File Upload - Detect author: DhiyaneshDk + description: Endpoints where files can be uploaded without authentication were detected. severity: info reference: - https://www.exploit-db.com/ghdb/6671 + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N + cvss-score: 0.0 + cwe-id: CWE-200 tags: edb,fileupload requests: @@ -23,3 +28,5 @@ requests: - type: status status: - 200 + +# Enhanced by md on 2022/10/20 diff --git a/vulnerabilities/apache/apache-ofbiz-log4j-rce.yaml b/vulnerabilities/apache/apache-ofbiz-log4j-rce.yaml index 67fe1101dd9..2e90772b2b3 100644 --- a/vulnerabilities/apache/apache-ofbiz-log4j-rce.yaml +++ b/vulnerabilities/apache/apache-ofbiz-log4j-rce.yaml 
@@ -6,15 +6,15 @@ info: severity: critical description: | Apache OFBiz is affected by a remote code execution vulnerability in the bundled Apache Log4j logging library. Apache Log4j is vulnerable due to insufficient protections on message lookup substitutions when dealing with user controlled input. A remote, unauthenticated attacker can exploit this, via a web request, to execute arbitrary code with the permission level of the running Java process. + remediation: Upgrade to Apache OFBiz version 8.12.03 or later. reference: - https://issues.apache.org/jira/browse/OFBIZ-12449 - https://ofbiz.apache.org/ - https://logging.apache.org/log4j/2.x/security.html - https://nvd.nist.gov/vuln/detail/CVE-2021-44228 - remediation: Upgrade to Apache OFBiz version 8.12.03 or later. classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H - cvss-score: 10 + cvss-score: 10.0 cve-id: CVE-2021-44228 cwe-id: CWE-77 metadata: diff --git a/vulnerabilities/apache/log4j/jamf-pro-log4j-rce.yaml b/vulnerabilities/apache/log4j/jamf-pro-log4j-rce.yaml index a7581dc2921..f50b212d73d 100644 --- a/vulnerabilities/apache/log4j/jamf-pro-log4j-rce.yaml +++ b/vulnerabilities/apache/log4j/jamf-pro-log4j-rce.yaml @@ -16,7 +16,7 @@ info: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H cvss-score: 10 cve-id: CVE-2021-44228 - cwe-id: CWE-917 + cwe-id: CWE-77 metadata: shodan-query: title:"Jamf Pro" verified: "true" diff --git a/vulnerabilities/other/aspnuke-openredirect.yaml b/vulnerabilities/other/aspnuke-openredirect.yaml index 1968d00097b..3561f65aa6a 100644 --- a/vulnerabilities/other/aspnuke-openredirect.yaml +++ b/vulnerabilities/other/aspnuke-openredirect.yaml @@ -11,7 +11,7 @@ info: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 cwe-id: CWE-601 - tags: packetstorm,aspnuke,redirect + tags: aspnuke,redirect requests: - method: GET 
diff --git a/vulnerabilities/other/goanywhere-mft-log4j-rce.yaml b/vulnerabilities/other/goanywhere-mft-log4j-rce.yaml index 33911ca9e5b..f67b3644e1b 100644 --- a/vulnerabilities/other/goanywhere-mft-log4j-rce.yaml +++ b/vulnerabilities/other/goanywhere-mft-log4j-rce.yaml @@ -12,8 +12,8 @@ info: classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H cvss-score: 10 - cve-id: CVE-2021-44228 cwe-id: CWE-77 + cve-id: CVE-2021-44228 metadata: shodan-query: http.html:"GoAnywhere Managed File Transfer" verified: "true" diff --git a/vulnerabilities/other/homeautomation-v3-openredirect.yaml b/vulnerabilities/other/homeautomation-v3-openredirect.yaml index eba4606e565..e150a1a59ce 100644 --- a/vulnerabilities/other/homeautomation-v3-openredirect.yaml +++ b/vulnerabilities/other/homeautomation-v3-openredirect.yaml @@ -12,7 +12,7 @@ info: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 cwe-id: CWE-601 - tags: packetstorm,iot,redirect + tags: iot,redirect,homeautomation requests: - method: GET diff --git a/vulnerabilities/other/opennms-log4j-jndi-rce.yaml b/vulnerabilities/other/opennms-log4j-jndi-rce.yaml index 004e17b440c..54288f5ae9f 100644 --- a/vulnerabilities/other/opennms-log4j-jndi-rce.yaml +++ b/vulnerabilities/other/opennms-log4j-jndi-rce.yaml @@ -53,4 +53,4 @@ requests: regex: - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output -# Enhanced by cs on 2022/10/06 +# Enhanced by cs on 2022/10/24 diff --git a/vulnerabilities/other/ueditor-file-upload.yaml b/vulnerabilities/other/ueditor-file-upload.yaml index 7707e6a4e8e..efd1a3f730a 100644 --- a/vulnerabilities/other/ueditor-file-upload.yaml +++ b/vulnerabilities/other/ueditor-file-upload.yaml 
@@ -1,10 +1,10 @@ id: ueditor-file-upload info: - name: UEditor Arbitrary File Upload + name: UEditor - Arbitrary File Upload author: princechaddha severity: high - description: A vulnerability in UEditor allows remote unauthenticated attackers to upload arbitrary files to the server, this in turn can be used to make the application to execute their content as code. + description: UEditor contains an arbitrary file upload vulnerability. An attacker can upload arbitrary files to the server, which in turn can be used to make the application execute file content as code, As a result, an attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized operations. reference: - https://zhuanlan.zhihu.com/p/85265552 - https://www.freebuf.com/vuls/181814.html @@ -23,3 +23,5 @@ requests: words: - "没有指定抓取源" part: body + +# Enhanced by md on 2022/10/20 diff --git a/vulnerabilities/weaver/ecology/ecology-arbitrary-file-upload.yaml b/vulnerabilities/weaver/ecology/ecology-arbitrary-file-upload.yaml index 5c89a31b8f7..f4b26571ca6 100644 --- a/vulnerabilities/weaver/ecology/ecology-arbitrary-file-upload.yaml +++ b/vulnerabilities/weaver/ecology/ecology-arbitrary-file-upload.yaml @@ -1,9 +1,10 @@ id: ecology-arbitrary-file-upload info: - name: Ecology Arbitrary File Upload + name: Ecology - Arbitrary File Upload author: ritikchaddha severity: medium + description: Ecology contains an arbitrary file upload vulnerability. An attacker can upload arbitrary files to the server, which in turn can be used to make the application execute file content as code, As a result, an attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized operations. reference: - https://mp.weixin.qq.com/s/wH5luLISE_G381W2ssv93g metadata: @@ -36,3 +37,5 @@ requests: - "status_code_1 == 200" - "contains(body_2, '319463310816') || status_code_2 == 200" condition: and + +# Enhanced by md on 2022/10/20 
diff --git a/vulnerabilities/wordpress/3dprint-arbitrary-file-upload.yaml b/vulnerabilities/wordpress/3dprint-arbitrary-file-upload.yaml index a6b840b1f0b..aee32c56660 100644 --- a/vulnerabilities/wordpress/3dprint-arbitrary-file-upload.yaml +++ b/vulnerabilities/wordpress/3dprint-arbitrary-file-upload.yaml @@ -1,11 +1,12 @@ id: 3dprint-arbitrary-file-upload info: - name: 3DPrint Lite < 1.9.1.5 - Unauthenticated Arbitrary File Upload + name: 3DPrint Lite <1.9.1.5 - Arbitrary File Upload author: SecTheBit severity: high description: | - The p3dlite_handle_upload AJAX action of the plugin does not have any authorisation and does not check the uploaded file, allowing unauthenticated users to upload arbitrary file to the web server. However, there is a .htaccess, preventing the file to be accessed on Web servers such as Apache. + 3DPrint Lite before 1.9.1.5 contains an arbitrary file upload vulnerability. The p3dlite_handle_upload AJAX action of the plugin does not have any authorization and does not check the uploaded file. An attacker can upload arbitrary files to the server, which in turn can be used to make the application execute file content as code, As a result, an attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized operations. + remediation: .htaccess prevents the files from being accessed on Web servers such as Apache. reference: - https://wpscan.com/vulnerability/c46ecd0d-a132-4ad6-b936-8acde3a09282 - https://www.exploit-db.com/exploits/50321 @@ -44,3 +45,5 @@ requests: - "status_code_2 == 200" - "contains(body_2, '3DPrint-arbitrary-file-upload')" condition: and + +# Enhanced by md on 2022/10/20
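Review bot: the relocated `remediation:` line in cves/2019/CVE-2019-18957.yaml still names version `1.1.3`, while the `description:` two lines above it says the issue affects MicroStrategy Library before `11.1.3`; since this hunk already rewrites that line, fix the version so the two fields agree (the seclists and packetstorm references listed there will confirm which one is right).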
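Review bot: the new `description:` in cves/2021/CVE-2021-1499.yaml drops the root cause that the removed text stated ("This vulnerability is due to missing authentication for the upload function") and the word "unauthenticated", so a reader of the template no longer learns that the upload endpoint requires no credentials, which is exactly what makes the finding worth a template. Keep that fact, e.g. "... in the web-based management interface due to missing authentication for the upload function. An unauthenticated attacker can send a specific HTTP request ...".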
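Review bot: the added `yes` value for the `checkbox` multipart field in cves/2021/CVE-2021-24236.yaml changes what the template actually sends, but the commit message `fix-conflict` says nothing about it; record in the commit message (or in a comment in the template) why the field was previously empty and why `yes` is the value the target expects, otherwise the next conflict resolution is likely to revert it.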
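Review bot: the classification change in cves/2022/CVE-2022-40684.yaml looks like a merge conflict resolved the wrong way. The template's `id:` and the NVD reference in the unchanged context are both CVE-2022-40684, yet the hunk rewrites `cve-id:` to `CVE-2022-27593`, lowers `cvss-score:` from `9.8` to `9.6` while leaving the vector `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H` (which scores 9.8) untouched, and swaps `CWE-306` for `CWE-288`. Restore the three removed lines unless there is a documented reason for the new values; a wrong `cve-id` here is worse than a stale score because it mislabels the finding in every report nuclei produces.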
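Review bot: the four panel/misconfiguration templates that gain a `description:` in this patch place it inconsistently: in exposed-panels/roxy-fileman.yaml and misconfiguration/cx-cloud-upload-detect.yaml it is inserted between `author:` and `severity:`, whereas in exposed-panels/laravel-filemanager.yaml and misconfiguration/unauthenticated-popup-upload.yaml it follows `severity:`. Pick one key order (the `author`, `severity`, `description` order used by the CVE templates in the same patch) and apply it to all four.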
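Review bot: the classification block added to misconfiguration/unauthenticated-popup-upload.yaml (and the identical block in misconfiguration/cx-cloud-upload-detect.yaml) labels an unauthenticated file upload endpoint as `CWE-200` with a `C:N/I:N/A:N` vector, i.e. information exposure with no impact, while the template's own new `description:` says files can be uploaded without authentication. That is a missing-authentication / integrity finding, not a disclosure; this very patch uses `CWE-306` for missing authentication in the line it removes from CVE-2022-40684.yaml. If the block is only a placeholder so that every `severity: info` template carries a `classification:` key, say so in a comment; otherwise choose a CWE that matches what the template detects.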
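Review bot: in vulnerabilities/apache/log4j/jamf-pro-log4j-rce.yaml the `cwe-id:` changes from `CWE-917` to `CWE-77` with no explanation in the commit message; it now matches the `CWE-77` used by apache-ofbiz-log4j-rce.yaml and goanywhere-mft-log4j-rce.yaml in this patch, so if the intent is to standardize the Log4j templates, say so. The unchanged context line `cvss-score: 10` should also become `10.0`, since the same patch normalizes `10` to `10.0` in apache-ofbiz-log4j-rce.yaml and `9` to `9.0` in CVE-2021-45046.yaml.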
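Review bot: in vulnerabilities/other/goanywhere-mft-log4j-rce.yaml the hunk moves `cve-id:` below `cwe-id:`, which is the reverse of the `cve-id:` then `cwe-id:` order in every other classification block in this patch (CVE-2021-45046.yaml, apache-ofbiz-log4j-rce.yaml, jamf-pro-log4j-rce.yaml); drop the reorder. While touching the block, normalize the context line `cvss-score: 10` to `10.0` as apache-ofbiz-log4j-rce.yaml does.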
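Review bot: the `tags:` edits in vulnerabilities/other/aspnuke-openredirect.yaml and vulnerabilities/other/homeautomation-v3-openredirect.yaml silently drop `packetstorm`; anyone selecting templates by that tag will stop running these two checks. That is a behavioural change and should be stated in the commit message rather than hidden in a commit titled `fix-conflict`, or left for a separate tag-cleanup commit.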
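Review bot: the new `description:` in vulnerabilities/other/ueditor-file-upload.yaml contains a run-on with a capitalized word after a comma: "... execute file content as code, As a result, ..." should be "... execute file content as code. As a result, ...". The same sentence is pasted verbatim into vulnerabilities/weaver/ecology/ecology-arbitrary-file-upload.yaml and vulnerabilities/wordpress/3dprint-arbitrary-file-upload.yaml in this patch, so fix all three.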
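Review bot: the `remediation:` field added to vulnerabilities/wordpress/3dprint-arbitrary-file-upload.yaml is not a remediation. The removed text presented the `.htaccess` as a mitigating factor ("However, there is a .htaccess, preventing the file to be accessed on Web servers such as Apache"), i.e. something that limits exploitability on some servers and not a fix the user applies; moving it under `remediation:` tells readers that nothing needs to be done. Keep that sentence in the `description:` and, if a remediation line is wanted, state the version to update to (the name line already says `<1.9.1.5`).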