Merge branch 'main' into CVE-2020-2036

Ritik Chaddha
2025-03-23 16:23:39 +05:30
committed by GitHub
4 changed files with 29 additions and 8 deletions


@@ -26,7 +26,7 @@ tags:
files:
- http/cves/2019/CVE-2019-14696.yaml
- http/cves/2020/CVE-2020-28351.yaml
- http/cves/2020/CVE-2020-2036.yaml
- http/cves/2021/CVE-2021-28164.yaml
- http/fuzzing/wordpress-themes-detect.yaml
- http/fuzzing/mdb-database-file.yaml


@@ -995,7 +995,7 @@
{"ID":"CVE-2020-28185","Info":{"Name":"TerraMaster TOS \u003c 4.2.06 - User Enumeration","Severity":"medium","Description":"User Enumeration vulnerability in TerraMaster TOS \u003c= 4.2.06 allows remote unauthenticated attackers to identify valid users within the system via the username parameter to wizard/initialise.php.\n","Classification":{"CVSSScore":"5.3"}},"file_path":"http/cves/2020/CVE-2020-28185.yaml"}
{"ID":"CVE-2020-28188","Info":{"Name":"TerraMaster TOS - Unauthenticated Remote Command Execution","Severity":"critical","Description":"TerraMaster TOS \u003c= 4.2.06 is susceptible to a remote code execution vulnerability which could allow remote unauthenticated attackers to inject OS commands via /include/makecvs.php via the Event parameter.","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2020/CVE-2020-28188.yaml"}
{"ID":"CVE-2020-28208","Info":{"Name":"Rocket.Chat \u003c3.9.1 - Information Disclosure","Severity":"medium","Description":"Rocket.Chat through 3.9.1 is susceptible to information disclosure. An attacker can enumerate email addresses via the password reset function and thus potentially access sensitive information, modify data, and/or execute unauthorized operations.","Classification":{"CVSSScore":"5.3"}},"file_path":"http/cves/2020/CVE-2020-28208.yaml"}
{"ID":"CVE-2020-28351","Info":{"Name":"Mitel ShoreTel 19.46.1802.0 Devices - Cross-Site Scripting","Severity":"medium","Description":"Mitel ShoreTel 19.46.1802.0 devices and their conference component are vulnerable to an unauthenticated attacker conducting reflected cross-site scripting attacks via the PATH_INFO variable to index.php due to insufficient validation for the time_zone object in the HOME_MEETING\u0026 page.","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2020/CVE-2020-28351.yaml"}
{"ID":"CVE-2020-28351","Info":{"Name":"Mitel ShoreTel 19.46.1802.0 Devices - Cross-Site Scripting","Severity":"medium","Description":"Mitel ShoreTel 19.46.1802.0 devices and their conference component are vulnerable to an unauthenticated attacker conducting reflected cross-site scripting attacks via the PATH_INFO variable to index.php due to insufficient validation for the time_zone object in the HOME_MEETING\u0026 page.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2020/CVE-2020-28351.yaml"}
{"ID":"CVE-2020-28429","Info":{"Name":"geojson2kml - Command Injection","Severity":"critical","Description":"Detects command injection vulnerability by checking if `hacked.txt` is created and contains the expected content.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2020/CVE-2020-28429.yaml"}
{"ID":"CVE-2020-28871","Info":{"Name":"Monitorr 1.7.6m - Unauthenticated Remote Code Execution","Severity":"critical","Description":"Monitorr 1.7.6m is susceptible to a remote code execution vulnerability. Improper input validation and lack of authorization leads to arbitrary file uploads in the web application. An unauthorized attacker with web access to could upload and execute a specially crafted file, leading to remote code execution within the Monitorr.","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2020/CVE-2020-28871.yaml"}
{"ID":"CVE-2020-28976","Info":{"Name":"WordPress Canto 1.3.0 - Blind Server-Side Request Forgery","Severity":"medium","Description":"WordPress Canto plugin 1.3.0 is susceptible to blind server-side request forgery. An attacker can make a request to any internal and external server via /includes/lib/detail.php?subdomain and thereby possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.","Classification":{"CVSSScore":"5.3"}},"file_path":"http/cves/2020/CVE-2020-28976.yaml"}


@@ -1 +1 @@
cfb16c86f58b3c0fe08aa00deaea8c9d
6d48378dd0e545d78fef4899d9892dd9


@@ -4,7 +4,8 @@ info:
name: Mitel ShoreTel 19.46.1802.0 Devices - Cross-Site Scripting
author: pikpikcu
severity: medium
description: Mitel ShoreTel 19.46.1802.0 devices and their conference component are vulnerable to an unauthenticated attacker conducting reflected cross-site scripting attacks via the PATH_INFO variable to index.php due to insufficient validation for the time_zone object in the HOME_MEETING& page.
description: |
Mitel ShoreTel 19.46.1802.0 devices and their conference component are vulnerable to an unauthenticated attacker conducting reflected cross-site scripting attacks via the PATH_INFO variable to index.php due to insufficient validation for the time_zone object in the HOME_MEETING& page.
impact: |
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary scripts in the victim's browser, leading to session hijacking, defacement, or theft of sensitive information.
remediation: |
@@ -27,9 +28,29 @@ info:
max-request: 1
vendor: mitel
product: shoretel
tags: cve,cve2020,packetstorm,shoretel,xss,mitel
fofa-query: body="ShoreTel" && icon_hash="268280373"
tags: cve,cve2020,shoretel,xss,mitel
flow: http(1) && http(2)
http:
- method: GET
path:
- "{{BaseURL}}"
- "{{BaseURL}}/server-common/cgi-bin/login"
stop-at-first-match: true
redirects: true
matchers:
- type: word
part: body
words:
- "Mitel Networks Corporation"
- "ShoreTel"
case-insensitive: true
condition: or
internal: true
- method: GET
path:
- "{{BaseURL}}/index.php/%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E?page=HOME"
@@ -45,11 +66,11 @@ http:
- '</script><script>alert(document.domain)</script>'
- type: word
part: header
part: content_type
words:
- 'Content-Type: text/html'
- 'text/html'
- type: status
status:
- 200
# digest: 4b0a00483046022100d6dd73280a0d4553ee7cf8f1f6efa5867116696752321c5d1f05140fc52de3e4022100bf30c686c113ce0b2ce46a1d8803bd025c9d03caabb70f20ee423c5e708ad41f:922c64590222798bb761d5b6d8e72950
# digest: 4b0a00483046022100d6dd73280a0d4553ee7cf8f1f6efa5867116696752321c5d1f05140fc52de3e4022100bf30c686c113ce0b2ce46a1d8803bd025c9d03caabb70f20ee423c5e708ad41f:922c64590222798bb761d5b6d8e72950
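Review bot: `max-request: 1` in the metadata block of the second hunk is left unchanged, but the new `flow: http(1) && http(2)` can send up to three requests (two fingerprint paths plus the payload request), so it should read `max-request: 3` unless the project's tooling regenerates that field. The trailing `# digest:` line also appears identical before and after the change although the template body was edited, so the template presumably needs re-signing before its signature will verify again. In the new fingerprint request, `redirects: true` is set without a bound; adding `max-redirects: 2`, or using `host-redirects: true` to stay on the scanned host, would keep the internal `ShoreTel` matcher from passing on a page served by a different host and reduce false positives.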