Merge pull request #33 from projectdiscovery/master

Updation

README.md

@@ -37,13 +37,13 @@ An overview of the nuclei template directory including number of templates assoc
 
 | Templates        | Counts                         | Templates       | Counts                          | Templates      | Counts                       |
 | ---------------- | ------------------------------ | --------------- | ------------------------------- | -------------- | ---------------------------- |
-| cves             | 254           | vulnerabilities | 117 | exposed-panels | 108 |
+| cves             | 258           | vulnerabilities | 117 | exposed-panels | 111 |
 | takeovers        | 65        | exposures       | 64       | technologies   | 51   |
-| misconfiguration | 54 | workflows       | 24         | miscellaneous  | 16  |
+| misconfiguration | 54 | workflows       | 25         | miscellaneous  | 16  |
 | default-logins   | 20 | exposed-tokens  | 9  | dns            | 8            |
-| fuzzing          | 6          | helpers         | 4         | iot            | 7            |
+| fuzzing          | 7          | helpers         | 6         | iot            | 8            |
 
-**79 directories, 833 files**.
+**79 directories, 845 files**.
 
 </td>
 </tr>

cves/2015/CVE-2015-3337.yaml

@@ -0,0 +1,25 @@
+id: CVE-2015-3337
+
+info:
+ name: Elasticsearch Head plugin LFI
+ author: pdteam
+ severity: high
+ description: Directory traversal vulnerability in Elasticsearch before 1.4.5 and 1.5.x before 1.5.2, when a site plugin is enabled, allows remote attackers to read arbitrary files via unspecified vectors.
+ reference: https://nvd.nist.gov/vuln/detail/CVE-2015-3337
+ tags: cve,cve2015,elastic,lfi
+
+requests:
+ - method: GET
+   path:
+    - "{{BaseURL}}/_plugin/head/../../../../../../../../../../../../../../../../etc/passwd"
+
+   matchers-condition: and
+   matchers:
+    - type: regex
+      regex:
+       - "root:[x*]:0:0"
+      part: body
+
+    - type: status
+      status:
+       - 200

cves/2019/CVE-2019-10092.yaml

@@ -4,6 +4,10 @@ info:
   name: Apache mod_proxy HTML Injection / Partial XSS
   author: pd-team
   severity: medium
+  description: In Apache HTTP Server 2.4.0-2.4.39, a limited cross-site scripting issue was reported affecting the mod_proxy error page. An attacker could cause the link on the error page to be malformed and instead point to a page of their choice. This would only be exploitable where a server was set up with proxying enabled but was misconfigured in such a way that the Proxy Error page was displayed.
+  reference: |
+    - https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2019-10092-Limited%20Cross-Site%20Scripting%20in%20mod_proxy%20Error%20Page-Apache%20httpd
+    - https://httpd.apache.org/security/vulnerabilities_24.html
   tags: cve,cve2019,apache,htmli
 
 requests:

cves/2019/CVE-2019-11580.yaml

@@ -6,20 +6,21 @@ info:
   severity: critical
   tags: cve,cve2019,atlassian,rce
 
-  # Atlassian Crowd and Crowd Data Center
-  # had the pdkinstall development plugin incorrectly enabled in release builds.
-  # Attackers who can send unauthenticated or authenticated requests
-  # to a Crowd or Crowd Data Center instance can exploit this vulnerability
-  # to install arbitrary plugins, which permits remote code execution on
-  # systems running a vulnerable version of Crowd or Crowd Data Center.
-  # All versions of Crowd from version 2.1.0 before 3.0.5 (the fixed version for 3.0.x),
-  # from version 3.1.0 before 3.1.6 (the fixed version for 3.1.x),
-  # from version 3.2.0 before 3.2.8 (the fixed version for 3.2.x),
-  # from version 3.3.0 before 3.3.5 (the fixed version for 3.3.x),
-  # and from version 3.4.0 before 3.4.4 (the fixed version for 3.4.x) are affected by this vulnerability.
-  # -
-  # References:
-  # > https://github.com/jas502n/CVE-2019-11580
+  description: |
+    Atlassian Crowd and Crowd Data Center
+    had the pdkinstall development plugin incorrectly enabled in release builds.
+    Attackers who can send unauthenticated or authenticated requests
+    to a Crowd or Crowd Data Center instance can exploit this vulnerability
+    to install arbitrary plugins, which permits remote code execution on
+    systems running a vulnerable version of Crowd or Crowd Data Center.
+    All versions of Crowd from version 2.1.0 before 3.0.5 (the fixed version for 3.0.x),
+    from version 3.1.0 before 3.1.6 (the fixed version for 3.1.x),
+    from version 3.2.0 before 3.2.8 (the fixed version for 3.2.x),
+    from version 3.3.0 before 3.3.5 (the fixed version for 3.3.x),
+    and from version 3.4.0 before 3.4.4 (the fixed version for 3.4.x) are affected by this vulnerability.
+  reference:
+    - https://github.com/jas502n/CVE-2019-11580
+    - https://jira.atlassian.com/browse/CWD-5388
 
 requests:
   - method: GET

cves/2019/CVE-2019-11869.yaml

@@ -38,8 +38,8 @@ requests:
     matchers:
       - type: dsl
         dsl:
-          - 'contains(body_2, "<script>alert(0);</script>") == true'
+          - 'contains(body_2, "<script>alert(0);</script>")'
 
       - type: dsl
         dsl:
-          - "contains(tolower(all_headers_2), 'text/html') == true"
+          - "contains(tolower(all_headers_2), 'text/html')"

cves/2019/CVE-2019-12314.yaml

@@ -5,6 +5,11 @@ info:
   author: madrobot
   severity: high
   tags: cve,cve2019,lfi
+  description: Deltek Maconomy 2.2.5 is prone to local file inclusion via absolute path traversal in the WS.macx1.W_MCS/ PATH_INFO, as demonstrated by a cgi-bin/Maconomy/MaconomyWS.macx1.W_MCS/etc/passwd URI.
+  reference: |
+    http://packetstormsecurity.com/files/153079/Deltek-Maconomy-2.2.5-Local-File-Inclusion.html
+    https://github.com/JameelNabbo/exploits/blob/master/Maconomy%20Erp%20local%20file%20include.txt
+    https://github.com/ras313/CVE-2019-12314/security/advisories/GHSA-8762-rf4g-23xm
 
 requests:
   - method: GET

cves/2019/CVE-2019-14223.yaml

@@ -4,6 +4,10 @@ info:
   name: Alfresco Share Open Redirect
   author: pd-team
   severity: low
+  description: An issue was discovered in Alfresco Community Edition versions below 5.2.6, 6.0.N and 6.1.N. The Alfresco Share application is vulnerable to an Open Redirect attack via a crafted POST request. By manipulating the POST parameters, an attacker can redirect a victim to a malicious website over any protocol the attacker desires (e.g.,http, https, ftp, smb, etc.).
+  reference: |
+    - https://community.alfresco.com/content?filterID=all~objecttype~thread%5Bquestions%5D
+    - https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2019-14223-Open%20Redirect%20in%20Alfresco%20Share-Alfresco%20Community
   tags: cve,cve2019,redirect
 
 requests:

cves/2019/CVE-2019-17506.yaml

@@ -4,7 +4,8 @@ info:
   name: DLINK DIR-868L & DIR-817LW Info Leak
   author: pikpikcu
   severity: critical
-  reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17506
+  description: There are some web interfaces without authentication requirements on D-Link DIR-868L B1-2.03 and DIR-817LW A1-1.04 routers. An attacker can get the router's username and password (and other information) via a DEVICE.ACCOUNT value for SERVICES in conjunction with AUTHORIZED_GROUP=1%0a to getcfg.php. This could be used to control the router remotely.
+  reference: https://github.com/dahua966/Routers-vuls/blob/master/DIR-868/name%26passwd.py
   tags: cve,cve2019,dlink
 
 requests:

cves/2019/CVE-2019-19781.yaml

@@ -4,6 +4,8 @@ info:
   name: Citrix ADC Directory Traversal
   author: organiccrap
   severity: high
+  description: An issue was discovered in Citrix Application Delivery Controller (ADC) and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0. They allow Directory Traversal.
+  reference: https://support.citrix.com/article/CTX267027
   tags: cve,cve2019,citrix,lfi
 
 requests:

cves/2019/CVE-2019-9733.yaml

@@ -3,6 +3,11 @@ info:
   name: Artifactory Access-Admin Login Bypass
   author: akshansh
   severity: critical
+  description: An issue was discovered in JFrog Artifactory 6.7.3. By default, the access-admin account is used to reset the password of the admin account in case an administrator gets locked out from the Artifactory console. This is only allowable from a connection directly from localhost, but providing a X-Forwarded-For HTTP header to the request allows an unauthenticated user to login with the default credentials of the access-admin account while bypassing the whitelist of allowed IP addresses. The access-admin account can use Artifactory's API to request authentication tokens for all users including the admin account and, in turn, assume full control of all artifacts and repositories managed by Artifactory.
+  reference: |
+    - http://packetstormsecurity.com/files/152172/JFrog-Artifactory-Administrator-Authentication-Bypass.html
+    - https://www.ciphertechs.com/jfrog-artifactory-advisory/
+    - https://www.jfrog.com/confluence/display/RTF/Release+Notes#ReleaseNotes-Artifactory6.8.6
   tags: cve,cve2019,artifactory
 
 requests:

cves/2019/CVE-2019-9955.yaml

@@ -5,6 +5,13 @@ info:
   author: pd-team
   severity: low
   tags: cve,cve2019,xss
+  description: On Zyxel ATP200, ATP500, ATP800, USG20-VPN, USG20W-VPN, USG40, USG40W, USG60, USG60W, USG110, USG210, USG310, USG1100, USG1900, USG2200-VPN, ZyWALL 110, ZyWALL 310, ZyWALL 1100 devices, the security firewall login page is vulnerable to Reflected XSS via the unsanitized 'mp_idx' parameter.
+  reference: |
+    http://packetstormsecurity.com/files/152525/Zyxel-ZyWall-Cross-Site-Scripting.html
+    http://seclists.org/fulldisclosure/2019/Apr/22
+    https://www.exploit-db.com/exploits/46706/
+    https://www.securitymetrics.com/blog/Zyxel-Devices-Vulnerable-Cross-Site-Scripting-Login-page
+    https://www.zyxel.com/support/reflected-cross-site-scripting-vulnerability-of-firewalls.shtml
 
 requests:
   - method: GET

cves/2020/CVE-2020-0618.yaml

@@ -5,16 +5,15 @@ info:
   author: joeldeleep
   description: A remote code execution vulnerability exists in Microsoft SQL Server Reporting Services when it incorrectly handles page requests, aka 'Microsoft SQL Server Reporting Services Remote Code Execution Vulnerability'.
   severity: high
-  reference: https://www.mdsec.co.uk/2020/02/cve-2020-0618-rce-in-sql-server-reporting-services-ssrs/
+  reference: |
+    - https://www.mdsec.co.uk/2020/02/cve-2020-0618-rce-in-sql-server-reporting-services-ssrs/
+    - https://github.com/euphrat1ca/CVE-2020-0618
   tags: cve,cve2020,rce
 
   # THIS TEMPLATE IS ONLY FOR DETECTING
   # To carry out further attacks, please see reference[1] below.
   # This template works by guessing user ID.
 
-  # References:
-  # - [1] https://github.com/euphrat1ca/CVE-2020-0618
-
 requests:
   - method: GET
     path:

cves/2020/CVE-2020-10546.yaml

@@ -3,7 +3,10 @@ info:
   name: rConfig 3.9.4 SQLi
   author: madrobot
   severity: high
-  reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10546
+  description: rConfig 3.9.4 and previous versions has unauthenticated compliancepolicies.inc.php SQL injection. Because, by default, nodes' passwords are stored in cleartext, this vulnerability leads to lateral movement, granting an attacker access to monitored network devices.
+  reference: |
+    - https://github.com/theguly/exploits/blob/master/CVE-2020-10546.py
+    - https://theguly.github.io/2020/09/rconfig-3.9.4-multiple-vulnerabilities/
   tags: cve,cve2020,rconfig,sqli
 
 requests:

cves/2020/CVE-2020-10548.yaml

@@ -3,7 +3,10 @@ info:
   name: rConfig 3.9.4 SQLi
   author: madrobot
   severity: high
-  reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10548
+  description: rConfig 3.9.4 and previous versions has unauthenticated devices.inc.php SQL injection. Because, by default, nodes' passwords are stored in cleartext, this vulnerability leads to lateral movement, granting an attacker access to monitored network devices.
+  reference: |
+    - https://github.com/theguly/exploits/blob/master/CVE-2020-10548.py
+    - https://theguly.github.io/2020/09/rconfig-3.9.4-multiple-vulnerabilities/
   tags: cve,cve2020,rconfig,sqli
 
 requests:

cves/2020/CVE-2020-10549.yaml

@@ -3,7 +3,10 @@ info:
   name: rConfig 3.9.4 SQLi
   author: madrobot
   severity: high
-  reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10549
+  description: rConfig 3.9.4 and previous versions has unauthenticated snippets.inc.php SQL injection. Because, by default, nodes' passwords are stored in cleartext, this vulnerability leads to lateral movement, granting an attacker access to monitored network devices.
+  reference: |
+    - https://github.com/theguly/exploits/blob/master/CVE-2020-10549.py
+    - https://theguly.github.io/2020/09/rconfig-3.9.4-multiple-vulnerabilities/
   tags: cve,cve2020,rconfig,sqli
 
 requests:

cves/2020/CVE-2020-11710.yaml

@@ -4,6 +4,7 @@ info:
   name: Kong Admin Rest API Unauth
   author: pikpikcu
   severity: info
+  description: An issue was discovered in docker-kong (for Kong) through 2.0.3. The admin API port may be accessible on interfaces other than 127.0.0.1.
   reference: https://nvd.nist.gov/vuln/detail/CVE-2020-11710
   tags: cve,cve2020,kong
 

cves/2020/CVE-2020-15568.yaml

@@ -4,6 +4,7 @@ info:
   name: TerraMaster TOS v4.1.24 RCE
   author: pikpikcu
   severity: critical
+  description: TerraMaster TOS before 4.1.29 has Invalid Parameter Checking that leads to code injection as root. This is a dynamic class method invocation vulnerability in include/exportUser.php, in which an attacker can trigger a call to the exec method with (for example) OS commands in the opt parameter.
   reference: https://ssd-disclosure.com/ssd-advisory-terramaster-os-exportuser-php-remote-code-execution/
   tags: cve,cve2020,terramaster,rce
 

cves/2020/CVE-2020-16139.yaml

@@ -4,6 +4,8 @@ info:
   name: Cisco 7937G Denial-of-Service Reboot Attack
   author: pikpikcu
   severity: low
+  description: |
+    A denial-of-service in Cisco Unified IP Conference Station 7937G 1-4-4-0 through 1-4-5-7 allows attackers restart the device remotely through sending specially crafted packets. Note: We cannot prove this vulnerability exists. Out of an abundance of caution, this CVE is being assigned to better serve our customers and ensure all who are still running this product understand that the product is end of life and should be removed or upgraded.
   reference: https://blacklanternsecurity.com/2020-08-07-Cisco-Unified-IP-Conference-Station-7937G/
   tags: cve,cve2020,dos,cisco
 

cves/2020/CVE-2020-17453.yaml

@@ -0,0 +1,30 @@
+id: CVE-2020-17453
+
+info:
+  name: WSO2 Carbon Management Console - XSS
+  author: madrobot
+  severity: medium
+  description: Reflected XSS vulnerability can be exploited by tampering a request parameter in Management Console. This can be performed in both authenticated and unauthenticated requests.
+  tags: xss,wso2,cve2020,cve
+  reference: https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2020-1132
+
+requests:
+  - method: GET
+    path:
+      - '{{BaseURL}}/carbon/admin/login.jsp?msgId=%27%3Balert(%27nuclei%27)%2F%2F'
+
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+
+      - type: word
+        words:
+          - "'';alert('nuclei')//';"
+        part: body
+
+      - type: word
+        words:
+          - "text/html"
+        part: header

cves/2020/CVE-2020-17518.yaml

@@ -33,4 +33,4 @@ requests:
     matchers:
       - type: dsl
         dsl:
-          - 'contains(body, "test-poc") == true && status_code == 200' # Using CVE-2020-17519 to confirm this.
+          - 'contains(body, "test-poc") && status_code == 200' # Using CVE-2020-17519 to confirm this.

cves/2020/CVE-2020-21224.yaml

@@ -4,6 +4,7 @@ info:
   name: Inspur ClusterEngine V4.0 RCE
   author: pikpikcu
   severity: critical
+  description: A Remote Code Execution vulnerability has been found in Inspur ClusterEngine V4.0. A remote attacker can send a malicious login packet to the control server
   reference: https://github.com/NS-Sp4ce/Inspur/tree/master/ClusterEngineV4.0%20Vul
   tags: cve,cve2020,clusterengine,rce
 

cves/2020/CVE-2020-24223.yaml

@@ -4,6 +4,7 @@ info:
   name: Mara CMS  7.5 - Reflective Cross-Site Scripting
   author: pikpikcu
   severity: medium
+  description: Mara CMS 7.5 allows cross-site scripting (XSS) in contact.php via the theme or pagetheme parameters.
   reference: https://www.exploit-db.com/exploits/48777
   tags: cve,cve2020,mara,xss
 

cves/2020/CVE-2020-24571.yaml

@@ -3,6 +3,7 @@ info:
   name: NexusDB v4.50.22 Path Traversal
   author: pikpikcu
   severity: high
+  description: NexusQA NexusDB before 4.50.23 allows the reading of files via ../ directory traversal.
   reference: https://www.nexusdb.com/mantis/bug_view_advanced_page.php?bug_id=2371
   tags: cve,cve2020,nexusdb,lfi
 

cves/2020/CVE-2020-24579.yaml

@@ -4,6 +4,7 @@ info:
   name: DLINK DSL 2888a RCE
   author: pikpikcu
   severity: medium
+  description: An issue was discovered on D-Link DSL-2888A devices with firmware prior to AU_2.31_V1.1.47ae55. An unauthenticated attacker could bypass authentication to access authenticated pages and functionality.
   reference: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/d-link-multiple-security-vulnerabilities-leading-to-rce/
   tags: cve,cve2020,dlink,rce
 

cves/2020/CVE-2020-27982.yaml

@@ -3,6 +3,7 @@ info:
   name: IceWarp WebMail Reflected XSS
   author: madrobot
   severity: medium
+  description: IceWarp 11.4.5.0 allows XSS via the language parameter.
   reference: https://packetstormsecurity.com/files/159763/Icewarp-WebMail-11.4.5.0-Cross-Site-Scripting.html
   tags: cve,cve2020,xss,icewarp
 

cves/2020/CVE-2020-35489.yaml

@@ -0,0 +1,30 @@
+id: CVE-2020-35489
+
+info:
+  name: WordPress Contact Form 7 Plugin - Unrestricted File Upload
+  author: soyelmago
+  severity: critical
+  description: The contact-form-7 (aka Contact Form 7) plugin before 5.3.2 for WordPress allows Unrestricted File Upload and remote code execution because a filename may contain special characters.
+  reference: https://nvd.nist.gov/vuln/detail/CVE-2020-35489
+  tags: cve,cve2020,wordpress,wp-plugin
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/wp-content/plugins/contact-form-7/readme.txt"
+
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+
+      - type: word
+        words:
+          - "Contact Form 7"
+        part: body
+
+      - type: regex
+        regex:
+          - '^([0-4]\.|5\.[0-2]\.|5\.3\.[0-1]$)'
+        part: body

cves/2020/CVE-2020-5777.yaml

@@ -4,7 +4,8 @@ info:
   name: Remote Auth Bypass in MAGMI (Magento Mass Importer) Plugin <= v0.7.23
   author: dwisiswant0
   severity: high
-  description: "MAGMI versions prior to 0.7.24 are vulnerable to a remote authentication bypass due to allowing default credentials in the event there is a database connection failure."
+  description: MAGMI versions prior to 0.7.24 are vulnerable to a remote authentication bypass due to allowing default credentials in the event there is a database connection failure.
+  reference: https://github.com/dweeves/magmi-git/blob/18bd9ec905c90bfc9eaed0c2bf2d3525002e33b9/magmi/inc/magmi_auth.php#L35
   tags: cve,cve2020,magmi
 
   # Response code 503 indicates a potential successful "Too many connections" error

cves/2020/CVE-2020-5902.yaml

@@ -4,6 +4,19 @@ info:
   name: F5 BIG-IP TMUI RCE
   author: madrobot & dwisiswant0 & ringo
   severity: high
+  description: In BIG-IP versions 15.0.0-15.1.0.3, 14.1.0-14.1.2.5, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1, the Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has a Remote Code Execution (RCE) vulnerability in undisclosed pages.
+  reference: |
+    - http://packetstormsecurity.com/files/158333/BIG-IP-TMUI-Remote-Code-Execution.html
+    - http://packetstormsecurity.com/files/158334/BIG-IP-TMUI-Remote-Code-Execution.html
+    - http://packetstormsecurity.com/files/158366/F5-BIG-IP-TMUI-Directory-Traversal-File-Upload-Code-Execution.html
+    - http://packetstormsecurity.com/files/158414/Checker-CVE-2020-5902.html
+    - http://packetstormsecurity.com/files/158581/F5-Big-IP-13.1.3-Build-0.0.6-Local-File-Inclusion.html
+    - https://badpackets.net/over-3000-f5-big-ip-endpoints-vulnerable-to-cve-2020-5902/
+    - https://github.com/Critical-Start/Team-Ares/tree/master/CVE-2020-5902
+    - https://support.f5.com/csp/article/K52145254
+    - https://swarm.ptsecurity.com/rce-in-f5-big-ip/
+    - https://www.criticalstart.com/f5-big-ip-remote-code-execution-exploit/
+    - https://www.kb.cert.org/vuls/id/290915
   tags: cve,cve2020,bigip,rce
 
 requests: