Merge branch 'master' into snyk-fix-45537895660e2c31d984f2042b819b69

securestep9 · web-flow · commit 74c8ce94d57a · 2024-01-19T00:56:33.000Z
diff --git a/modules/vuln/ivanti_ics_cve_2023_46805.yaml b/modules/vuln/ivanti_ics_cve_2023_46805.yaml
@@ -0,0 +1,51 @@
+info:
+  name: ivanti_ics_cve_2023_46805_vuln
+  author: Jimmy Ly
+  severity: 8.2
+  description: CVE-2023-46805 is an authentication bypass that is usually chained with CVE-2024-21887 to perform remote code execution on Ivanti ICS 9.x, 22.x. This module checks whether the mitigations have been applied for CVE-2023-46805. 
+  reference: 
+    - https://forums.ivanti.com/s/article/CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US
+    - https://labs.watchtowr.com/welcome-to-2024-the-sslvpn-chaos-continues-ivanti-cve-2023-46805-cve-2024-21887
+  profiles:
+    - vuln
+    - vulnerability
+    - http
+    - high_severity
+    - cve
+    - ivanti
+    - ivanti_connect_secure
+    - invati_ics
+
+payloads:
+  - library: http
+    steps:
+      - method: get
+        timeout: 3
+        headers:
+          User-Agent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.138 Safari/537.36"
+        allow_redirects: false
+        ssl: false
+        url:
+          nettacker_fuzzer:
+            input_format: "{{schema}}://{target}:{{ports}}/{{paths}}"
+            prefix: ""
+            suffix: ""
+            interceptors:
+            data:
+              paths:  
+                - "api/v1/configuration/users/user-roles/user-role/rest-userrole1/web/web-bookmarks/bookmark"
+              schema:
+                - "http"
+                - "https"
+              ports:
+                - 80
+                - 443
+        response:
+          condition_type: and
+          conditions:
+            status_code:
+              regex: '403'
+              reverse: false
+            content:
+              regex: '<html>'
+              reverse: true
diff --git a/modules/vuln/wp_plugin_cve_2023_6875.yaml b/modules/vuln/wp_plugin_cve_2023_6875.yaml
@@ -0,0 +1,51 @@
+info:
+  name: wp_plugin_cve_2023_6875_vuln
+  author: Captain-T2004
+  severity: 9
+  description: POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress <= 2.8.7 – Unauthenticated Stored Cross-Site Scripting via device
+  reference:
+    - https://nvd.nist.gov/vuln/detail/CVE-2023-6875
+    - https://www.wordfence.com/blog/2024/01/type-juggling-leads-to-two-vulnerabilities-in-post-smtp-mailer-wordpress-plugin/
+    - https://www.cve.org/CVERecord?id=CVE-2023-6875
+  profiles:
+    - vuln
+    - vulnerability
+    - http
+    - critical_severity
+    - cve2023
+    - cve
+    - wordpress
+    - wp_plugin
+
+payloads:
+  - library: http
+    steps:
+      - method: post
+        timeout: 3
+        headers:
+          User-Agent: "{user_agent}"
+        allow_redirects: false
+        ssl: false
+        url:
+          nettacker_fuzzer:
+            input_format: "{{schema}}://{target}:{{ports}}/wp-json/post-smtp/v1/connect-app"
+            prefix: ""
+            suffix: ""
+            interceptors:
+            data:
+              schema:
+                - "http"
+                - "https"
+              ports:
+                - 80
+                - 443
+        response:
+          success_conditions: content
+          condition_type: and
+          conditions:
+            content:
+              regex: "fcm_token"
+              reverse: false
+            status_code:
+              regex: "200"
+              reverse: false
