v10.0.4

@princechaddha princechaddha released this 18 Nov 06:26
· 137 commits to main since this release

What's Changed

🔥 Release Highlights 🔥


Bug Fixes

False Negatives

No updates

False Positives

Enhancements

Template Updates

New Templates Added: 74 | CVEs Added: 26 | First-time contributions: 7

  • [CVE-2024-51483] Changedetection.io <= 0.47.4 - Path Traversal (@iamnoooob, @rootxharsh, @pdresearch) [medium]
  • [CVE-2024-50340] Symfony Profiler - Remote Access via Injected Arguments (@dhiyaneshdk) [high] 🔥
  • [CVE-2024-48360] Qualitor <= v8.24 - Server-Side Request Forgery (@s4e-io) [high]
  • [CVE-2024-36117] Reposilite >= 3.3.0, < 3.5.12 - Arbitrary File Read (@iamnoooob, @rootxharsh, @pdresearch) [high]
  • [CVE-2024-35219] OpenAPI Generator <= 7.5.0 - Arbitrary File Read/Delete (@iamnoooob, @rootxharsh, @pdresearch) [high] 🔥
  • [CVE-2024-10915] D-Link NAS - Command Injection via Group Parameter (@s4e-io) [critical]
  • [CVE-2024-10914] D-Link NAS - Command Injection via Name Parameter (@s4e-io) [critical] 🔥
  • [CVE-2024-10081] CodeChecker <= 6.24.1 - Authentication Bypass (@iamnoooob, @rootxharsh, @pdresearch) [critical]
  • [CVE-2024-9487] GitHub Enterprise - SAML Authentication Bypass (@iamnoooob, @rootxharsh, @pdresearch) [critical] 🔥
  • [CVE-2024-8963] Ivanti Cloud Services Appliance - Path Traversal (@johnk3r) [critical] 🔥
  • [CVE-2024-8673] Z-Downloads < 1.11.7 - Cross-Site Scripting (@Splint3r7) [low]
  • [CVE-2024-6420] Hide My WP Ghost < 5.2.02 - Hidden Login Page Disclosure (@JPG0mez) [high]
  • [CVE-2024-6049] Lawo AG vsm LTC Time Sync (vTimeSync) - Path Traversal (@s4e-io) [high] 🔥
  • [CVE-2024-4841] LoLLMS WebUI - Subfolder Prediction via Path Traversal (@s4e-io) [medium]
  • [CVE-2023-49494] DedeCMS v5.7.111 - Cross-Site Scripting (@ritikchaddha) [medium]
  • [CVE-2022-31260] ResourceSpace - Metadata Export (@ritikchaddha) [medium]
  • [CVE-2022-28033] Atom.CMS 2.0 - SQL Injection (@ritikchaddha) [critical]
  • [CVE-2022-0479] Popup Builder Plugin - SQL Injection and Cross-Site Scripting (@ritikchaddha) [critical]
  • [CVE-2021-44260] WAVLINK AC1200 - Information Disclosure (@ritikchaddha) [high]
  • [CVE-2021-24934] Visual CSS Style Editor < 7.5.4 - Cross-Site Scripting (@Splint3r7) [medium]
  • [CVE-2019-1003000] Jenkins Script Security Plugin <=1.49 - Sandbox Bypass (@sttlr) [high]
  • [CVE-2019-0192] Apache Solr - Deserialization of Untrusted Data (@hnd3884) [critical] 🔥
  • [CVE-2018-10383] Lantronix SecureLinx Spider (SLS) 2.2+ - Cross-Site Scripting (@ritikchaddha) [medium]
  • [CVE-2017-18590] Timesheet Plugin < 0.1.5 - Cross-Site Scripting (@Spling3r7) [medium]
  • [CVE-2016-10976] Safe Editor Plugin < 1.2 - CSS/JS-injection (@Splint3r7) [medium]
  • [CVE-2014-0160] OpenSSL Heartbleed Vulnerability (@pussycat0x) [high]
  • [stack-notification-disabled] CloudFormation Stack Notification - Disabled (@dhiyaneshdk) [medium]
  • [stack-policy-not-inuse] CloudFormation Stack Policy - Not In Use (@dhiyaneshdk) [medium]
  • [stack-termination-disabled] CloudFormation Termination Protection - Disabled (@dhiyaneshdk) [medium]
  • [cloudfront-compress-object] CloudFront Compress Objects Automatically (@dhiyaneshdk) [low]
  • [cloudfront-custom-certificates] Cloudfront Custom SSL/TLS Certificates - In Use (@dhiyaneshdk) [medium]
  • [cloudfront-geo-restriction] CloudFront Geo Restriction - Not Enabled (@dhiyaneshdk) [info]
  • [cloudfront-insecure-protocol] CloudFront Insecure Origin SSL Protocols (@dhiyaneshdk) [medium]
  • [cloudfront-integrated-waf] CloudFront Integrated With WAF (@dhiyaneshdk) [medium]
  • [cloudfront-logging-disabled] Cloudfront Logging Disabled (@dhiyaneshdk) [medium]
  • [cloudfront-origin-shield] CloudFront Origin Shield - Not Enabled (@dhiyaneshdk) [info]
  • [cloudfront-security-policy] CloudFront Security Policy (@dhiyaneshdk) [medium]
  • [cloudfront-traffic-unencrypted] CloudFront Traffic To Origin Unencrypted (@dhiyaneshdk) [medium]
  • [cloudfront-viewer-policy] CloudFront Viewer Protocol Policy (@dhiyaneshdk) [medium]
  • [secret-manager-not-inuse] Secrets Manager Not In Use (@dhiyaneshdk) [info]
  • [secret-rotation-interval] Secret Rotation Interval (@dhiyaneshdk) [medium]
  • [secrets-rotation-disabled] Secret Rotation Disabled (@dhiyaneshdk) [medium]
  • [aspnet-framework-exceptions] ASP.NET Framework Exceptions (@aayush Dhakal) [info]
  • [nodejs-framework-exceptions] Node.js Framework Exceptions (@aayush Dhakal) [info]
  • [bigant-default-login] BigAnt - Default Password (@ritikchaddha) [critical]
  • [minio-object-default-login] MinIO Console Object Store - Default Login (@johnk3r) [high]
  • [actifio-panel] Actifio Resource Center - Panel (@Splint3r7) [info]
  • [adapt-panel] Adapt Authoring Tool - Panel (@Splint3r7) [info]
  • [aethra-panel] Aethra Telecommunications Login - Panel (@Splint3r7) [info]
  • [akuiteo-panel] Akuiteo Login Panel - Detect (@righettod) [info]
  • [alamos-panel] Alamos GmbH Panel - Detect (@Splint3r7) [info]
  • [alfresco-panel] Alfresco Content App Panel - Detect (@Splint3r7) [info]
  • [alternc-panel] AlternC Desktop Panel - Detect (@Splint3r7) [info]
  • [anmelden-panel] Anmelden | OPNsense Panel - Detect (@Splint3r7) [info]
  • [cyberpanel-panel] Cyberpanel Login Panel - Detect (@mailler) [info]
  • [deepmail-panel] Advanced eMail Solution DEEPMail - Panel (@Splint3r7) [info]
  • [ghe-encrypt-saml] GitHub Enterprise - Encrypted SAML (@rootxharsh, @iamnoooob, @pdresearch) [info]
  • [hyperplanning-panel] HYPERPLANNING Login Panel - Detect (@righettod) [info]
  • [nexpose-panel] Rapid7 Nexpose VM Security Console - Detect (@johnk3r) [info]
  • [panos-management-panel] PAN-OS Management Panel - Detect (@bhutch) [info]
  • [pronote-panel] PRONOTE Login Panel - Detect (@righettod) [info]
  • [quest-panel] Quest Modem Configuration Login - Panel (@Splint3r7) [info]
  • [quivr-panel] Quivr Panel - Detect (@s4e-io) [info]
  • [thruk-panel] Thruk Login Panel - Detect (@ffffffff0x, @righettod) [info]
  • [ip-webcam] IP Webcam Viewer Page - Detect (@gy741) [low]
  • [azure-blob-core-detect] Azure Blob Core Service - Detect (@ProjectDiscoveryAI) [info]
  • [atlantis-dashboard] Atlantis Dashboard - Exposure (@dhiyaneshdk) [medium]
  • [pgwatch2-db-exposure] Pgwatch2 DBs to monitor - Exposure (@dhiyaneshdk) [high]
  • [amazon-ecs-defualt-page] Amazon ECS Sample App Default Page - Detect (@Splint3r7) [info]
  • [hubble-detect] Hubble - Detect (@righettod) [info]
  • [localai-detect] LocalAI - Detect (@s4e-io) [info]
  • [pghero-detect] PgHero - Detect (@righettod) [info]
  • [flexmls-idx-detect] Flexmls IDX - Detect (@rxerium, @sorrowx3) [info]
  • [lottie-backdoor] Lottie Player - Backdoor (@nagli-wiz) [critical]

New Contributors

Full Changelog: v10.0.3...v10.0.4