Merge pull request #11640 from halil-s4e/Update-some-templates

update author some templates

file/malware/hash/upstyle-malware-hash.yaml

@@ -2,7 +2,7 @@ id: upstyle-malware-hash
 
 info:
   name: Upstyle Malware Hash - Detect
-  author: Kazgangap
+  author: s4e-io
   severity: info
   reference:
     - https://github.com/volexity/threat-intel/blob/main/2024/2024-04-12%20Palo%20Alto%20Networks%20GlobalProtect/indicators/rules.yar
@@ -19,4 +19,4 @@ file:
           - "sha256(raw) == '0d59d7bddac6c22230187ef6cf7fa22bca93759edc6f9127c41dc28a2cea19d8'"
           - "sha256(raw) == '4dd4bd027f060f325bf6a90d01bfcf4e7751a3775ad0246beacc6eb2bad5ec6f'"
         condition: or
-# digest: 490a00463044022026e209b6094cf6069a82399850d689f4954b1bdf0894804064ea6a6b4e451d0702207f2d1c45b0535619b630538970f4b652f60d54cab768039e6b4ce41a31b0265a:922c64590222798bb761d5b6d8e72950
+# digest: 490a00463044022026e209b6094cf6069a82399850d689f4954b1bdf0894804064ea6a6b4e451d0702207f2d1c45b0535619b630538970f4b652f60d54cab768039e6b4ce41a31b0265a:922c64590222798bb761d5b6d8e72950

http/cnvd/2023/CNVD-2023-03903.yaml

@@ -2,7 +2,7 @@ id: CNVD-2023-03903
 
 info:
   name: EduSoho < v22.4.7 - Local File Inclusion
-  author: securityforeveryone
+  author: s4e-io
   severity: high
   description: |
     The edusoho education and training system <v22.4.7 has unauthorized file reading vulnerability. Through this vulnerability, an attacker can read the contents of the config/parameters.yml file and obtain sensitive information such as the secret value saved in the file and database account password. After the secret value is obtained, an attacker can implement RCE with symfony _fragment routing.
@@ -38,4 +38,4 @@ http:
       - type: status
         status:
           - 200
-# digest: 490a0046304402204bb26c6f170ed79cb05d5f7cfd550d4b5455165415ff3f5560a0cf344946656b0220078beead185be4f4a7db2b8aeb6ed3236ae0d03ffc8dca10a1585a758170b7af:922c64590222798bb761d5b6d8e72950
+# digest: 490a0046304402204bb26c6f170ed79cb05d5f7cfd550d4b5455165415ff3f5560a0cf344946656b0220078beead185be4f4a7db2b8aeb6ed3236ae0d03ffc8dca10a1585a758170b7af:922c64590222798bb761d5b6d8e72950

http/cves/2021/CVE-2021-38146.yaml

@@ -2,7 +2,7 @@ id: CVE-2021-38146
 
 info:
   name: Wipro Holmes Orchestrator 20.4.1 - Arbitrary File Download
-  author: securityforeveryone
+  author: s4e-io
   severity: high
   description: |
     The File Download API in Wipro Holmes Orchestrator 20.4.1 (20.4.1_02_11_2020) allows remote attackers to read arbitrary files via absolute path traversal in the SearchString JSON field in /home/download POST data.
@@ -53,4 +53,4 @@ http:
       - type: status
         status:
           - 200
-# digest: 490a00463044022026d73a798f5f3d3e3075b21f481e638f81ac25cb3599a8a398e7f507fd7b6f7202205c3a9e24910195fa39a068491157c5ad8f0989063f153067f0945006776f49bc:922c64590222798bb761d5b6d8e72950
+# digest: 490a00463044022026d73a798f5f3d3e3075b21f481e638f81ac25cb3599a8a398e7f507fd7b6f7202205c3a9e24910195fa39a068491157c5ad8f0989063f153067f0945006776f49bc:922c64590222798bb761d5b6d8e72950

http/cves/2021/CVE-2021-38147.yaml

@@ -2,7 +2,7 @@ id: CVE-2021-38147
 
 info:
   name: Wipro Holmes Orchestrator 20.4.1 - Information Disclosure
-  author: securityforeveryone
+  author: s4e-io
   severity: high
   description: |
     Wipro Holmes Orchestrator 20.4.1 (20.4.1_02_11_2020) allows remote attackers to download arbitrary files, such as reports containing sensitive information, because authentication is not required for API access to processexecution/DownloadExcelFile/Domain_Credential_Report_Excel, processexecution/DownloadExcelFile/User_Report_Excel, processexecution/DownloadExcelFile/Process_Report_Excel, processexecution/DownloadExcelFile/Infrastructure_Report_Excel, or processexecution/DownloadExcelFile/Resolver_Report_Excel.
@@ -43,4 +43,4 @@ http:
           - "contains(body, '<?xml version=')"
           - "status_code == 200"
         condition: and
-# digest: 4b0a00483046022100a74b6fff81dd6666e23a2e9ea4c7248fd6653784369d647ca839ee76347e9584022100e29c5a174a8a06882eee05c55e493f7b161c314ea14117d5f54d62ef3f4c7bdc:922c64590222798bb761d5b6d8e72950
+# digest: 4b0a00483046022100a74b6fff81dd6666e23a2e9ea4c7248fd6653784369d647ca839ee76347e9584022100e29c5a174a8a06882eee05c55e493f7b161c314ea14117d5f54d62ef3f4c7bdc:922c64590222798bb761d5b6d8e72950

http/cves/2021/CVE-2021-4436.yaml

@@ -2,7 +2,7 @@ id: CVE-2021-4436
 
 info:
   name: 3DPrint Lite < 1.9.1.5 - Arbitrary File Upload
-  author: securityforeveryone
+  author: s4e-io
   severity: critical
   description: |
     The plugin does not have any authorisation and does not check the uploaded file in its p3dlite_handle_upload AJAX action , allowing unauthenticated users to upload arbitrary file to the web server. However, there is a .htaccess, preventing the file to be accessed on Web servers such as Apache.
@@ -57,10 +57,10 @@ http:
         words:
           - '"jsonrpc":"2.0"'
           - '"filename":'
-          - '{{filename}}.php'
+          - "{{filename}}.php"
         condition: and
 
       - type: status
         status:
           - 200
-# digest: 490a0046304402206faebbf4e3694269bbeebf16f212ad041dd8ebe3a2ce690a7c3bb224360205b90220143ae50151d27c9f93aa6ef2d9e9809484036646165bacc385273ce0a9477757:922c64590222798bb761d5b6d8e72950
+# digest: 490a0046304402206faebbf4e3694269bbeebf16f212ad041dd8ebe3a2ce690a7c3bb224360205b90220143ae50151d27c9f93aa6ef2d9e9809484036646165bacc385273ce0a9477757:922c64590222798bb761d5b6d8e72950

http/cves/2022/CVE-2022-0424.yaml

@@ -2,7 +2,7 @@ id: CVE-2022-0424
 
 info:
   name: Popup by Supsystic < 1.10.9 - Subscriber Email Addresses Disclosure
-  author: Kazgangap
+  author: s4e-io
   severity: medium
   description: |
     The Popup by Supsystic WordPress plugin before 1.10.9 does not have any authentication and authorisation in an AJAX action, allowing unauthenticated attackers to call it and get the email addresses of subscribed users
@@ -46,10 +46,10 @@ http:
           - 'username":"'
           - 'email":'
           - 'hash":"'
-          - '_wpnonce'
+          - "_wpnonce"
         condition: and
 
       - type: status
         status:
           - 200
-# digest: 4a0a004730450220759eb8529773b8afa509fda265e53b1044be91665f1ced17ca3f3868b41ab9fb022100f8778121364c64b7bbe90afa0819a52cdac61263bca8e438186c675fb8dabe6a:922c64590222798bb761d5b6d8e72950
+# digest: 4a0a004730450220759eb8529773b8afa509fda265e53b1044be91665f1ced17ca3f3868b41ab9fb022100f8778121364c64b7bbe90afa0819a52cdac61263bca8e438186c675fb8dabe6a:922c64590222798bb761d5b6d8e72950

http/cves/2022/CVE-2022-1580.yaml

@@ -2,7 +2,7 @@ id: CVE-2022-1580
 
 info:
   name: Site Offline WP Plugin < 1.5.3 - Authorization Bypass
-  author: Kazgangap
+  author: s4e-io
   severity: medium
   description: |
     The plugin prevents users from accessing a website but does not do so if the URL contained certain keywords. Adding those keywords to the URL's query string would bypass the plugin's main feature.
@@ -39,7 +39,7 @@ http:
       - type: word
         internal: true
         words:
-          - 'Site Offline Or Coming Soon Or Maintenance Mode'
+          - "Site Offline Or Coming Soon Or Maintenance Mode"
 
   - method: GET
     path:
@@ -49,6 +49,6 @@ http:
       - type: dsl
         dsl:
           - 'contains_all(body, "wp-block", "author")'
-          - 'status_code == 200'
+          - "status_code == 200"
         condition: and
-# digest: 4a0a00473045022100e2c4e028559be4aae52567a21628ea83074504267ae7a54cd08ab9f50da3998002205b2c3f2095cf4e9aa560bb059f6fd71d41a7cffbb205c32e3b40141094152d5b:922c64590222798bb761d5b6d8e72950
+# digest: 4a0a00473045022100e2c4e028559be4aae52567a21628ea83074504267ae7a54cd08ab9f50da3998002205b2c3f2095cf4e9aa560bb059f6fd71d41a7cffbb205c32e3b40141094152d5b:922c64590222798bb761d5b6d8e72950

http/cves/2023/CVE-2023-2309.yaml

@@ -2,7 +2,7 @@ id: CVE-2023-2309
 
 info:
   name: wpForo Forum <= 2.1.8 - Cross-Site Scripting
-  author: securityforeveryone
+  author: s4e-io
   severity: medium
   description: |
     The wpForo Forum plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘wpforo_debug’ function in versions up to, and including, 2.1.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
@@ -39,6 +39,6 @@ http:
         dsl:
           - 'contains_all(body,"<script>alert(/document.domain/)</script>","wpforo")'
           - 'contains(header,"text/html")'
-          - 'status_code == 200'
+          - "status_code == 200"
         condition: and
-# digest: 4b0a00483046022100ddd9c2422faa3cbd4877abf6bac55d7a92c2a48ca8ce4d366fc838806636ee9e022100adc9cea0b19d7d47cd1949d9d0de218e6fb9f01713ecf3b90fb6857aea214d0a:922c64590222798bb761d5b6d8e72950
+# digest: 4b0a00483046022100ddd9c2422faa3cbd4877abf6bac55d7a92c2a48ca8ce4d366fc838806636ee9e022100adc9cea0b19d7d47cd1949d9d0de218e6fb9f01713ecf3b90fb6857aea214d0a:922c64590222798bb761d5b6d8e72950

http/cves/2023/CVE-2023-4220.yaml

@@ -2,7 +2,7 @@ id: CVE-2023-4220
 
 info:
   name: Chamilo LMS <= 1.11.24 - Remote Code Execution
-  author: securityforeveryone
+  author: s4e-io
   severity: medium
   description: |
     Unrestricted file upload in big file upload functionality in `/main/inc/lib/javascript/bigupload/inc/bigUpload.php` in Chamilo LMS <= v1.11.24 allows unauthenticated attackers to perform stored cross-site scripting attacks and obtain remote code execution via uploading of web shell.
@@ -53,6 +53,6 @@ http:
       - type: dsl
         dsl:
           - 'contains(body_2,"{{md5(num)}}")'
-          - 'status_code_1 == 200 && status_code_2 == 200'
+          - "status_code_1 == 200 && status_code_2 == 200"
         condition: and
-# digest: 4a0a00473045022100e0d78f61a3506d83f028da098dc4fe129778d1ea6e895c4dfc5a14e5703294fd02206737071a77fc31206b3dc709b62430376a2f216650f9094bda45ff10a5c6e01e:922c64590222798bb761d5b6d8e72950
+# digest: 4a0a00473045022100e0d78f61a3506d83f028da098dc4fe129778d1ea6e895c4dfc5a14e5703294fd02206737071a77fc31206b3dc709b62430376a2f216650f9094bda45ff10a5c6e01e:922c64590222798bb761d5b6d8e72950

http/cves/2023/CVE-2023-5003.yaml

@@ -2,7 +2,7 @@ id: CVE-2023-5003
 
 info:
   name: Active Directory Integration WP Plugin < 4.1.10 - Log Disclosure
-  author: Kazgangap
+  author: s4e-io
   severity: high
   description: |
     The Active Directory Integration / LDAP Integration WordPress plugin before 4.1.10 stores sensitive LDAP logs in a buffer file when an administrator wants to export said logs. Unfortunately, this log file is never removed, and remains accessible to any users knowing the URL to do so.
@@ -43,4 +43,4 @@ http:
       - type: status
         status:
           - 200
-# digest: 490a0046304402207b42a5ff26d6a026c2794f4f38a6de217068a35ef2b3343694c3de2b56fe62e30220476cf97fedab73f933446b92317ce23c3fadbb155f55180b26040a4b4ea68d81:922c64590222798bb761d5b6d8e72950
+# digest: 490a0046304402207b42a5ff26d6a026c2794f4f38a6de217068a35ef2b3343694c3de2b56fe62e30220476cf97fedab73f933446b92317ce23c3fadbb155f55180b26040a4b4ea68d81:922c64590222798bb761d5b6d8e72950

http/cves/2023/CVE-2023-5991.yaml

@@ -2,7 +2,7 @@ id: CVE-2023-5991
 
 info:
   name: Hotel Booking Lite < 4.8.5 - Arbitrary File Download & Deletion
-  author: Kazgangap
+  author: s4e-io
   severity: critical
   description: |
     The Hotel Booking Lite WordPress plugin before 4.8.5 does not validate file paths provided via user input, as well as does not have proper CSRF and authorisation checks, allowing unauthenticated users to download and delete arbitrary files on the server
@@ -51,4 +51,4 @@ http:
       - type: status
         status:
           - 200
-# digest: 4a0a00473045022100811243e9f68d9d7270577e7f2b074e073046db9fb8ed4ed9f69e11fe843e8adb02207465c85fc2cded6fb631c82cfe69b6f616afa554ce73ec2995819605fc4dccef:922c64590222798bb761d5b6d8e72950
+# digest: 4a0a00473045022100811243e9f68d9d7270577e7f2b074e073046db9fb8ed4ed9f69e11fe843e8adb02207465c85fc2cded6fb631c82cfe69b6f616afa554ce73ec2995819605fc4dccef:922c64590222798bb761d5b6d8e72950

http/cves/2023/CVE-2023-6065.yaml

@@ -2,7 +2,7 @@ id: CVE-2023-6065
 
 info:
   name: Quttera Web Malware Scanner <= 3.4.1.48 - Sensitive Data Exposure
-  author: Kazgangap
+  author: s4e-io
   severity: medium
   description: |
     The Quttera Web Malware Scanner WordPress plugin before 3.4.2.1 doesn't restrict access to detailed scan logs, which allows a malicious actor to discover local paths and portions of the site's code
@@ -49,4 +49,4 @@ http:
       - type: status
         status:
           - 200
-# digest: 4a0a00473045022100b5a635c6121be1144aeb262ffcde7720312a07b786fcc60608e9111562ea2283022002ff5a8acf273c43008b304146c3fa533a400a4e3726bc5ac1b2d7d6141f2601:922c64590222798bb761d5b6d8e72950
+# digest: 4a0a00473045022100b5a635c6121be1144aeb262ffcde7720312a07b786fcc60608e9111562ea2283022002ff5a8acf273c43008b304146c3fa533a400a4e3726bc5ac1b2d7d6141f2601:922c64590222798bb761d5b6d8e72950

http/cves/2023/CVE-2023-6389.yaml

@@ -2,7 +2,7 @@ id: CVE-2023-6389
 
 info:
   name: WordPress Toolbar <= 2.2.6 - Open Redirect
-  author: Kazgangap
+  author: s4e-io
   severity: medium
   description: |
     The plugin redirects to any URL via the "wptbto" parameter. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites if they can successfully trick them into performing an action.
@@ -37,4 +37,4 @@ http:
         part: header
         regex:
           - '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)oast\.me.*$'
-# digest: 4a0a00473045022100ecab6f346c7465ff3d27689aed017c2118cfc8bcad8fceeed96f8f0768f7f51e02206e4f36736e919e3c57a0cc6ada3d83326fb6c9f119dc1d5e2cfc3a4963c2a13a:922c64590222798bb761d5b6d8e72950
+# digest: 4a0a00473045022100ecab6f346c7465ff3d27689aed017c2118cfc8bcad8fceeed96f8f0768f7f51e02206e4f36736e919e3c57a0cc6ada3d83326fb6c9f119dc1d5e2cfc3a4963c2a13a:922c64590222798bb761d5b6d8e72950

http/cves/2023/CVE-2023-6444.yaml

@@ -2,7 +2,7 @@ id: CVE-2023-6444
 
 info:
   name: Seriously Simple Podcasting < 3.0.0 - Information Disclosure
-  author: s4eio
+  author: s4e-io
   severity: medium
   description: |
     The Seriously Simple Podcasting WordPress plugin before 3.0.0 discloses the Podcast owner's email address (which by default is the admin email address) via an unauthenticated crafted request.
@@ -39,7 +39,7 @@ http:
       - type: dsl
         dsl:
           - 'contains(body,"/wp-content/plugins/seriously-simple-podcasting")'
-          - 'status_code == 200'
+          - "status_code == 200"
         condition: and
         internal: true
 
@@ -53,6 +53,6 @@ http:
         dsl:
           - 'contains_all(body,"<itunes:email>","</itunes:email>")'
           - 'contains(content_type,"text/xml")'
-          - 'status_code == 200'
+          - "status_code == 200"
         condition: and
-# digest: 4b0a00483046022100ec003c60c8c528f4b72e315d81a02c382c98687c9c20f807cb3489836159dcc1022100b9cd3892e9b50b36683974971379510d7b26514176de12efdbd16760ac4aa6c6:922c64590222798bb761d5b6d8e72950
+# digest: 4b0a00483046022100ec003c60c8c528f4b72e315d81a02c382c98687c9c20f807cb3489836159dcc1022100b9cd3892e9b50b36683974971379510d7b26514176de12efdbd16760ac4aa6c6:922c64590222798bb761d5b6d8e72950

http/cves/2023/CVE-2023-6505.yaml

@@ -2,7 +2,7 @@ id: CVE-2023-6505
 
 info:
   name: Prime Mover < 1.9.3 - Sensitive Data Exposure
-  author: securityforeveryone
+  author: s4e-io
   severity: high
   description: |
     Prime Mover plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.9.2 via directory listing in the 'prime-mover-export-files/1/' folder. This makes it possible for unauthenticated attackers to extract sensitive data including site and configuration information, directories, files, and password hashes.
@@ -37,11 +37,11 @@ http:
       - type: word
         part: body
         words:
-          - 'Index of /wp-content/uploads/prime-mover-export-files/1'
-          - '.wprime'
+          - "Index of /wp-content/uploads/prime-mover-export-files/1"
+          - ".wprime"
         condition: or
 
       - type: status
         status:
           - 200
-# digest: 4a0a00473045022100e84d8d86cb79a49bfd960092b4d50960ca75a521d2d9b3e246548f8a2357a1a7022009ad6ce73bf83b157d20f3a032804b41a8304fbae3e5b4649d9d5f5b3e9e4e9d:922c64590222798bb761d5b6d8e72950
+# digest: 4a0a00473045022100e84d8d86cb79a49bfd960092b4d50960ca75a521d2d9b3e246548f8a2357a1a7022009ad6ce73bf83b157d20f3a032804b41a8304fbae3e5b4649d9d5f5b3e9e4e9d:922c64590222798bb761d5b6d8e72950

http/cves/2023/CVE-2023-6786.yaml

@@ -2,7 +2,7 @@ id: CVE-2023-6786
 
 info:
   name: Payment Gateway for Telcell < 2.0.4 - Open Redirect
-  author: securityforeveryone
+  author: s4e-io
   severity: medium
   description: |
     The plugin does not validate the api_url parameter before redirecting the user to its value, leading to an Open Redirect issue
@@ -29,4 +29,4 @@ http:
         part: header
         regex:
           - '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)oast\.me.*$'
-# digest: 4b0a004830460221009053f940939f3012a228f7f66614a47e3861401fd44dd7a355a6f18115811206022100e39ed945c7f6f9083fa6d015c5a0246adc217f52a1bc78e351852918cd8e0359:922c64590222798bb761d5b6d8e72950
+# digest: 4b0a004830460221009053f940939f3012a228f7f66614a47e3861401fd44dd7a355a6f18115811206022100e39ed945c7f6f9083fa6d015c5a0246adc217f52a1bc78e351852918cd8e0359:922c64590222798bb761d5b6d8e72950

http/cves/2023/CVE-2023-6989.yaml

@@ -2,7 +2,7 @@ id: CVE-2023-6989
 
 info:
   name: Shield Security WP Plugin <= 18.5.9 - Local File Inclusion
-  author: Kazgangap
+  author: s4e-io
   severity: critical
   description: |
     The Shield Security Smart Bot Blocking & Intrusion Prevention Security plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 18.5.9 via the render_action_template parameter. This makes it possible for unauthenticated attacker to include and execute PHP files on the server, allowing the execution of any PHP code in those files.
@@ -51,9 +51,9 @@ http:
       - type: word
         part: header
         words:
-          - 'application/json'
+          - "application/json"
 
       - type: status
         status:
           - 200
-# digest: 4a0a00473045022100e60113a54326d43b12d740d407bfe5472e33cfdf52716a25013cf94fb8341688022066e3d4b78185fdcdb61106061233f1ee47636cc616ca013fd32caaf03b4c7e17:922c64590222798bb761d5b6d8e72950
+# digest: 4a0a00473045022100e60113a54326d43b12d740d407bfe5472e33cfdf52716a25013cf94fb8341688022066e3d4b78185fdcdb61106061233f1ee47636cc616ca013fd32caaf03b4c7e17:922c64590222798bb761d5b6d8e72950

http/cves/2024/CVE-2024-0250.yaml

@@ -2,7 +2,7 @@ id: CVE-2024-0250
 
 info:
   name: Analytics Insights for Google Analytics 4 < 6.3 - Open Redirect
-  author: securityforeveryone
+  author: s4e-io
   severity: medium
   description: |
     The plugin is vulnerable to Open Redirect due to insufficient validation on the redirect oauth2callback.php file. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites if they can successfully trick them into performing an action.
@@ -32,4 +32,4 @@ http:
         part: header
         regex:
           - '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)oast\.me.*$'
-# digest: 4b0a004830460221008f1525dd2f1d85257b83179741f962efdc8476930a5960658dd98a388a496fc2022100d3d5b77cee3412f381fa75ec8f25c839cce052eb0474cdb9a1e48fc34aa7abec:922c64590222798bb761d5b6d8e72950
+# digest: 4b0a004830460221008f1525dd2f1d85257b83179741f962efdc8476930a5960658dd98a388a496fc2022100d3d5b77cee3412f381fa75ec8f25c839cce052eb0474cdb9a1e48fc34aa7abec:922c64590222798bb761d5b6d8e72950