projectdiscovery · ElromEvedElElyon · Mar 26, 2026 · Mar 26, 2026 · Mar 26, 2026 · Mar 26, 2026
diff --git a/http/cves/2017/CVE-2017-9248.yaml b/http/cves/2017/CVE-2017-9248.yaml
@@ -0,0 +1,61 @@
+id: CVE-2017-9248
+
+info:
+  name: Telerik UI for ASP.NET AJAX DialogHandler - Cryptographic Weakness
+  author: ElromEvedElElyon
+  severity: high
+  description: |
+    Telerik.Web.UI.dll in Progress Telerik UI for ASP.NET AJAX before R2 2017 SP1 and Sitefinity before 10.0.6412.0 does not properly protect Telerik.Web.UI.DialogParametersEncryptionKey or the MachineKey. Knowledge of these keys allows a remote attacker to craft a serialized ASP.NET AJAX dialog parameters payload to upload arbitrary files or execute arbitrary code on the server. This template verifies the cryptographic oracle by sending an invalid encrypted dialog parameter and confirming the server responds with a decryption error, proving the oracle is exploitable.
+  impact: |
+    An unauthenticated remote attacker can exploit the weak encryption to derive the dialog parameters key via an oracle attack, enabling file upload and remote code execution on the web server.
+  remediation: |
+    Upgrade Telerik UI for ASP.NET AJAX to R2 2017 SP1 or later. Alternatively, configure a strong, unique MachineKey in web.config and remove the DialogHandler from the HTTP handlers if not needed.
+  reference:
+    - https://nvd.nist.gov/vuln/detail/CVE-2017-9248
+    - https://www.exploit-db.com/exploits/43873
+    - https://github.com/bao7uo/dp_crypto
+    - https://www.telerik.com/support/kb/aspnet-ajax/details/cryptographic-weakness
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 9.8
+    cve-id: CVE-2017-9248
+    cwe-id: CWE-310
+    epss-score: 0.97317
+    epss-percentile: 0.99879
+    cpe: cpe:2.3:a:telerik:ui_for_asp.net_ajax:*:*:*:*:*:*:*:*
+  metadata:
+    verified: true
+    max-request: 2
+    vendor: telerik
+    product: ui_for_asp.net_ajax
+    shodan-query: http.component:"Telerik"
+  tags: cve,cve2017,telerik,rce,crypto,kev,vkev,vuln
+
+flow: http(1) && http(2)
+
+http:
+  - raw:
+      - |
+        GET /Telerik.Web.UI.DialogHandler.aspx?dp=AAAA HTTP/1.1
+        Host: {{Hostname}}
+
+    matchers:
+      - type: dsl
+        dsl:
+          - 'status_code == 500'
+          - 'contains(body, "Index was outside the bounds of the array")'
+        condition: and
+        internal: true
+
+  - raw:
+      - |
+        GET /Telerik.Web.UI.DialogHandler.aspx?dp=BBBBBBBBBBBBBBB HTTP/1.1
+        Host: {{Hostname}}
+
+    matchers:
+      - type: dsl
+        dsl:
+          - 'status_code == 500'
+          - 'contains(body, "Index was outside the bounds of the array") || contains(body, "Cannot deserialize dialog parameters")'
+          - 'contains(body, "Telerik.Web.UI")'
+        condition: and
diff --git a/http/cves/2018/CVE-2018-2380.yaml b/http/cves/2018/CVE-2018-2380.yaml
@@ -0,0 +1,67 @@
+id: CVE-2018-2380
+
+info:
+  name: SAP CRM - Path Traversal to Code Execution
+  author: ElromEvedElElyon
+  severity: medium
+  description: |
+    SAP CRM versions 7.01, 7.02, 7.30, 7.31, 7.33, and 7.54 contain a path traversal vulnerability due to insufficient validation of path information provided by users. An authenticated attacker can traverse directories and access or upload arbitrary files, which can be chained to achieve remote code execution on the SAP application server.
+  impact: |
+    An authenticated attacker can read sensitive files from the server and potentially achieve code execution, leading to compromise of the SAP CRM system and access to business-critical customer data.
+  remediation: |
+    Apply SAP Security Note 2547431. Restrict access to the affected CRM endpoints.
+  reference:
+    - https://nvd.nist.gov/vuln/detail/CVE-2018-2380
+    - https://launchpad.support.sap.com/#/notes/2547431
+    - https://www.cisa.gov/known-exploited-vulnerabilities-catalog
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L
+    cvss-score: 6.6
+    cve-id: CVE-2018-2380
+    cwe-id: CWE-22
+    cpe: cpe:2.3:a:sap:customer_relationship_management:*:*:*:*:*:*:*:*
+  metadata:
+    verified: true
+    max-request: 1
+    vendor: sap
+    product: customer_relationship_management
+    shodan-query: http.html:"SAP" http.html:"CRM"
+  tags: cve,cve2018,sap,crm,path-traversal,kev,vkev,vuln
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}/sap/public/info"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "<COMPONENT>"
+          - "SAP_ABA"
+        condition: and
+
+      - type: dsl
+        dsl:
+          - 'compare_versions(version, ">= 7.0") && compare_versions(version, "<= 7.54")'
+
+      - type: status
+        status:
+          - 200
+
+    extractors:
+      - type: regex
+        name: version
+        part: body
+        group: 1
+        internal: true
+        regex:
+          - '<RELEASE>(\d+\.\d+)</RELEASE>'
+          - '<RELEASE>(\d+)</RELEASE>'
+      - type: regex
+        name: sap-component
+        part: body
+        group: 0
+        regex:
+          - '<COMPONENT>[^<]*CRM[^<]*</COMPONENT>'
diff --git a/http/cves/2019/CVE-2019-11539.yaml b/http/cves/2019/CVE-2019-11539.yaml
@@ -0,0 +1,60 @@
+id: CVE-2019-11539
+
+info:
+  name: Pulse Secure Connect/Policy Secure - Admin Command Injection
+  author: ElromEvedElElyon
+  severity: high
+  description: |
+    Pulse Connect Secure before 9.0R3.4 and Pulse Policy Secure before 9.0R3.2 allow authenticated administrators to inject and execute OS commands through the admin web interface. The vulnerability can be chained with pre-auth vulnerabilities to achieve unauthenticated RCE.
+  impact: |
+    An authenticated admin attacker can execute arbitrary OS commands on the VPN appliance, leading to complete device compromise, credential theft, and unauthorized access to internal networks for all VPN users.
+  remediation: |
+    Upgrade Pulse Connect Secure to 9.0R3.4 or later and Pulse Policy Secure to 9.0R3.2 or later. Restrict admin access to trusted networks.
+  reference:
+    - https://nvd.nist.gov/vuln/detail/CVE-2019-11539
+    - https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101
+    - https://www.cisa.gov/known-exploited-vulnerabilities-catalog
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 7.2
+    cve-id: CVE-2019-11539
+    cwe-id: CWE-78
+    cpe: cpe:2.3:a:pulsesecure:pulse_connect_secure:*:*:*:*:*:*:*:*
+  metadata:
+    verified: true
+    max-request: 1
+    vendor: pulsesecure
+    product: pulse_connect_secure
+    shodan-query: http.html:"Pulse Connect Secure"
+  tags: cve,cve2019,pulsesecure,vpn,command-injection,kev,vkev,vuln
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}/dana-na/auth/url_default/welcome.cgi"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "Pulse Connect Secure"
+          - "Pulse Secure"
+        condition: or
+
+      - type: regex
+        part: body
+        regex:
+          - '(?i)(?:Pulse Connect Secure|PCS)\s+(?:8\.\d+[Rr]\d+|9\.0[Rr][0-2](?:\.\d+)?|9\.0[Rr]3\.[0-3])\b'
+
+      - type: status
+        status:
+          - 200
+
+    extractors:
+      - type: regex
+        name: version
+        part: body
+        group: 0
+        regex:
+          - '(?:Pulse Connect Secure|PCS)\s+\d+\.\d+[Rr]\d+[\.\d]*'
diff --git a/http/cves/2020/CVE-2020-3161.yaml b/http/cves/2020/CVE-2020-3161.yaml
@@ -0,0 +1,71 @@
+id: CVE-2020-3161
+
+info:
+  name: Cisco IP Phone - Web Server Remote Code Execution
+  author: ElromEvedElElyon
+  severity: critical
+  description: |
+    Cisco IP Phones 7800 Series, 8800 Series, and 8832 contain a vulnerability in the web server due to inadequate HTTP request validation. An unauthenticated remote attacker can send a crafted HTTP request to execute code with root privileges or cause the device to reset, resulting in a denial of service condition.
+  impact: |
+    An unauthenticated attacker can achieve remote code execution as root on the IP phone, potentially enabling eavesdropping on calls, credential theft, and using the device as a pivot point into the enterprise network.
+  remediation: |
+    Apply the Cisco security update. Upgrade IP Phone firmware to the latest available version. Restrict network access to the phone's web interface.
+  reference:
+    - https://nvd.nist.gov/vuln/detail/CVE-2020-3161
+    - https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-voip-phone-rce-aWCBcsRR
+    - https://www.cisa.gov/known-exploited-vulnerabilities-catalog
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 9.8
+    cve-id: CVE-2020-3161
+    cwe-id: CWE-20
+    cpe: cpe:2.3:o:cisco:ip_phone_7800_series_firmware:*:*:*:*:*:*:*:*
+  metadata:
+    verified: true
+    max-request: 1
+    vendor: cisco
+    product: ip_phone_7800_series_firmware
+    shodan-query: http.html:"Cisco" http.html:"IP Phone"
+  tags: cve,cve2020,cisco,ip-phone,voip,rce,kev,vkev,vuln
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}/CGI/Java/Serviceability?adapter=device.statistics.configuration"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "modelNumber"
+          - "versionID"
+        condition: and
+
+      - type: regex
+        part: body
+        regex:
+          - 'CP-[78]8\d{2}'
+
+      - type: dsl
+        dsl:
+          - 'compare_versions(version, "< 12.7.1")'
+
+      - type: status
+        status:
+          - 200
+
+    extractors:
+      - type: regex
+        name: version
+        part: body
+        group: 1
+        internal: true
+        regex:
+          - 'versionID[=>"\s]+(\d+[\.\-]\d+[\.\-\d]*)'
+      - type: regex
+        name: phone-model
+        part: body
+        group: 0
+        regex:
+          - 'CP-[78]8\d{2}[A-Z]*'
diff --git a/http/cves/2020/CVE-2020-8218.yaml b/http/cves/2020/CVE-2020-8218.yaml
@@ -0,0 +1,60 @@
+id: CVE-2020-8218
+
+info:
+  name: Pulse Connect Secure - Admin Code Injection
+  author: ElromEvedElElyon
+  severity: high
+  description: |
+    Pulse Connect Secure versions before 9.1R8 contain a code injection vulnerability. An authenticated administrator can exploit this to execute arbitrary code on the underlying operating system via the admin web interface.
+  impact: |
+    An authenticated admin can execute arbitrary code on the Pulse Connect Secure appliance, enabling persistent access, credential theft for all VPN users, and lateral movement into the internal network.
+  remediation: |
+    Upgrade Pulse Connect Secure to version 9.1R8 or later. Restrict admin access to trusted networks and enable multi-factor authentication for admin accounts.
+  reference:
+    - https://nvd.nist.gov/vuln/detail/CVE-2020-8218
+    - https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44516
+    - https://www.cisa.gov/known-exploited-vulnerabilities-catalog
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 7.2
+    cve-id: CVE-2020-8218
+    cwe-id: CWE-94
+    cpe: cpe:2.3:a:pulsesecure:pulse_connect_secure:*:*:*:*:*:*:*:*
+  metadata:
+    verified: true
+    max-request: 1
+    vendor: pulsesecure
+    product: pulse_connect_secure
+    shodan-query: http.html:"Pulse Connect Secure"
+  tags: cve,cve2020,pulsesecure,vpn,code-injection,rce,kev,vkev,vuln
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}/dana-na/auth/url_default/welcome.cgi"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "Pulse Connect Secure"
+          - "Ivanti Connect Secure"
+        condition: or
+
+      - type: regex
+        part: body
+        regex:
+          - '(?i)(?:Pulse|Ivanti) Connect Secure\s+(?:8\.\d+[Rr]\d+|9\.0[Rr]\d+|9\.1[Rr][0-7](?:\.\d+)?)\b'
+
+      - type: status
+        status:
+          - 200
+
+    extractors:
+      - type: regex
+        name: version
+        part: body
+        group: 0
+        regex:
+          - '(?:Pulse|Ivanti) Connect Secure\s+\d+\.\d+[Rr]\d+[\.\d]*'
diff --git a/http/cves/2020/CVE-2020-8260.yaml b/http/cves/2020/CVE-2020-8260.yaml
@@ -0,0 +1,60 @@
+id: CVE-2020-8260
+
+info:
+  name: Pulse Connect Secure - Arbitrary File Upload RCE
+  author: ElromEvedElElyon
+  severity: high
+  description: |
+    Pulse Connect Secure (PCS) before 9.1R9 allows authenticated administrators to execute arbitrary code via improper handling of gzip file extraction operations in the admin web interface. An attacker with admin credentials can upload a specially crafted file that results in code execution on the underlying operating system.
+  impact: |
+    An authenticated administrator can achieve remote code execution on the Pulse Connect Secure appliance, enabling persistent backdoor access, credential theft from all VPN users, and pivot into protected internal networks.
+  remediation: |
+    Upgrade Pulse Connect Secure to version 9.1R9 or later. Restrict admin interface access and enable MFA for admin accounts.
+  reference:
+    - https://nvd.nist.gov/vuln/detail/CVE-2020-8260
+    - https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44601
+    - https://www.cisa.gov/known-exploited-vulnerabilities-catalog
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 7.2
+    cve-id: CVE-2020-8260
+    cwe-id: CWE-434
+    cpe: cpe:2.3:a:pulsesecure:pulse_connect_secure:*:*:*:*:*:*:*:*
+  metadata:
+    verified: true
+    max-request: 1
+    vendor: pulsesecure
+    product: pulse_connect_secure
+    shodan-query: http.html:"Pulse Connect Secure" || http.html:"Ivanti Connect Secure"
+  tags: cve,cve2020,pulsesecure,ivanti,vpn,fileupload,rce,kev,vkev,vuln
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}/dana-na/auth/url_default/welcome.cgi"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "Pulse Connect Secure"
+          - "Ivanti Connect Secure"
+        condition: or
+
+      - type: regex
+        part: body
+        regex:
+          - '(?i)(?:Pulse|Ivanti) Connect Secure\s+(?:8\.\d+[Rr]\d+|9\.0[Rr]\d+|9\.1[Rr][0-8](?:\.\d+)?)\b'
+
+      - type: status
+        status:
+          - 200
+
+    extractors:
+      - type: regex
+        name: version
+        part: body
+        group: 0
+        regex:
+          - '(?:Pulse|Ivanti) Connect Secure\s+\d+\.\d+[Rr]\d+[\.\d]*'