Vulnerability Research List

Stella Sebastian
Posted by Stella Sebastian April 21, 2022

superior_hosting_service

Vulnerability

Vulnerability Research OA/Middleware/Framework (Index). Open source products, foreign application software

Program List

Apache Airflow

Apache APISIX

Apache Axis

Apache Cocoon

Apache Druid

Apache Dubbo

Apache Flink

Apache Log4j

Apache HTTP Server

Apache JMeter

Apache JSPWiki

Apache OFBiz

Apache ShenYu

Apache Shiro

Apache SkyWalking

  • CVE-2021-44228 Apache SkyWalking RCE via Log4shell
  • CVE-2020-9483 Apache Skywalking SQL注入
  • CVE-2020-13921 Apache Skywalking SQL注入

Apache Solr

  • CVE-2021-44228 Apache Solr RCE via Log4shell

Apache Storm

  • CVE-2021-38294 Apache Storm 反序列化
  • CVE-2021-40865 Apache Storm 命令注入

Apache Struts2

  • CVE-2021-44228 Apache Struts2 RCE via Log4Shell

Atlassian Confluence

  • CVE-2019-3394 Atlassian Confluence 文件读取
  • CVE-2019-3395 Atlassian Confluence SSRF
  • CVE-2019-3396 Atlassian Confluence 路径穿越/代码执行
  • CVE-2020-4027 Atlassian Confluence SSTI
  • CVE-2021-26084 Atlassian Confluence OGNL注入
  • CVE-2021-26085 Atlassian Confluence 文件读取

Atlassian Crowd

  • CVE-2019-11580 Atlassian Crowd RCE

Atlassian Jira

  • CVE-2017-9506 Jira URL跳转
  • CVE-2019-8451 Jira SSRF
  • CVE-2019-8442 Jira 未授权/信息泄露
  • CVE-2019-3402 Jira XSS
  • CVE-2019-8444 Jira XSS
  • CVE-2019-11581 Jira SSTI
  • CVE-2020-29453 Jira 文件读取
  • CVE-2020-14181 Jira 用户名枚举
  • CVE-2021-26086 Jira 文件读取
  • CVE-2021-39115 Jira SSTI

Citrix

  • CVE-2020-8209 Citrix XenMobile 目录遍历/文件读取
  • CVE-2021-44228 Citrix XenMobile RCE via Log4shell

Cisco

  • CVE-2020-3452 Cisco ASAFTD 任意文件读取

Django

Docker

ECShop

  • CVE-20xx-xxxxx ECShop v2.x/3.x 远程代码执行
  • CVE-20xx-xxxxx ECShop v3.0 SQL注入-flow.php
  • CVE-20xx-xxxxx ECShop v2.6.1 SQL注入-uc.php
  • CVE-20xx-xxxxx ECShop v4.1.0 SQL注入-/ecshop/delete_cart_goods.php
  • CVE-2021-43679 ECShop v2.7.3 SQL注入

Exchange

  • CVE-2021-26855 + CVE-2021-27065 ProxyLogon
  • CVE-2021-31195 + CVE-2021-31196 ProxyOracle
  • CVE-2021-34473 + CVE-2021-34523 + CVE-2021-31207 ProxyShell
  • CVE-2021-41349 Exchange XSS

F5 BIG-IP

Gitlab

  • CVE-2021-22214 Gitlab CI Lint API SSRF
  • CVE-2021-22205 Gitlab RCE

Grafana

  • CVE-2021-xxxx Grafana 文件读取-/public/plugins/grafana-clock-panel/

Harbor

  • CVE-2019-16097 任意管理员注册

H2Database

  • CVE-2021-42392 H2 Database Console JNDI Injection

Lanproxy

  • CVE-2020-3019 Lanproxy 目录遍历/文件读取

Laravel

Linux

  • CVE-2021-3156 Linux 本地提权
  • CVE-2021-4034 Linux 本地提权

Moodle

  • CVE-2022-0332 Moodle SQL injection

Metabase

  • CVE-2021-41277 Metabase文件读取

MeterSphere

  • CVE-2021-45789 MeterSphere Post-auth 文件读取
  • CVE-2021-45790 MeterSphere Pre-auth 文件上传
  • CVE-2021-xxxxx MeterSphere Plugin Pre-auth RCE

Jboss

  • CVE-2006-5750
  • CVE-2007-1036
  • CVE-2010-0738
  • CVE-2010-1871 JBoss Seam Framework远程代码执行
  • CVE-2015-7501 JBoss JMXInvokerServlet 反序列化
  • CVE-2013-4810
  • CVE-2017-7504 JBoss 4.x JBossMQ JMS 反序列化
  • CVE-2017-12149 JBOSS AS 5.x/6.x 反序列化

Jellyfin

Jetty

  • CVE-2021-28169 Jetty URI路径限制绕过
  • CVE-2021-28164 Jetty URI路径限制绕过

Spring

  • CVE-xxxx-xxxx SpringBoot Actuator 未授权访问
  • CVE-2018-1271 Spring MVC Directory Traversal
  • CVE-2019-3799 Spring Cloud Config Server Directory Traversal/文件读取
  • CVE-2020-5405 Spring Cloud Config Server Directory Traversal
  • CVE-2020-5410 Spring Cloud Config Directory Traversal
  • CVE-2020-5412 Spring Cloud Netflix Hystrix Dashboard SSRF
  • CVE-2021-21234 Spring Boot Actuator Logview Directory Traversal
  • CVE-2010-1622 Spring Framework RCE

Tomcat

  • CVE-2020-9484 Tomcat RCE via Session Persistence
  • CVE-2022-23181 Tomcat 权限提升(TOCTOU)

Typecho

  • CVE-xxxx-xxxxx Typecho v1.0 SSRF
  • CVE-2018-18753 Typecho v1.1 反序列化

ThinkPHP 3.x

  • ThinkPHP3.2.x 文件包含->RCE

Thinkadmin

  • CVE-2020-25540 目录遍历/文件读取
  • CNVD-2020-33163

VMware

  • CVE-2021-44228 VMware Product RCE via Log4Shell
  • CVE-2021-22017 VMware vCenter rhttpproxy Bypass
  • CVE-2021-22005 VMware vCenter 文件上传
  • CVE-2021-21985 VMware vCenter 远程代码执行
  • CVE-2021-21972 VMware vCenter 远程命令执行
  • CVE-2021-21973 VMware vCenter SSRF – /sdk
  • CVE-2021-21975 VMware vRealize Operations Manager SSRF
  • CVE-2021-22056 VMware Workspace ONE Access SSRF
  • CVE-2020-4006 VMware Workspace ONE Access 命令注入(post-auth)-/cfg/ssl/installSelfSignedCertificate
  • CVE-2021-21978 VMware View Planner 远程代码执行
  • CVE-2021-00000 VMware vCenter 文件读取 – /eam/vib?id=
  • CVE-2021-00000 VMware vCenter SSRF/文件读取 – /ui/vcav-bootstrap/rest/vcav-providers/provider-logo?url=

Weblogic

Application List

Billion Mail

  • Billion Mail Remote Command Execution (CNVD-2021-26422)-/webadm/?q=moni_detail.do&action=gragh

Fan Ruan

  • FanRuan Report 2012 Information Leakage 2021-05
  • FanRuan report SSRF/file reading 2021-05
  • FanRuan report v8 file reading (CNVD-2018-04757)2021-05
  • FanRuan report v8 directory traversal2021-08
  • FanRuan report v9 file upload (CNVD-2021-34467)2021-05

New H3C

  • H3C IMC dynamiccontent.properties.xhtm remote command execution2021-05
  • H3C Next Generation Firewall Arbitrary File Read2021-05
  • H3C SecPath operation and maintenance audit system login by any user2021-05

Kingdee

  • Kingdee EAS server_file directory traversal

Kingsoft Terminal Security System

  • Kingsoft Terminal Security Management System v8 file upload-upload.php
  • Kingsoft Terminal Security Management System v8 file read-downfile.php
  • Kingsoft Terminal Security Management System v8 command execution-pdf_maker.php

Gold and OA

  • Gold and OA C6 administrator default passwords
  • Jinhe OA C6 download.asp file download

Lanling OA

  • Bluelink OA EKP background SQL injection (CNVD-2021-01363)
  • Bluelink OA SSRF/File Read-custom.jsp
  • Lanling OA SSRF+XMLDecoder=RCE
  • Lanling OA SSRF+JNDI=RCE
  • Bluelink OA SQL Injection (CNVD-2020-62240)-/admin/list/list.aspx

Pan micro OA

  • Panwei e-mobile expression injection (CNVD-2017-03561)-login.do
  • Fanwei OA file download (CNVD-2019-29900)
  • Panwei OA file reading (CNVD-2019-29902)
  • Panwei OA remote command execution (CNVD-2019-32204)
  • Panwei OA SQL Injection (CNVD-2019-34241)-WorkflowCenterTreeData.jsp
  • Panwei OA SQL Injection (CNVD-2019-40989)-SyncUserInfo.jsp
  • Panwei OA SQL Injection (CNVD-2019-40989)-WorkflowCenterTreeData.jsp
  • Panwei OA SQL Injection (CNVD-2019-41610)-validate.jsp
  • Panwei e-bridge directory traversal/file reading (CNVD-2020-59520)
  • Panwei OA Information Disclosure-DBconfigReader.jsp
  • Panwei OA Information Disclosure-gethrmkq.jsp
  • Pan Micro OA SSRF
  • Fanwei Eoffice information disclosure – mysql_config.ini
  • Panwei OA SQL injection-/js/hrm/getdata.jsp
  • Panwei e-mobile6.6 RCE
  • Fanwei OA file upload-sysinterface/codeEdit.jsp
  • Fanwei OA V9 file upload-uploadOperation.jsp
  • Panwei OA XStream deserialization
  • Fanwei OA file upload – cloudstore
  • Fanwei OA v8 file download
  • Fanwei OA file upload – KtreeUploadAction
  • Fanwei OA file upload – ExcelUploadServlet
  • Panwei Eoffice v10 SQL Injection-leave_record.php
  • Fanwei Eoffice v9 file upload (CNVD-2021-49104)-UploadFile.php
  • Panwei OA SQL injection-/Api/portal/elementEcodeAddon/getSqlData

However, collaborative OA

  • However, the synergy system v4.6.1 SQL injection
  • However, the collaborative system v4.6.1 SQL injection -> file deletion
  • However, the collaborative system v4.6.1 SQL injection -> file download
  • However, the collaborative system v4.6.1 SQL injection – file deletion -> RCE
  • Ranzhi Collaboration System v4.6.1 Noise Chat System RCE

Zhiyuan OA

  • Zhiyuan OA Session leaked-/yyoa/ext/https/getSessionList.jsp
  • Zhiyuan OA Fanruan report component XXE
  • Zhiyuan OA FanRuan report v8.0 background file upload
  • Zhiyuan OA A6 Information Disclosure-createMysql
  • Zhiyuan OA A6 Information Disclosure-DownExcelBeanServlet
  • Zhiyuan OA A6 Information Disclosure-initDataAssess
  • Zhiyuan OA A6 SQL Injection-setextno.jsp
  • Zhiyuan OA A6 SQL Injection-test.jsp
  • Zhiyuan OA A6 SQL Injection-search_result.jsp
  • Zhiyuan OA A6 file download-webmail.do
  • Zhiyuan OA A8 user password modification
  • Zhiyuan OA A8 Username & Password Enumeration-/seeyon/getAjaxDataServlet
  • Zhiyuan OA A8 file read-/seeyon/management/status.jsp
  • Zhiyuan OA A8 Remote Code Execution-htmlofficeservlet
  • Zhiyuan OA unauthorized access + file upload – ajax.do
  • Zhiyuan OA Cookie Leak + File Upload
  • Zhiyuan OA Fastjson deserialization

Wanhu OA

  • Wanhu OA file upload-/defaultroot/upload/fileUpload.controller
  • Wanhu OA file upload-/defaultroot/officeserverservlet

call OA

  • Call OA v2.1.7 background SQL injection-typeid
  • Call OA v2.2.8 Background file operation -> RCE
  • Call OA v2.2.8 background SQL injection -> RCE
  • Call OA v2.3.0 background configuration file -> RCE

Jiusi OA

  • Jiusi OA file read-/GetRawFile

Master OA

  • Tongda OA v11.9 front-end SQL injection-get_datas.php
  • Mastery OA file deletion + file upload = RCE
  • Mastery OA file upload + file inclusion = RCE
  • Tongda OA <vv11.5 version any user login
  • Tongda OA v11.2 background RCE
  • Master OA v11.7 background SQL injection
  • Mastery OA v11.7 RCE
  • Master OA v11.8 background low-privilege Getshell

Qizhi fortress machine

  • Any user of Qizhi Fortress can log in

Ruijie

  • Ruijie EWEB network management system command injection-/guest_auth/guestIsUp.php
  • Ruijie unified online behavior management audit system information leakage (CNVD-2021-14536)
  • Ruijie EG Easy Gateway Remote Command Execution-branch_passw.php
  • Ruijie EG Easy Gateway Remote Command Execution-cli.php
  • Ruijie EG Easy Gateway Background Arbitrary File Read-download.php

Zoe

  • RuoYi background template injection
  • RuoYi <= v4.6.2 (backend) deserialization-snakeyaml
  • RuoYi <= v4.6.1 (backend) SQL injection – /system/role/list
  • RuoYi <= v4.5.0 (background) file download-/common/download/resource
  • RuoYi <= v4.4.0 Shiro Permission Authentication Bypass
  • RuoYi <= v4.3.0 Shiro deserialization
  • RuoYi <= v4.3.0 Shiro Permission Authentication Bypass
  • RuoYi <= v3.2.0 SQL Injection

Tianqing

  • 360 Tianqing SQL Injection
  • 360 Tianqing information leak

UF

  • UF Human Resource Management Software (e-HR) XXE
  • UF NC v5.7 XSS
  • UF ERP-NC file read-hrss/ELTextFile.load.d
  • UF NC file contains – NCFindWeb
  • UF NC XSS
  • UF TurboCRM file read-/ajax/getemaildata.php
  • UF UA-PWS XXE
  • UF FE SQL injection – addUser.jsp
  • UF FE SQL injection-codeMoreWidget.jsp
  • UF ICC file download-getfile.jsp
  • UF ICC XSS
  • UF NC-IUFO system XSS
  • UF TruboCRM SQL Injection – /background/
  • UF TruboCRM SQL Injection -/login/forgetpswd.php
  • UF GRP-U8 SQL Injection (CNVD-2020-49261)
  • UF NC bsh.servlet.BshServlet remote command execution
  • UF GRP-U8 SQL Injection
  • UF NCCloud-FS SQL injection
  • UF U8 OA test.jsp SQL injection
  • UF NC v6.5 file upload-FileReceiveServlet

convinced

  • Sangfor SSL VPN url command injection (CNVD-2020-57240)
  • Sangfor EDR terminal detection and response platform for any user to log in
  • Sangfor EDR Terminal Detection and Response Platform RCE

Billionaire

  • CNVD-2021-26058 Yisaitong Electronic Document Security Management System (CDG) RCE

Coremail

  • CNVD-2019-16798 Coremail Information Disclosure
  • Coremail any user password modification

D-Link

  • CVE-2020-25078 D-Link DCS-2530L Information Disclosure
  • CVE-2018-6530 D-Link Remote Command Execution
  • CVE-2019-7297 D-Link DIR-823G Command Injection
  • CVE-2019-7298 D-Link DIR-823G Command Injection
  • CVE-2019-13128 D-Link DIR-823G Command Injection
  • CVE-2019-15529 D-Link DIR-823G Command Injection
  • CVE-2019-17621 D-Link DIR-859 Remote Code Execution
  • CNVD-2018-01084 D-Link DIR-615/645/815 Command Injection
  • CVE-2018-17063 D-Link DIR-816 A2 Command Injection
  • CVE-2020-24581 D-link DSL-2888A Remote Code Execution

JEECMS

  • JEECMS file upload + SSTI = RCE
  • JEECMS v9.3 SSRF
  • JEECMS v9.3 file upload + SSTI = file read
  • JEECMS v9.3 deserialization (Shiro)

The Research List is a github repository by pen4uin

Source from
CVE-2022-29464

Tags: