
Nuclei Templates Monthly - July 2023 Edition


Summary of Releases v9.5.5, v9.5.6, v9.5.7, v9.5.8, and v9.6.0

This month, we've released multiple versions of Nuclei Templates that bring numerous enhancements to Nuclei users.

Here are some highlighted stats from the combined releases:

🎉 255 new Templates added
🚀 15 first-time contributions
🔥 82 new CVEs added

Introduction

Welcome to the July 2023 edition of the Nuclei Templates Monthly Release. This has been an exciting month, with a number of high-profile CVEs such as Adobe ColdFusion Pre-Auth Remote Code Execution, Ivanti EPMM Authentication Bypass, and Metabase Pre-Auth RCE.

The CVEs added in this release have made headlines in cybersecurity. The Adobe ColdFusion vulnerabilities, particularly, have been a hot topic due to their potential for pre-authentication remote code execution and access control bypass. Similarly, the vulnerabilities in Ivanti EPMM, Metabase, and CasaOS have raised concerns due to their potential for authentication bypass.

New Templates Added

We are excited to announce the addition of 255 new templates to the Nuclei Templates project. These templates cover a wide range of security checks, from trending vulnerabilities to C2 server detection, empowering you to identify potential vulnerabilities efficiently. The contributions from our dedicated community have been immeasurably valuable in expanding the breadth of Nuclei's capabilities, and we extend our gratitude to all those involved.

New CVEs Added

This release incorporates 82 🔥 new CVEs, ensuring you remain current with the latest security vulnerabilities. By including these CVEs in the Nuclei Templates, we aim to provide you with the necessary tools to detect and mitigate potential risks proactively.

Highlighted CVE Templates

Here are some notable CVEs included in this release:

CVE-2023-35078: Ivanti EPMM - Authentication Bypass
Description: Ivanti EPMM is vulnerable to an authentication bypass, allowing an attacker to bypass the authentication mechanism entirely.
Template: GitHub Link
Author: @parthmalhotra, @ehsandeep


CVE-2023-38646: Metabase PreAuth RCE
Description: Metabase is vulnerable to a pre-authentication remote code execution (RCE). This vulnerability allows an attacker to execute arbitrary code without requiring authentication.
Template: GitHub Link
Author: @iamnoooob, @rootxharsh


CVE-2023-37265, CVE-2023-37266: CasaOS Authentication Bypass
Description: CasaOS is vulnerable to an authentication bypass allowing attackers access without first having to authenticate themselves.
Template: GitHub Link, GitHub Link
Author: @DhiyaneshDk


CVE-2023-35885: Cloudpanel 2 - Remote Code Execution
Description: Cloudpanel 2 is vulnerable to remote code execution allowing an attacker to execute arbitrary code.
Template: GitHub Link
Author: @DhiyaneshDk


CVE-2023-29300: Adobe ColdFusion - Pre-Auth Remote Code Execution
Description: Adobe ColdFusion versions 2018u16 (and earlier), 2021u6 (and earlier) and 2023.0.0.330468 (and earlier) are affected by a deserialization of untrusted data vulnerability that could result in Arbitrary code execution. Exploitation of this issue does not require user interaction.
Template: GitHub Link
Author: @iamnoooob, @rootxharsh


CVE-2023-29298: Adobe ColdFusion - Access Control Bypass
Description: An attacker is able to access every CFM and CFC endpoint within the ColdFusion Administrator path /CFIDE/, exposing 437 CFM files and 96 CFC files in a ColdFusion 2021 Update 6 install.
Template: GitHub Link
Author: @iamnoooob, @rootxharsh


CVE-2023-2982: Miniorange Social Login and Register <= 7.6.3 - Authentication Bypass
Description: The WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn) plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 7.6.4. This is due to insufficient encryption on the user being supplied during a login validated through the plugin. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they know the email address associated with that user. This was partially patched in version 7.6.4 and fully patched in version 7.6.5.
Template: GitHub Link
Author: @ritikchaddha


CVE-2023-24489: Citrix ShareFile StorageZones Controller - Unauthenticated Remote Code Execution
Description: A vulnerability has been discovered in the customer-managed ShareFile storage zones controller which, if exploited, could allow an unauthenticated attacker to remotely compromise the customer-managed ShareFile storage zones controller.
Template: GitHub Link
Author: @DhiyaneshDk, @dwisiswant0


CVE-2022-40127: AirFlow < 2.4.0 - Remote Code Execution
Description: A vulnerability in the Example DAGs of Apache Airflow allows an attacker with UI access who can trigger DAGs to execute arbitrary commands via a manually provided run_id parameter. This issue affects Apache Airflow versions prior to 2.4.0.
Template: GitHub Link
Author: @DhiyaneshDk


CVE-2023-36934: MOVEit Transfer - SQL Injection
Description: MOVEit Transfer is vulnerable to SQL Injection. This vulnerability allows an attacker to manipulate SQL queries.
Template: GitHub Link
Author: @iamnoooob, @rootxharsh


CVE-2023-28121: WooCommerce Payments - Unauthorized Admin Access
Description: WooCommerce Payments is vulnerable to unauthorized admin access. This vulnerability allows an attacker to gain unauthorized access to the admin panel.
Template: GitHub Link
Author: @DhiyaneshDk


CVE-2023-0297: PyLoad 0.5.0 - Pre-auth Remote Code Execution (RCE)
Description: PyLoad 0.5.0 is vulnerable to a pre-authentication remote code execution (RCE). This vulnerability allows an attacker to execute arbitrary code without requiring authentication.
Template: GitHub Link
Author: @MrHarshvardhan, @DhiyaneshDk


CVE-2023-3460: The Ultimate Member WordPress plugin - Unauthorized Admin Access
Description: The Ultimate Member WordPress plugin before 2.6.7 does not prevent visitors from creating user accounts with arbitrary capabilities, effectively allowing attackers to create administrator accounts at will. This is actively being exploited in the wild.
Template: GitHub Link
Author: @DhiyaneshDk


Bug Fixes and Enhancements

This release includes several bug fixes and enhancements that improve the overall quality of Nuclei Templates. The following contributions from our community members have been instrumental in making these improvements:

  • Updated CVE templates with the following information in #7670:
    - Added CPE under the classification
    - Added EPSS score under the classification
    - Added vendor and product name under metadata
    - Added tags and references
  • Fixed 15+ templates that produced false positive or false negative results
  • Strengthened the weak matchers in 12 XSS templates in #7756
  • Removed the hardcoded nuclei string from the templates in #6573
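To make the two kinds of change concrete, the following is an added illustration written for this page, not a template from the nuclei-templates repository. It shows an info block carrying the classification and metadata fields the #7670 update added (field names follow the Nuclei template format as we understand it: classification.epss-score, classification.cpe, metadata.vendor and metadata.product), and an XSS request whose single weak word matcher is replaced with an AND-combined body, content-type and status check of the kind #7756 introduced. The CVE id, CPE, EPSS value, reference URL, author, product and marker string are all constructed placeholders.

```yaml
# Added illustration, not a template from nuclei-templates.
# Field names follow the Nuclei template format as understood by the editor;
# every identifier and value below is a constructed placeholder.
id: CVE-0000-00000-example-reflected-xss   # placeholder id, not a real CVE

info:
  name: Example Product - Reflected Cross-Site Scripting
  author: placeholder-author
  severity: medium
  description: |
    Constructed example: the search parameter is reflected unescaped into
    the HTML response of Example Product.
  reference:
    - https://example.invalid/advisory          # placeholder reference
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-0000-00000                      # placeholder
    cwe-id: CWE-79
    epss-score: 0.00100                         # placeholder EPSS value
    cpe: cpe:2.3:a:example_vendor:example_product:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: example_vendor
    product: example_product
  tags: cve,xss,example_vendor,example_product

http:
  - method: GET
    path:
      # Constructed marker wrapped in <u> tags so that entity-encoded
      # output (&lt;u&gt;) does not satisfy the body matcher below.
      - "{{BaseURL}}/search?q=%3Cu%3EnucleiXssMarker%3C%2Fu%3E"

    # Weak form being replaced: fires on any response that echoes the input,
    # including JSON APIs and correctly HTML-escaped pages (false positives),
    # and says nothing about whether the page is rendered as HTML:
    #   matchers:
    #     - type: word
    #       words:
    #         - "nucleiXssMarker"
    #
    # Strengthened form: all three conditions must hold.
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "<u>nucleiXssMarker</u>"   # markup reflected unescaped, not entity-encoded

      - type: word
        part: header
        words:
          - "text/html"                # response is rendered as HTML, not JSON or plain text

      - type: status
        status:
          - 200
```

The body matcher asserts on the surrounding tags rather than the bare marker, so an application that escapes the input does not match, and the header matcher rules out API endpoints that echo parameters inside a JSON document where the browser would never render them. Those two checks are what turn a reflection detector into a reflected-XSS detector.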

Community Spotlight

We express our sincere appreciation to the community members, including our first-time contributors, for their contributions to the Nuclei Templates project.

News, Upcoming Features & Roadmap

We're thrilled to share some exciting news! The ProjectDiscovery team will be present at DEF CON, and we're counting down the days to Discovery. We can't wait to meet and connect with our valued community members in person!

To stay updated on all the details about the event, check out the website here: Countdown to Discovery - DEF CON

We look forward to engaging with you and making the most out of this fantastic opportunity to strengthen our bond with the community. See you at DEF CON!

You can join the Nuclei Templates community on Discord, where you can actively participate, collaborate, and share valuable insights. Feel free to join the Discord server if you have any questions or suggestions for further improving Nuclei Templates.