Improve detection for existing CVE checks #14
Open
UncleJ4ck wants to merge 1 commit into
Second focused split from #12, this one covering the "improve the check of some vulns" point. Each of these is an existing module whose detection was version-only or prone to a false positive; this swaps in a behavioral differential (timing delta, real side effect, or a negative control) so `--check` reflects the actual state of the target.

- CVE-2022-31061: differential-timing confirmation of the login LDAP-auth SQL injection.
- CVE-2022-35914: actually runs a shell command via `hhook=exec` and matches an echoed token (unauth RCE), instead of inferring.
- CVE-2023-41323: unauthenticated username enumeration via a `name[0]=LIKE` differential.
- CVE-2024-27937: confirms the dropdown IDOR by leaking a bcrypt hash with `displaywith=password`.
- CVE-2024-37149: confirms the plugin-directory traversal is accepted (loader RCE reachable).
- CVE-2024-50339: recovers `instance_uuid` unauth and reads a dashboard card with a forged embed token.
- CVE-2025-24799: differential-timing confirmation of the inventory `deviceid` SQL injection.
- CVE-2025-32786: unauthenticated time-based SQLi via `setStatus` `machineid`.

All use `self.get`/`self.post` and keep the existing `@author`. Checks were exercised against live 10.0.x vulnerable/patched pairs.