Author Topic: Rules Updates: Changelog (Read 110329 times)

Cwaf_Team · « **Reply #120 on:** August 29, 2017, 11:29:31 AM »

2017.08.29
Rules for: Apache, LiteSpeed, Nginx, IIS
Version 1.136

- XSS vulnerability in Etoile Ultimate Product Catalog plugin 4.2.11 for WordPress (CVE-2017-12200)
- CSRF vulnerability in Clean Login plugin before 1.8 for WordPress (CVE-2017-8875)
- Possible arbitrary code execution in Cacti before 1.1.16 (CVE-2017-12065)
- CSRF vulnerability in the BigTree CMS through 4.2.18 (CVE-2017-9379)
- XSS vulnerability in XOOPS Core 2.5.8 (CVE-2017-12139)
- SQL injection vulnerability in Fiyo CMS 2.0.7 (CVE-2017-11412)
- CSRF vulnerability in the BigTree CMS through 4.2.17 (CVE-2017-7881)
- bl_domains update

Cwaf_Team · « **Reply #121 on:** September 05, 2017, 11:14:41 AM »

2017.09.05
Rules for: Apache, LiteSpeed, Nginx, IIS
Version 1.137

- XSS vulnerability in Etoile Ultimate Product Catalog plugin 4.2.11 for WordPress (CVE-2017-12200)
- XSS vulnerability in Easy Testimonials plugin 3.0.4 for WordPress (CVE-2017-12131)
- CSRF vulnerability in WHIZZ plugin before 1.1.1 for WordPress (CVE-2017-8099)
- SQL injection vulnerability in the Podlove Podcast Publisher plugin 2.5.3 for WordPress (CVE-2017-12949)
- SQL injection vulnerability in Easy Modal plugin before 2.1.0 for WordPress (CVE-2017-12946,CVE-2017-12947)
- SQL injection vulnerability in Web-Dorado Photo Gallery by WD - Responsive Photo Gallery plugin before 1.3.51 for WordPress (CVE-2017-12977)
- XSS vulnerability in Cacti 1.1.17 (CVE-2017-12927)
- SQL injection vulnerability in Fiyo CMS 2.0.7 (CVE-2017-11417)
- bl_domains update

Cwaf_Team · « **Reply #122 on:** September 20, 2017, 11:52:16 AM »

2017.09.20
Rules for: Apache, LiteSpeed, Nginx, IIS
Version 1.138

- XSS vulnerability in Participants Database plugin before 1.7.5.10 for WordPress (CVE-2017-14126)
- XSS vulnerability in the Photocrati NextGEN Gallery plugin 2.1.15 for WordPress (CVE-2015-9229)
- Unrestricted file upload vulnerability in the Photocrati NextGEN Gallery plugin 2.1.10 for WordPress (CVE-2015-9228)
- SQLi vulnerability in Photocrati image-gallery-with-slideshow v1.5.2 plugin for WordPress (CVE-2017-1002012)
- SQL injection vulnerability in Dolibarr ERP/CRM version 6.0.0 (CVE-2017-14242)
- SQL injection vulnerability in Dolibarr ERP/CRM version 6.0.0 (CVE-2017-14238)
- bl_domains update

Cwaf_Team · « **Reply #123 on:** September 26, 2017, 11:33:26 AM »

2017.09.26
Rules for: Apache, LiteSpeed, Nginx, IIS
Version 1.139

- SQLi vulnerability in Photocrati image-gallery-with-slideshow v1.5.2 plugin for WordPress (CVE-2017-1002013)
- SQLi vulnerability in Photocrati image-gallery-with-slideshow v1.5.2 plugin for WordPress (CVE-2017-1002015)
- CSRF & XSS vulnerability in Crony Cronjob Manager plugin before 0.4.7 for WordPress (CVE-2017-14530)
- SQL injection vulnerability in the eventr v1.02.2 for WordPress (CVE-2017-1002019,CVE-2017-1002018)
- SQL injection vulnerability in the image-gallery-with-slideshow v1.5.2 for WordPress (CVE-2017-1002014)
- SQL injection vulnerability in the Easy Team Manager v1.3.2 for WordPress (CVE-2017-1002023)
- XSS vulnerabilities in the XCloner plugin 3.1.2 for WordPress (CVE-2015-4337)
- bl_domains update

Cwaf_Team · « **Reply #124 on:** October 03, 2017, 11:54:11 AM »

2017.10.03
Rules for: Apache, LiteSpeed, Nginx, IIS
Version 1.140

- Emergency DDoS bot protection
- XSS vulnerability in Anti-Malware Security and Brute-Force Firewall v. 4.17.29 for WordPress
- XSS vulnerability in WooCommerce PDF Invoices & Packing Slips 2.0.9 for WordPress
- XSS vulnerability in Photocrati image-gallery-with-slideshow v1.5.2 plugin for WordPress (CVE-2017-1002011)
- XSS vulnerability in Crelly Slider v1.2.2 for WordPress
- XSS vulnerability in Booking Calendar for WordPress
- XSS vulnerability in Google Pagespeed Insights plugin v3.0.0 for WordPress
- bl_domains update

vadim · « **Reply #125 on:** October 05, 2017, 04:57:13 PM »

2017.10.05
Rules for: Apache, LiteSpeed, Nginx, IIS
Version 1.141

Emergency disabled rules from 1.140 which caused the performance issue.

TDmitry · « **Reply #126 on:** October 06, 2017, 04:22:15 PM »

2017.10.06
Rules for: Apache, LiteSpeed, Nginx, IIS
Version 1.142

- Removed rules which were added in 1.140
- bl_domain update

Cwaf_Team · « **Reply #127 on:** October 11, 2017, 11:47:59 AM »

2017.10.11
Rules for: Apache, LiteSpeed, Nginx, IIS
Version 1.143

- SQLi vulnerability in Content Timeline plugin 4.4.2 for WordPress (CVE-2017-14507)
- XSS vulnerability in 2kb Amazon Affiliates Store plugin before 2.1.1 for WordPress (CVE-2017-14622)
- SQL injection vulnerability in the event-espresso-free v3.1.37.12.L for WordPress (CVE-2017-14760)
- SQL injection vulnerability in Event Expresso Free v3.1.37.11.L plugin for WordPress (CVE-2017-1002026)
- SQL injection vulnerability in Responsive Image Gallery plugin before 1.2.1 for WordPress (CVE-2017-14125)
- SQL injection vulnerability in OpenText Document Sciences xPression (formerly EMC Document Sciences xPression) v4.5SP1 Patch 13 (CVE-2017-14757)
- SQL injection vulnerability in OpenText Document Sciences xPression (formerly EMC Document Sciences xPression) v4.5SP1 Patch 13 (CVE-2017-14758)
- XSS vulnerability in OpenText Document Sciences xPression (formerly EMC Document Sciences xPression) v4.5SP1 Patch 13 (CVE-2017-14755)
- bl_domains update

Cwaf_Team · « **Reply #128 on:** November 02, 2017, 12:01:03 PM »

2017.11.02
Rules for: Apache, LiteSpeed, Nginx, IIS
Version 1.144

- SQL injection vulnerability in WPHRM Human Resource Management System for WordPress 1.0 (CVE-2017-14848)
- XSS vulnerability in gift-certificate-creator v1.0 plugin for WordPress (CVE-2017-1002017)
- SQL injection vulnerability in wordpress plugin add-edit-delete-listing-for-member-module v1.0 (CVE-2017-1002025)
- SQL injection vulnerability in Mojoomla WPAMS Apartment Management System for WordPress (CVE-2017-14847)
- SQL injection vulnerability in the Mojoomla WPCHURCH Church Management System for WordPress (CVE-2017-14845)
- SQL injection vulnerability in the rk-responsive-contact-form v1.0 for WordPress (CVE-2017-1002027)
- Multiple XSS vulnerabilities in WpJobBoard v4.5.1 web-application for WordPress (CVE-2017-15375)
- SQL injection vulnerability in Mojoomla Hospital Management System for WordPress (CVE-2017-14846)
- XSS vulnerability in Flyspray before 1.0-rc6 (CVE-2017-15213)
- CSRF vulnerability in Subrion CMS before 4.2.0 (CVE-2017-15063)
- CSRF vulnerability in Subrion CMS 4.0.5 (CVE-2017-6068)
- XSS vulnerability in GeniXCMS 1.1.4 (CVE-2017-14761)
- SQL injection vulnerability in PHPSUGAR PHP Melody before 2.7.3 (CVE-2017-15578)
- bl_domains update

Cwaf_Team · « **Reply #129 on:** November 09, 2017, 11:25:50 AM »

2017.11.09
Rules for: Apache, LiteSpeed, Nginx, IIS
Version 1.145

- SQL injection vulnerability in Zh YandexMap (aka com_zhyandexmap) component 6.1.1.0 for Joomla (CVE-2017-15966)
- XSS vulnerability in PopCash.Net Code Integration Tool plugin for WordPress (CVE-2017-15810)
- XSS vulnerability in wp-noexternallinks plugin before 3.5.19 for WordPress (CVE-2017-15863)
- XSS vulnerability in user-login-history plugin through 1.5.2 for WordPress (CVE-2017-15867)
- XSS vulnerability in the Pootle Button plugin before 1.2.0 for WordPress for WordPress (CVE-2017-15811)
- XSS vulnerability in GeniXCMS 1.1.4 (CVE-2017-14762 & CVE-2017-14765)
- SQL injection vulnerability in GLPI before 9.1.5.1 (CVE-2017-11474)
- SQL injection vulnerability in PHPSUGAR PHP Melody before 2.7.3 (CVE-2017-15579)
- XSS vulnerability in the OpenEMR v5_0_0 (CVE-2017-6482)
- XSS vulnerability in the E-Sic 1.0 (CVE-2017-15380)
- SQL injection vulnerability in the E-Sic 1.0 (CVE-2017-15373)
- XSS vulnerability in the BlackCat CMS 1.2 (CVE-2017-14049)
- Unrestricted file upload vulnerability in OctoberCMS 1.0.425 (aka Build 425) (CVE-2017-15284)
- bl_domains update

Cwaf_Team · « **Reply #130 on:** November 16, 2017, 12:20:31 PM »

2017.11.16
Rules for: Apache, LiteSpeed, Nginx, IIS
Version 1.146

- XSS vulnerability in the Ultimate Instagram Feed plugin before 1.3 for WordPress (CVE-2017-16758)
- XSS vulnerability in Mahara 15.04 before 15.04.15, 16.04 before 16.04.9, 16.10 before 16.10.6, and 17.04 before 17.04.4 (CVE-2017-15273)
- Directory traversal vulnerability in b2evolution through 6.8.3 (CVE-2017-5480)
- XSS vulnerability in Mahara 15.04 before 15.04.15, 16.04 before 16.04.9, 16.10 before 16.10.6, and 17.04 before 17.04.4 (CVE-2017-14752)
- XSS vulnerability in Mahara 1.10 before 1.10.0 and 15.04 before 15.04.0 (CVE-2017-1000138)
- XSS vulnerability in CMS Made Simple 2.2.3.1 (CVE-2017-16799)
- XSS vulnerability in the AffiliateWp plugin before 2.0.9 for WordPress
- FP fix
- bl_domains update

Cwaf_Team · « **Reply #131 on:** November 23, 2017, 11:59:29 AM »

2017.11.23
Rules for: Apache, LiteSpeed, Nginx, IIS
Version 1.147

- SQL injection vulnerability in Fiyo CMS 2.0.7 (CVE-2017-11413)
- XSS vulnerability in WBCE v1.1.11 (CVE-2017-1000213)
- XSS vulnerability in October CMS build 412 (CVE-2017-1000193)
- Unrestricted file upload vulnerability in Perch Content Management System 3.0.3 (CVE-2017-15948)
- CSRF vulnerability in YouTube plugin for WordPress (CVE-2017-1000224)
- Unrestricted file upload vulnerability in WP Support Plus Responsive Ticket System before 8.0.7 for WordPress
- Unauthenticated Directory traversal vulnerability in Javo Spot Premium Theme for WordPress
- bl_domains update

Cwaf_Team · « **Reply #132 on:** November 30, 2017, 08:06:06 AM »

2017.11.30
Rules for: Apache, LiteSpeed, Nginx, IIS
Version 1.148

- XSS vulnerability in SilverStripe CMS before 3.4.4 and 3.5.x before 3.5.2 (CVE-2017-5197)
- CSRF vulnerability in Serendipity through 2.0.5 (CVE-2017-5476)
- Directory traversal vulnerability in MetInfo 5.3.17 (CVE-2017-14513)
- XSS vulnerability in the Revive Adserver before 4.0.1 (CVE-2017-5832)
- XSS vulnerability in multiple BestWebSoft plugins for WordPress
- XSS vulnerability in the Ultimate Addons For Visual Composer before 3.16.11 for WordPress
- bl_domains update

Cwaf_Team · « **Reply #133 on:** December 07, 2017, 10:56:30 AM »

2017.12.07
Rules for: Apache, LiteSpeed, Nginx, IIS
Version 1.149

- XSS vulnerability in InLinks plugin through 1.1 for WordPress (CVE-2017-16955)
- SQL injection in ultimate-form-builder-lite plugin before 1.3.7 for WordPress (CVE-2017-15919)
- SQL injection vulnerability in the BigTree CMS through 4.2.19 (CVE-2017-16961)
- XSS vulnerability in Fiyo CMS 2.0.7 (CVE-2017-13778)
- SQL injection vulnerability in Piwigo 2.9.2 (CVE-2017-16893)
- Local file inclusion in Cacti 1.1.27 (CVE-2017-16661)
- Unrestricted file upload vulnerability in b2evolution 6.8.8 (CVE-2017-6902)
- bl_domains update

Cwaf_Team · « **Reply #134 on:** December 14, 2017, 11:32:18 AM »

2017.12.14
Rules for: Apache, LiteSpeed, Nginx, IIS
Version 1.150

- Directory traversal vulnerability in b2evolution through 6.8.3 and 6.8.4-stable (CVE-2017-5539)
- XSS & Directory traversal & Information-Disclosure vulnerability in WBCE v1.1.10 and earlier(CVE-2017-2118 & CVE-2017-2119)
- SQL injection vulnerability in the Serendipity 2.0.5 (CVE-2017-5609)
- XSS vulnerability in Dolibarr ERP/CRM 6.0.0 (CVE-2017-14241)
- XSS vulnerability in the OSNEXUS QuantaStor v4 virtual appliance before 4.3.1 (CVE-2017-9979)
- CSRF vulnerability in concrete5 8.1.0 (CVE-2017-8082)
- Captcha Bypass vulnerability in Allen Disk 1.6 (CVE-2017-9090)
- fp fix
- bl_domains update

Author Topic: Rules Updates: Changelog (Read 110329 times)

Cwaf_Team

Re: Rules Updates: Changelog

Cwaf_Team

Re: Rules Updates: Changelog

Cwaf_Team

Re: Rules Updates: Changelog

Cwaf_Team

Re: Rules Updates: Changelog

Cwaf_Team

Re: Rules Updates: Changelog

vadim

Re: Rules Updates: Changelog

TDmitry

Re: Rules Updates: Changelog

Cwaf_Team

Re: Rules Updates: Changelog

Cwaf_Team

Re: Rules Updates: Changelog

Cwaf_Team

Re: Rules Updates: Changelog

Cwaf_Team

Re: Rules Updates: Changelog

Cwaf_Team

Re: Rules Updates: Changelog

Cwaf_Team

Re: Rules Updates: Changelog

Cwaf_Team

Re: Rules Updates: Changelog

Cwaf_Team

Re: Rules Updates: Changelog