Rules Updates: Changelog

2015.11.12
Rules for: Apache, LiteSpeed, nginx
Version 1.53

  • CSRF vulnerability in Nibbleblog before 4.0.5 (CVE-2015-6966)
  • XSS vulnerabilities in Nibbleblog before 4.0.2 (CVE-2014-8996)
  • SQL injection vulnerability in LimeSurvey before 2.06+ Build 150618 (CVE-2015-4628)
  • SQL injection vulnerability in LimeSurvey 2.06+ (CVE-2015-5078)
  • False positive fixed
  • Several rules improved
  • bl_domains update

2015.11.24
Rules for: Apache, LiteSpeed, nginx, IIS
Version 1.54

  • SQL injection vulnerabilities in the J2Store (com_j2store) extension before 3.1.7 for Joomla! (CVE-2015-6513)
  • XSS vulnerability in the googleSearch (CSE) (com_googlesearch_cse) component 3.0.2 for Joomla! (CVE-2015-6919)
  • SQL Injection vulnerabilities in the CP Reservation Calendar plugin before 1.1.7 for WordPress (CVE-2015-7235)
  • SQL injection vulnerability in the All In One WP Security & Firewall plugin before 3.8.8 for WordPress (CVE-2015-0894)
  • CSRF vulnerability in the Banner Effect Header plugin 1.2.6 for WordPress (CVE-2015-0920)
  • SQL injection vulnerability in the Photo Gallery plugin 1.2.7 for WordPress (CVE-2015-1055)
  • XSS vulnerability in Nextend Facebook Connect plugin before 1.5.6 for WordPress (CVE-2015-4413)
  • XSS vulnerability in the NextGEN Gallery plugin before 1.5.2 for WordPress (CVE-2010-1186)
  • SQL Injection vulnerability in the wp-championship plugin 5.8 for WordPress (CVE-2015-5308)
  • XSS vulnerabilities in Welcart plugin before 1.4.18 for WordPress (CVE-2015-2973)
  • SQL injection vulnerability in the Cart66 Lite plugin before 1.5.4 for WordPress (CVE-2014-9442)
  • SQL Injection in FreiChat 9.6 (CVE-2015-6512)
  • Multiple XSS and SQL injection vulnerabilities in the admin panel in osCMax before 2.5.1 (CVE-2012-1664, CVE-2012-1665)
  • XSS vulnerability in Revive Adserver before 3.2.2 (CVE-2015-7365)
  • bl_domains update

2015.12.01
Rules for: Apache, LiteSpeed, nginx, IIS
Version 1.55

  • XSS vulnerability in WordPress before 4.1.2 (CVE-2015-3438)
  • CSRF & XSS vulnerability in the WP-ViperGB plugin before 1.3.11 for WordPress (CVE-2014-9460)
  • Multiple XSS vulnerabilities in the Rezgo Online Booking plugin before 1.8.2 for WordPress (CVE-2014-4547)
  • SQL Injection in FreiChat 9.6 (CVE-2015-6512)
  • SQL Injection vulnerability in cygnux.org sysPass 1.0.9 and earlier (CVE-2015-6516)
  • XSS and SQL Injection vulnerability in Piwigo before 2.7.4 (CVE-2015-2035)
  • bl_domains update

2015.12.08
Rules for: Apache, LiteSpeed, nginx, IIS
Version 1.56

  • phpMyAdmin false positive fixed
  • XML-RPC protection improved
  • bl_domains update

2015.12.15
Rules for: Apache, LiteSpeed, nginx, IIS
Version 1.57

  • Multiple XSS vulnerabilities in the Rezgo Online Booking plugin before 1.8.2 for WordPress (CVE-2014-4547)
  • CSRF & XSS vulnerability in the Timed Popup (wp-timed-popup) plugin 1.3 for WordPress (CVE-2014-9525)
  • CSRF & XSS vulnerability in the Sliding Social Icons plugin 1.61 for WordPress (CVE-2014-9437)
  • CSRF & XSS vulnerability in the Simple Sticky Footer plugin before 1.3.3 for WordPress (CVE-2014-9454)
  • CSRF & XSS vulnerability in the IP Ban (simple-ip-ban) plugin 1.2.3 for WordPress (CVE-2014-9413)
  • SQL injection vulnerability in the Cart66 Lite plugin before 1.5.2 for WordPress (CVE-2014-9305)
  • userdata_wl_content_type added
  • userdata_bl_extensions added
  • userdata_bl_headers added
  • Multiple SQLi false positives fixed
  • bl_domains update

2015.12.23
Rules for: Apache, LiteSpeed, nginx, IIS
Version 1.58

  • SQL injection vulnerability in the CP Multi View Event Calendar plugin 1.01 for WordPress (CVE-2014-8586)
  • XSS vulnerability in the Compfight plugin 1.4 for WordPress (CVE-2014-8622)
  • XSS vulnerability in the Custom Banners plugin 1.2.2.2 for WordPress (CVE-2014-4724)
  • XSS vulnerability in the Easy Banners plugin 1.4 for WordPress (CVE-2014-4723)
  • CSRF & XSS vulnerability in the CreativeMinds CM Downloads Manager plugin before 2.0.7 for WordPress (CVE-2014-9129)
  • Unrestricted file upload vulnerability in the WP EasyCart (aka WordPress Shopping Cart) plugin before 3.0.9 for WordPress (CVE-2014-9308)
  • XSS vulnerability in the Alipay plugin 3.6.0 and earlier for WordPress (CVE-2014-4514)
  • Multiple XSS vulnerabilities in the cforms plugin 11.5 for WordPress (CVE-2010-3977)
  • CSRF & XSS vulnerability in the Quick Page/Post Redirect plugin before 5.0.5 for WordPress (CVE-2014-2598)
  • XSS vulnerability in the Foliopress WYSIWYG plugin before 2.6.8.5 for WordPress (CVE-2014-1232)
  • CSRF & XSS vulnerability in the SimpleFlickr plugin 3.0.3 and earlier for WordPress (CVE-2014-9396)
  • XSS vulnerability in the Apptha WordPress Video Gallery (contus-video-gallery) plugin before 2.8 for WordPress (CVE-2015-2065)
  • XSS vulnerability in the Shareaholic plugin before 7.6.1.0 for WordPress (CVE-2014-9311)
  • CSRF & XSS vulnerability in the Twitget plugin before 3.3.3 for WordPress (CVE-2014-2559)
  • SQL Injection vulnerability in openSIS 4.5 through 5.3 (CVE-2014-8366)
  • PHP object injection leading to arbitrary code execution in Joomla! 1.5.x, 2.x, and 3.x before 3.4.6 (CVE-2015-8562)
  • bl_domains update

2015.12.29
Rules for: Apache, LiteSpeed, nginx, IIS
Version 1.59

  • XSS vulnerability in the BuddyPress plugin before 1.9.2 for WordPress (CVE-2014-1888)
  • Arbitrary Code Execution in the Cool Video Gallery plugin 1.9 for WordPress (CVE-2015-7527)
  • XSS vulnerability in the church_admin plugin before 0.810 for WordPress (CVE-2015-4127)
  • SQL injection vulnerability in the AdRotate plugin 3.6.6 and other versions before 3.6.8 for WordPress (CVE-2011-4671)
  • XSS vulnerability in zTree 3.5.19.1 and possibly earlier (CVE-2015-7348)
  • SQL injection vulnerability in Cacti 0.8.8f and earlier (CVE-2015-8369)
  • Unrestricted file upload vulnerability in the Panel component in Bastian Allgeier Kirby before 2.1.2 (CVE-2015-7773)
  • New Ruby on Rails protection group
  • bl_domains update

2016.01.08
Rules for: Apache, LiteSpeed, nginx, IIS
Version 1.60

  • False positive in the WordPress 4.4.1 login procedure fixed
  • bl_domains update

2016.01.12
Rules for: Apache, LiteSpeed, nginx, IIS
Version 1.61

  • Cross-site request forgery (CSRF) vulnerability in the com_templates component in Joomla! 3.2.0 through 3.3.x and 3.4.x before 3.4.6 (CVE-2015-8563)
  • SQL injection vulnerabilities in the Collne Welcart plugin before 1.5.3 for WordPress (CVE-2015-7791)
  • CSRF & XSS vulnerability in the SPNbabble plugin 1.4.1 and earlier for WordPress (CVE-2014-9339)
  • XSS vulnerability in the Another WordPress Classifieds Plugin 3.3.1 (CVE-2014-10012)
  • XSS vulnerability in the Web Reference Database (aka refbase) through 0.9.6 (CVE-2015-7383)
  • XSS vulnerabilities in Revive Adserver before 3.2.2 (CVE-2015-7373)
  • Multiple cross-site scripting (XSS) vulnerabilities in GetSimple CMS before 3.3.6 (CVE-2015-5355)
  • Multiple cross-site scripting (XSS) vulnerabilities in GetSimple CMS before 3.3.6 (CVE-2015-5356)
  • bl_domains update

2016.01.19
Rules for: Apache, LiteSpeed, nginx, IIS
Version 1.62

  • Directory traversal vulnerability in the zM Ajax Login & Register plugin before 1.1.0 for WordPress (CVE-2015-4153)
  • Absolute path traversal vulnerability in the WordPress Rename plugin 1.0 for WordPress (CVE-2015-4703)
  • Directory traversal vulnerability in the Zip Attachments plugin before 1.5.1 for WordPress (CVE-2015-4694)
  • XSS vulnerability in October CMS build 271 and earlier (CVE-2015-5612)
  • SQL injection vulnerability in Piwigo before 2.7.4 (CVE-2015-1517)
  • XSS vulnerability in Piwigo before 2.7.4 (CVE-2015-2034)
  • bl_domains update

2016.01.26
Rules for: Apache, LiteSpeed, nginx, IIS
Version 1.63

  • XSS rules improved (up to 33 times faster in some cases, which also reduces the cost of inspecting XML-RPC requests)
  • XSS vulnerabilities in the NEX-Forms Lite plugin 2.1.0 for WordPress (CVE-2014-7151)
  • Absolute path traversal vulnerability in the Swim Team plugin 1.44.10777 for WordPress (CVE-2015-5471)
  • XSS vulnerability in the Titan Framework plugin before 1.6 for WordPress (CVE-2014-6444)
  • XSS vulnerability in the zM Ajax Login & Register plugin before 1.1.0 for WordPress (CVE-2015-4465)
  • XSS vulnerability in Serendipity before 2.0.3 (CVE-2015-8603)
  • XSS vulnerability in OpenCart before 2.1.0.2 (CVE-2015-4671)
  • Multiple XSS vulnerabilities in Dolibarr ERP/CRM 3.8.3 (CVE-2016-1912)
  • False positive when saving an HTML signature in Roundcube fixed (rule id 212770)
  • Header "via" removed from userdata_bl_headers in the default configuration
  • bl_domains update

2016.02.02
Rules for: Apache, LiteSpeed, nginx, IIS
Version 1.64

  • Denial of service (invalid read and crash) in Privoxy before 3.0.24 (CVE-2016-1983)
  • XSS vulnerability in the Free Counter plugin 1.1 (CVE-2015-4084)
  • Shell upload vulnerability in Gravity Forms 1.8.19 and earlier
  • Arbitrary File Upload and Arbitrary PHP Code Execution in the Infusionsoft Gravity Forms plugin 1.5.3 through 1.5.10 for WordPress (CVE-2014-6446)
  • XSS vulnerability in Symphony CMS 2.6.3 (CVE-2015-8376)
  • XSS vulnerability in Nucleus CMS 3.65 (CVE-2015-5454)
  • XSS vulnerabilities in Dolibarr ERP/CRM 3.8.3 and earlier (CVE-2015-8685)
  • Stored XSS in Magento CE before 1.9.2.3 and Magento EE before 1.14.2.3
  • CRLF injection vulnerability in CGit before 0.12 (CVE-2016-1899)
  • XSS vulnerability in Beehive Forum 1.4.4 (CVE-2015-2198)
  • XSS vulnerability in ocPortal before 9.0.17 (CVE-2015-2677)
  • XSS vulnerability in Symphony CMS before 2.6.4 (CVE-2015-8766)
  • XSS vulnerability in Symphony CMS 2.6.2 (CVE-2015-4661)
  • Unrestricted file upload vulnerability in ATutor before 2.2 (CVE-2014-9752)
  • bl_domains update

2016.02.03
Rules for: Apache, LiteSpeed, nginx, IIS
Version 1.65

General bug fixes

  • Rule 217000 removed
  • LiteSpeed rules syntax fix

2016.02.09
Rules for: Apache, LiteSpeed, nginx, IIS
Version 1.66

  • Authenticated XSS vulnerability in WordPress 3.7 to 4.4 (CVE-2016-1564)
  • XSS & SQL injection vulnerability in my little forum before 2.3.4 (CVE-2015-1434)
  • XSS vulnerability in my little forum before 2.3.4 (CVE-2015-1435)
  • XSS vulnerability in my little forum 2.3.3, 2.2, and 1.7 (CVE-2015-1475)
  • SQL injection vulnerability in the Web Reference Database (aka refbase) through 0.9.6 (CVE-2015-7382)
  • bl_domains update

2016.02.16
Rules for: Apache, LiteSpeed, nginx, IIS
Version 1.67

  • XSS & SQL injection vulnerability in ZeroCMS 1.0 (CVE-2014-4195 / CVE-2014-4034)
  • Shell Upload Vulnerability in VtigerCRM 6.4.0 and earlier (CVE-2016-1713 / CVE-2015-6000)
  • XSS vulnerability in the Web Reference Database (aka refbase) through 0.9.6 (CVE-2015-6010)
  • XSS & SQL injection vulnerability in Pragyan CMS 3.0 (CVE-2015-1471)
  • XSS vulnerability in TYPO3 6.2.x before 6.2.16 and 7.x before 7.6.1 (CVE-2015-8759)
  • XSS & SQL injection vulnerability in ZeroCMS 1.3.3, 1.3.2, and earlier (CVE-2015-1442)
  • bl_domains update

2016.02.23
Rules for: Apache, LiteSpeed, nginx, IIS
Version 1.68

  • Integer overflow vulnerability in CGit before 0.12 (CVE-2016-1901)
  • XSS vulnerability in TYPO3 6.x before 6.2.15, 7.x before 7.4.0, 4.5.40, and earlier (CVE-2015-5956)
  • SQL injection vulnerability in Piwigo before 2.5.6, 2.6.x before 2.6.5, and 2.7.x before 2.7.3 (CVE-2015-1441)
  • XSS & SQL injection vulnerabilities in Sefrengo before 1.6.1 (CVE-2015-0919)
  • XSS vulnerability in Sefrengo before 1.6.1 (CVE-2015-0918)
  • SQL injection vulnerability in Sefrengo before 1.6.2 (CVE-2015-1428)
  • Multiple XSS vulnerabilities in Saurus CMS 4.7.0 (CVE-2015-1562)
  • XSS vulnerabilities in Gecko CMS 2.2 and 2.3 (CVE-2015-1422)
  • SQL injection vulnerabilities in Gecko CMS 2.2 and 2.3 (CVE-2015-1423)
  • Performance improvements
  • Several false positives fixed
  • Rule 211570 removed
  • bl_domains update

2016.03.07
Rules for: Apache, LiteSpeed, nginx, IIS
Version 1.69

  • Directory traversal vulnerability in Roundcube before 1.0.8 and 1.1.x before 1.1.4 (CVE-2015-8770)
  • SQL injection vulnerability in CatBot 0.4.2 (CVE-2015-1367)
  • SQL injection vulnerability in xlinkerz ecommerceMajor (CVE-2015-1476)
  • SQL injection vulnerabilities in Fork CMS before 3.8.6 (CVE-2015-1467)
  • CSRF vulnerability in Moodle through 2.6.11, 2.7.x before 2.7.11, 2.8.x before 2.8.9, and 2.9.x before 2.9.3 (CVE-2015-5338)
  • XSS vulnerability in Moodle 2.8.x before 2.8.10, 2.9.x before 2.9.4, and 3.0.x before 3.0.2 (CVE-2016-0725)
  • Information Disclosure vulnerability in Magento before 1.9.2.3 (CVE-2016-2212)
  • XSS vulnerability in Moodle through 2.6.11, 2.7.x before 2.7.11, 2.8.x before 2.8.9, and 2.9.x before 2.9.3 (CVE-2015-5336)
  • CSRF vulnerability in Gecko CMS 2.2 and 2.3 (CVE-2015-1424)
  • CSRF vulnerability in Moodle through 2.6.11, 2.7.x before 2.7.11, 2.8.x before 2.8.9, and 2.9.x before 2.9.3 (CVE-2015-5335)
  • Remote PHP shell upload vulnerability in Custom Content Type Manager WordPress plugin version 0.9.8.8
  • bl_domains update

2016.03.15
Rules for: Apache, LiteSpeed, nginx, IIS
Version 1.70

  • PHP code injection vulnerability in ATutor 2.2 and earlier (CVE-2015-7712)
  • Remote PHP shell upload vulnerability in Custom Content Type Manager WordPress plugin version 0.9.8.8 (CVE-2015-2679)
  • XSS vulnerability in Dotclear before version 2.8.2 (CVE-2015-8831)
  • XSS vulnerability in Roundcube before 1.0.6 and 1.1.x before 1.1.2 (CVE-2015-8793)
  • XSS vulnerability in Moodle 2.8.x before 2.8.2 (CVE-2015-0216)
  • CSRF vulnerability in Moodle through 2.5.9, 2.6.x before 2.6.7, 2.7.x before 2.7.4, and 2.8.x before 2.8.2 (CVE-2015-0213)
  • XSS vulnerabilities in BEdita before 3.6.0 (CVE-2015-6809)
  • XSS vulnerabilities in BEdita 3.4.0 (CVE-2015-1040)
  • Unrestricted File Upload vulnerability in Dotclear before version 2.8.2 (CVE-2015-8832)
  • XSS vulnerabilities in concrete5 before 5.7.4 (CVE-2015-2250)
  • XSS vulnerabilities in Dolibarr ERP/CRM 3.5 and 3.6 (CVE-2015-3935)
  • XSS vulnerabilities in concrete5 before 5.7.4 (CVE-2015-3989)
  • Several false positives fixed

2016.03.22
Rules for: Apache, LiteSpeed, nginx, IIS
Version 1.71

  • XSS vulnerabilities in PivotX before 2.3.11 (CVE-2015-5456)
  • XSS vulnerabilities in Ultimate PHP Board (aka myUPB) 2.2.7 (CVE-2015-2217)
  • XSS vulnerabilities in WoltLab Community Gallery 2.0 before 2014-12-26 (CVE-2015-2275)
  • SQL injection vulnerability in ZeusCart 4 (CVE-2015-2183)
  • XSS vulnerabilities in ZeusCart 4 (CVE-2015-2182) & (CVE-2010-5322)
  • XSS vulnerabilities in Adminsystems CMS before 4.0.2 (CVE-2015-1603)
  • Unrestricted file upload vulnerability in Adminsystems CMS before 4.0.2 (CVE-2015-1604)
  • Absolute path traversal vulnerability in Roundcube before 1.0.6 and 1.1.x before 1.1.2 (CVE-2015-8794)
  • XSS vulnerability in osTicket before 1.9.5 (CVE-2015-1176)
  • SQL injection vulnerability in Cacti 0.8.8g and earlier (CVE-2016-3172)

2016.04.05
Rules for: Apache, LiteSpeed, nginx, IIS
Version 1.72

  • XSS vulnerability in the connections plugin 8.5.8 for WordPress (CVE-2016-0770)
  • XSS vulnerabilities in Google Analyticator plugin before 6.4.9.6 for WordPress (CVE-2015-6238)
  • CSRF & XSS vulnerability in the Contact Form Generator plugin 2.0.1 and earlier for WordPress (CVE-2015-6965)
  • XSS vulnerabilities in e107 Bootstrap CMS 2.0.0 (CVE-2015-1057)
  • Arbitrary File Upload in X2Engine X2CRM before 5.0.9 (CVE-2015-5074)
  • XSS vulnerabilities in Croogo before 2.2.1 (CVE-2015-1053)
  • XSS vulnerabilities in Croogo before 2.1.0 (CVE-2014-8577)
  • XSS vulnerabilities in e107 1.0.4 (CVE-2015-1041)
  • Multiple XSS vulnerabilities in phpMyAdmin 4.0.x before 4.0.10.13, 4.4.x before 4.4.15.3, and 4.5.x before 4.5.4 (CVE-2016-2040)
  • XSS & SQL injection vulnerabilities in WebsiteBaker 2.8.3 & 2.8.3 SP3 (CVE-2015-0553 & CVE-2014-9242)
  • XSS vulnerabilities in WebsiteBaker 2.8.3 (CVE-2014-9243)
  • bl_domains update

2016.04.12
Rules for: Apache, LiteSpeed, nginx, IIS
Version 1.73

  • XSS vulnerabilities in Adsense-Click-Fraud-Monitoring 1.8.6 (CVE-2015-3398)
  • Remote file download vulnerability in the wp-ecommerce-shop-styling plugin before 2.5 for WordPress (CVE-2015-5468)
  • XSS vulnerabilities in the XCloner plugin 3.1.2 for WordPress (CVE-2015-4337)
  • Multiple XSS vulnerabilities in phpMyAdmin 4.0.x before 4.0.10.15, 4.4.x before 4.4.15.5, and 4.5.x before 4.5.5.1 (CVE-2016-2560)
  • XSS vulnerability in ProjectSend (formerly cFTP) r561 (CVE-2014-9580)
  • SQL injection vulnerability in ClipBucket 2.7 RC3 (2.7.0.4.v2929-rc3) (CVE-2015-2102)
  • XSS & SQL injection vulnerability in Persian Car CMS 1.0 (CVE-2015-4678)
  • SQL injection vulnerability in pimcore before build 3473 (CVE-2015-4426)
  • Information Disclosure in phpMyAdmin 4.5.x before 4.5.4 (CVE-2016-2044)
  • SQL Injection Vulnerability in Cacti 0.8.8g and earlier (CVE-2016-3659)
  • SQL injection vulnerability in Microweber CMS 0.95 before 20141209 (CVE-2014-9464)
  • bl_domains update
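The question a practitioner actually brings to a changelog like this is "does the ruleset version deployed on my hosts already carry the rule for CVE X, and what do I gain by upgrading?". The Python below is an added example written for this page, not tooling shipped with the ruleset or by its vendor. It parses release blocks in the format used above (a date line, a "Rules for:" line, a "Version" line, then bullet entries), builds a CVE-to-version index, compares version numbers numerically, and records a CVE that reappears in a later release (FreiChat CVE-2015-6512 in 1.54 and 1.55) under both versions. The sample input is a constructed three-release excerpt of this changelog.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: a three-release excerpt of the changelog above.
SAMPLE = """\
2015.11.24
Rules for: Apache, LiteSpeed, nginx, IIS
Version 1.54

  • SQL Injection in FreiChat 9.6 (CVE-2015-6512)
  • Multiple XSS and SQL injection vulnerabilities in the admin panel in osCMax before 2.5.1 (CVE-2012-1664, CVE-2012-1665)
  • bl_domains update

2015.12.01
Rules for: Apache, LiteSpeed, nginx, IIS
Version 1.55

  • SQL Injection in FreiChat 9.6 (CVE-2015-6512)
  • XSS and SQL Injection vulnerability in Piwigo before 2.7.4 (CVE-2015-2035)
  • bl_domains update

2015.12.08
Rules for: Apache, LiteSpeed, nginx, IIS
Version 1.56

  • phpMyAdmin FP fixed
  • XML-RPC protection improved
  • bl_domains update
"""

DATE_RE = re.compile(r"^\d{4}\.\d{2}\.\d{2}$")          # e.g. 2015.12.01
SERVERS_RE = re.compile(r"^Rules for:\s*(.+)$")
VERSION_RE = re.compile(r"^Version\s+(\d+(?:\.\d+)*)$")
BULLET_RE = re.compile(r"^[•*\-]\s*(.+)$")               # "•" as on the page; "*"/"-" tolerated
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


@dataclass
class Release:
    date: str
    version: str = ""
    servers: list = field(default_factory=list)
    entries: list = field(default_factory=list)  # bullet text as written
    cves: list = field(default_factory=list)     # CVE ids in page order, de-duplicated


def parse_changelog(text):
    """Split the changelog into releases; a date line opens a new release."""
    releases, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if DATE_RE.match(line):
            cur = Release(date=line)
            releases.append(cur)
            continue
        if cur is None:          # text before the first release (page title etc.)
            continue
        m = SERVERS_RE.match(line)
        if m:
            cur.servers = [s.strip() for s in m.group(1).split(",")]
            continue
        m = VERSION_RE.match(line)
        if m:
            cur.version = m.group(1)
            continue
        m = BULLET_RE.match(line)
        if m:
            entry = m.group(1)
            cur.entries.append(entry)
            for cve in CVE_RE.findall(entry):
                if cve not in cur.cves:
                    cur.cves.append(cve)
    return releases


def version_key(v):
    """'1.54' -> (1, 54) so that 1.60 sorts after 1.9 and 1.54, unlike string order."""
    return tuple(int(p) for p in v.split("."))


def cve_index(releases):
    """CVE id -> versions whose notes list it; more than one means the rule was revisited."""
    idx = {}
    for r in releases:
        for c in r.cves:
            idx.setdefault(c, []).append(r.version)
    return idx


def covered_since(releases, cve):
    """Earliest ruleset version whose notes list the CVE, or None if never listed."""
    versions = cve_index(releases).get(cve)
    return min(versions, key=version_key) if versions else None


def is_covered(releases, installed_version, cve):
    first = covered_since(releases, cve)
    return first is not None and version_key(installed_version) >= version_key(first)


def missing_coverage(releases, installed_version):
    """CVEs whose rules only appear in releases newer than installed_version."""
    have = version_key(installed_version)
    return sorted(c for c in cve_index(releases)
                  if version_key(covered_since(releases, c)) > have)


if __name__ == "__main__":
    rels = parse_changelog(SAMPLE)
    for cve, versions in sorted(cve_index(rels).items()):
        print(f"{cve}: first covered in {covered_since(rels, cve)}, listed in {versions}")
    print("missing at 1.54:", missing_coverage(rels, "1.54"))
```

Feed it the full page text instead of SAMPLE to index every release above; entries without a CVE id (false-positive fixes, bl_domains updates, the un-numbered Gravity Forms and Magento items) are kept in `entries` but do not enter the index, so they still have to be checked by hand.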