Rules Updates: Changelog

Serhyo · August 29, 2017, 3:29pm

2017.08.29
Rules for: Apache, LiteSpeed, Nginx, IIS
Version 1.136

XSS vulnerability in Etoile Ultimate Product Catalog plugin 4.2.11 for WordPress (CVE-2017-12200)
CSRF vulnerability in Clean Login plugin before 1.8 for WordPress (CVE-2017-8875)
Possible arbitrary code execution in Cacti before 1.1.16 (CVE-2017-12065)
CSRF vulnerability in the BigTree CMS through 4.2.18 (CVE-2017-9379)
XSS vulnerability in XOOPS Core 2.5.8 (CVE-2017-12139)
SQL injection vulnerability in Fiyo CMS 2.0.7 (CVE-2017-11412)
CSRF vulnerability in the BigTree CMS through 4.2.17 (CVE-2017-7881)
bl_domains update

Serhyo · September 5, 2017, 3:14pm

2017.09.05
Rules for: Apache, LiteSpeed, Nginx, IIS
Version 1.137

XSS vulnerability in Etoile Ultimate Product Catalog plugin 4.2.11 for WordPress (CVE-2017-12200)
XSS vulnerability in Easy Testimonials plugin 3.0.4 for WordPress (CVE-2017-12131)
CSRF vulnerability in WHIZZ plugin before 1.1.1 for WordPress (CVE-2017-8099)
SQL injection vulnerability in the Podlove Podcast Publisher plugin 2.5.3 for WordPress (CVE-2017-12949)
SQL injection vulnerability in Easy Modal plugin before 2.1.0 for WordPress (CVE-2017-12946,CVE-2017-12947)
SQL injection vulnerability in Web-Dorado Photo Gallery by WD - Responsive Photo Gallery plugin before 1.3.51 for WordPress (CVE-2017-12977)
XSS vulnerability in Cacti 1.1.17 (CVE-2017-12927)
SQL injection vulnerability in Fiyo CMS 2.0.7 (CVE-2017-11417)
bl_domains update

Serhyo · September 20, 2017, 3:52pm

2017.09.20
Rules for: Apache, LiteSpeed, Nginx, IIS
Version 1.138

XSS vulnerability in Participants Database plugin before 1.7.5.10 for WordPress (CVE-2017-14126)
XSS vulnerability in the Photocrati NextGEN Gallery plugin 2.1.15 for WordPress (CVE-2015-9229)
Unrestricted file upload vulnerability in the Photocrati NextGEN Gallery plugin 2.1.10 for WordPress (CVE-2015-9228)
SQLi vulnerability in Photocrati image-gallery-with-slideshow v1.5.2 plugin for WordPress (CVE-2017-1002012)
SQL injection vulnerability in Dolibarr ERP/CRM version 6.0.0 (CVE-2017-14242)
SQL injection vulnerability in Dolibarr ERP/CRM version 6.0.0 (CVE-2017-14238)
bl_domains update

Serhyo · September 26, 2017, 3:33pm

2017.09.26
Rules for: Apache, LiteSpeed, Nginx, IIS
Version 1.139

SQLi vulnerability in Photocrati image-gallery-with-slideshow v1.5.2 plugin for WordPress (CVE-2017-1002013)
SQLi vulnerability in Photocrati image-gallery-with-slideshow v1.5.2 plugin for WordPress (CVE-2017-1002015)
CSRF & XSS vulnerability in Crony Cronjob Manager plugin before 0.4.7 for WordPress (CVE-2017-14530)
SQL injection vulnerability in the eventr v1.02.2 for WordPress (CVE-2017-1002019,CVE-2017-1002018)
SQL injection vulnerability in the image-gallery-with-slideshow v1.5.2 for WordPress (CVE-2017-1002014)
SQL injection vulnerability in the Easy Team Manager v1.3.2 for WordPress (CVE-2017-1002023)
XSS vulnerabilities in the XCloner plugin 3.1.2 for WordPress (CVE-2015-4337)
bl_domains update

Serhyo · October 3, 2017, 3:54pm

2017.10.03
Rules for: Apache, LiteSpeed, Nginx, IIS
Version 1.140

Emergency DDoS bot protection
XSS vulnerability in Anti-Malware Security and Brute-Force Firewall v. 4.17.29 for WordPress
XSS vulnerability in WooCommerce PDF Invoices & Packing Slips 2.0.9 for WordPress
XSS vulnerability in Photocrati image-gallery-with-slideshow v1.5.2 plugin for WordPress (CVE-2017-1002011)
XSS vulnerability in Crelly Slider v1.2.2 for WordPress
XSS vulnerability in Booking Calendar for WordPress
XSS vulnerability in Google Pagespeed Insights plugin v3.0.0 for WordPress
bl_domains update

vadim · October 5, 2017, 8:57pm

2017.10.05
Rules for: Apache, LiteSpeed, Nginx, IIS
Version 1.141

Emergency disabled rules from 1.140 which caused the performance issue.

TDmitry · October 6, 2017, 8:22pm

2017.10.06
Rules for: Apache, LiteSpeed, Nginx, IIS
Version 1.142

Removed rules which were added in 1.140
bl_domain update

Serhyo · October 11, 2017, 3:47pm

2017.10.11
Rules for: Apache, LiteSpeed, Nginx, IIS
Version 1.143

SQLi vulnerability in Content Timeline plugin 4.4.2 for WordPress (CVE-2017-14507)
XSS vulnerability in 2kb Amazon Affiliates Store plugin before 2.1.1 for WordPress (CVE-2017-14622)
SQL injection vulnerability in the event-espresso-free v3.1.37.12.L for WordPress (CVE-2017-14760)
SQL injection vulnerability in Event Expresso Free v3.1.37.11.L plugin for WordPress (CVE-2017-1002026)
SQL injection vulnerability in Responsive Image Gallery plugin before 1.2.1 for WordPress (CVE-2017-14125)
SQL injection vulnerability in OpenText Document Sciences xPression (formerly EMC Document Sciences xPression) v4.5SP1 Patch 13 (CVE-2017-14757)
SQL injection vulnerability in OpenText Document Sciences xPression (formerly EMC Document Sciences xPression) v4.5SP1 Patch 13 (CVE-2017-14758)
XSS vulnerability in OpenText Document Sciences xPression (formerly EMC Document Sciences xPression) v4.5SP1 Patch 13 (CVE-2017-14755)
bl_domains update

Serhyo · November 2, 2017, 5:01pm

2017.11.02
Rules for: Apache, LiteSpeed, Nginx, IIS
Version 1.144

SQL injection vulnerability in WPHRM Human Resource Management System for WordPress 1.0 (CVE-2017-14848)
XSS vulnerability in gift-certificate-creator v1.0 plugin for WordPress (CVE-2017-1002017)
SQL injection vulnerability in wordpress plugin add-edit-delete-listing-for-member-module v1.0 (CVE-2017-1002025)
SQL injection vulnerability in Mojoomla WPAMS Apartment Management System for WordPress (CVE-2017-14847)
SQL injection vulnerability in the Mojoomla WPCHURCH Church Management System for WordPress (CVE-2017-14845)
SQL injection vulnerability in the rk-responsive-contact-form v1.0 for WordPress (CVE-2017-1002027)
Multiple XSS vulnerabilities in WpJobBoard v4.5.1 web-application for WordPress (CVE-2017-15375)
SQL injection vulnerability in Mojoomla Hospital Management System for WordPress (CVE-2017-14846)
XSS vulnerability in Flyspray before 1.0-rc6 (CVE-2017-15213)
CSRF vulnerability in Subrion CMS before 4.2.0 (CVE-2017-15063)
CSRF vulnerability in Subrion CMS 4.0.5 (CVE-2017-6068)
XSS vulnerability in GeniXCMS 1.1.4 (CVE-2017-14761)
SQL injection vulnerability in PHPSUGAR PHP Melody before 2.7.3 (CVE-2017-15578)
bl_domains update

Serhyo · November 9, 2017, 4:25pm

2017.11.09
Rules for: Apache, LiteSpeed, Nginx, IIS
Version 1.145

SQL injection vulnerability in Zh YandexMap (aka com_zhyandexmap) component 6.1.1.0 for Joomla (CVE-2017-15966)
XSS vulnerability in PopCash.Net Code Integration Tool plugin for WordPress (CVE-2017-15810)
XSS vulnerability in wp-noexternallinks plugin before 3.5.19 for WordPress (CVE-2017-15863)
XSS vulnerability in user-login-history plugin through 1.5.2 for WordPress (CVE-2017-15867)
XSS vulnerability in the Pootle Button plugin before 1.2.0 for WordPress for WordPress (CVE-2017-15811)
XSS vulnerability in GeniXCMS 1.1.4 (CVE-2017-14762 & CVE-2017-14765)
SQL injection vulnerability in GLPI before 9.1.5.1 (CVE-2017-11474)
SQL injection vulnerability in PHPSUGAR PHP Melody before 2.7.3 (CVE-2017-15579)
XSS vulnerability in the OpenEMR v5_0_0 (CVE-2017-6482)
XSS vulnerability in the E-Sic 1.0 (CVE-2017-15380)
SQL injection vulnerability in the E-Sic 1.0 (CVE-2017-15373)
XSS vulnerability in the BlackCat CMS 1.2 (CVE-2017-14049)
Unrestricted file upload vulnerability in OctoberCMS 1.0.425 (aka Build 425) (CVE-2017-15284)
bl_domains update

Serhyo · November 16, 2017, 5:20pm

2017.11.16
Rules for: Apache, LiteSpeed, Nginx, IIS
Version 1.146

XSS vulnerability in the Ultimate Instagram Feed plugin before 1.3 for WordPress (CVE-2017-16758)
XSS vulnerability in Mahara 15.04 before 15.04.15, 16.04 before 16.04.9, 16.10 before 16.10.6, and 17.04 before 17.04.4 (CVE-2017-15273)
Directory traversal vulnerability in b2evolution through 6.8.3 (CVE-2017-5480)
XSS vulnerability in Mahara 15.04 before 15.04.15, 16.04 before 16.04.9, 16.10 before 16.10.6, and 17.04 before 17.04.4 (CVE-2017-14752)
XSS vulnerability in Mahara 1.10 before 1.10.0 and 15.04 before 15.04.0 (CVE-2017-1000138)
XSS vulnerability in CMS Made Simple 2.2.3.1 (CVE-2017-16799)
XSS vulnerability in the AffiliateWp plugin before 2.0.9 for WordPress
FP fix
bl_domains update

Serhyo · November 23, 2017, 4:59pm

2017.11.23
Rules for: Apache, LiteSpeed, Nginx, IIS
Version 1.147

SQL injection vulnerability in Fiyo CMS 2.0.7 (CVE-2017-11413)
XSS vulnerability in WBCE v1.1.11 (CVE-2017-1000213)
XSS vulnerability in October CMS build 412 (CVE-2017-1000193)
Unrestricted file upload vulnerability in Perch Content Management System 3.0.3 (CVE-2017-15948)
CSRF vulnerability in YouTube plugin for WordPress (CVE-2017-1000224)
Unrestricted file upload vulnerability in WP Support Plus Responsive Ticket System before 8.0.7 for WordPress
Unauthenticated Directory traversal vulnerability in Javo Spot Premium Theme for WordPress
bl_domains update

Serhyo · November 30, 2017, 1:06pm

2017.11.30
Rules for: Apache, LiteSpeed, Nginx, IIS
Version 1.148

XSS vulnerability in SilverStripe CMS before 3.4.4 and 3.5.x before 3.5.2 (CVE-2017-5197)
CSRF vulnerability in Serendipity through 2.0.5 (CVE-2017-5476)
Directory traversal vulnerability in MetInfo 5.3.17 (CVE-2017-14513)
XSS vulnerability in the Revive Adserver before 4.0.1 (CVE-2017-5832)
XSS vulnerability in multiple BestWebSoft plugins for WordPress
XSS vulnerability in the Ultimate Addons For Visual Composer before 3.16.11 for WordPress
bl_domains update

Serhyo · December 7, 2017, 3:56pm

2017.12.07
Rules for: Apache, LiteSpeed, Nginx, IIS
Version 1.149

XSS vulnerability in InLinks plugin through 1.1 for WordPress (CVE-2017-16955)
SQL injection in ultimate-form-builder-lite plugin before 1.3.7 for WordPress (CVE-2017-15919)
SQL injection vulnerability in the BigTree CMS through 4.2.19 (CVE-2017-16961)
XSS vulnerability in Fiyo CMS 2.0.7 (CVE-2017-13778)
SQL injection vulnerability in Piwigo 2.9.2 (CVE-2017-16893)
Local file inclusion in Cacti 1.1.27 (CVE-2017-16661)
Unrestricted file upload vulnerability in b2evolution 6.8.8 (CVE-2017-6902)
bl_domains update

Serhyo · December 14, 2017, 4:32pm

2017.12.14
Rules for: Apache, LiteSpeed, Nginx, IIS
Version 1.150

Directory traversal vulnerability in b2evolution through 6.8.3 and 6.8.4-stable (CVE-2017-5539)
XSS & Directory traversal & Information-Disclosure vulnerability in WBCE v1.1.10 and earlier(CVE-2017-2118 & CVE-2017-2119)
SQL injection vulnerability in the Serendipity 2.0.5 (CVE-2017-5609)
XSS vulnerability in Dolibarr ERP/CRM 6.0.0 (CVE-2017-14241)
XSS vulnerability in the OSNEXUS QuantaStor v4 virtual appliance before 4.3.1 (CVE-2017-9979)
CSRF vulnerability in concrete5 8.1.0 (CVE-2017-8082)
Captcha Bypass vulnerability in Allen Disk 1.6 (CVE-2017-9090)
fp fix
bl_domains update

Serhyo · December 21, 2017, 2:00pm

2017.12.21
Rules for: Apache, LiteSpeed, Nginx, IIS
Version 1.151

XSS vulnerability in concrete5 before 5.6.3.4 (CVE-2017-6905)
XSS vulnerability in the MODX Revolution 2.5.7 and earlier (CVE-2017-1000223 & CVE-2017-11744)
Open redirect vulnerability in XOOPS Core 2.5.8 (CVE-2017-12138)
Arbitrary File Read vulnerability in Fiyo CMS 2.0.7 (CVE-2017-17104)
XSS vulnerability in the EyesOfNetwork web interface aka eonweb 5.0 (CVE-2017-6087)
XSS vulnerability in MetInfo 5.3.15 (CVE-2017-6878)
XSS vulnerability in ViMbAdmin 3.0.15 (CVE-2017-5870)
bl_domains update

Serhyo · December 27, 2017, 4:09pm

2017.12.27
Rules for: Apache, LiteSpeed, Nginx, IIS
Version 1.152

XSS vulnerability in custom-map plugin through 1.1 for WordPress (CVE-2017-17744)
CSRF vulnerability in admidio 3.2.8 (CVE-2017-8382)
SQL injection vulnerability in Dolibarr ERP/CRM version 6.0.4 (CVE-2017-17899)
SQL injection vulnerability in Dolibarr ERP/CRM version 6.0.4 (CVE-2017-17897)
SQL injection vulnerability in Dolibarr ERP/CRM version 6.0.4 (CVE-2017-17900)
XSS & SQL injection vulnerability in Piwigo 2.9.2 (CVE-2017-17823)
XSS vulnerability in Piwigo 2.9.2 (CVE-2017-17826)
CSRF vulnerability in the Piwigo through 2.9.2 (CVE-2017-17827)
bl_domains update

Serhyo · January 11, 2018, 4:45pm

2018.01.11
Rules for: Apache, LiteSpeed, Nginx, IIS
Version 1.153

SQL injection vulnerability in Joomla! Component JEXTN FAQ Pro 4.0.0 (CVE-2017-17875)
SQL injection vulnerability in JEXTN Video Gallery extension 3.0.5 for Joomla! (CVE-2017-17872)
SQL injection vulnerability in surveys v1.01.8 for WordPress (CVE-2017-1002020, CVE-2017-1002021, CVE-2017-1002022)
XSS vulnerability in wp-concours plugin through 1.1 for WordPress (CVE-2017-17719)
SQL Injection vulnerability in Oturia Smart Google Code Inserter plugin before 3.5 for WordPress (CVE-2018-3811)
XSS vulnerability in Z-URL Preview plugin 1.6.1 for WordPress (CVE-2017-18012)
XSS and Directory Traversal vulnerability in GD Rating System plugin 2.3 for WordPress (CVE-2018-5286, CVE-2018-5287, CVE-2018-5288, CVE-2018-5289, CVE-2018-5290, CVE-2018-5291, CVE-2018-5292, CVE-2018-5293)
SQL Injection vulnerability in Piwigo 2.9.2 (CVE-2017-17822)
XSS vulnerability in Piwigo 2.9.2 (CVE-2017-17825)
XSS vulnerability in NetWin SurgeFTP version 23f2 (CVE-2017-17933)
bl_domains update

Serhyo · February 1, 2018, 4:24pm

2018.02.01
Rules for: Apache, LiteSpeed, Nginx, IIS
Version 1.154

SQL injection vulnerability in JBuildozer extension 1.4.1 for Joomla (CVE-2017-17870)
SQL injection vulnerability in NS Download Shop (aka com_ns_downloadshop) component 2.2.6 for Joomla! (CVE-2017-15965)
XSS vulnerability in esb-csv-import-export plugin through 1.1 for WordPress (CVE-2017-17753)
XSS vulnerability in Oturia Smart Google Code Inserter plugin before 3.5 for WordPress (CVE-2018-3810)
XSS vulnerability in the Add Link to Facebook plugin through 2.3 for WordPress(CVE-2018-5214)
CSRF & XSS vulnerability in Responsive-coming-soon-page plugin 1.1.18 for WordPress (CVE-2018-5657, CVE-2018-5658, CVE-2018-5659, CVE-2018-5660, CVE-2018-5661, CVE-2018-5662, CVE-2018-5663, CVE-2018-5664, CVE-2018-5665 and CVE-2018-5666)
CSRF & XSS vulnerability in Booking-calendar plugin 2.1.7 for WordPress (CVE-2018-5670, CVE-2018-5671, CVE-2018-5672 and CVE-2018-5673)
XSS vulnerability in the Simple Download Monitor plugin before 3.5.4 for WordPress(CVE-2018-5213,CVE-2018-5212)
CSRF & XSS vulnerability in Weblizar-pinterest-feeds plugin 1.1.1 for WordPress (CVE-2018-5667, CVE-2018-5668 and CVE-2018-5669)
CSRF & XSS vulnerability in Weblizar-pinterest-feeds plugin 1.1.1 for WordPress (CVE-2018-5653, CVE-2018-5654 , CVE-2018-5655 and CVE-2018-5656)
Directory Traversal vulnerability in Media from FTP plugin 9.85 for WordPress (CVE-2018-5310)
CSRF & XSS vulnerability in ImageInject plugin 1.15 for WordPress (CVE-2018-5284 and CVE-2018-5285)
XSS vulnerability in Shibboleth plugin before 1.8 for WordPress (CVE-2017-14313)
bl_domains update

Serhyo · February 12, 2018, 5:20pm

2018.02.12
Rules for: Apache, LiteSpeed, Nginx, IIS
Version 1.155

COMODO WAF: XSS vulnerability in Download-manager plugin before 2.9.52 for WordPress (CVE-2017-18032)
COMODO WAF: SQL Injection vulnerability in Dbox 3D Slider Lite plugin through 1.2.2 for WordPress (CVE-2018-5374)
COMODO WAF: SQL Injection vulnerability in Testimonial Slider plugin through 1.2.4 for WordPress (CVE-2018-5372)
COMODO WAF: CSRF & XSS vulnerability in WPGlobus plugin 1.9.6 for WordPress (CVE-2018-5361,CVE-2018-5362, CVE-2018-5363, CVE-2018-5364, CVE-2018-5365, CVE-2018-5366 and CVE-2018-5367)
COMODO WAF: CSRF & XSS vulnerability in SrbTransLatin plugin 1.46 for WordPress (CVE-2018-5368 and CVE-2018-5369)
COMODO WAF: SQL Injection vulnerability in Piwigo 2.9.2 (CVE-2017-17824)
COMODO WAF: CSRF & XSS vulnerability in the Piwigo through 2.9.2 (CVE-2017-17774 and CVE-2017-17775)
COMODO WAF: XSS vulnerability in Piwigo 2.8.2 (CVE-2018-5692)
bl_domains update