Summary of Releases v9.6.5, v9.6.6, v9.6.7 and v9.6.8
This month, we've released multiple versions of Nuclei Templates that bring numerous enhancements to Nuclei users.
Here are some highlighted stats from the combined releases:
🎉 316 New Templates added
🚀 14 First-time contributions
🔥 158 New CVEs added
Welcome to the October 2023 edition of Nuclei Templates Monthly Release. The cyber landscape continues to evolve with new, significant CVEs making waves in the community. This month, we're spotlighting a range of serious vulnerabilities including:
These CVEs have garnered substantial attention due to their potential impact on network security and data integrity. For instance, the unauthenticated RCE in F5 BIG-IP systems could provide attackers with unauthorized access to sensitive systems. The discoveries highlight the ever-urgent need for robust security measures and continuous vigilance in the face of evolving cyber threats. Our latest releases encapsulate these, along with other notable CVEs, furnishing the security community with vital tools to tackle these looming threats head-on.
We are excited to announce the addition of 255 new templates to the Nuclei Templates project. These templates cover a wide range of security checks, from trending CVEs to templates for newly supported protocols in Nuclei v3, empowering you to identify potential vulnerabilities efficiently. The contributions from our dedicated community have been immeasurably valuable in expanding the breadth of Nuclei's capabilities, and we extend our gratitude to all those involved.
This month we have added 158 🔥 new CVEs, ensuring you remain current with the latest security vulnerabilities. By including these CVEs in the Nuclei Templates, we aim to provide you with the necessary tools to detect and mitigate potential risks proactively.
This month we have done several bug fixes and implemented enhancements to improve the overall functionality of Nuclei Templates. The following contributions from our community members have been instrumental in making these improvements:
F5 BIG-IP is vulnerable to an unauthenticated remote code execution via AJP Smuggling which allows an attacker to execute arbitrary system commands.
Viessmann Vitogate 300 has a vulnerability where an unauthenticated attacker can bypass authentication and execute arbitrary commands.
Termed as "Citrix Bleed", this vulnerability in Citrix NetScaler ADC and NetScaler Gateway leads to information disclosure allowing an unauthenticated attacker to hijack an existing authenticated session.
JetBrains TeamCity before 2023.05.4 authentication bypass leading to RCE on TeamCity Server was possible
Multiple Sitecore products allow remote code execution. This affects Experience Manager, Experience Platform, and Experience Commerce through 10.3
Microsoft SharePoint Server Elevation of Privilege Vulnerability
This template highlights a misconfiguration vulnerability in ServiceNow Widget-Simple-List which can potentially lead to unauthorized access or data exposure.
Atlassian Confluence Data Center and Server contains a privilege escalation vulnerability that allows an attacker to create unauthorized Confluence administrator accounts and access Confluence.
Ninja Forms has a Cross-Site Scripting (XSS) vulnerability in versions before 3.6.26 which could allow attackers to inject malicious scripts into web pages viewed by other users.
Chaty has a Cross-Site Scripting (XSS) vulnerability in versions before 2.8.2 which could potentially allow attackers to inject malicious scripts.
Eclipse Mojarra has a vulnerability that allows local file read, potentially allowing attackers to read sensitive files on the server.
Cockpit has a Cross-Site Scripting (XSS) vulnerability which could potentially allow attackers to inject malicious scripts.
Honeywell PM43 Printers are vulnerable to a command injection attack, which could allow attackers to execute arbitrary commands.
EventON Lite has a vulnerability that allows arbitrary file download in versions before 2.1.2, which could potentially lead to information disclosure.
We express our sincere appreciation to the community members, including our first-time contributors for their contributions to the Nuclei Templates project.
We're thrilled to share that Nuclei v3 has been released, featuring new additions such as Code Protocol, Template Signing & Verification, JavaScript Protocol, Multi-Protocol Engine, Flow Template Engine, SDK-4-ALL (revamped GO SDK), and enhanced stability across different execution environments.
The Nuclei v3 release benefits template writers through its new Flow Template Engine, allowing for more complex workflows, and the Template Signing & Verification feature, ensuring the integrity and authenticity of templates. Additionally, the revamped SDK-4-ALL provides a more robust toolkit for template development. You can read more about it here.
Join the Nuclei Templates community on Discord, where you can actively participate, collaborate, and share valuable insights. Feel free to join the Discord server if you have any questions or suggestions for further improving Nuclei Templates.