Overview for rules released by Trustwave SpiderLabs in November for ModSecurity Commercial Rules package. The rules are available for versions 2.9.x and 3.x of ModSecurity.
ModSecurity Commercial Rules detect attacks or classes of attacks on web applications and their components as well as provide virtual patches for public vulnerabilities.
Release Summary
- WordPress Plugins Post Grid < 2.0.73 & Team Showcase < 1.22.16 RCE
- WordPress multiply themes CSRF
- WordPress Plugin WPBakery Page Builder < 6.4.1 XSS
- WordPress Plugin Dynamic Content for Elementor < 1.9.6 RCE CVE-2020-26596
- WordPress Plugin PowerPress < 8.3.8 - Authenticated Arbitrary File Upload leading to RCE
- WordPress Plugin Child Theme Creator by Orbisius < 1.5.2 - CSRF
- WordPress Plugin Comment Press < 2.7.2 - CSRF
- WordPress Plugin Loginizer < 1.6.4 - SQLi CVE-2020-27615
- WordPress Plugin SuperStoreFinder Plugins - File-Upload
- Oracle Business Intelligence Enterprise Edition 5.5.0.0.0 / 12.2.1.3.0 / 12.2.1.4.0 - Directory Traversal/Local File Inclusion CVE-2020-14864
- WordPress Plugin Greenmart < 2.5.2 - XSS
- WordPress Plugin SW Ajax WooCommerce Search < 1.2.8 XSS
- WordPress Plugin SW Ajax WooCommerce Search < 1.2.8 CSRF
- WordPress Plugin Simple File List 4.2.2 Arbitrary File-Upload
- WordPress Plugin Augmented Reality <= 1.2.0 Authentication File Upload to RCE
- WordPress Plugin GDPR CCPA Compliance Support < 2.4 - RCE
- WordPress Plugin BA Book Everything < 1.3.25 XSS
- WordPress Plugin BA Book Everything < 1.3.25 CSRF
- WordPress Plugin Buddypress 6.2.0 - XSS
- WordPress Theme Love Travel 2.0-3.8 - XSS
- WordPress Theme Love Travel 2.0-3.8 - CSRF
- WordPress Theme Love Travel < 2.0 - XSS
- WordPress Theme Love Travel < 2.0 - CSRF
- WordPress Plugin AIT CSV Import / Export <= 3.0.3 Unauthenticated Arbitrary File Upload leads to RCE
Telerik UI for ASP.NET AJAX through 2019.3.1023 RCE CVE-2019-18935
- Atlassian Confluence Server < 6.6.12 (6.7.0-6.12.3, 6.13.0-6.13.3, 6.14.0-6.14.2) RCE CVE-2019-3396
- Atlassian Crowd and Crowd Data Center RCE CVE-2019-11580
- Gitlab 12.9.0 - Authenticated Path Traversal to Arbitrary File Access
- WordPress Plugin CM Download Manager < 2.8.0 - Authenticated XSS - CVE-2020-27344
- WordPress Plugin Greenmart < 2.4.3 - Reflected XSS - CVE-2020-16140
- WordPress Plugin Advanced Booking Calendar < 1.6.2 - Unauthenticated SQLi
- Nagios Log Server < 2.1.7 - Stored XSS
- WordPress Plugin Good LMS 2.1.4 - SQLi
How to Update
All the rules released this month are available for download and can be configured using the ModSecurity Dashboard. The rules are associated with the default profile and enabled for all licensed servers. To verify the rules were successfully downloaded by ModSecurity, log in to the ModSecurity Dashboard and verify the server "Last seen" date, which indicates the last successful download for the specified server.
