Overview for rules released by Trustwave SpiderLabs in July for ModSecurity Commercial Rules package. The rules are available for versions 2.9.x and 3.x of ModSecurity.
ModSecurity Commercial Rules detect attacks or classes of attacks on web applications and their components as well as provide virtual patches for public vulnerabilities.
Release Summary
WordPress Plugin Adning Advertising < 1.5.6 Arbitrary File Delete via Directory Traversal
WordPress Plugin Adning Advertising < 1.5.6 Arbitrary File Upload to RCE
WordPress Theme Careerfy < 4.1.0 - Unauthenticated XSS
Joomla! J2 Jobs 1.3.0 Authenticated SQLi
WordPress Plugin ACF to REST API < 3.3.0 Unauthenticated Arbitrary wp_options Disclosure CVE-2020-13700
WordPress Theme Nexos-Real Estate < 1.8 - Unauthenticated XSS CVE-2020-15364
WordPress Theme Nexos-Real Estate < 1.8 - Unauthenticated SQLi CVE-2020-15363
WordPress Plugin TC Custom JavaScript < 1.2.2 Unauthenticated Stored XSS CVE-2020-14063
WordPress Theme Workup < 2.1.6 Unauthenticated Reflected XSS
WordPress Plugin SRS Simple Hits Counter <= 1.0.4 Unauthenticated Blind SQLi CVE-2020-5766
SAP LM Configuration Wizard Authentication Bypass CVE-2020-6287
SAP LM Configuration Wizard Directory Traversal CVE-2020-6286
WordPress Plugin Coming Soon Page < 5.1.2 Authenticated Stored XSS CVE-2020-15038
Nagios XI 5.6.12 - export-rrd.php start,end arguments RCE
Nagios XI 5.6.12 - export-rrd.php step argument RCE
How to Update
All the rules released this month are available for download and can be configured using the ModSecurity Dashboard. The rules are associated with the default profile and enabled for all licensed servers. To verify the rules were successfully downloaded by ModSecurity, log in to the ModSecurity Dashboard and verify the server "Last seen" date, which indicates the last successful download for the specified server.
