.github | disable py3.12 tests until pycodestyle is compatible | 2023-05-26 16:53:53 |
---|---|---|
freewvsdb | update for wordpress-acf | 2023-09-11 09:58:03 |
tests | avoid bad data in the safe variable, multiple versions need to go into old_safe | 2023-03-11 07:33:42 |
.gitignore | avoid committing pycache and python objects | 2019-12-12 18:28:04 |
CONTRIBUTIONS.md | put security in separate file to make github security policy happy | 2020-06-19 20:08:45 |
COPYING | remove copyright year | 2023-02-28 10:46:56 |
ISSUES | initial commit | 2007-11-01 16:35:50 |
README.md | make link clickable | 2022-08-20 10:17:43 |
SECURITY.md | put security in separate file to make github security policy happy | 2020-06-19 20:08:45 |
freewvs | change license to 0BSD due to controversy around CC0, all contributors agreed | 2022-08-17 20:07:02 |
setup.py | change license to 0BSD due to controversy around CC0, all contributors agreed | 2022-08-17 20:07:02 |
update-freewvsdb | Use explicit filter for tarfile extraction if available | 2023-05-26 09:37:08 |
A local web vulnerability scanner.
freewvs is a tool to search webroots for know vulnerable versions of web applications.
Install
You can install freewvs via pip:
pip install freewvs
Alternatively you can run freewvs directly from the git source.
If you install via pip you need to update the freewvs database first:
update-freewvsdb
Just run freewvs with a path, e.g.:
freewvs /var/www
The output will be something like this:
Joomla 3.9.11 (3.9.14) CVE-2019-19846 /var/www/example.org
nextcloud 14.0.1 (14.0.5) CVE-2019-5449 /var/www/cloud.example.org
MediaWiki 1.31.1 (1.31.6) CVE-2019-19709 /var/www/wiki.example.org
It scans your webroot for known vulnerable versions of popular web applications.
Output looks like this:
Joomla-3 3.9.11 (3.9.13) CVE-2019-18674 /home/joe/websites/joessite/
This says that in /home/joe/websites/joessite/, there's a Joomla installation of version 3.9.11. This version is vulnerable to CVE-2019-18674 and you should update to version 3.9.13.
No, as freewvs only checks for the latest vulnerabilities. There may be other vulnerabilities in your version not listed by freewvs. The only way to be sure is to check the upstream changelog.
It means your web application has not released a security update. Often this means the software is no longer developed.
See CONTRIBUTIONS.md.
freewvs was developed by schokokeks.org hosting.
It's licensed under the 0BSD license.