{"vulnerability": "CVE-2021-2297", "sightings": [{"uuid": "c677b8c7-e08e-4f97-8896-760bd2401a7c", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-22978", "type": "seen", "source": "https://t.me/cibsecurity/23569", "content": "\u203c CVE-2021-22978 \u203c\n\nOn BIG-IP version 16.0.x before 16.0.1, 15.1.x before 15.1.1, 14.1.x before 14.1.3.1, 13.1.x before 13.1.3.5, and all 12.1.x and 11.6.x versions, undisclosed endpoints in iControl REST allow for a reflected XSS attack, which could lead to a complete compromise of BIG-IP if the victim user is granted the admin role. Note: Software versions which have reached End of Software Development (EoSD) are not evaluated.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2021-02-12T22:43:53.000000Z"}, {"uuid": "7db3d829-6826-4aa7-95fa-c137ba67a30c", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-22975", "type": "seen", "source": "https://t.me/cibsecurity/23549", "content": "\u203c CVE-2021-22975 \u203c\n\nOn BIG-IP version 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, and 14.1.x before 14.1.3.1, under some circumstances, Traffic Management Microkernel (TMM) may restart on the BIG-IP system while passing large bursts of traffic. Note: Software versions which have reached End of Software Development (EoSD) are not evaluated.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2021-02-12T20:43:47.000000Z"}, {"uuid": "223add58-b0f6-4b1a-b759-bd7efbd2b89b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-22974", "type": "seen", "source": "https://t.me/cibsecurity/23548", "content": "\u203c CVE-2021-22974 \u203c\n\nOn BIG-IP version 16.0.x before 16.0.1.1, 15.1.x before 15.1.2, 14.1.x before 14.1.3.1, and 13.1.x before 13.1.3.6 and all versions of BIG-IQ 7.x and 6.x, an authenticated attacker with access to iControl REST over the control plane may be able to take advantage of a race condition to execute commands with an elevated privilege level. This vulnerability is due to an incomplete fix for CVE-2017-6167. Note: Software versions which have reached End of Software Development (EoSD) are not evaluated.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2021-02-12T20:43:46.000000Z"}, {"uuid": "ec8d137f-e4b5-4322-8ba0-0bc500c97f04", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-22976", "type": "seen", "source": "https://t.me/cibsecurity/23545", "content": "\u203c CVE-2021-22976 \u203c\n\nOn BIG-IP Advanced WAF and ASM version 16.0.x before 16.0.1.1, 15.1.x before 15.1.2, 14.1.x before 14.1.3.1, 13.1.x before 13.1.3.6, and all 12.1.x versions, when the BIG-IP ASM system processes WebSocket requests with JSON payloads, an unusually large number of parameters can cause excessive CPU usage in the BIG-IP ASM bd process. Note: Software versions which have reached End of Software Development (EoSD) are not evaluated.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2021-02-12T20:43:42.000000Z"}, {"uuid": "aa40cf3b-d781-4ab1-a65e-14252a20e0c5", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-22979", "type": "seen", "source": "https://t.me/cibsecurity/23544", "content": "\u203c CVE-2021-22979 \u203c\n\nOn BIG-IP version 16.0.x before 16.0.1, 15.1.x before 15.1.1, 14.1.x before 14.1.2.8, 13.1.x before 13.1.3.5, and all 12.1.x versions, a reflected Cross-Site Scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility when Fraud Protection Service is provisioned and allows an attacker to execute JavaScript in the context of the current logged-in user. Note: Software versions which have reached End of Software Development (EoSD) are not evaluated.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2021-02-12T20:43:41.000000Z"}, {"uuid": "c20e959c-c7b1-4c30-b04e-83bf469ecf70", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-22970", "type": "published-proof-of-concept", "source": "https://t.me/cibsecurity/32744", "content": "\u203c CVE-2021-22970 \u203c\n\nConcrete CMS (formerly concrete5) versions 8.5.6 and below and version 9.0.0 allow local IP importing causing the system to be vulnerable toa. SSRF attacks on the private LAN servers by reading files from the local LAN. An attacker can pivot in the private LAN and exploit local network appsandb. SSRF Mitigation Bypass through DNS RebindingConcrete CMS security team gave this a CVSS score of 3.5 AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:NConcrete CMS is maintaining Concrete version 8.5.x until 1 May 2022 for security fixes.This CVE is shared with HackerOne Reports https://hackerone.com/reports/1364797 and https://hackerone.com/reports/1360016Reporters: Adrian Tiron from FORTBRIDGE (https://www.fortbridge.co.uk/ ) and Bipul Jaiswal\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2021-11-19T22:17:19.000000Z"}, {"uuid": "bd972c14-0b25-41fa-bc75-d92f84220dd1", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-22977", "type": "seen", "source": "https://t.me/cibsecurity/23564", "content": "\u203c CVE-2021-22977 \u203c\n\nOn BIG-IP version 16.0.0-16.0.1 and 14.1.2.4-14.1.3, cooperation between malicious HTTP client code and a malicious server may cause TMM to restart and generate a core file. Note: Software versions which have reached End of Software Development (EoSD) are not evaluated.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2021-02-12T22:43:45.000000Z"}, {"uuid": "1b604651-8a00-421b-ad98-6c37e3c9fba9", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-22973", "type": "seen", "source": "https://t.me/cibsecurity/23559", "content": "\u203c CVE-2021-22973 \u203c\n\nOn BIG-IP version 16.0.x before 16.0.1.1, 15.1.x before 15.1.2, 14.1.x before 14.1.3.1, 13.1.x before 13.1.3.5, and all 12.1.x versions, JSON parser function does not protect against out-of-bounds memory accesses or writes. Note: Software versions which have reached End of Software Development (EoSD) are not evaluated.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2021-02-12T20:43:59.000000Z"}]}