{"vulnerability": "CVE-2021-2334", "sightings": [{"uuid": "fbe16700-d7e9-4025-8024-00075cf7faeb", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-23342", "type": "seen", "source": "https://t.me/cibsecurity/23878", "content": "\u203c CVE-2021-23342 \u203c\n\nThis affects the package docsify before 4.12.0. It is possible to bypass the remediation done by CVE-2020-7680 and execute malicious JavaScript through the following methods 1) When parsing HTML from remote URLs, the HTML code on the main page is sanitized, but this sanitization is not taking place in the sidebar. 2) The isURL external check can be bypassed by inserting more \u201c////\u201d characters\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2021-02-19T20:51:32.000000Z"}, {"uuid": "f4797c0d-5d50-4bbb-a36e-6f2608ad5a43", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-23345", "type": "seen", "source": "https://t.me/cibsecurity/24237", "content": "\u203c CVE-2021-23345 \u203c\n\nAll versions of package github.com/thecodingmachine/gotenberg are vulnerable to Server-side Request Forgery (SSRF) via the /convert/html endpoint when the src attribute of an HTML element refers to an internal system file, such as .\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2021-02-26T20:39:21.000000Z"}, {"uuid": "39a751e5-4158-4681-8805-26b7afbdd221", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-23340", "type": "seen", "source": "https://t.me/cibsecurity/23812", "content": "\u203c CVE-2021-23340 \u203c\n\nThis affects the package pimcore/pimcore before 6.8.8. A Local File Inclusion vulnerability exists in the downloadCsvAction function of the CustomReportController class (bundles/AdminBundle/Controller/Reports/CustomReportController.php). An authenticated user can reach this function with a GET request at the following endpoint: /admin/reports/custom-report/download-csv?exportFile=[filename]. Since exportFile variable is not sanitized, an attacker can exploit a local file inclusion vulnerability.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2021-02-18T18:50:23.000000Z"}, {"uuid": "986f49e8-c34f-498b-b852-9a83c787482d", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-23341", "type": "seen", "source": "https://t.me/cibsecurity/23804", "content": "\u203c CVE-2021-23341 \u203c\n\nThe package prismjs before 1.23.0 is vulnerable to Regular Expression Denial of Service (ReDoS) via the prism-asciidoc, prism-rest, prism-tap and prism-eiffel components.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2021-02-18T18:50:15.000000Z"}]}