{"vulnerability": "CVE-2021-3281", "sightings": [{"uuid": "575e2185-23a7-43b5-8f4b-737f33619330", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-32814", "type": "seen", "source": "https://t.me/cibsecurity/26755", "content": "\u203c CVE-2021-32814 \u203c\n\nSkytable is a NoSQL database with automated snapshots and TLS. Versions prior to 0.5.1 are vulnerable to a directory traversal attack enabling remotely connected clients to destroy and/or manipulate critical files on the host's file system. This security bug has been patched in version 0.5.1. There are no known workarounds aside from upgrading.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2021-08-03T20:28:43.000000Z"}, {"uuid": "dc91e1b1-a6ce-4013-be71-f6818a7aa63f", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-32810", "type": "seen", "source": "https://t.me/cibsecurity/26690", "content": "\u203c CVE-2021-32810 \u203c\n\ncrossbeam-deque is a package of work-stealing deques for building task schedulers when programming in Rust. In versions prior to 0.7.4 and 0.8.0, the result of the race condition is that one or more tasks in the worker queue can be popped twice instead of other tasks that are forgotten and never popped. If tasks are allocated on the heap, this can cause double free and a memory leak. If not, this still can cause a logical bug. Crates using `Stealer::steal`, `Stealer::steal_batch`, or `Stealer::steal_batch_and_pop` are affected by this issue. This has been fixed in crossbeam-deque 0.8.1 and 0.7.4.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2021-08-02T22:27:39.000000Z"}, {"uuid": "6fc748b2-b0b4-488e-9b49-cea8ba136318", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-32811", "type": "seen", "source": "https://t.me/cibsecurity/26719", "content": "\u203c CVE-2021-32811 \u203c\n\nZope is an open-source web application server. Zope versions prior to versions 4.6.3 and 5.3 have a remote code execution security issue. In order to be affected, one must use Python 3 for one's Zope deployment, run Zope 4 below version 4.6.3 or Zope 5 below version 5.3, and have the optional `Products.PythonScripts` add-on package installed. By default, one must have the admin-level Zope \"Manager\" role to add or edit Script (Python) objects through the web. Only sites that allow untrusted users to add/edit these scripts through the web are at risk. Zope releases 4.6.3 and 5.3 are not vulnerable. As a workaround, a site administrator can restrict adding/editing Script (Python) objects through the web using the standard Zope user/role permission mechanisms. Untrusted users should not be assigned the Zope Manager role and adding/editing these scripts through the web should be restricted to trusted users only. This is the default configuration in Zope.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2021-08-03T02:27:50.000000Z"}, {"uuid": "08557a8c-ad59-44c3-8a8f-e8ddbbbf1197", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-32812", "type": "seen", "source": "https://t.me/cibsecurity/26718", "content": "\u203c CVE-2021-32812 \u203c\n\nMonkshu is an enterprise application server for mobile apps (iOS and Android), responsive HTML 5 apps, and JSON API services. In version 2.90 and earlier, there is a reflected cross-site scripting vulnerability in the frontend HTTP server. The attacker can send in a carefully crafted URL along with a known bug in the server which will cause a 500 error, and the response will then embed the URL provided by the hacker. The impact is moderate as the hacker must also be able to craft an HTTP request which should cause a 500 server error. No such requests are known at this point. The issue is patched in version 2.95. As a workaround, one may use a disk caching plugin.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2021-08-03T02:27:49.000000Z"}, {"uuid": "8418877a-64a4-4a3b-a881-c368eb69832a", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-3281", "type": "published-proof-of-concept", "source": "https://t.me/CyberSecurityTechnologies/3785", "content": "#exploit\nCVE-2021-3281:\nThere is a Directory Traversal vulnerability in django.utils.archive.py, lineno:171, in Class TarArchive\nhttps://github.com/lwzSoviet/CVE-2021-3281\n\nCVE-2020-7378:\nPassword Reset Vulnerability in OpenCRX (Unauthenticated Account Take Over)\nhttps://github.com/ruthvikvegunta/openCRX-CVE-2020-7378", "creation_timestamp": "2021-07-07T11:47:01.000000Z"}]}