{"vulnerability": "CVE-2021-3739", "sightings": [{"uuid": "016209b5-5010-4764-acc1-d1a976718019", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-37390", "type": "seen", "source": "https://t.me/cibsecurity/27095", "content": "\u203c CVE-2021-37390 \u203c\n\nA Chamilo LMS 1.11.14 reflected XSS vulnerability exists in main/social/search.php=q URI (social network search feature).\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2021-08-11T00:37:33.000000Z"}, {"uuid": "cd4f626a-2c52-4dc8-a748-745303417abe", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-37391", "type": "seen", "source": "https://t.me/cibsecurity/27090", "content": "\u203c CVE-2021-37391 \u203c\n\nA user without privileges in Chamilo LMS 1.11.14 can send an invitation message to another user, e.g., the administrator, through main/social/search.php, main/inc/lib/social.lib.php and steal cookies or execute arbitrary code on the administration side via a stored XSS vulnerability via social network the send invitation feature.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2021-08-11T00:37:27.000000Z"}, {"uuid": "38bf309d-8716-451d-a998-f77699b3420a", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-37393", "type": "seen", "source": "https://t.me/cibsecurity/26510", "content": "\u203c CVE-2021-37393 \u203c\n\nIn RPCMS v1.8 and below, the \"nickname\" variable is not properly sanitized before being displayed on page. Attacker can use \"update password\" function to inject XSS payloads into nickname variable, and achieve stored XSS. Users who view the articles published by the injected user will trigger the XSS.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2021-07-26T22:11:39.000000Z"}, {"uuid": "ba8a75d6-2f7a-418d-9510-c1bff22394df", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-37392", "type": "seen", "source": "https://t.me/cibsecurity/26508", "content": "\u203c CVE-2021-37392 \u203c\n\nIn RPCMS v1.8 and below, the \"nickname\" variable is not properly sanitized before being displayed on page. When the API functions are enabled, the attacker can use API to update user nickname with XSS payload and achieve stored XSS. Users who view the articles published by the injected user will trigger the XSS.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2021-07-26T22:11:37.000000Z"}, {"uuid": "a135de2d-d5c0-45bc-9bd5-39833eec6da7", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-37394", "type": "seen", "source": "https://t.me/cibsecurity/26507", "content": "\u203c CVE-2021-37394 \u203c\n\nIn RPCMS v1.8 and below, attackers can interact with API and change variable \"role\" to \"admin\" to achieve admin user registration.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2021-07-26T22:11:36.000000Z"}]}