{"vulnerability": "CVE-2022-2211", "sightings": [{"uuid": "65b433b4-f309-4a77-8a19-bb9784c4383d", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-22115", "type": "seen", "source": "https://t.me/cibsecurity/35182", "content": "\u203c CVE-2022-22115 \u203c\n\nIn Teedy, versions v1.5 through v1.9 are vulnerable to Stored Cross-Site Scripting (XSS) in the name of a created Tag. Since the Tag name is not being sanitized properly in the edit tag page, a low privileged attacker can store malicious scripts in the name of the Tag. In the worst case, the victim who inadvertently triggers the attack is a highly privileged administrator. The injected scripts can extract the Session ID, which can lead to full Account Takeover of the administrator, and privileges escalation.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2022-01-10T18:14:51.000000Z"}, {"uuid": "2a9f1a13-5417-4eed-8d27-0ded3de14f33", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-22116", "type": "seen", "source": "https://t.me/cibsecurity/35177", "content": "\u203c CVE-2022-22116 \u203c\n\nIn Directus, versions 9.0.0-alpha.4 through 9.4.1 are vulnerable to stored Cross-Site Scripting (XSS) vulnerability via SVG file upload in media upload functionality. A low privileged attacker can inject arbitrary javascript code which will be executed in a victim\u2019s browser when they open the image URL.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2022-01-10T18:14:44.000000Z"}, {"uuid": "1736c780-1dac-4f0e-819b-2e563eec178c", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-22114", "type": "seen", "source": "https://t.me/cibsecurity/35192", "content": "\u203c CVE-2022-22114 \u203c\n\nIn Teedy, versions v1.5 through v1.9 are vulnerable to Reflected Cross-Site Scripting (XSS). The \u201csearch term\u201d search functionality is not sufficiently sanitized while displaying the results of the search, which can be leveraged to inject arbitrary scripts. These scripts are executed in a victim\u2019s browser when they enter the crafted URL. In the worst case, the victim who inadvertently triggers the attack is a highly privileged administrator. The injected scripts can extract the Session ID, which can lead to full Account Takeover of the administrator, by an unauthenticated attacker.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2022-01-10T18:15:11.000000Z"}, {"uuid": "b9a3f93c-9aa0-4123-9aea-23e53e925b6f", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-22111", "type": "seen", "source": "https://t.me/cibsecurity/34986", "content": "\u203c CVE-2022-22111 \u203c\n\nIn DayByDay CRM, version 2.2.0 is vulnerable to missing authorization. Any application user in the application who has update user permission enabled is able to change the password of other users, including the administrator\u2019s. This allows the attacker to gain access to the highest privileged user in the application.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2022-01-05T18:40:18.000000Z"}, {"uuid": "974f118c-fbe4-4bd8-9d80-156501eec49b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-22110", "type": "seen", "source": "https://t.me/cibsecurity/34984", "content": "\u203c CVE-2022-22110 \u203c\n\nIn Daybyday CRM, versions 1.1 through 2.2.0 enforce weak password requirements in the user update functionality. A user with privileges to update his password could change it to a weak password, such as those with a length of a single character. This may allow an attacker to brute-force users\u2019 passwords with minimal to no computational effort.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2022-01-05T18:40:13.000000Z"}]}