{"vulnerability": "cve-2021-3988", "sightings": [{"uuid": "d98f8e30-c1e8-4bbb-80db-dfdda4b606e5", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-3988", "type": "seen", "source": "https://infosec.exchange/users/cve/statuses/113486656781563435", "content": "", "creation_timestamp": "2024-11-15T11:09:17.928508Z"}, {"uuid": "e74cd34a-83c8-43bd-9ce2-d62b9d1e068e", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-39885", "type": "seen", "source": "https://t.me/arpsyndicate/599", "content": "#ExploitObserverAlert\n\nCVE-2021-39885\n\nDESCRIPTION: Exploit Observer has 4 entries related to CVE-2021-39885. A Stored XSS in merge request creation page in all versions of Gitlab EE starting from 13.7 before 14.1.7, all versions starting from 14.2 before 14.2.5, and all versions starting from 14.3 before 14.3.1 allows an attacker to execute arbitrary JavaScript code on the victim's behalf via malicious approval rule names\n\nFIRST-EPSS: 0.000670000\nNVD-IS: 2.7\nNVD-ES: 2.3", "creation_timestamp": "2023-11-27T22:17:09.000000Z"}, {"uuid": "3d0794dd-7904-478d-930f-896f542262ad", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-3988", "type": "seen", "source": "https://t.me/cvedetector/11071", "content": "{\n \"Source\": \"CVE FEED\",\n \"Title\": \"CVE-2021-3988 - Calibre-Web JavaScript Code Injection XSS\", \n \"Content\": \"CVE ID : CVE-2021-3988 \nPublished : Nov. 15, 2024, 11:15 a.m. | 36\u00a0minutes ago \nDescription : A Cross-site Scripting (XSS) vulnerability exists in janeczku/calibre-web, specifically in the file `edit_books.js`. The vulnerability occurs when editing book properties, such as uploading a cover or a format. The affected code directly inserts user input into the DOM without proper sanitization, allowing attackers to execute arbitrary JavaScript code. This can lead to various attacks, including stealing cookies. The issue is present in the code handling the `#btn-upload-cover` change event. \nSeverity: 5.7 | MEDIUM \nVisit the link for more details, such as CVSS details, affected products, timeline, and more...\",\n \"Detection Date\": \"15 Nov 2024\",\n \"Type\": \"Vulnerability\"\n}\n\ud83d\udd39 t.me/cvedetector \ud83d\udd39", "creation_timestamp": "2024-11-15T13:15:50.000000Z"}, {"uuid": "c47af6af-6d8a-4307-b70a-ad5c306f3d0c", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-39882", "type": "seen", "source": "https://t.me/cibsecurity/29964", "content": "\u203c CVE-2021-39882 \u203c\n\nIn all versions of GitLab CE/EE, provided a user ID, anonymous users can use a few endpoints to retrieve information about any GitLab user.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2021-10-05T16:30:34.000000Z"}, {"uuid": "35d875e6-010f-4022-8576-b686fe56c518", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-39888", "type": "seen", "source": "https://t.me/cibsecurity/29961", "content": "\u203c CVE-2021-39888 \u203c\n\nIn all versions of GitLab EE since version 13.10, a specific API endpoint may reveal details about a private group and other sensitive info inside issue and merge request templates.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2021-10-05T16:30:31.000000Z"}, {"uuid": "dfeca722-180e-4ff7-8325-ee0fb0c8789b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-39887", "type": "seen", "source": "https://t.me/cibsecurity/29963", "content": "\u203c CVE-2021-39887 \u203c\n\nA stored Cross-Site Scripting vulnerability in the GitLab Flavored Markdown in GitLab CE/EE version 8.4 and above allowed an attacker to execute arbitrary JavaScript code on the victim's behalf.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2021-10-05T16:30:33.000000Z"}, {"uuid": "d44d8d54-8285-40bc-b12f-3f06595a5b53", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-39886", "type": "seen", "source": "https://t.me/cibsecurity/29989", "content": "\u203c CVE-2021-39886 \u203c\n\nPermissions rules were not applied while issues were moved between projects of the same group in GitLab versions starting with 10.6 and up to 14.1.7 allowing users to read confidential Epic references.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2021-10-05T18:30:37.000000Z"}, {"uuid": "8a8b233c-4f3d-4f48-bc3d-c3244b0e1aaa", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-39880", "type": "seen", "source": "https://t.me/cibsecurity/29988", "content": "\u203c CVE-2021-39880 \u203c\n\nA Denial Of Service vulnerability in the apollo_upload_server Ruby gem in GitLab CE/EE version 11.11 and above allows an attacker to deny access to all users via specially crafted requests to the apollo_upload_server middleware.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2021-10-05T18:30:36.000000Z"}, {"uuid": "f8220bca-fbd0-41f8-baa1-d581aa0f0548", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-39881", "type": "seen", "source": "https://t.me/cibsecurity/29987", "content": "\u203c CVE-2021-39881 \u203c\n\nIn all versions of GitLab CE/EE since version 7.7, the application may let a malicious user create an OAuth client application with arbitrary scope names which may allow the malicious user to trick unsuspecting users to authorize the malicious client application using the spoofed scope name and description.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2021-10-05T18:30:35.000000Z"}, {"uuid": "0ed18e92-5fde-4c88-bd85-395748c4893e", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-39889", "type": "seen", "source": "https://t.me/cibsecurity/29986", "content": "\u203c CVE-2021-39889 \u203c\n\nIn all versions of GitLab EE since version 14.1, due to an insecure direct object reference vulnerability, an endpoint may reveal the protected branch name to a malicious user who makes a crafted API call with the ID of the protected branch.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2021-10-05T18:30:34.000000Z"}, {"uuid": "a2a064a1-7907-4188-9bca-b4d3dc14a602", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-39884", "type": "seen", "source": "https://t.me/cibsecurity/29970", "content": "\u203c CVE-2021-39884 \u203c\n\nIn all versions of GitLab EE since version 8.13, an endpoint discloses names of private groups that have access to a project to low privileged users that are part of that project.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2021-10-05T16:30:41.000000Z"}, {"uuid": "433b0852-ec8e-472b-8afe-db27e098d445", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-39883", "type": "seen", "source": "https://t.me/cibsecurity/29901", "content": "\u203c CVE-2021-39883 \u203c\n\nImproper authorization checks in GitLab EE > 13.11 allows subgroup members to see epics from all parent subgroups.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2021-10-04T20:23:48.000000Z"}]}