{
  "vulnerability": "cve-2021-4015",
  "sightings": [
    {
      "uuid": "ebc8c05f-855c-4204-9b37-58dc75f60123",
      "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd",
      "author": "2a075640-a300-48a4-bb44-bc6130783b9b",
      "vulnerability": "CVE-2021-40153",
      "type": "seen",
      "source": "https://t.me/cibsecurity/28767",
      "content": "\u203c CVE-2021-41072 \u203c\n\nsquashfs_opendir in unsquash-2.c in Squashfs-Tools 4.5 allows Directory Traversal, a different vulnerability than CVE-2021-40153. A squashfs filesystem that has been crafted to include a symbolic link and then contents under the same filename in a filesystem can cause unsquashfs to first create the symbolic link pointing outside the expected directory, and then the subsequent write operation will cause the unsquashfs process to write through the symbolic link elsewhere in the filesystem.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".",
      "creation_timestamp": "2021-09-14T07:15:25.000000Z"
    },
    {
      "uuid": "5fe08086-bc09-4c4e-8df8-b40938dedacc",
      "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd",
      "author": "2a075640-a300-48a4-bb44-bc6130783b9b",
      "vulnerability": "CVE-2021-40153",
      "type": "seen",
      "source": "https://t.me/arpsyndicate/2849",
      "content": "#ExploitObserverAlert\n\nCVE-2021-41072\n\nDESCRIPTION: Exploit Observer has 5 entries in 2 file formats related to CVE-2021-41072. squashfs_opendir in unsquash-2.c in Squashfs-Tools 4.5 allows Directory Traversal, a different vulnerability than CVE-2021-40153. A squashfs filesystem that has been crafted to include a symbolic link and then contents under the same filename in a filesystem can cause unsquashfs to first create the symbolic link pointing outside the expected directory, and then the subsequent write operation will cause the unsquashfs process to write through the symbolic link elsewhere in the filesystem.\n\nFIRST-EPSS: 0.002930000\nNVD-IS: 5.2\nNVD-ES: 2.8",
      "creation_timestamp": "2024-01-16T12:24:04.000000Z"
    },
    {
      "uuid": "9124c7de-e4cd-4cfa-b6c4-388ba6928c09",
      "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd",
      "author": "2a075640-a300-48a4-bb44-bc6130783b9b",
      "vulnerability": "CVE-2021-40154",
      "type": "seen",
      "source": "https://t.me/cibsecurity/33206",
      "content": "\u203c CVE-2021-40154 \u203c\n\nNXP LPC55S69 devices before A3 have a buffer over-read via a crafted wlength value in a GET Descriptor Configuration request during use of USB In-System Programming (ISP) mode. This discloses protected flash memory.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".",
      "creation_timestamp": "2021-12-01T18:40:03.000000Z"
    },
    {
      "uuid": "ca3b8648-a61f-48fd-a36a-8455a99d57e1",
      "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd",
      "author": "2a075640-a300-48a4-bb44-bc6130783b9b",
      "vulnerability": "CVE-2021-40157",
      "type": "seen",
      "source": "https://t.me/cibsecurity/28904",
      "content": "\u203c CVE-2021-40157 \u203c\n\nA user may be tricked into opening a malicious FBX file which may exploit an Untrusted Pointer Dereference vulnerability in FBX\u2019s Review version 1.5.0 and prior causing it to run arbitrary code on the system.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".",
      "creation_timestamp": "2021-09-15T18:22:27.000000Z"
    },
    {
      "uuid": "2d405e2c-070d-4e27-b537-d5e0e68a1a4e",
      "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd",
      "author": "2a075640-a300-48a4-bb44-bc6130783b9b",
      "vulnerability": "CVE-2021-40155",
      "type": "seen",
      "source": "https://t.me/cibsecurity/28928",
      "content": "\u203c CVE-2021-40155 \u203c\n\nA maliciously crafted DWG file in Autodesk Navisworks 2019, 2020, 2021, 2022 can be forced to read beyond allocated boundaries when parsing the DWG files. This vulnerability can be exploited to execute arbitrary code.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".",
      "creation_timestamp": "2021-09-15T20:22:17.000000Z"
    },
    {
      "uuid": "2a1117b9-531c-4378-ac37-c019a01a0c9f",
      "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd",
      "author": "2a075640-a300-48a4-bb44-bc6130783b9b",
      "vulnerability": "CVE-2021-40153",
      "type": "seen",
      "source": "https://t.me/cibsecurity/27947",
      "content": "\u203c CVE-2021-40153 \u203c\n\nsquashfs_opendir in unsquash-1.c in Squashfs-Tools 4.5 stores the filename in the directory entry; this is then used by unsquashfs to create the new file during the unsquash. The filename is not validated for traversal outside of the destination directory, and thus allows writing to locations outside of the destination.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".",
      "creation_timestamp": "2021-08-27T18:28:06.000000Z"
    },
    {
      "uuid": "8c6086c8-9576-4cc6-9ba9-8df9ba63edf3",
      "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd",
      "author": "2a075640-a300-48a4-bb44-bc6130783b9b",
      "vulnerability": "CVE-2021-40150",
      "type": "seen",
      "source": "https://t.me/cibsecurity/46417",
      "content": "\u203c CVE-2021-40150 \u203c\n\nThe web server of the E1 Zoom camera through 3.0.0.716 discloses its configuration via the /conf/ directory that is mapped to a publicly accessible path. In this way an attacker can download the entire NGINX/FastCGI configurations by querying the /conf/nginx.conf or /conf/fastcgi.conf URI.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".",
      "creation_timestamp": "2022-07-18T02:33:33.000000Z"
    },
    {
      "uuid": "b85a2aed-b59a-4372-b119-f655faa2c145",
      "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd",
      "author": "2a075640-a300-48a4-bb44-bc6130783b9b",
      "vulnerability": "CVE-2021-4015",
      "type": "seen",
      "source": "https://t.me/cibsecurity/33186",
      "content": "\u203c CVE-2021-4015 \u203c\n\nfirefly-iii is vulnerable to Cross-Site Request Forgery (CSRF)\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".",
      "creation_timestamp": "2021-12-01T14:35:46.000000Z"
    },
    {
      "uuid": "6e5ef5eb-0ff7-4bc7-8cd1-b4e862089f7c",
      "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd",
      "author": "2a075640-a300-48a4-bb44-bc6130783b9b",
      "vulnerability": "CVE-2021-40156",
      "type": "seen",
      "source": "https://t.me/cibsecurity/28924",
      "content": "\u203c CVE-2021-40156 \u203c\n\nA maliciously crafted DWG file in Autodesk Navisworks 2019, 2020, 2021, 2022 can be forced to write beyond allocated boundaries when parsing the DWG files. This vulnerability can be exploited to execute arbitrary code.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".",
      "creation_timestamp": "2021-09-15T20:22:12.000000Z"
    }
  ]
}