{"vulnerability": "cve-2021-4335", "sightings": [{"uuid": "c9a35050-d9a4-4c55-af7d-5d6c9ea79a60", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2021-43355", "type": "seen", "source": "https://t.me/DarkWebInformer_CVEAlerts/12099", "content": "\ud83d\udd17 DarkWebInformer.com - Cyber Threat Intelligence\n\ud83d\udccc CVE ID: CVE-2021-43355\n\ud83d\udd25 CVSS Score: 7.3 (cvssV3_1, Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)\n\ud83d\udd39 Description: Fresenius Kabi Vigilant Software Suite (Mastermed Dashboard) version 2.0.1.3 allows user input to be validated on the client side without authentication by the server. The server should not rely on the correctness of the data because users might not support or block JavaScript or intentionally bypass the client-side checks. An attacker with knowledge of the service user could circumvent the client-side control and login with service privileges.\n\ud83d\udccf Published: 2022-01-21T18:17:44.000Z\n\ud83d\udccf Modified: 2025-04-16T16:46:31.988Z\n\ud83d\udd17 References:\n1. https://www.cisa.gov/uscert/ics/advisories/icsma-21-355-01", "creation_timestamp": "2025-04-16T16:56:12.000000Z"}, {"uuid": "c59feec8-4dbb-4708-b9d1-b2540d69aa5f", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2021-4335", "type": "seen", "source": "https://t.me/cibsecurity/72648", "content": "\u203c CVE-2021-4335 \u203c\n\nThe Fancy Product Designer plugin for WordPress is vulnerable to unauthorized access to data and modification of plugin settings due to a missing capability check on multiple AJAX functions in versions up to, and including, 4.6.9. This makes it possible for authenticated attackers with subscriber-level permissions to modify plugin settings, including retrieving arbitrary order information or creating/updating/deleting products, orders, or other sensitive information not associated with their own account.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2023-10-20T12:35:05.000000Z"}, {"uuid": "c7f83607-29a8-441c-80ea-0cc23e45fdad", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2021-43353", "type": "seen", "source": "https://t.me/cibsecurity/35733", "content": "\u203c CVE-2021-43353 \u203c\n\nThe Crisp Live Chat WordPress plugin is vulnerable to Cross-Site Request Forgery due to missing nonce validation via the crisp_plugin_settings_page function found in the ~/crisp.php file, which made it possible for attackers to inject arbitrary web scripts in versions up to, and including 0.31.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2022-01-18T20:25:10.000000Z"}, {"uuid": "2b141770-6e61-4e06-8cd0-52d562cc579f", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2021-43359", "type": "seen", "source": "https://t.me/cibsecurity/33173", "content": "\u203c CVE-2021-43359 \u203c\n\nSunnet eHRD has broken access control vulnerability, which allows a remote attacker to access account management page after being authenticated as a general user, then perform privilege escalation to execute arbitrary code and control the system or interrupt services.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2021-12-01T07:35:24.000000Z"}, {"uuid": "62a8344e-0222-4733-ab3a-253520648dad", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", 
"vulnerability": "CVE-2021-43358", "type": "seen", "source": "https://t.me/cibsecurity/33161", "content": "\u203c CVE-2021-43358 \u203c\n\nSunnet eHRD has inadequate filtering for special characters in URLs, which allows a remote attacker to perform path traversal attacks without authentication, access restricted paths and download system files.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2021-12-01T07:35:09.000000Z"}, {"uuid": "a95744f0-d6ac-434e-b174-1ccbcc479eaf", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2021-43350", "type": "seen", "source": "https://t.me/cibsecurity/32242", "content": "\u203c CVE-2021-43350 \u203c\n\nAn unauthenticated Apache Traffic Control Traffic Ops user can send a request with a specially-crafted username to the POST /login endpoint of any API version to inject unsanitized content into the LDAP filter.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2021-11-11T16:37:39.000000Z"}]}