
exploitDog


CVE-2021-21283

Published: 26 Jan 2021
Source: nvd
CVSS3: 5.4
CVSS2: 3.5
EPSS: Low

Description

Flarum is an open source discussion platform for websites. The "Flarum Sticky" extension versions 0.1.0-beta.14 and 0.1.0-beta.15 have a cross-site scripting vulnerability. A change in release beta 14 of the Sticky extension caused the plain text content of the first post of a pinned discussion to be injected as HTML on the discussion list. The issue was discovered following an internal audit. Any HTML would be injected through the m.trust() helper. This resulted in an HTML injection where

Vulnerable configurations

Configuration 1

One of

cpe:2.3:a:flarum:sticky:0.1.0:beta14:*:*:*:*:*:*
cpe:2.3:a:flarum:sticky:0.1.0:beta15:*:*:*:*:*:*

EPSS

Percentile: 57%
0.00347
Low

5.4 Medium

CVSS3

3.5 Low

CVSS2

Weaknesses

CWE-79

Related vulnerabilities

github
about 5 years ago

XSS in Flarum Sticky extension
