CVE-2021-25938

Опубликовано: 24 мая 2021

Источник: nvd

CVSS3: 6.1

CVSS2: 4.3

EPSS Низкий

Описание

In ArangoDB, versions v2.2.6.2 through v3.7.10 are vulnerable to Cross-Site Scripting (XSS), since there is no validation of the .zip file name and filtering of potential abusive characters which zip files can be named to. There is no X-Frame-Options Header set, which makes it more susceptible for leveraging self XSS by attackers.

Ссылки

https://github.com/arangodb/arangodb/commit/3e486b9bc33cc97e92645dd279899000e57f61f4
Patch
Third Party Advisory
https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25938
Exploit
Third Party Advisory
https://github.com/arangodb/arangodb/commit/3e486b9bc33cc97e92645dd279899000e57f61f4
Patch
Third Party Advisory
https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25938
Exploit
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:arangodb:arangodb:*:*:*:*:*:*:*:*

Версия от 2.2.6.2 (включая) до 3.7.10 (включая)

EPSS

Процентиль: 47%

0.0024

Низкий

6.1 Medium

CVSS3

4.3 Medium

CVSS2

Дефекты

CWE-79

Связанные уязвимости

CVE-2021-25938

CVSS3: 6.1

debian

больше 4 лет назад

In ArangoDB, versions v2.2.6.2 through v3.7.10 are vulnerable to Cross ...

GHSA-fm33-4p7j-3jhr

github

больше 3 лет назад