exploitDog

CVE-2021-31930

Опубликовано: 19 мая 2021

Источник: nvd

CVSS3: 6.1

CVSS2: 4.3

EPSS Низкий

Описание

Persistent cross-site scripting (XSS) in the web interface of Concerto through 2.3.6 allows an unauthenticated remote attacker to introduce arbitrary JavaScript by injecting an XSS payload into the First Name or Last Name parameter upon registration. When a privileged user attempts to delete the account, the XSS payload will be executed.

Ссылки

https://github.com/concerto/concerto/pull/1558
Third Party Advisory
https://github.com/concerto/concerto/security/advisories
Third Party Advisory
https://github.com/concerto/concerto/pull/1558
Third Party Advisory
https://github.com/concerto/concerto/security/advisories
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:concerto-signage:concerto:*:*:*:*:*:*:*:*

Версия до 2.3.6 (включая)

EPSS

Процентиль: 77%

0.01056

Низкий

6.1 Medium

CVSS3

4.3 Medium

CVSS2

Дефекты

CWE-79

Связанные уязвимости

GHSA-6x7c-5jc6-7qc6

github

больше 3 лет назад

Persistent cross-site scripting (XSS) in the web interface of Concerto through 2.3.6 allows an unauthenticated remote attacker to introduce arbitrary JavaScript by injecting an XSS payload into the First Name or Last Name parameter upon registration. When a privileged user attempts to delete the account, the XSS payload will be executed.

EPSS

Процентиль: 77%

0.01056

Низкий

6.1 Medium

CVSS3

4.3 Medium

CVSS2

Дефекты

CWE-79