CVE-2021-39268

Опубликовано: 18 авг. 2021

Источник: nvd

CVSS3: 6.1

CVSS2: 4.3

EPSS Низкий

Описание

Persistent cross-site scripting (XSS) in the web interface of SuiteCRM before 7.11.19 allows a remote attacker to introduce arbitrary JavaScript via malicious SVG files. This occurs because the clean_file_output protection mechanism can be bypassed.

Ссылки

https://docs.suitecrm.com/admin/releases/7.11.x/#_7_11_19
Release Notes
Vendor Advisory
https://github.com/salesagility/SuiteCRM
Product
Third Party Advisory
https://thanhlocpanda.wordpress.com/2021/07/31/stored-xss-via-svg-on-suitecrm/
Exploit
Third Party Advisory
https://docs.suitecrm.com/admin/releases/7.11.x/#_7_11_19
Release Notes
Vendor Advisory
https://github.com/salesagility/SuiteCRM
Product
Third Party Advisory
https://thanhlocpanda.wordpress.com/2021/07/31/stored-xss-via-svg-on-suitecrm/
Exploit
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:salesagility:suitecrm:*:*:*:*:*:*:*:*

Версия до 7.11.19 (исключая)

EPSS

Процентиль: 61%

0.00411

Низкий

6.1 Medium

CVSS3

4.3 Medium

CVSS2

Дефекты

CWE-79

Связанные уязвимости

GHSA-272r-gvjr-j5qh

github

около 3 лет назад