CVE-2021-42118

Опубликовано: 30 нояб. 2021

Источник: nvd

CVSS3: 8.1

CVSS3: 5.4

CVSS2: 3.5

EPSS Низкий

Описание

Persistent Cross Site Scripting in Web Applications operating on Business-DNA Solutions GmbH’s TopEase® Platform Version <= 7.1.27 via the Structure Component allows an authenticated remote attacker with Object Modification privileges to inject arbitrary HTML and JavaScript code in an object attribute, which is then rendered in the Structure Component, to alter the intended functionality and steal cookies, the latter allowing for account takeover.

Ссылки

https://confluence.topease.ch/confluence/display/DOC/Release+Notes
Release Notes
Vendor Advisory
https://confluence.topease.ch/confluence/display/DOC/Release+Notes
Release Notes
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:businessdnasolutions:topease:*:*:*:*:*:*:*:*

Версия до 7.1.27 (включая)

EPSS

Процентиль: 49%

0.00255

Низкий

8.1 High

CVSS3

5.4 Medium

CVSS3

3.5 Low

CVSS2

Дефекты

CWE-79

Связанные уязвимости

GHSA-qjch-qr2h-mw52

github

около 4 лет назад

Persistent Cross Site Scripting in Web Applications operating on Business-DNA Solutions GmbHâ€™s TopEaseÂ® Platform Version <= 7.1.27 via the Structure Component allows an authenticated remote attacker with Object Modification privileges to inject arbitrary HTML and JavaScript code in an object attribute, which is then rendered in the Structure Component, to alter the intended functionality and steal cookies, the latter allowing for account takeover.

EPSS

Процентиль: 49%

0.00255

Низкий

8.1 High

CVSS3

5.4 Medium

CVSS3

3.5 Low

CVSS2

Дефекты

CWE-79