CVE-2021-25968

In “OpenCMS”, versions 10.5.0 to 11.0.2 are affected by a stored XSS vulnerability that allows low privileged application users to store malicious scripts in the Sitemap functionality. These scripts are executed in a victim’s browser when they open the page containing the vulnerable field.

CVSS v3 5.4 MEDIUM
CVSS v2.0 3.5 LOW

5.4^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.3 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

3.5^/10

CVSS v2.0 : LOW

Vector : AV:N/AC:M/Au:S/C:N/I:P/A:N

Exploitability : 6.8 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication SINGLE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
https://github.com/alkacon/mercury-template/commit/800945f5d02346c633c7aef9f5d596d7dedc8fb5	Patch Third Party Advisory
https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25968	Broken Link

Configurations

Configuration 1 (hide)

cpe:2.3:a:alkacon:opencms:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2021-10-19 09:15

Updated : 2024-02-28 18:48

NVD link : CVE-2021-25968

Mitre link : CVE-2021-25968

CVE.ORG link : CVE-2021-25968

JSON object : View

Products Affected

alkacon

opencms

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2021-25968", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 3.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "LOW", "obtainAllPrivilege": false, "exploitabilityScore": 6.8, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.3}, {"type": "Secondary", "source": "vulnerabilitylab@mend.io", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.3}]}, "published": "2021-10-19T09:15:07.853", "references": [{"url": "https://github.com/alkacon/mercury-template/commit/800945f5d02346c633c7aef9f5d596d7dedc8fb5", "tags": ["Patch", "Third Party Advisory"], "source": "vulnerabilitylab@mend.io"}, {"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25968", "tags": ["Broken Link"], "source": "vulnerabilitylab@mend.io"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}]}, {"type": "Secondary", "source": "vulnerabilitylab@mend.io", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "In \u201cOpenCMS\u201d, versions 10.5.0 to 11.0.2 are affected by a stored XSS vulnerability that allows low privileged application users to store malicious scripts in the Sitemap functionality. These scripts are executed in a victim\u2019s browser when they open the page containing the vulnerable field."}, {"lang": "es", "value": "En \"OpenCMS\", versiones 10.5.0 a 11.0.2, est\u00e1n afectadas por una vulnerabilidad de tipo XSS almacenado que permite a usuarios de aplicaciones poco privilegiado almacenar scripts maliciosos en la funcionalidad Sitemap. Estos scripts se ejecutan en el navegador de la v\u00edctima cuando \u00e9sta abre la p\u00e1gina que contiene el campo vulnerable"}], "lastModified": "2021-10-21T23:39:03.337", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:alkacon:opencms:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "37423D9C-E622-4232-8262-4E23011B42E5", "versionEndExcluding": "11.0.2", "versionStartIncluding": "10.5.0"}], "operator": "OR"}]}], "sourceIdentifier": "vulnerabilitylab@mend.io"}