CVE-2021-31330

{"id": "CVE-2021-31330", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 3.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "LOW", "obtainAllPrivilege": false, "exploitabilityScore": 6.8, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.3}]}, "published": "2022-05-11T18:15:22.303", "references": [{"url": "https://mattschmidt.net/2021/04/14/review-board-xss-discovered/", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://www.reviewboard.org/docs/releasenotes/reviewboard/3.0.21/", "tags": ["Release Notes", "Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "https://www.reviewboard.org/docs/releasenotes/reviewboard/4.0-rc-2/", "tags": ["Release Notes", "Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "https://www.reviewboard.org/news/2021/04/14/review-board-3-0-21-and-4-0-rc-2-security-bug-fixes-and-docker/", "tags": ["Release Notes", "Vendor Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "A Cross-Site Scripting (XSS) vulnerability exists within Review Board versions 3.0.20 and 4.0 RC1 and earlier. An authenticated attacker may inject malicious Javascript code when using Markdown editing within the application which remains persistent."}, {"lang": "es", "value": "Se presenta una vulnerabilidad de tipo cross-Site Scripting (XSS) en las versiones de Review Board 3.0.20 y 4.0 RC1 y anteriores. Un atacante autenticado puede inyectar c\u00f3digo Javascript malicioso cuando es usada la edici\u00f3n de Markdown dentro de la aplicaci\u00f3n, que permanece persistente"}], "lastModified": "2022-05-20T14:19:38.790", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:reviewboard:review_board:3.0.20:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E05F0750-5ED6-498B-9D02-FB5E2923DDF0"}, {"criteria": "cpe:2.3:a:reviewboard:review_board:4.0:beta1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "164701A1-0807-4CA7-8ACF-5FBB49D50BDB"}, {"criteria": "cpe:2.3:a:reviewboard:review_board:4.0:beta2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "29484465-C988-4306-915C-FDEA3EA74466"}, {"criteria": "cpe:2.3:a:reviewboard:review_board:4.0:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E580F564-2122-4C03-BFE9-6779562E57A8"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}