CVE-2021-31583

Sipwise C5 NGCP WWW Admin version 3.6.7 up to and including platform version NGCP CE 3.0 has multiple authenticated stored and reflected XSS vulnerabilities when input passed via several parameters to several scripts is not properly sanitized before being returned to the user: Stored XSS in callforward/time/set/save (POST tsetname); Reflected XSS in addressbook (GET filter); Stored XSS in addressbook/save (POST firstname, lastname, company); and Reflected XSS in statistics/versions (GET lang).
Configurations

Configuration 1 (hide)

cpe:2.3:a:sipwise:next_generation_communication_platform:3.6.7:*:*:*:ce:*:*:*

History

21 Nov 2024, 06:05

Type Values Removed Values Added
References () http://lists.sipwise.com/pipermail/spce-user_lists.sipwise.com/2021-September/014708.html - Exploit, Mailing List, Third Party Advisory () http://lists.sipwise.com/pipermail/spce-user_lists.sipwise.com/2021-September/014708.html - Exploit, Mailing List, Third Party Advisory
References () http://packetstormsecurity.com/files/162316/Sipwise-C5-NGCP-CSC-Cross-Site-Scripting.html - Exploit, Third Party Advisory, VDB Entry () http://packetstormsecurity.com/files/162316/Sipwise-C5-NGCP-CSC-Cross-Site-Scripting.html - Exploit, Third Party Advisory, VDB Entry
References () https://www.sipwise.com - Product () https://www.sipwise.com - Product
References () https://www.zeroscience.mk/en/vulnerabilities - Exploit, Third Party Advisory () https://www.zeroscience.mk/en/vulnerabilities - Exploit, Third Party Advisory
References () https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5648.php - Exploit, Third Party Advisory () https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5648.php - Exploit, Third Party Advisory

Information

Published : 2021-04-23 21:15

Updated : 2024-11-21 06:05


NVD link : CVE-2021-31583

Mitre link : CVE-2021-31583

CVE.ORG link : CVE-2021-31583


JSON object : View

Products Affected

sipwise

  • next_generation_communication_platform
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')