CVE-2021-32852

Countly, a product analytics solution, is vulnerable to cross-site scripting prior to version 21.11 of the community edition. The victim must follow a malicious link or be redirected there from malicious web site. The attacker must have an account or be able to create one. This issue is patched in version 21.11.

CVSS v3 9.0 CRITICAL

9.0^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 2.3 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://github.com/Countly/countly-server/blob/6b90bb775e747cabe46fe197c6a6989acc6c3417/frontend/express/app.js#L1112	Third Party Advisory
https://github.com/Countly/countly-server/blob/6b90bb775e747cabe46fe197c6a6989acc6c3417/frontend/express/views/reset.html#L95	Third Party Advisory
https://github.com/Countly/countly-server/releases/tag/v21.11	Release Notes
https://securitylab.github.com/advisories/GHSL-2021-104-countly-server/	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:count:countly_server:*:*:*:*:community:*:*:*

History

No history.

Information

Published : 2023-02-20 22:15

Updated : 2024-02-28 19:51

NVD link : CVE-2021-32852

Mitre link : CVE-2021-32852

CVE.ORG link : CVE-2021-32852

JSON object : View

Products Affected

count

countly_server

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2021-32852", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.0, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 2.3}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.3}]}, "published": "2023-02-20T22:15:11.160", "references": [{"url": "https://github.com/Countly/countly-server/blob/6b90bb775e747cabe46fe197c6a6989acc6c3417/frontend/express/app.js#L1112", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/Countly/countly-server/blob/6b90bb775e747cabe46fe197c6a6989acc6c3417/frontend/express/views/reset.html#L95", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/Countly/countly-server/releases/tag/v21.11", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://securitylab.github.com/advisories/GHSL-2021-104-countly-server/", "tags": ["Exploit", "Third Party Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}]}, {"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "Countly, a product analytics solution, is vulnerable to cross-site scripting prior to version 21.11 of the community edition. The victim must follow a malicious link or be redirected there from malicious web site. The attacker must have an account or be able to create one. This issue is patched in version 21.11."}], "lastModified": "2023-03-06T04:35:57.473", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:count:countly_server:*:*:*:*:community:*:*:*", "vulnerable": true, "matchCriteriaId": "1FC5F2A1-43CA-4C06-937E-344941F61016", "versionEndExcluding": "21.11"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}