CVE-2021-34243

{"id": "CVE-2021-34243", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 3.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "LOW", "obtainAllPrivilege": false, "exploitabilityScore": 6.8, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.3}]}, "published": "2021-06-22T14:15:08.893", "references": [{"url": "https://github.com/xoffense/POC/blob/main/Stored%20XSS%20via%20malicious%20file%20upload%20in%20ICE%20Hrm%20Version%2029.0.0.OS.md", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "A stored cross site scripting (XSS) vulnerability was discovered in Ice Hrm 29.0.0.OS which allows attackers to execute arbitrary web scripts or HTML via a crafted file uploaded into the Document Management tab. The exploit is triggered when a user visits the upload location of the crafted file."}, {"lang": "es", "value": "Una vulnerabilidad de tipo cross site scripting (XSS) almacenada se detect\u00f3 en Ice Hrm versi\u00f3n 29.0.0.OS que permite a atacantes ejecutar scripts web o HTML arbitrarios por medio de un archivo dise\u00f1ado cargado en la pesta\u00f1a de administraci\u00f3n de documentos. La explotaci\u00f3n es desencadenada cuando un usuario visita la ubicaci\u00f3n de carga del archivo dise\u00f1ado"}], "lastModified": "2021-06-25T16:14:03.020", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:icehrm:icehrm:29.0.0.os:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "AC14A732-21A1-4770-9D0F-BA10AFDDC660"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}