CVE-2021-37365

CTparental before 4.45.03 is vulnerable to cross-site scripting (XSS) in the CTparental admin panel. In bl_categires_help.php, the 'categories' variable is assigned with the content of the query string param 'cat' without sanitization or encoding, enabling an attacker to inject malicious code into the output webpage.
Configurations

Configuration 1 (hide)

cpe:2.3:a:ctparental_project:ctparental:*:*:*:*:*:*:*:*

History

21 Nov 2024, 06:15

Type Values Removed Values Added
References () https://gist.github.com/securylight/092ba96a660e07ad76f2a380c2eaa75a - Third Party Advisory () https://gist.github.com/securylight/092ba96a660e07ad76f2a380c2eaa75a - Third Party Advisory
References () https://gitlab.com/marsat/CTparental/ - Third Party Advisory () https://gitlab.com/marsat/CTparental/ - Third Party Advisory

Information

Published : 2021-08-10 17:15

Updated : 2024-11-21 06:15


NVD link : CVE-2021-37365

Mitre link : CVE-2021-37365

CVE.ORG link : CVE-2021-37365


JSON object : View

Products Affected

ctparental_project

  • ctparental
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')