Lucene search

MitreCVE-2021-37365

HistoryAug 10, 2021 - 5:15 p.m.

CVE-2021-37365

2021-08-1017:15:10

CWE-79

mitre

web.nvd.nist.gov

ctparental

4.45.03

cross-site scripting

xss

vulnerability

security

nvd

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS

0.001

Percentile

29.3%

JSON

CTparental before 4.45.03 is vulnerable to cross-site scripting (XSS) in the CTparental admin panel. In bl_categires_help.php, the ‘categories’ variable is assigned with the content of the query string param ‘cat’ without sanitization or encoding, enabling an attacker to inject malicious code into the output webpage.

Affected configurations

Nvd

Node

ctparental_projectctparentalRange<4.45.03

VendorProductVersionCPE
ctparental_projectctparental*cpe:2.3:a:ctparental_project:ctparental:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
ctparental_project	ctparental	*	cpe:2.3:a:ctparental_project:ctparental::::::::

References

gist.github.com/securylight/092ba96a660e07ad76f2a380c2eaa75a

gitlab.com/marsat/CTparental/

Social References

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS

0.001

Percentile

29.3%

JSON

Related for CVE-2021-37365