Lucene search

MendCVELIST:CVE-2021-25968

HistoryOct 19, 2021 - 8:15 a.m.

CVE-2021-25968 OpenCMS - Stored Cross-Site Scripting (XSS) in Sitemap

2021-10-1908:15:12

CWE-79

Mend

www.cve.org

opencms

stored xss

sitemap

cve-2021-25968

CVSS3

5.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

EPSS

0.001

Percentile

22.7%

JSON

In “OpenCMS”, versions 10.5.0 to 11.0.2 are affected by a stored XSS vulnerability that allows low privileged application users to store malicious scripts in the Sitemap functionality. These scripts are executed in a victim’s browser when they open the page containing the vulnerable field.

CNA Affected

[
  {
    "product": "opencms-core",
    "vendor": "org.opencms",
    "versions": [
      {
        "lessThan": "unspecified",
        "status": "affected",
        "version": "10.5.0",
        "versionType": "custom"
      },
      {
        "lessThanOrEqual": "11.0.2",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  }
]

References

github.com/alkacon/mercury-template/commit/800945f5d02346c633c7aef9f5d596d7dedc8fb5

www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25968