cvelist / Twcert / CVELIST:CVE-2021-30170
History: May 07, 2021 - 9:30 a.m.

CVE-2021-30170 Jun-He Technology Ltd. ERP POS - Stored XSS-1

2021-05-07 09:30:24
CWE-79
twcert
www.cve.org

CVSS3: 4.6

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

AI Score: 5.3
Confidence: High

EPSS: 0.001
Percentile: 29.2%

The ERP POS customer profile page does not filter special characters in users’ input, which allows remote authenticated attackers to inject malicious JavaScript and carry out stored XSS (stored cross-site scripting) attacks, and additionally to access and manipulate customer’s information.

CNA Affected

[
  {
    "product": "ERP POS",
    "vendor": "Jun-He Technology Ltd.",
    "versions": [
      {
        "status": "affected",
        "version": "2013.10"
      }
    ]
  }
]
