← Back to CVEs
CVE-2021-25982
MEDIUM6.1
Description
In Factor (App Framework & Headless CMS) forum plugin, versions 1.3.5 to 1.8.30, are vulnerable to reflected Cross-Site Scripting (XSS) at the “search” parameter in the URL. An unauthenticated attacker can execute malicious JavaScript code and steal the session cookies.
CVE Details
CVSS v3.1 Score6.1
SeverityMEDIUM
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack VectorNETWORK
ComplexityLOW
Privileges RequiredNONE
User InteractionREQUIRED
Published11/16/2021
Last Modified11/21/2024
Sourcenvd
Honeypot Sightings0
Affected Products
darwin:factor
Weaknesses (CWE)
CWE-79CWE-79
References
https://github.com/FactorJS/factor/blob/v1.8.30/%40plugins/plugin-forum/topic-list.vue#L139(vulnerabilitylab@mend.io)
https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25982(vulnerabilitylab@mend.io)
https://github.com/FactorJS/factor/blob/v1.8.30/%40plugins/plugin-forum/topic-list.vue#L139(af854a3a-2127-422b-91ae-364da2661108)
https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25982(af854a3a-2127-422b-91ae-364da2661108)
IOC Correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.