← Back to CVEs
CVE-2021-31930
MEDIUM6.1
Description
Persistent cross-site scripting (XSS) in the web interface of Concerto through 2.3.6 allows an unauthenticated remote attacker to introduce arbitrary JavaScript by injecting an XSS payload into the First Name or Last Name parameter upon registration. When a privileged user attempts to delete the account, the XSS payload will be executed.
CVE Details
CVSS v3.1 Score6.1
SeverityMEDIUM
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack VectorNETWORK
ComplexityLOW
Privileges RequiredNONE
User InteractionREQUIRED
Published5/19/2021
Last Modified11/21/2024
Sourcenvd
Honeypot Sightings0
Affected Products
concerto-signage:concerto
Weaknesses (CWE)
CWE-79
References
https://github.com/concerto/concerto/pull/1558(cve@mitre.org)
https://github.com/concerto/concerto/security/advisories(cve@mitre.org)
https://github.com/concerto/concerto/pull/1558(af854a3a-2127-422b-91ae-364da2661108)
https://github.com/concerto/concerto/security/advisories(af854a3a-2127-422b-91ae-364da2661108)
IOC Correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.