CVE-2021-23838

{"id": "CVE-2021-23838", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 3.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "LOW", "obtainAllPrivilege": false, "exploitabilityScore": 6.8, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 4.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 1.7}]}, "published": "2021-01-15T07:15:14.143", "references": [{"url": "http://packetstormsecurity.com/files/160936/flatCore-CMS-XSS-File-Disclosure-SQL-Injection.html", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "source": "cve@mitre.org"}, {"url": "https://github.com/flatCore/flatCore-CMS", "tags": ["Product", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://sec-consult.com/vulnerability-lab/", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in flatCore before 2.0.0 build 139. A reflected XSS vulnerability was identified in the media_filter HTTP request body parameter for the acp interface. The affected parameter accepts malicious client-side script without proper input sanitization. For example, a malicious user can leverage this vulnerability to steal cookies from a victim user and perform a session-hijacking attack, which may then lead to unauthorized access to the site."}, {"lang": "es", "value": "Se detect\u00f3 un problema en flatCore versiones anteriores a 2.0.0 build 139. Se identific\u00f3 una vulnerabilidad de tipo XSS reflejado en el par\u00e1metro del cuerpo de una petici\u00f3n HTTP media_filter para la interfaz acp. El par\u00e1metro afectado acepta scripts del lado del cliente malicioso sin un saneamiento de la entrada apropiado. Por ejemplo, un usuario malicioso puede aprovechar esta vulnerabilidad para robar cookies de un usuario v\u00edctima y llevar a cabo un ataque de secuestro de sesi\u00f3n, que luego puede conllevar a un acceso no autorizado al sitio"}], "lastModified": "2021-01-22T17:34:08.717", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:flatcore:flatcore:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "295D969A-0491-4679-8414-BDCCA13B7563", "versionEndIncluding": "2.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}