Postbird 0.8.4 allows stored XSS via the onerror attribute of an IMG element in any PostgreSQL database table. This can result in reading local files via vectors involving XMLHttpRequest and open of a file:/// URL, or discovering PostgreSQL passwords via vectors involving Window.localStorage and savedConnections.
References
Configurations
History
21 Nov 2024, 06:09
Type | Values Removed | Values Added |
---|---|---|
References | () http://packetstormsecurity.com/files/162831/Postbird-0.8.4-Cross-Site-Scripting-Local-File-Inclusion.html - Exploit, Third Party Advisory, VDB Entry | |
References | () http://packetstormsecurity.com/files/162872/Postbird-0.8.4-XSS-LFI-Insecure-Data-Storage.html - Third Party Advisory, VDB Entry | |
References | () https://github.com/Paxa/postbird/issues/132 - Issue Tracking, Third Party Advisory | |
References | () https://github.com/Paxa/postbird/issues/133 - Issue Tracking, Third Party Advisory | |
References | () https://github.com/Paxa/postbird/issues/134 - Issue Tracking, Third Party Advisory | |
References | () https://github.com/Tridentsec-io/postbird - Exploit, Third Party Advisory | |
References | () https://tridentsec.io/blogs/postbird-cve-2021-33570/ - Broken Link, Third Party Advisory, URL Repurposed | |
References | () https://www.exploit-db.com/exploits/49910 - Exploit, Third Party Advisory, VDB Entry |
14 Feb 2024, 01:17
Type | Values Removed | Values Added |
---|---|---|
References | () https://tridentsec.io/blogs/postbird-cve-2021-33570/ - Broken Link, Third Party Advisory, URL Repurposed |
03 Jun 2022, 18:54
Type | Values Removed | Values Added |
---|---|---|
References | (MISC) http://packetstormsecurity.com/files/162872/Postbird-0.8.4-XSS-LFI-Insecure-Data-Storage.html - Third Party Advisory, VDB Entry | |
References | (MISC) https://www.exploit-db.com/exploits/49910 - Exploit, Third Party Advisory, VDB Entry | |
References | (MISC) https://tridentsec.io/blogs/postbird-cve-2021-33570/ - Broken Link, Third Party Advisory |
17 Jun 2021, 20:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
01 Jun 2021, 17:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
28 May 2021, 17:36
Type | Values Removed | Values Added |
---|---|---|
References | (MISC) http://packetstormsecurity.com/files/162831/Postbird-0.8.4-Cross-Site-Scripting-Local-File-Inclusion.html - Exploit, Third Party Advisory, VDB Entry | |
References | (MISC) https://github.com/Paxa/postbird/issues/132 - Issue Tracking, Third Party Advisory | |
References | (MISC) https://github.com/Paxa/postbird/issues/133 - Issue Tracking, Third Party Advisory | |
References | (MISC) https://github.com/Paxa/postbird/issues/134 - Issue Tracking, Third Party Advisory | |
References | (MISC) https://github.com/Tridentsec-io/postbird - Exploit, Third Party Advisory | |
CVSS |
v2 : v3 : |
v2 : 3.5
v3 : 5.4 |
CWE | CWE-79 | |
CPE | cpe:2.3:a:postbird_project:postbird:0.8.4:*:*:*:*:*:*:* |
27 May 2021, 16:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
25 May 2021, 22:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2021-05-25 22:15
Updated : 2024-11-21 06:09
NVD link : CVE-2021-33570
Mitre link : CVE-2021-33570
CVE.ORG link : CVE-2021-33570
JSON object : View
Products Affected
postbird_project
- postbird
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')