CVE-2021-25982
Date: November 16, 2021
Overview
The Factor (App Framework & Headless CMS) forum plugin, versions 1.3.5 to 1.8.30, is vulnerable to reflected Cross-Site Scripting (XSS) via the “search” parameter in the URL. An unauthenticated attacker can execute malicious JavaScript code and steal the session cookies.
Details
Factor has a reflected XSS vulnerability in the ‘search’ parameter (in the URL), which allows an attacker to execute malicious JavaScript code and steal the session cookies.
PoC Details
Access the application by going to http://localhost:3000. Reflected XSS occurs at the search parameter. Paste the given URL into the browser to trigger the XSS.
PoC Code
http://localhost:3000/?search=%3Cscript%3Ealert(10)%3C/script%3E
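The reflection described above, shown beside an output-encoded version of the same markup. This is an added example, not part of the original advisory and not Factor's code: `renderUnsafe`, `renderEscaped` and the helper names are hypothetical, and the only input is the PoC URL above.

```javascript
// Added example: NOT Factor's source code. renderUnsafe/renderEscaped are
// hypothetical stand-ins for a page that echoes the "search" query parameter.

// Sample input: the PoC URL quoted in this advisory.
const POC_URL = "http://localhost:3000/?search=%3Cscript%3Ealert(10)%3C/script%3E";

// Characters that change meaning in HTML text or quoted-attribute context.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// URL.searchParams percent-decodes, so the handler sees a literal "<script>".
function getSearchTerm(rawUrl) {
  return new URL(rawUrl).searchParams.get("search") ?? "";
}

// Vulnerable pattern: decoded parameter concatenated straight into markup.
function renderUnsafe(rawUrl) {
  return `<h2>Results for "${getSearchTerm(rawUrl)}"</h2>`;
}

// Hardened pattern: same markup, parameter encoded at the output boundary.
function renderEscaped(rawUrl) {
  return `<h2>Results for "${escapeHtml(getSearchTerm(rawUrl))}"</h2>`;
}

// True if the rendered markup contains a live <script> element.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

console.log(renderUnsafe(POC_URL));
console.log(renderEscaped(POC_URL));
```
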
Affected Environments
1.3.5 to 1.8.30
Prevention
No fix
Language: VUE
Good to know:
CVSS v3
Base Score: | |
---|---|
Attack Vector (AV): | Network |
Attack Complexity (AC): | Low |
Privileges Required (PR): | None |
User Interaction (UI): | Required |
Scope (S): | Changed |
Confidentiality (C): | Low |
Integrity (I): | Low |
Availability (A): | None |
CVSS v2
Base Score: | |
---|---|
Access Vector (AV): | Network |
Access Complexity (AC): | Medium |
Authentication (AU): | None |
Confidentiality (C): | None |
Integrity (I): | Partial |
Availability (A): | None |
Additional information: |