We found results for “”
CVE-2021-25983
Date: November 16, 2021
Overview
In Factor (App Framework & Headless CMS) forum plugin, versions v1.3.8 to v1.8.30, are vulnerable to reflected Cross-Site Scripting (XSS) at the “tags” and “category” parameters in the URL. An unauthenticated attacker can execute malicious JavaScript code and steal the session cookies.Details
Factor has reflected XSS vulnerability at “tags” and “category” parameters (in the URL) which allows an attacker to execute malicious JavaScript code and steal the session cookies.PoC Details
Access the application by going to http://localhost:3000. Reflected XSS occurs at 2 parameters: category and tags. Paste the given urls in the browser which will trigger the XSS.PoC Code
http://localhost:3000/?category=%3Cscript%3Ealert%2810%29%3C%2Fscript%3E
http://localhost:3000/?tag=%3Cscript%3Ealert(10)%3C%2Fscript%3E
Affected Environments
1.3.8 to 1.8.30Prevention
No fixLanguage: VUE
Good to know:
Base Score: |
|
---|---|
Attack Vector (AV): | Network |
Attack Complexity (AC): | Low |
Privileges Required (PR): | None |
User Interaction (UI): | Required |
Scope (S): | Changed |
Confidentiality (C): | Low |
Integrity (I): | Low |
Availability (A): | None |
Base Score: |
|
---|---|
Access Vector (AV): | Network |
Access Complexity (AC): | Medium |
Authentication (AU): | None |
Confidentiality (C): | None |
Integrity (I): | Partial |
Availability (A): | None |
Additional information: |