CVE-2021-25988

Published: Dec 29, 2021Modified: Nov 21, 2024

5.4

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Exploitability: 2.3 / Impact: 2.7

Source: NVD

Description

In “ifme”, versions 1.0.0 to v7.31.4 are vulnerable against stored XSS vulnerability (notifications section) which can be directly triggered by sending an ally request to the admin.

Affected (1)

Products: If Me: Ifme

If Me

1 product

Ifme

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
If Me Ifme	From 1.0.0 to 7.31.4

Related CWEs

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (4)

https://github.com/ifmeorg/ifme/commit/720a47015e46ad387b3219fed7ebfb14ec3c854c

Source: vulnerabilitylab@mend.io

PatchThird Party Advisory

https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25988

Source: vulnerabilitylab@mend.io

ExploitThird Party Advisory

https://github.com/ifmeorg/ifme/commit/720a47015e46ad387b3219fed7ebfb14ec3c854c

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25988

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.