CVE-2021-32828

Published: Jan 5, 2023Modified: Nov 21, 2024

6.1

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Exploitability: 2.8 / Impact: 2.7

Source: NVD

Description

The Nuxeo Platform is an open source content management platform for building business applications. In version 11.5.109, the `oauth2` REST API is vulnerable to Reflected Cross-Site Scripting (XSS). This XSS can be escalated to Remote Code Execution (RCE) by levering the automation API.

Affected (1)

Products: Hyland: Nuxeo

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Hyland Nuxeo	Up to 11.5.109

Related CWEs

Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (4)

https://github.com/nuxeo/nuxeo/blob/master/modules/platform/nuxeo-platform-oauth/src/main/java/org/nuxeo/ecm/webengine/oauth2/OAuth2Callback.java

Source: security-advisories@github.com

ExploitThird Party Advisory

https://securitylab.github.com/advisories/GHSL-2021-072-nuxeo

Source: security-advisories@github.com

ExploitThird Party Advisory

https://github.com/nuxeo/nuxeo/blob/master/modules/platform/nuxeo-platform-oauth/src/main/java/org/nuxeo/ecm/webengine/oauth2/OAuth2Callback.java

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

https://securitylab.github.com/advisories/GHSL-2021-072-nuxeo

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.