CVE-2021-37365

Published: Aug 10, 2021Modified: Jun 17, 2026

6.1

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Exploitability: 2.8 / Impact: 2.7

Source: NVD

Description

CTparental before 4.45.03 is vulnerable to cross-site scripting (XSS) in the CTparental admin panel. In bl_categires_help.php, the 'categories' variable is assigned with the content of the query string param 'cat' without sanitization or encoding, enabling an attacker to inject malicious code into the output webpage.

Affected (1)

Products: Ctparental Project: Ctparental

Ctparental Project

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Ctparental Project Ctparental	Before 4.45.03

Related CWEs

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (4)

https://gist.github.com/securylight/092ba96a660e07ad76f2a380c2eaa75a

Source: cve@mitre.org

Third Party Advisory

https://gitlab.com/marsat/CTparental/

Source: cve@mitre.org

Third Party Advisory

https://gist.github.com/securylight/092ba96a660e07ad76f2a380c2eaa75a

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://gitlab.com/marsat/CTparental/

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.