CVE-2021-37393

Published: Jul 26, 2021Modified: Jun 17, 2026

5.4

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Exploitability: 2.3 / Impact: 2.7

Source: NVD

Description

In RPCMS v1.8 and below, the "nickname" variable is not properly sanitized before being displayed on page. Attacker can use "update password" function to inject XSS payloads into nickname variable, and achieve stored XSS. Users who view the articles published by the injected user will trigger the XSS.

Affected (1)

Products: Rpcms: Rpcms

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Rpcms Rpcms	Up to 1.8

Related CWEs

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (4)

https://gist.github.com/victomteng1997/bfa1e0e07dd22f7e0b13256eda79626f

Source: cve@mitre.org

ExploitThird Party Advisory

https://github.com/ralap-z/RPCMS/

Source: cve@mitre.org

Product

https://gist.github.com/victomteng1997/bfa1e0e07dd22f7e0b13256eda79626f

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

https://github.com/ralap-z/RPCMS/

Source: af854a3a-2127-422b-91ae-364da2661108

Product

Timeline

No history available yet.