CVE-2021-41236

Published: Jan 4, 2022Modified: Nov 21, 2024

4.8

Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Exploitability: 1.7 / Impact: 2.7

Source: NVD

Description

OroPlatform is a PHP Business Application Platform. In affected versions the email template preview is vulnerable to XSS payload added to email template content. An attacker must have permission to create or edit an email template. For successful payload, execution the attacked user must preview a vulnerable email template. There are no workarounds that address this vulnerability. Users are advised to upgrade as soon as is possible.

Affected (3)

Products: Oroinc: Oroplatform

1 product

Configuration A

3 vulnerable

Vulnerable Software	Affected Versions
Oroinc Oroplatform	From 3.1.0 to 3.1.21
Oroinc Oroplatform	From 4.1.0 to 4.1.14
Oroinc Oroplatform	From 4.2.0 to 4.2.8

Related CWEs

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (4)

https://github.com/oroinc/platform/commit/2a089c971fc70bc63baf8770d29ee515ce5a415a

Source: security-advisories@github.com

PatchThird Party Advisory

https://github.com/oroinc/platform/security/advisories/GHSA-qv7g-j98v-8pp7

Source: security-advisories@github.com

Third Party Advisory

https://github.com/oroinc/platform/commit/2a089c971fc70bc63baf8770d29ee515ce5a415a

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://github.com/oroinc/platform/security/advisories/GHSA-qv7g-j98v-8pp7

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.