CVE-2021-42118

Published: Nov 30, 2021Modified: Nov 21, 2024

5.4

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Exploitability: 2.3 / Impact: 2.7

Source: NVD

Description

Persistent Cross Site Scripting in Web Applications operating on Business-DNA Solutions GmbH’s TopEase® Platform Version <= 7.1.27 via the Structure Component allows an authenticated remote attacker with Object Modification privileges to inject arbitrary HTML and JavaScript code in an object attribute, which is then rendered in the Structure Component, to alter the intended functionality and steal cookies, the latter allowing for account takeover.

Affected (1)

Products: Businessdnasolutions: Topease

Businessdnasolutions

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Businessdnasolutions Topease	Up to 7.1.27

Related CWEs

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (2)

https://confluence.topease.ch/confluence/display/DOC/Release+Notes

Source: vulnerability@ncsc.ch

Release NotesVendor Advisory

https://confluence.topease.ch/confluence/display/DOC/Release+Notes

Source: af854a3a-2127-422b-91ae-364da2661108

Release NotesVendor Advisory

Timeline

No history available yet.