PT-2023-12175 · Nuxeo · Nuxeo Platform

Alvaro Muñoz

Publicado

2023-01-05

Atualizado

2023-01-11

CVE-2021-32828

CVSS v3.1

5.4

Média

Vetor

AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions Nuxeo Platform version 11.5.109

Description The Nuxeo Platform is an open source content management platform for building business applications. In the affected version, the oauth2 REST API is vulnerable to Reflected Cross-Site Scripting (XSS), which can be escalated to Remote Code Execution (RCE) by leveraging the automation API.

Recommendations For version 11.5.109, consider disabling the oauth2 REST API until a patch is available to prevent exploitation. Restrict access to the automation API to minimize the risk of Remote Code Execution (RCE).

Exploit

Correção

Deserialization of Untrusted Data

XSS

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-502CWE-79

Identificadores relacionados

CVE-2021-32828

GHSA-X347-FC9W-W7C3

Produtos afetados

Nuxeo Platform

PT-2023-12175 · Nuxeo · Nuxeo Platform

CVE-2021-32828

Enumeração de Fraquezas

Identificadores relacionados

Produtos afetados

Referências · 7