PT-2021-16866 · Arangodb · Arangodb
Published: 2021-05-24 · Updated: 2021-05-28 · CVE-2021-25938
CVSS v3.1: 6.1 (Medium)
| Vector | AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
ArangoDB versions v2.2.6.2 through v3.7.10
Description
The issue is a Cross-Site Scripting (XSS) vulnerability caused by missing validation of uploaded .zip file names: potentially abusive characters in a zip file name are not filtered before the name is used. Additionally, the absence of an X-Frame-Options header makes the application more susceptible to self-XSS attacks.
Recommendations
For ArangoDB versions v2.2.6.2 through v3.7.10, implement validation of .zip file names and filter potentially abusive characters to prevent XSS attacks. As a temporary workaround, restrict access to zip file uploads until a patch is available. Additionally, set the X-Frame-Options header to prevent self-XSS attacks.
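The following is an added example of the two mitigations the recommendation describes; it is not ArangoDB's own code, and the function names, the allowlist regex and the sample file names are assumptions constructed for illustration. It validates an uploaded .zip file name against a strict allowlist, HTML-encodes the accepted name before it is rendered into the UI, and returns the anti-framing headers (X-Frame-Options plus its CSP equivalent) that the advisory recommends.

```javascript
// Added example (not ArangoDB's code): defensive handling of an uploaded
// .zip file name before it is echoed into a web UI, plus the response
// headers the advisory recommends. All names here are assumptions.

// Strict allowlist: a bare file name (no path separators), starting with a
// letter or digit, at most 128 characters before the mandatory ".zip" suffix.
const SAFE_ZIP_NAME = /^[A-Za-z0-9][A-Za-z0-9._-]{0,127}\.zip$/;

function isValidZipName(name) {
  if (typeof name !== "string") return false;
  // Reject path separators and traversal explicitly, then apply the allowlist.
  if (name.includes("/") || name.includes("\\") || name.includes("..")) return false;
  return SAFE_ZIP_NAME.test(name);
}

// Encode the characters that can break out of an HTML text node or attribute.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;", "`": "&#96;" };
  return String(s).replace(/[&<>"'`]/g, (c) => map[c]);
}

// Build the "Uploaded: <name>" notice the UI would display. Invalid names are
// rejected outright; accepted names are still encoded, so a name that passes
// validation can never be interpreted as markup (defence in depth).
function renderUploadNotice(name) {
  if (!isValidZipName(name)) {
    return { ok: false, html: "<p>Upload rejected: invalid .zip file name</p>" };
  }
  return { ok: true, html: `<p>Uploaded: ${escapeHtml(name)}</p>` };
}

// Anti-framing headers: X-Frame-Options for older browsers and the CSP
// frame-ancestors directive, which supersedes it in current ones.
function antiFramingHeaders(extra = {}) {
  return {
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "frame-ancestors 'none'",
    ...extra,
  };
}

// Constructed sample names a defender might use as regression cases.
const SAMPLE_NAMES = [
  "backup-2021-05.zip",   // benign
  "report<b>.zip",        // markup characters in the name
  "../etc/passwd.zip",    // path traversal
  "notes.zip.txt",        // wrong extension
];

for (const n of SAMPLE_NAMES) {
  const r = renderUploadNotice(n);
  console.log(JSON.stringify(n), "->", r.ok ? "accepted" : "rejected", r.html);
}
console.log(antiFramingHeaders());
```

Validation happens on the server side at upload time; the encoding step protects the rendering path even if validation is bypassed later, and the headers belong on every HTML response of the administrative UI, not only on the upload endpoint.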
Exploit
Fix
XSS
Weakness Enumeration
Related Identifiers
Affected Products: Arangodb