PT-2021-16913 · Ifme · Ifme
Published
2021-12-29
·
Updated
2022-01-06
·
CVE-2021-25990
CVSS v3.1
5.4
Medium
| Vector | AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
ifme versions v7.22.0 through v7.31.4
Description
The issue concerns self-stored XSS in the contacts field, allowing the loading of XSS payloads fetched via an iframe.
Recommendations
For versions v7.22.0 through v7.31.4, consider disabling the contacts field until a patch is available to prevent the loading of XSS payloads.
Restrict access to the iframe feature in the contacts field to minimize the risk of exploitation.
Avoid using the contacts field in a way that could lead to the execution of malicious scripts until the issue is resolved.
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Exploit
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Ifme