PT-2021-17679 · Symbiote · Symbiote/Silverstripe-Queuedjobs
Michael Tsai · Published 2021-03-16 · Updated 2021-03-24 · CVE-2021-27938
CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions:
symbiote/silverstripe-queuedjobs module versions 3 through 4
Description:
A cross-site scripting (XSS) issue in the CreateQueuedJobTask dev task allows an attacker to inject an arbitrary payload via a specially crafted URL.
Recommendations:
For versions 3 through 4, consider disabling the CreateQueuedJobTask dev task until a patch is available to prevent exploitation. Restrict access to the dev task to minimize the risk of arbitrary payload injection.
Affected Products
Symbiote/Silverstripe-Queuedjobs