PT-2021-17707 · Unknown · Textpattern Cms
Published
2021-08-19
·
Updated
2021-08-23
·
CVE-2021-28001
CVSS v3.1
5.4
Medium
| Vector | AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions:
Textpattern CMS version 4.8.4
Description:
A cross-site scripting issue was discovered in the
Comments parameter, allowing remote attackers to execute arbitrary code via a crafted payload entered into the URL field. The issue is triggered by users visiting the "https://site.com/articles/welcome-to-your-site#comments-head" API endpoint.Recommendations:
For Textpattern CMS version 4.8.4, as a temporary workaround, consider restricting access to the
Comments parameter until a patch is available. Avoid using the Comments parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.Exploit
RCE
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Textpattern Cms