PT-2021-18155 · Unknown · Sherlockim
Author: Alexander Semenenko
Published: 2021-03-29 · Updated: 2021-03-31
CVE: CVE-2021-29267
CVSS v3.1: 6.1 (Medium)
| Metric | Value |
| --- | --- |
| Vector | AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions:
SherlockIM through 2021-03-29
Description:
SherlockIM allows cross-site scripting (XSS) by leveraging the "api/Files/Attachment" URI; the vector is used to attack help-desk staff through the chatbot feature. The CVSS vector (PR:N, UI:R, S:C) indicates that the attacker needs no privileges on the system, that the payload fires when a staff member views the content, and that the impact lands in the staff member's browser rather than in the vulnerable server component itself.
Recommendations:
This advisory does not list a fixed version. For builds through 2021-03-29, consider disabling the chatbot feature that uses the "api/Files/Attachment" URI until a fix is available, and restrict access to this URI (for example to authenticated users on trusted networks) to reduce the exposed surface.
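The advisory does not say how the attachment endpoint is abused. The following is an added example, not SherlockIM code, of the hardening a practitioner would apply to any endpoint that serves user-uploaded attachments to staff browsers. It assumes (an assumption, not stated on this page) that the XSS class involved is an uploaded file the browser can render as a document (HTML, SVG, XML) being served inline under the application's origin; the function names, the content-type lists and the sample filenames are illustrative.

```python
"""Hardening pattern for an attachment-serving endpoint.

Added example, not SherlockIM code. Assumption (not stated in the advisory):
the XSS class is an uploaded file that a browser can render as a document
(HTML, SVG, XML) being served inline under the application's origin, so the
embedded script runs in the help-desk user's session. The headers computed
here make such an attachment inert regardless of its content.
"""
import os
import re

# Types a browser will execute script from when it renders them as a document.
ACTIVE_CONTENT_TYPES = {
    "text/html",
    "application/xhtml+xml",
    "image/svg+xml",
    "text/xml",
    "application/xml",
    "text/javascript",
    "application/javascript",
}

# Only these may be displayed inline (e.g. chat image previews); everything
# else is forced to download. Illustrative allow-list, tune per deployment.
INLINE_SAFE_TYPES = {"image/png", "image/jpeg", "image/gif", "image/webp", "text/plain"}


def safe_filename(name: str) -> str:
    """Reduce a user-supplied filename to a token safe inside Content-Disposition.

    Strips directory components, then replaces anything outside a conservative
    ASCII set so quotes, CR/LF and separators cannot break the header or
    smuggle a second header into the response.
    """
    base = os.path.basename(name.replace("\\", "/"))
    base = re.sub(r"[^A-Za-z0-9._-]", "_", base).lstrip(".")
    return base or "attachment"


def attachment_headers(filename: str, declared_type: str) -> dict:
    """Compute response headers for serving an uploaded attachment.

    `declared_type` is whatever the uploader supplied or the storage layer
    recorded; it is treated as untrusted input.
    """
    ctype = (declared_type or "").split(";")[0].strip().lower()
    # Never serve active content under its own type: the browser would render
    # it as a page on our origin. Downgrade to a generic binary type instead.
    if not ctype or ctype in ACTIVE_CONTENT_TYPES:
        ctype = "application/octet-stream"
    disposition = "inline" if ctype in INLINE_SAFE_TYPES else "attachment"
    return {
        "Content-Type": ctype,
        # Forced download for anything not on the inline allow-list.
        "Content-Disposition": f'{disposition}; filename="{safe_filename(filename)}"',
        # Stop the browser from re-sniffing octet-stream back to text/html.
        "X-Content-Type-Options": "nosniff",
        # Defence in depth: if something is rendered anyway, it runs in an
        # opaque origin with no script, so it cannot touch the staff session.
        "Content-Security-Policy": "sandbox; default-src 'none'",
        "Cache-Control": "no-store",
    }


if __name__ == "__main__":
    # Constructed sample uploads: a benign preview image, a hostile HTML
    # "attachment" of the kind this endpoint must never render inline, and a
    # filename carrying a header-injection attempt.
    for name, ctype in [("screenshot.png", "image/png"),
                        ("invoice.html", "text/html; charset=utf-8"),
                        ('../x"\r\nSet-Cookie: a=b.svg', "image/svg+xml")]:
        print(name, "->", attachment_headers(name, ctype))
```

The two decisions that matter are made server-side and independently of the file body: active types are never echoed back as their own Content-Type, and nothing outside a short allow-list is displayed inline. The nosniff header and the sandboxing CSP are defence in depth for browsers that would otherwise guess a type or render a download preview.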
Affected Products: Sherlockim