PT-2021-20005 · Unknown · Collabtive
Deha Berkin Bir
·
Published
2021-01-29
·
Updated
2021-01-29
·
CVE-2021-3298
CVSS v3.1
5.4
Medium
| Vector | AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Collabtive version 3.1
Description
The issue allows for XSS when an authenticated user enters an XSS payload into the address section of the profile edit page. Specifically, this occurs through the
address1 parameter in the manageuser.php?action=edit endpoint.Recommendations
For Collabtive version 3.1, consider restricting access to the
manageuser.php?action=edit endpoint until a patch is available, and avoid using the address1 parameter in this endpoint to minimize the risk of exploitation.Exploit
Fix
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Collabtive