PT-2021-21297 · Unknown · Engineercms
Xfiftyone
·
Published
2021-07-27
·
Updated
2021-08-02
·
CVE-2021-36605
CVSS v3.1
5.4
Medium
| Vector | AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
engineercms version 1.03
Description
The issue concerns a lack of escaping in the
nickname field on the user list page, allowing for Cross Site Scripting (XSS) attacks. When this page is viewed, any JavaScript code entered into this field will be executed in the user's browser.Recommendations
For engineercms version 1.03, consider implementing proper escaping for the
nickname field to prevent XSS attacks. As a temporary workaround, restrict user input in the nickname field to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.Exploit
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Engineercms