PT-2021-22443 · Unknown · Globalnewfiles

Majavah

Published

2021-09-01

Updated

2021-09-10

CVE-2021-39186

CVSS v3.1

6.1

Medium

Vector

AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions GlobalNewFiles versions prior to commit cee254e1b158cdb0ddbea716b1d3edc31fa4fb5d

Description The GlobalNewFiles special page is vulnerable to a stored XSS due to the lack of proper input validation in the username column. This issue can be exploited by inserting malicious HTML or JavaScript code into account names. As a workaround, disallowing certain characters such as < and > from being used in account names can prevent the XSS.

Recommendations For versions prior to commit cee254e1b158cdb0ddbea716b1d3edc31fa4fb5d, update to a version that includes the patch from commit cee254e1b158cdb0ddbea716b1d3edc31fa4fb5d to resolve the issue. As a temporary workaround, consider disallowing <, > (or other characters required to insert html/js) from being used in account names to prevent the XSS.

Exploit

Fix

RCE

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-20

Related Identifiers

CVE-2021-39186

GHSA-57P5-HQJQ-H7VG

Affected Products

Globalnewfiles

PT-2021-22443 · Unknown · Globalnewfiles

CVE-2021-39186

Weakness Enumeration

Related Identifiers

Affected Products

References · 6