PT-2021-23306 · Unknown · Concrete5-Legacy

Seongil-Wio · Published 2021-10-01 · Updated 2021-10-04 · CVE-2021-41463

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: concrete5-legacy versions 5.6.4.0 and below

Description: The issue is a cross-site scripting (XSS) vulnerability that allows remote attackers to inject arbitrary web script or HTML. The injection occurs via the cID parameter of the toos/permissions/dialogs/access/entity/types/group combination.php file.

Recommendations: For concrete5-legacy versions 5.6.4.0 and below, consider disabling access to the group combination.php file until a patch is available. Restrict the input accepted for the cID parameter so that malicious scripts cannot be injected.
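The recommendation above asks for the cID input to be restricted. The following is an added example, not code from concrete5-legacy, showing how a PHP dialog page can accept cID only as a positive integer and still HTML-encode it on output; the helper names readCollectionId and h are assumptions chosen for this illustration.

```php
<?php
// Added example (not concrete5-legacy's own code): hardened handling of the
// cID request parameter for a permissions dialog page.
declare(strict_types=1);

// Accept cID only as a positive integer; any other value is rejected before use.
// Arrays (cID[]=...) also fail FILTER_VALIDATE_INT and are rejected.
function readCollectionId(array $query): ?int
{
    if (!array_key_exists('cID', $query)) {
        return null;
    }
    $cID = filter_var(
        $query['cID'],
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    return $cID === false ? null : $cID;
}

// Encode every value before it reaches HTML, even one that passed validation,
// so a later change to the validator cannot silently reintroduce injection.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample inputs: a well-formed id and a tampered one.
var_dump(readCollectionId(['cID' => '42']));          // int(42)
var_dump(readCollectionId(['cID' => '42"><b>x</b>'])); // NULL (rejected)

// Request handling: refuse the request instead of echoing a bad value back.
$cID = readCollectionId($_GET);
if ($cID === null) {
    http_response_code(400);
    exit('Invalid cID');
}
echo '<input type="hidden" name="cID" value="' . h((string) $cID) . '">';
```

Validation alone is not a substitute for output encoding; keep both so that the dialog never reflects unvalidated request data into the page.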

Tags: Exploit · Fix · XSS


Weakness Enumeration

Related Identifiers: CVE-2021-41463

Affected Products: Concrete5-Legacy