CVE-2021-4035 - Vulnerability Details - OpenCVE

A stored cross site scripting have been identified at the comments in the report creation due to an obsolote version of tinymce editor. In order to exploit this vulnerability, the attackers needs an account with enough privileges to view and edit reports.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Wocu-monitoring	Wocu Monitoring

Configuration 1 [-]

cpe:2.3:a:wocu-monitoring:wocu_monitoring:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://www.incibe.es/en/incibe-cert/notices/aviso/wocu-monitoring-stored-cross-site-scripting-xss

History

No history.

MITRE

Status: PUBLISHED

Assigner: INCIBE

Published: 2022-02-11T17:40:04.786449Z

Updated: 2024-09-16T16:38:39.868Z

Reserved: 2021-11-30T00:00:00

Link: CVE-2021-4035

Vulnrichment

No data.

NVD

Status : Modified

Published: 2022-02-11T18:15:10.787

Modified: 2024-11-21T06:36:46.190

Link: CVE-2021-4035

Redhat

No data.

{"containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Wocu Monitoring", "vendor": "A3Sec", "versions": [{"lessThan": "48.2", "status": "affected", "version": "0.27", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "David C\u00e1mara Galindo"}], "datePublic": "2022-02-06T23:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "A stored cross site scripting have been identified at the comments in the report creation due to an obsolote version of tinymce editor. In order to exploit this vulnerability, the attackers needs an account with enough privileges to view and edit reports."}], "value": "A stored cross site scripting have been identified at the comments in the report creation due to an obsolote version of tinymce editor. In order to exploit this vulnerability, the attackers needs an account with enough privileges to view and edit reports."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.5, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "shortName": "INCIBE", "dateUpdated": "2023-11-22T10:24:03.682Z"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/wocu-monitoring-stored-cross-site-scripting-xss"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "This vulnerability has been solved by A3Sec in the 48.2 version."}], "value": "This vulnerability has been solved by A3Sec in the 48.2 version."}], "source": {"advisory": "INCIBE-2022-0593", "discovery": "EXTERNAL"}, "title": "Wocu Monitoring stored Cross-Site Scripting (XSS)", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve-coordination@incibe.es", "DATE_PUBLIC": "2022-02-07T08:00:00.000Z", "ID": "CVE-2021-4035", "STATE": "PUBLIC", "TITLE": "Wocu Monitoring stored Cross-Site Scripting (XSS)"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Wocu Monitoring", "version": {"version_data": [{"version_affected": ">=", "version_name": "0.27", "version_value": "0.27"}, {"version_affected": "<", "version_name": "48.2", "version_value": "48.2"}]}}]}, "vendor_name": "A3Sec"}]}}, "credit": [{"lang": "eng", "value": "David C\u00e1mara Galindo"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A stored cross site scripting have been identified at the comments in the report creation due to an obsolote version of tinymce editor. In order to exploit this vulnerability, the attackers needs an account with enough privileges to view and edit reports."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}]}, "references": {"reference_data": [{"name": "https://www.incibe-cert.es/en/early-warning/security-advisories/wocu-monitoring-stored-cross-site-scripting-xss", "refsource": "CONFIRM", "url": "https://www.incibe-cert.es/en/early-warning/security-advisories/wocu-monitoring-stored-cross-site-scripting-xss"}]}, "solution": [{"lang": "en", "value": "This vulnerability has been solved by A3Sec in the 48.2 version."}], "source": {"advisory": "INCIBE-2022-0593", "discovery": "EXTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T17:16:03.303Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/wocu-monitoring-stored-cross-site-scripting-xss"}]}]}, "cveMetadata": {"assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "assignerShortName": "INCIBE", "cveId": "CVE-2021-4035", "datePublished": "2022-02-11T17:40:04.786449Z", "dateReserved": "2021-11-30T00:00:00", "dateUpdated": "2024-09-16T16:38:39.868Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:wocu-monitoring:wocu_monitoring:*:*:*:*:*:*:*:*", "matchCriteriaId": "6F77BB00-9872-4B8D-B7EA-9593B1F502BD", "versionEndExcluding": "48.2", "versionStartIncluding": "0.27", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A stored cross site scripting have been identified at the comments in the report creation due to an obsolote version of tinymce editor. In order to exploit this vulnerability, the attackers needs an account with enough privileges to view and edit reports."}, {"lang": "es", "value": "Se ha identificado una vulnerabilidad de tipo cross site scripting almacenado en los comentarios en la creaci\u00f3n de informes debido a una versi\u00f3n obsoleta del editor tinymce. Para explotar esta vulnerabilidad, los atacantes necesitan una cuenta con suficientes privilegios para visualizar y editar informes"}], "id": "CVE-2021-4035", "lastModified": "2024-11-21T06:36:46.190", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.5, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 0.9, "impactScore": 2.5, "source": "cve-coordination@incibe.es", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.7, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-02-11T18:15:10.787", "references": [{"source": "cve-coordination@incibe.es", "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/wocu-monitoring-stored-cross-site-scripting-xss"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/wocu-monitoring-stored-cross-site-scripting-xss"}], "sourceIdentifier": "cve-coordination@incibe.es", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "cve-coordination@incibe.es", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}