Vulnerability Details : CVE-2021-3313
Potential exploit
Plone CMS until version 5.2.4 has a stored Cross-Site Scripting (XSS) vulnerability in the user fullname property and the file upload functionality. The user's input data is not properly encoded when being echoed back to the user. This data can be interpreted as executable code by the browser and allows an attacker to execute JavaScript in the context of the victim's browser if the victim opens a vulnerable page containing an XSS payload.
Vulnerability category: Cross site scripting (XSS)
Products affected by CVE-2021-3313
- cpe:2.3:a:plone:plone:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2021-3313
0.44%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 62 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2021-3313
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
3.5
|
LOW | AV:N/AC:M/Au:S/C:N/I:P/A:N |
6.8
|
2.9
|
NIST | |
|
5.4
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
2.3
|
2.7
|
NIST |
CWE ids for CVE-2021-3313
-
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.Assigned by: nvd@nist.gov (Primary)
References for CVE-2021-3313
-
https://www.compass-security.com/fileadmin/Research/Advisories/2021-07_CSNC-2021-013_XSS_in_Plone_CMS.txt
Exploit;Third Party Advisory
-
http://www.openwall.com/lists/oss-security/2021/05/22/1
oss-security - Re: Plone security hotfix 20210518Mailing List;Third Party Advisory
-
https://plone.org/security/hotfix/20210518
20210518 — Plone: Enterprise Level CMS - Free and OpenSource - Community Driven - SecureVendor Advisory
-
https://plone.org/download/releases/5.2.3
Plone 5.2.3 — Plone: Enterprise Level CMS - Free and OpenSource - Community Driven - SecureRelease Notes;Vendor Advisory
Jump to