Vulnerability CVE-2021-38143


Published: 2021-08-31

Description:
An issue was discovered in Form Tools through 3.0.20. When an administrator creates a customer account, it is possible for the customer to log in and proceed with a change of name and last name. However, these fields are vulnerable to XSS payload insertion, being triggered in the admin panel when the admin tries to see the client list. This type of XSS (stored) can lead to the extraction of the PHPSESSID cookie belonging to the admin.

Type:

CWE-79

(Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'))

CVSS2 => (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVSS Base Score
Impact Subscore
Exploitability Subscore
4.3/10
2.9/10
8.6/10
Exploit range
Attack complexity
Authentication
Remote
Medium
No required
Confidentiality impact
Integrity impact
Availability impact
None
Partial
None
Affected software
Formtools -> CORE 

 References:
https://bernardofsr.github.io/blog/2021/form-tools/
https://github.com/formtools/core
https://www.formtools.org/
https://github.com/bernardofsr/CVEs-With-PoC/blob/main/PoCs/Form%20Tools/README.md

Copyright 2024, cxsecurity.com

 

Back to Top