CVE-2021-20845 - OpenCVE

Cross-site request forgery (CSRF) vulnerability in Unlimited Sitemap Generator versions prior to v8.2 allows a remote attacker to hijack the authentication of an administrator and conduct arbitrary operation via a specially crafted web page.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:M/Au:N/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Xml-sitemaps	Unlimited Sitemap Generator

Configuration 1 [-]

cpe:2.3:a:xml-sitemaps:unlimited_sitemap_generator:*:*:*:*:*:*:*:*

References

Link	Resource
https://jvn.jp/en/jp/JVN58407606/index.html	Third Party Advisory
https://www.xml-sitemaps.com/news-20210831.html	Release Notes Vendor Advisory
https://www.xml-sitemaps.com/standalone-google-sitemap-generator.html	Product Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: jpcert

Published: 2021-11-24T08:25:47

Updated: 2021-11-24T08:25:47

Reserved: 2020-12-17T00:00:00

Link: CVE-2021-20845

JSON object: View

NVD Information

Status : Analyzed

Published: 2021-11-24T16:15:13.330

Modified: 2021-11-27T04:02:16.743

Link: CVE-2021-20845

JSON object: View

Redhat Information

No data.

CWE

CWE-352

{"containers": {"cna": {"affected": [{"product": "Unlimited Sitemap Generator", "vendor": "XML-Sitemaps", "versions": [{"status": "affected", "version": "versions prior to v8.2"}]}], "descriptions": [{"lang": "en", "value": "Cross-site request forgery (CSRF) vulnerability in Unlimited Sitemap Generator versions prior to v8.2 allows a remote attacker to hijack the authentication of an administrator and conduct arbitrary operation via a specially crafted web page."}], "problemTypes": [{"descriptions": [{"description": "Cross-site request forgery", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-11-24T08:25:47", "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.xml-sitemaps.com/standalone-google-sitemap-generator.html"}, {"tags": ["x_refsource_MISC"], "url": "https://www.xml-sitemaps.com/news-20210831.html"}, {"tags": ["x_refsource_MISC"], "url": "https://jvn.jp/en/jp/JVN58407606/index.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "vultures@jpcert.or.jp", "ID": "CVE-2021-20845", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Unlimited Sitemap Generator", "version": {"version_data": [{"version_value": "versions prior to v8.2"}]}}]}, "vendor_name": "XML-Sitemaps"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Cross-site request forgery (CSRF) vulnerability in Unlimited Sitemap Generator versions prior to v8.2 allows a remote attacker to hijack the authentication of an administrator and conduct arbitrary operation via a specially crafted web page."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Cross-site request forgery"}]}]}, "references": {"reference_data": [{"name": "https://www.xml-sitemaps.com/standalone-google-sitemap-generator.html", "refsource": "MISC", "url": "https://www.xml-sitemaps.com/standalone-google-sitemap-generator.html"}, {"name": "https://www.xml-sitemaps.com/news-20210831.html", "refsource": "MISC", "url": "https://www.xml-sitemaps.com/news-20210831.html"}, {"name": "https://jvn.jp/en/jp/JVN58407606/index.html", "refsource": "MISC", "url": "https://jvn.jp/en/jp/JVN58407606/index.html"}]}}}}, "cveMetadata": {"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "assignerShortName": "jpcert", "cveId": "CVE-2021-20845", "datePublished": "2021-11-24T08:25:47", "dateReserved": "2020-12-17T00:00:00", "dateUpdated": "2021-11-24T08:25:47", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:xml-sitemaps:unlimited_sitemap_generator:*:*:*:*:*:*:*:*", "matchCriteriaId": "8BD804F0-27C5-4F32-B16F-05AE33E94E0B", "versionEndExcluding": "8.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Cross-site request forgery (CSRF) vulnerability in Unlimited Sitemap Generator versions prior to v8.2 allows a remote attacker to hijack the authentication of an administrator and conduct arbitrary operation via a specially crafted web page."}, {"lang": "es", "value": "Una vulnerabilidad de tipo Cross-site request forgery (CSRF) en Unlimited Sitemap Generator versiones anteriores a v8.2, permite a un atacante remoto secuestrar la autenticaci\u00f3n de un administrador y conducir una operaci\u00f3n arbitraria por medio de una p\u00e1gina web especialmente dise\u00f1ada"}], "id": "CVE-2021-20845", "lastModified": "2021-11-27T04:02:16.743", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-11-24T16:15:13.330", "references": [{"source": "vultures@jpcert.or.jp", "tags": ["Third Party Advisory"], "url": "https://jvn.jp/en/jp/JVN58407606/index.html"}, {"source": "vultures@jpcert.or.jp", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://www.xml-sitemaps.com/news-20210831.html"}, {"source": "vultures@jpcert.or.jp", "tags": ["Product", "Vendor Advisory"], "url": "https://www.xml-sitemaps.com/standalone-google-sitemap-generator.html"}], "sourceIdentifier": "vultures@jpcert.or.jp", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "nvd@nist.gov", "type": "Primary"}]}