CVE-2021-29663 - OpenCVE

CourseMS (aka Course Registration Management System) 2.1 is affected by cross-site scripting (XSS). When an attacker with access to an Admin account creates a Job Title in the Site area (aka the admin/add_jobs.php name parameter), they can insert an XSS payload. This payload will execute whenever anyone visits the registration page.

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:S/C:N/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Course Registration Management System Project	Course Registration Management System

Configuration 1 [-]

cpe:2.3:a:course_registration_management_system_project:course_registration_management_system:2.1:*:*:*:*:*:*:*

References

Link	Resource
http://sourceforge.net/projects/coursems	Product Third Party Advisory
https://github.com/cptsticky/A-0day-Per-Day-Keeps-The-Cope-Away/blob/main/CVE-2021-29663	Exploit Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2021-03-31T19:03:37

Updated: 2021-03-31T19:03:37

Reserved: 2021-03-31T00:00:00

Link: CVE-2021-29663

JSON object: View

NVD Information

Status : Analyzed

Published: 2021-03-31T20:15:14.207

Modified: 2021-04-06T13:25:39.837

Link: CVE-2021-29663

JSON object: View

Redhat Information

No data.

CWE

CWE-79

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "CourseMS (aka Course Registration Management System) 2.1 is affected by cross-site scripting (XSS). When an attacker with access to an Admin account creates a Job Title in the Site area (aka the admin/add_jobs.php name parameter), they can insert an XSS payload. This payload will execute whenever anyone visits the registration page."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-03-31T19:03:37", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "http://sourceforge.net/projects/coursems"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/cptsticky/A-0day-Per-Day-Keeps-The-Cope-Away/blob/main/CVE-2021-29663"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2021-29663", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "CourseMS (aka Course Registration Management System) 2.1 is affected by cross-site scripting (XSS). When an attacker with access to an Admin account creates a Job Title in the Site area (aka the admin/add_jobs.php name parameter), they can insert an XSS payload. This payload will execute whenever anyone visits the registration page."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "http://sourceforge.net/projects/coursems", "refsource": "MISC", "url": "http://sourceforge.net/projects/coursems"}, {"name": "https://github.com/cptsticky/A-0day-Per-Day-Keeps-The-Cope-Away/blob/main/CVE-2021-29663", "refsource": "MISC", "url": "https://github.com/cptsticky/A-0day-Per-Day-Keeps-The-Cope-Away/blob/main/CVE-2021-29663"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2021-29663", "datePublished": "2021-03-31T19:03:37", "dateReserved": "2021-03-31T00:00:00", "dateUpdated": "2021-03-31T19:03:37", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:course_registration_management_system_project:course_registration_management_system:2.1:*:*:*:*:*:*:*", "matchCriteriaId": "EFFF9DB8-313C-4AE0-9E8B-7A69968E3670", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "CourseMS (aka Course Registration Management System) 2.1 is affected by cross-site scripting (XSS). When an attacker with access to an Admin account creates a Job Title in the Site area (aka the admin/add_jobs.php name parameter), they can insert an XSS payload. This payload will execute whenever anyone visits the registration page."}, {"lang": "es", "value": "CourseMS (tambi\u00e9n se conoce como Course Registration Management System) versi\u00f3n 2.1 est\u00e1 afectado por un cross-site scripting (XSS). Cuando un atacante con acceso a una cuenta de administrador crea un puesto de trabajo en el \u00e1rea del Site (tambi\u00e9n se conoce como el par\u00e1metro name del archivo admin/add_jobs.php), puede insertar una carga \u00fatil XSS. Esta carga \u00fatil se ejecutar\u00e1 cada vez que alguien visite la p\u00e1gina de registro."}], "id": "CVE-2021-29663", "lastModified": "2021-04-06T13:25:39.837", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.7, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-03-31T20:15:14.207", "references": [{"source": "cve@mitre.org", "tags": ["Product", "Third Party Advisory"], "url": "http://sourceforge.net/projects/coursems"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/cptsticky/A-0day-Per-Day-Keeps-The-Cope-Away/blob/main/CVE-2021-29663"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}