CVE-2021-4035 - OpenCVE

A stored cross site scripting have been identified at the comments in the report creation due to an obsolote version of tinymce editor. In order to exploit this vulnerability, the attackers needs an account with enough privileges to view and edit reports.

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:S/C:N/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Wocu-monitoring	Wocu Monitoring

Configuration 1 [-]

cpe:2.3:a:wocu-monitoring:wocu_monitoring:*:*:*:*:*:*:*:*

References

Link	Resource
https://www.incibe.es/en/incibe-cert/notices/aviso/wocu-monitoring-stored-cross-site-scripting-xss

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: INCIBE

Published: 2022-02-07T00:00:00

Updated: 2023-11-22T10:24:03.682Z

Reserved: 2021-11-30T00:00:00

Link: CVE-2021-4035

JSON object: View

NVD Information

Status : Modified

Published: 2022-02-11T18:15:10.787

Modified: 2023-11-22T11:15:07.533

Link: CVE-2021-4035

JSON object: View

Redhat Information

No data.

CWE

CWE-79

{"containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Wocu Monitoring", "vendor": "A3Sec ", "versions": [{"lessThan": "48.2", "status": "affected", "version": "0.27", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "David C\u00e1mara Galindo"}], "datePublic": "2022-02-06T23:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "A stored cross site scripting have been identified at the comments in the report creation due to an obsolote version of tinymce editor. In order to exploit this vulnerability, the attackers needs an account with enough privileges to view and edit reports."}], "value": "A stored cross site scripting have been identified at the comments in the report creation due to an obsolote version of tinymce editor. In order to exploit this vulnerability, the attackers needs an account with enough privileges to view and edit reports."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.5, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "shortName": "INCIBE", "dateUpdated": "2023-11-22T10:24:03.682Z"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/wocu-monitoring-stored-cross-site-scripting-xss"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "This vulnerability has been solved by A3Sec in the 48.2 version."}], "value": "This vulnerability has been solved by A3Sec in the 48.2 version."}], "source": {"advisory": "INCIBE-2022-0593", "discovery": "EXTERNAL"}, "title": "Wocu Monitoring stored Cross-Site Scripting (XSS)", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve-coordination@incibe.es", "DATE_PUBLIC": "2022-02-07T08:00:00.000Z", "ID": "CVE-2021-4035", "STATE": "PUBLIC", "TITLE": "Wocu Monitoring stored Cross-Site Scripting (XSS)"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Wocu Monitoring", "version": {"version_data": [{"version_affected": ">=", "version_name": "0.27", "version_value": "0.27"}, {"version_affected": "<", "version_name": "48.2", "version_value": "48.2"}]}}]}, "vendor_name": "A3Sec "}]}}, "credit": [{"lang": "eng", "value": "David C\u00e1mara Galindo"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A stored cross site scripting have been identified at the comments in the report creation due to an obsolote version of tinymce editor. In order to exploit this vulnerability, the attackers needs an account with enough privileges to view and edit reports."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}]}, "references": {"reference_data": [{"name": "https://www.incibe-cert.es/en/early-warning/security-advisories/wocu-monitoring-stored-cross-site-scripting-xss", "refsource": "CONFIRM", "url": "https://www.incibe-cert.es/en/early-warning/security-advisories/wocu-monitoring-stored-cross-site-scripting-xss"}]}, "solution": [{"lang": "en", "value": "This vulnerability has been solved by A3Sec in the 48.2 version."}], "source": {"advisory": "INCIBE-2022-0593", "discovery": "EXTERNAL"}}}}, "cveMetadata": {"assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "assignerShortName": "INCIBE", "cveId": "CVE-2021-4035", "datePublished": "2022-02-07T00:00:00", "dateReserved": "2021-11-30T00:00:00", "dateUpdated": "2023-11-22T10:24:03.682Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:wocu-monitoring:wocu_monitoring:*:*:*:*:*:*:*:*", "matchCriteriaId": "6F77BB00-9872-4B8D-B7EA-9593B1F502BD", "versionEndExcluding": "48.2", "versionStartIncluding": "0.27", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A stored cross site scripting have been identified at the comments in the report creation due to an obsolote version of tinymce editor. In order to exploit this vulnerability, the attackers needs an account with enough privileges to view and edit reports."}, {"lang": "es", "value": "Se ha identificado una vulnerabilidad de tipo cross site scripting almacenado en los comentarios en la creaci\u00f3n de informes debido a una versi\u00f3n obsoleta del editor tinymce. Para explotar esta vulnerabilidad, los atacantes necesitan una cuenta con suficientes privilegios para visualizar y editar informes"}], "id": "CVE-2021-4035", "lastModified": "2023-11-22T11:15:07.533", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.7, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.5, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 0.9, "impactScore": 2.5, "source": "cve-coordination@incibe.es", "type": "Secondary"}]}, "published": "2022-02-11T18:15:10.787", "references": [{"source": "cve-coordination@incibe.es", "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/wocu-monitoring-stored-cross-site-scripting-xss"}], "sourceIdentifier": "cve-coordination@incibe.es", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "cve-coordination@incibe.es", "type": "Secondary"}]}