CVE-2021-38138

2021-08-06T00:00:00
ID AKB:52F87A95-98DF-4C49-8A5C-C779282AA910
Type attackerkb
Reporter AttackerKB
Modified 2021-08-06T00:00:00

Description

OneNav beta 0.9.12 allows stored XSS via the Add Link feature; the reporter demonstrated it with an automated script (described in the original report as a "remote execution script"). NOTE: the vendor's position is that there is intentionally no XSS protection at present, because the attack risk is largely limited to an already compromised account; however, XSS protection is planned for a future release.

Proof:

<https://streamable.com/ubtzio>

Recent assessments:

nu11secur1ty at August 06, 2021 5:37pm UTC reported:

OneNav beta 0.9.12 allows XSS via the Add Link feature. PWNED by using remote execution script, automated for this vulnerability. NOTE: the vendor’s position is that there intentionally is not any XSS protection at present, because the attack risk is largely limited to a compromised account; however, XSS protection is planned for a future release.

More:

<https://github.com/nu11secur1ty/CVE-mitre/tree/main/CVE-2021-38138>

Proof:

<https://streamable.com/ubtzio>

Assessed Attacker Value: 3