In “Dolibarr ERP CRM”, the WYSIWYG Editor module in versions v2.8.1 to v13.0.2 is affected by a stored XSS vulnerability that allows low-privileged application users to store malicious scripts in the “Private Note” field at the “/adherents/note.php?id=1” endpoint. These scripts are executed in a victim’s browser when they open the page containing the vulnerable field. In the worst case, the victim who inadvertently triggers the attack is a highly privileged administrator. The injected scripts can extract the Session ID, which can lead to full account takeover of the admin; and because of another vulnerability (Improper Access Control on Private Notes), a low-privileged user can update the private notes, which could lead to privilege escalation.
{"id": "CVE-2021-25955", "vendorId": null, "type": "cve", "bulletinFamily": "NVD", "title": "CVE-2021-25955", "description": "In \u201cDolibarr ERP CRM\u201d, WYSIWYG Editor module, v2.8.1 to v13.0.2 are affected by a stored XSS vulnerability that allows low privileged application users to store malicious scripts in the \u201cPrivate Note\u201d field at \u201c/adherents/note.php?id=1\u201d endpoint. These scripts are executed in a victim\u2019s browser when they open the page containing the vulnerable field. In the worst case, the victim who inadvertently triggers the attack is a highly privileged administrator. The injected scripts can extract the Session ID, which can lead to full Account takeover of the admin and due to other vulnerability (Improper Access Control on Private notes) a low privileged user can update the private notes which could lead to privilege escalation.", "published": "2021-08-15T21:15:00", "modified": "2022-08-01T12:27:00", "epss": [{"cve": "CVE-2021-25955", "epss": 0.00104, "percentile": 0.42048, "modified": "2023-12-03"}], "cvss": {"score": 3.5, "vector": "AV:N/AC:M/Au:S/C:N/I:P/A:N"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "accessVector": "NETWORK", "accessComplexity": "MEDIUM", "authentication": "SINGLE", "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "availabilityImpact": "NONE", "baseScore": 3.5}, "severity": "LOW", "exploitabilityScore": 6.8, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 9.0, "baseSeverity": "CRITICAL"}, 
"exploitabilityScore": 2.3, "impactScore": 6.0}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-25955", "reporter": "vulnerabilitylab@mend.io", "references": ["https://github.com/Dolibarr/dolibarr/commit/796b2d201acb9938b903fb2afa297db289ecc93e", "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25955"], "cvelist": ["CVE-2021-25955"], "immutableFields": [], "lastseen": "2023-12-03T14:54:32", "viewCount": 60, "enchantments": {"dependencies": {"references": [{"type": "cnvd", "idList": ["CNVD-2021-71264"]}, {"type": "github", "idList": ["GHSA-CPV8-6XGR-RMF6"]}, {"type": "osv", "idList": ["OSV:GHSA-CPV8-6XGR-RMF6"]}, {"type": "prion", "idList": ["PRION:CVE-2021-25955"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2021-25955"]}, {"type": "veracode", "idList": ["VERACODE:31672"]}]}, "score": {"value": 8.4, "uncertanity": 0.4, "vector": "NONE"}, "twitter": {"counter": 3, "tweets": [{"link": "https://twitter.com/SecRiskRptSME/status/1427171636382404613", "text": "RT:\n\nCVE-2021-25955 In \u201cDolibarr ERP CRM\u201d, WYSIWYG Editor module, v2.8.1 to v13.0.2 are affected by a stored XSS vulnerability that allows low privileged application users to store malicious scripts in the \u201cPrivate Note\u201d field at \u201c/adherents/note.php?id=1... \u2026"}, {"link": "https://twitter.com/threatintelctr/status/1554085357637042182", "text": " NEW: CVE-2021-25955 In \u201cDolibarr ERP CRM\u201d, WYSIWYG Editor module, v2.8.1 to v13.0.2 are affected by a stored XSS vulnerability that allows low privileged application users to store malicious scripts in the \u201cPri... 
(click for more) Severity: CRITICAL https://t.co/mBmlUqpxWB", "author": "threatintelctr", "author_photo": "https://pbs.twimg.com/profile_images/904224973987840000/dMy1x9Ho_400x400.jpg"}]}, "backreferences": {"references": [{"type": "github", "idList": ["GHSA-CPV8-6XGR-RMF6"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2021-25955"]}]}, "exploitation": null, "affected_software": {"major_version": [{"name": "dolibarr", "version": 13}]}, "epss": [{"cve": "CVE-2021-25955", "epss": 0.00104, "percentile": 0.41193, "modified": "2023-05-08"}], "short_description": " \"Dolibarr ERP CRM v2.8.1-v13.0.2 WYSIWYG Editor module stored XSS vulnerability allows script execution via the Private Note field.", "tags": ["cve-2021-25955", "dolibarr erp crm", "wysiwyg editor", "stored xss", "vulnerability", "privilege escalation", "nvd"], "vulnersScore": 8.4}, "_state": {"dependencies": 1701620963, "twitter": 0, "score": 1701616418, "affected_software_major_version": 0, "epss": 0, "chatgpt": 0}, "_internal": {"score_hash": "9e54a3a08db4e39a8b2592ebf58355b5", "chatgpt": "bcd8b0c2eb1fce714eab6cef0d771acc"}, "cna_cvss": {"cna": "Mend", "cvss": {"3": {"vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "score": 9.0}}}, "cpe": ["cpe:/a:dolibarr:dolibarr:13.0.2"], "cpe23": ["cpe:2.3:a:dolibarr:dolibarr:13.0.2:*:*:*:*:*:*:*"], "cwe": ["CWE-79"], "affectedSoftware": [{"cpeName": "dolibarr:dolibarr", "version": "13.0.2", "operator": "le", "name": "dolibarr"}], "affectedConfiguration": [], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"operator": "OR", "children": [], "cpe_match": [{"vulnerable": true, "cpe23Uri": "cpe:2.3:a:dolibarr:dolibarr:13.0.2:*:*:*:*:*:*:*", "versionStartIncluding": "2.8.1", "versionEndIncluding": "13.0.2", "cpe_name": []}]}]}, "extraReferences": [{"url": "https://github.com/Dolibarr/dolibarr/commit/796b2d201acb9938b903fb2afa297db289ecc93e", "name": "https://github.com/Dolibarr/dolibarr/commit/796b2d201acb9938b903fb2afa297db289ecc93e", "refsource": "MISC", 
"tags": ["Patch", "Third Party Advisory"]}, {"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25955", "name": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25955", "refsource": "MISC", "tags": ["Third Party Advisory"]}], "product_info": [{"vendor": "Dolibarr", "product": "dolibarr"}], "solutions": [{"lang": "en", "value": "Update to 14.0.0"}], "workarounds": [], "impacts": [], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": " CWE-79", "lang": "en", "type": "CWE"}]}], "exploits": [], "assigned": "2021-01-22T00:00:00"}
{"prion": [{"lastseen": "2023-11-22T00:42:25", "description": "In \u201cDolibarr ERP CRM\u201d, WYSIWYG Editor module, v2.8.1 to v13.0.2 are affected by a stored XSS vulnerability that allows low privileged application users to store malicious scripts in the \u201cPrivate Note\u201d field at \u201c/adherents/note.php?id=1\u201d endpoint. These scripts are executed in a victim\u2019s browser when they open the page containing the vulnerable field. In the worst case, the victim who inadvertently triggers the attack is a highly privileged administrator. The injected scripts can extract the Session ID, which can lead to full Account takeover of the admin and due to other vulnerability (Improper Access Control on Private notes) a low privileged user can update the private notes which could lead to privilege escalation.", "cvss3": {"exploitabilityScore": 2.3, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 9.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 6.0}, "published": "2021-08-15T21:15:00", "type": "prion", "title": "Improper access control", "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 3.5, "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-25955"], "modified": "2022-08-01T12:27:00", "id": "PRION:CVE-2021-25955", "href": 
"https://www.prio-n.com/kb/vulnerability/CVE-2021-25955", "cvss": {"score": 3.5, "vector": "AV:N/AC:M/Au:S/C:N/I:P/A:N"}}], "cnvd": [{"lastseen": "2022-11-05T09:41:16", "description": "Dolibarr is an application. A modern software package that helps manage your organization's activities, Dolibarr ERP CRM versions 2.8.1 through 13.0.2 are vulnerable to a cross-site scripting vulnerability caused by a lack of validation of user-submitted data by the editor module in the software leading to a stored cross-site scripting vulnerability. A low privilege attacker can store malicious script in the private notes field via \\\"/adherents/note.php?id=1\\\".", "cvss3": {"exploitabilityScore": 2.3, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 9.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 6.0}, "published": "2021-08-17T00:00:00", "type": "cnvd", "title": "Dolibarr Cross-Site Scripting Vulnerability (CNVD-2021-71264)", "bulletinFamily": "cnvd", "cvss2": {"severity": "LOW", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 3.5, "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-25955"], "modified": "2021-09-15T00:00:00", "id": "CNVD-2021-71264", "href": "https://www.cnvd.org.cn/flaw/show/CNVD-2021-71264", "cvss": {"score": 3.5, "vector": "AV:N/AC:M/Au:S/C:N/I:P/A:N"}}], "ubuntucve": [{"lastseen": "2023-12-03T13:47:19", 
"description": "In \u201cDolibarr ERP CRM\u201d, WYSIWYG Editor module, v2.8.1 to v13.0.2 are\naffected by a stored XSS vulnerability that allows low privileged\napplication users to store malicious scripts in the \u201cPrivate Note\u201d field at\n\u201c/adherents/note.php?id=1\u201d endpoint. These scripts are executed in a\nvictim\u2019s browser when they open the page containing the vulnerable field.\nIn the worst case, the victim who inadvertently triggers the attack is a\nhighly privileged administrator. The injected scripts can extract the\nSession ID, which can lead to full Account takeover of the admin and due to\nother vulnerability (Improper Access Control on Private notes) a low\nprivileged user can update the private notes which could lead to privilege\nescalation.", "cvss3": {"exploitabilityScore": 2.3, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 9.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 6.0}, "published": "2021-08-15T00:00:00", "type": "ubuntucve", "title": "CVE-2021-25955", "bulletinFamily": "info", "cvss2": {"severity": "LOW", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 3.5, "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-25955"], "modified": "2021-08-15T00:00:00", "id": "UB:CVE-2021-25955", "href": "https://ubuntu.com/security/CVE-2021-25955", "cvss": {"score": 3.5, "vector": 
"AV:N/AC:M/Au:S/C:N/I:P/A:N"}}], "osv": [{"lastseen": "2023-03-28T05:41:19", "description": "In `Dolibarr ERP CRM`, WYSIWYG Editor module, v2.8.1 to v13.0.2 are affected by a stored XSS vulnerability that allows low privileged application users to store malicious scripts in the `Private Note` field at `/adherents/note.php?id=1` endpoint. These scripts are executed in a victim\u2019s browser when they open the page containing the vulnerable field. In the worst case, the victim who inadvertently triggers the attack is a highly privileged administrator. The injected scripts can extract the Session ID, which can lead to full Account takeover of the admin and due to other vulnerability (Improper Access Control on Private notes) a low privileged user can update the private notes which could lead to privilege escalation.", "cvss3": {"exploitabilityScore": 2.3, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 9.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 6.0}, "published": "2021-08-30T16:22:46", "type": "osv", "title": "Dolibarr Cross-site Scripting vulnerability", "bulletinFamily": "software", "cvss2": {"severity": "LOW", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 3.5, "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-25955"], "modified": "2023-03-28T05:41:10", "id": "OSV:GHSA-CPV8-6XGR-RMF6", "href": 
"https://osv.dev/vulnerability/GHSA-cpv8-6xgr-rmf6", "cvss": {"score": 3.5, "vector": "AV:N/AC:M/Au:S/C:N/I:P/A:N"}}], "veracode": [{"lastseen": "2022-06-10T17:04:08", "description": "dolibarr is vulnerable to cross site scripting (XSS). An attacker is able to exploit the vulnerability by storing malicious scripts in the \u201cPrivate Note\u201d field at \u201c/adherents/note.php?id=1\u201d endpoint which are executed in a victim\u2019s browser.\n", "cvss3": {"exploitabilityScore": 2.3, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 9.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 6.0}, "published": "2021-08-16T02:03:59", "type": "veracode", "title": "Cross-site Scripting (XSS)", "bulletinFamily": "software", "cvss2": {"severity": "LOW", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 3.5, "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-25955"], "modified": "2022-01-21T16:47:56", "id": "VERACODE:31672", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-31672/summary", "cvss": {"score": 3.5, "vector": "AV:N/AC:M/Au:S/C:N/I:P/A:N"}}], "github": [{"lastseen": "2023-12-03T17:28:42", "description": "In `Dolibarr ERP CRM`, WYSIWYG Editor module, v2.8.1 to v13.0.2 are affected by a stored XSS vulnerability that allows low privileged application users to store malicious scripts 
in the `Private Note` field at `/adherents/note.php?id=1` endpoint. These scripts are executed in a victim\u2019s browser when they open the page containing the vulnerable field. In the worst case, the victim who inadvertently triggers the attack is a highly privileged administrator. The injected scripts can extract the Session ID, which can lead to full Account takeover of the admin and due to other vulnerability (Improper Access Control on Private notes) a low privileged user can update the private notes which could lead to privilege escalation.", "cvss3": {"exploitabilityScore": 2.3, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 9.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 6.0}, "published": "2021-08-30T16:22:46", "type": "github", "title": "Dolibarr Cross-site Scripting vulnerability", "bulletinFamily": "software", "cvss2": {"severity": "LOW", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 3.5, "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-25955"], "modified": "2023-01-29T05:02:39", "id": "GHSA-CPV8-6XGR-RMF6", "href": "https://github.com/advisories/GHSA-cpv8-6xgr-rmf6", "cvss": {"score": 3.5, "vector": "AV:N/AC:M/Au:S/C:N/I:P/A:N"}}]}