cvelist | Twcert | CVELIST:CVE-2021-30172
History: May 07, 2021 - 9:30 a.m.

CVE-2021-30172 Jun-He Technology Ltd. Quan-Fang-Wei-Tong-Xun system - Reflected XSS

2021-05-07 09:30:25
CWE-79
twcert
www.cve.org
4
cve-2021-30172
jun-he technology ltd.
quan-fang-wei-tong-xun
reflected xss
cross-site scripting
special characters
picture preview
remote authenticated attackers
malicious javascript
customer’s information

CVSS3: 4.6

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

AI Score: 5.4
Confidence: High

EPSS: 0.001
Percentile: 29.2%

Special characters in users’ input on the picture preview page of the Quan-Fang-Wei-Tong-Xun system are not filtered, which allows remote authenticated attackers to inject malicious JavaScript and carry out Reflected XSS (Cross-site scripting) attacks, and additionally to access and manipulate customer’s information.

CNA Affected

[
  {
    "product": "Quan-Fang-Wei-Tong-Xun system",
    "vendor": "Jun-He Technology Ltd.",
    "versions": [
      {
        "status": "affected",
        "version": "2007.1901"
      }
    ]
  }
]
