Lucene search

[email protected]NVD:CVE-2021-25988

HistoryDec 29, 2021 - 9:15 a.m.

CVE-2021-25988

2021-12-2909:15:09

CWE-79

[email protected]

web.nvd.nist.gov

ifme

stored xss

notifications

ally request

admin

CVSS2

3.5

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:S/C:N/I:P/A:N

CVSS3

5.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

EPSS

0.001

Percentile

21.4%

JSON

In “ifme”, versions 1.0.0 to v7.31.4 are vulnerable against stored XSS vulnerability (notifications section) which can be directly triggered by sending an ally request to the admin.

Affected configurations

Nvd

Node

if-meifmeRange1.0.0–7.31.4

VendorProductVersionCPE
if-meifme*cpe:2.3:a:if-me:ifme:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
if-me	ifme	*	cpe:2.3:a:if-me:ifme::::::::

References

github.com/ifmeorg/ifme/commit/720a47015e46ad387b3219fed7ebfb14ec3c854c

www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25988

CVSS2

3.5

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:S/C:N/I:P/A:N

CVSS3

5.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

EPSS

0.001

Percentile

21.4%

JSON

Related for NVD:CVE-2021-25988

osv1 cvelist1 cnvd1 prion1 cve1