CVE-2021-31930

2021-05-1915:15:08

Google

osv.dev

5.5 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

39.4%

JSON

Persistent cross-site scripting (XSS) in the web interface of Concerto through 2.3.6 allows an unauthenticated remote attacker to introduce arbitrary JavaScript by injecting an XSS payload into the First Name or Last Name parameter upon registration. When a privileged user attempts to delete the account, the XSS payload will be executed.

CPENameOperatorVersion
concertoeq2.3.5
concertoeq2.2.7
concertoeq0.0.0.b
concertoeq2.2.2
concertoeq0.3.2.echoinchworm
concertoeq0.6.0.hotelhummingbird
concertoeq0.7.0.indiaibex
concertoeq2.1.0
concertoeq2.2.1
concertoeq0.1.0.charliehorse

Name	Operator	Version
concerto	eq	2.3.5
concerto	eq	2.2.7
concerto	eq	0.0.0.b
concerto	eq	2.2.2
concerto	eq	0.3.2.echoinchworm
concerto	eq	0.6.0.hotelhummingbird
concerto	eq	0.7.0.indiaibex
concerto	eq	2.1.0
concerto	eq	2.2.1
concerto	eq	0.1.0.charliehorse