CVE-2021-38143

2021-08-3105:15:06

Google

osv.dev

6 Medium

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

51.9%

JSON

An issue was discovered in Form Tools through 3.0.20. When an administrator creates a customer account, it is possible for the customer to log in and proceed with a change of name and last name. However, these fields are vulnerable to XSS payload insertion, being triggered in the admin panel when the admin tries to see the client list. This type of XSS (stored) can lead to the extraction of the PHPSESSID cookie belonging to the admin.

CPENameOperatorVersion
coreeq2.0.0-beta-20090428
coreeq2.1.0-beta-20110807
coreeq2.0.0-beta-20091113
coreeq2.1.6
coreeq3.0.0-alpha-20171014
coreeq2.0.0-beta-20090131
coreeq3.0.0-alpha-20171128
coreeq3.0.0-beta-20180206
coreeq2.0.0-beta-20081223
coreeq2.0.0-beta-20090808

Name	Operator	Version
core	eq	2.0.0-beta-20090428
core	eq	2.1.0-beta-20110807
core	eq	2.0.0-beta-20091113
core	eq	2.1.6
core	eq	3.0.0-alpha-20171014
core	eq	2.0.0-beta-20090131
core	eq	3.0.0-alpha-20171128
core	eq	3.0.0-beta-20180206
core	eq	2.0.0-beta-20081223
core	eq	2.0.0-beta-20090808