Lucene search
K

4 matches found

NVD
NVD
added 2021/07/26 6:15 p.m.17 views

CVE-2021-37393

In RPCMS v1.8 and below, the "nickname" variable is not properly sanitized before being displayed on page. Attacker can use "update password" function to inject XSS payloads into nickname variable, and achieve stored XSS. Users who view the articles published by the injected user will trigger the...

5.4CVSS0.00527EPSS
Exploits1References2
Prion
Prion
added 2021/07/26 6:15 p.m.16 views

Cross site scripting

In RPCMS v1.8 and below, the "nickname" variable is not properly sanitized before being displayed on page. Attacker can use "update password" function to inject XSS payloads into nickname variable, and achieve stored XSS. Users who view the articles published by the injected user will trigger the...

3.5CVSS5.2AI score0.00527EPSS
Exploits1References2Affected Software1
Prion
Prion
added 2021/07/26 6:15 p.m.12 views

Design/Logic Flaw

In RPCMS v1.8 and below, attackers can interact with API and change variable "role" to "admin" to achieve admin user registration...

6CVSS8.6AI score0.01171EPSS
Exploits1References2Affected Software1
CVE
CVE
added 2021/07/26 5:7 p.m.51 views

CVE-2021-37394

RPCMS (v1.8 and earlier) contains an API-level flaw that allows attackers to alter the user role parameter to admin via the API, enabling admin account registration. The connected sources consistently describe this as a role-parameter manipulation vulnerability affecting RPCMS v1.8 and below, lea...

8.8CVSS8.6AI score0.01171EPSS
Exploits1References2Affected Software1
Rows per page
Query Builder