Lucene search
José AguileraWPEX-ID:AF7D62CA-09B3-41C8-B771-BE936CE8F6B2HistoryDec 20, 2021 - 12:00 a.m.
SEUR Oficial < 1.7.0 - Admin+ Stored Cross-Site Scripting
2021-12-2000:00:00
José Aguilera
77
0.001 Low
EPSS
Percentile
24.9%
The plugin does not sanitize and escape some of its settings allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed
Put the following payload in one of the plugin's settings: "><script>alert('XSS');</script>
Affected files:
* seur\core\pages\setting-options\user-settings.php
The following fields are not escaped properly in the settings page: seur_nif_field, seur_empresa_field, seur_vianombre_field, seur_vianumero_field, seur_escalera_field, seur_piso_field, seur_puerta_field, seur_postal_field, seur_poblacion_field, seur_provincia_field, seur_telefono_field, seur_email_field, seur_contacto_nombre_field, seur_contacto_apellidos_field, seur_cit_codigo_field, seur_cit_usuario_field, seur_cit_contra_field, seur_ccc_field, seur_int_ccc_field, seur_franquicia_field, seur_seurcom_usuario_field, seur_seurcom_contra_field, seur_google_maps_api_field, seur_id_mercancia_field, seur_descripcion_fieldRelated
cve
cve
CVE-2021-25005
2022-01-17 13:15:07
cvelist
cvelist
CVE-2021-25005 SEUR Oficial < 1.7.0 - Admin+ Stored Cross-Site Scripting
2022-01-17 13:00:30
cnvd
cnvd
WordPress SEUR Oficial plugin cross-site scripting vulnerability
2022-01-18 00:00:00
nvd
nvd
CVE-2021-25005
2022-01-17 13:15:07
wpvulndb
wpvulndb
SEUR Oficial < 1.7.0 - Admin+ Stored Cross-Site Scripting
2021-12-20 00:00:00
patchstack
patchstack
prion
prion
Cross site scripting
2022-01-17 13:15:00