Vulnerabilities
Projects
Vulnerability Disclosure
About Us
Contact Us
Mend.io Vulnerability Database
What is a CVE vulnerability ID? 
What is a WS vulnerability ID?
What is an MSC vulnerability ID?
New vulnerability? Tell us about it!
What is a WS vulnerability ID?
What is an MSC vulnerability ID?
We found results for “”
CVE-2021-25982
Date: November 16, 2021
Overview
In Factor (App Framework & Headless CMS) forum plugin, versions 1.3.5 to 1.8.30, are vulnerable to reflected Cross-Site Scripting (XSS) at the “search” parameter in the URL. An unauthenticated attacker can execute malicious JavaScript code and steal the session cookies.Details
Factor has reflected XSS vulnerability at ‘search’ parameter (in the url) which allows an attacker to execute malicious JavaScript code and steal the session cookies.PoC Details
Access the application by going to http://localhost:3000. Reflected XSS occurs at the search parameter. Paste the given url in the browser which will trigger the XSS.PoC Code
http://localhost:3000/?search=%3Cscript%3Ealert(10)%3C/script%3EAffected Environments
1.3.5 to 1.8.30Prevention
No fixLanguage: VUE
Good to know:
| Base Score: |
|
|---|---|
| Attack Vector (AV): | Network |
| Attack Complexity (AC): | Low |
| Privileges Required (PR): | None |
| User Interaction (UI): | Required |
| Scope (S): | Changed |
| Confidentiality (C): | Low |
| Integrity (I): | Low |
| Availability (A): | None |
| Base Score: |
|
|---|---|
| Access Vector (AV): | Network |
| Access Complexity (AC): | Medium |
| Authentication (AU): | None |
| Confidentiality (C): | None |
| Integrity (I): | Partial |
| Availability (A): | None |
| Additional information: |