CVE-2021-23260: Stored XSS Vulnerability in File Name of the File Upload function
First published: Thu Dec 02 2021(Updated: )
Authenticated users with Site roles may inject XSS scripts via file names that will execute in the browser for this and other users of the same site.
Credit: security@craftersoftware.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Craftercms Crafter Cms | >=3.1.0<3.1.12 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is CVE-2021-23260?
CVE-2021-23260 is a vulnerability that allows authenticated users with Site roles to inject XSS scripts via file names, which can be executed in the browser for this user and other users of the same site.
How does CVE-2021-23260 affect Crafter CMS?
CVE-2021-23260 affects Crafter CMS versions between 3.1.0 and 3.1.12 where authenticated users with Site roles can inject XSS scripts using file names.
What is the severity of CVE-2021-23260?
The severity of CVE-2021-23260 is medium (CVSS score 5.4).
How can I fix CVE-2021-23260?
To fix CVE-2021-23260, it is recommended to upgrade Crafter CMS to a version higher than 3.1.12.
What is CWE-79?
CWE-79 is a Common Weakness Enumeration category for Cross-Site Scripting (XSS) vulnerabilities.
- collector/nvd-index
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/references
- agent/last-modified-date
- agent/weakness
- agent/author
- agent/tags
- agent/description
- agent/first-publish-date
- agent/title
- agent/event
- vendor/craftercms
- canonical/craftercms crafter cms
- version/craftercms crafter cms/3.1.0