CVE-2021-25978: Apostrophe - XSS
First published: Sun Nov 07 2021(Updated: )
Apostrophe CMS versions between 2.63.0 to 3.3.1 are vulnerable to Stored XSS where an editor uploads an SVG file that contains malicious JavaScript onto the Images module, which triggers XSS once viewed.
Credit: vulnerabilitylab@mend.io
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Apostrophecms Apostrophecms | >=2.63.0<=3.3.1 |
Remedy
Upgrade to version 3.4.0
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2021-25978?
CVE-2021-25978 is a vulnerability in Apostrophe CMS versions between 2.63.0 to 3.3.1 that allows for Stored XSS attacks.
How does CVE-2021-25978 work?
CVE-2021-25978 occurs when an editor uploads an SVG file containing malicious JavaScript onto the Images module in Apostrophe CMS, which triggers XSS when viewed.
What is the severity of CVE-2021-25978?
The severity of CVE-2021-25978 is medium with a CVSS score of 5.4.
How can I fix CVE-2021-25978?
To fix CVE-2021-25978, update your Apostrophe CMS version to a version beyond 3.3.1.
Is there any reference for CVE-2021-25978?
Yes, you can find more information about CVE-2021-25978 and its fix in the official GitHub commit: [GitHub Commit](https://github.com/apostrophecms/apostrophe/commit/c8b94ee9c79468f1ce28e31966cb0e0839165e59)
- collector/nvd-index
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/title
- agent/remedy
- agent/weakness
- agent/severity
- agent/references
- agent/author
- agent/event
- agent/description
- agent/first-publish-date
- agent/tags
- agent/source
- vendor/apostrophecms
- canonical/apostrophecms apostrophecms
- version/apostrophecms apostrophecms/2.63.0
- version/apostrophecms apostrophecms/3.3.1