CVE-2021-22021

CWE-79 — Cross-site Scripting (XSS)4 documents4 sources

Severity

5.4MEDIUM

EPSS

0.2%

top 52.55%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Vmware Cloud Foundation Vmware Vrealize LOG Insight

Timeline

PublishedAug 30

Latest updateMay 24

Description

VMware vRealize Log Insight (8.x prior to 8.4) contains a Cross Site Scripting (XSS) vulnerability due to improper user input validation. An attacker with user privileges may be able to inject a malicious payload via the Log Insight UI which would be executed when the victim accesses the shared dashboard link.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages3 packages

▶NVDvmware/vrealize_log_insight8.0.0 — 8.4+1

▶CVEListV5vmware_vrealize_log_insightVMware vRealize Log Insight (8.x prior to 8.4)

▶NVDvmware/cloud_foundation4.0 — 4.3

Patches

Patch: www.vmware.com ↗Patch: www.vmware.com ↗

🔴Vulnerability Details

GHSA

GHSA-mw4g-p3x5-fwh9: VMware vRealize Log Insight (8↗2022-05-24

▶

CVEList

CVE-2021-22021: VMware vRealize Log Insight (8↗2021-08-30

▶

📋Vendor Advisories

VMware

VMware vRealize Log Insight updates address Cross Site Scripting (XSS) vulnerability (CVE-2021-22021)↗2021-08-24

▶