CVE-2021-24157

CWE-79 — Cross-site Scripting (XSS)3 documents3 sources

Severity

5.4MEDIUM

EPSS

0.2%

top 60.35%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Unknown Orbit FOX BY Themeisle Themeisle Orbit FOX

Timeline

PublishedApr 5

Latest updateMay 24

Description

Orbit Fox by ThemeIsle has a feature to add custom scripts to the header and footer of a page or post. There were no checks to verify that a user had the unfiltered_html capability prior to saving the script tags, thus allowing lower-level users to inject scripts that could potentially be malicious.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages2 packages

▶NVDthemeisle/orbit_fox< 2.10.3

▶CVEListV5unknown/orbit_fox_by_themeisle2.10.3 — 2.10.3

🔴Vulnerability Details

GHSA

GHSA-7gpg-h2jg-p789: Orbit Fox by ThemeIsle has a feature to add custom scripts to the header and footer of a page or post↗2022-05-24

▶

CVEList

Orbit Fox by ThemeIsle < 2.10.3 - Authenticated Stored Cross Site Scripting↗2021-04-05

▶