CVE-2021-31589
Published: 2022-01-05
Priority: P183 · medium · 6.1 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Exploited in the wild (VulnCheck KEV)
EPSS: 28.31% (97.9th percentile)
A cross-site scripting (XSS) vulnerability has been reported and confirmed for BeyondTrust Secure Remote Access Base Software version 6.0.1 and older, which allows the injection of unauthenticated, specially-crafted web requests without proper sanitization.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| beyondtrust | appliance_base_software | <= 6.0.1 | — |
Detection & IOCs (extracted from sources)
- Fingerprint the target by checking the HTTP response body for the case-insensitive string 'bomgar' and confirming an HTTP 200 status code to identify BeyondTrust Secure Remote Access instances
- The vulnerability is exploitable by unauthenticated users via specially-crafted web requests; monitor for unsanitized input in web requests targeting BeyondTrust Secure Remote Access endpoints
- The detection template uses a case-insensitive body match for 'bomgar' combined with HTTP 200 status; this is a fingerprinting heuristic and may produce false positives on non-vulnerable or patched BeyondTrust/Bomgar instances
- Affected versions are 6.0.1 and older; make version confirmation part of any detection or triage workflow to avoid false positives on patched systems
CVSS provenance
NVD (v3.1): 6.1 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
NVD (v2.0): 4.3 MEDIUM, AV:N/AC:M/Au:N/C:N/I:P/A:N
VulnCheck: 6.1 MEDIUM
GHSA
GHSA-fw8v-3m7h-4jwg (ghsa_unreviewed, 2022-02-08): CVE-2021-31589 [CRITICAL], CWE-352: BeyondTrust Secure Remote Access Base Software through 6
BeyondTrust Secure Remote Access Base Software through 6.0.1 allows an attacker to achieve full admin access to the appliance by tricking the administrator into creating a new admin account through an XSS/CSRF attack involving a crafted request to the /appliance/users?action=edit endpoint. This cross-site scripting (XSS) vulnerability occurs because the server does not properly sanitize an unauthenticated crafted web request.
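A defender-side check for the chain the advisory describes, as an added example (not code from this page, the GHSA entry or BeyondTrust): it scans constructed combined-format access-log lines for requests to the /appliance/users?action=edit endpoint that carry markup in the query string or arrive from a referer outside the appliance host. The appliance hostname, the log format and the sample lines are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Assumptions (not from the advisory): the appliance's own FQDN and a
# combined-format access log.
APPLIANCE_HOST = "appliance.example.internal"
TARGET_PATH = "/appliance/users"  # endpoint named in the GHSA description
# Tags, javascript: URLs or on*= handlers never belong in a user-edit request.
MARKUP = re.compile(r"<|>|javascript:|\bon\w+\s*=", re.IGNORECASE)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

def analyse(line):
    """Return the reasons a log line looks like an attempt; [] means benign."""
    m = LOG_RE.match(line)
    if not m:
        return []
    parts = urlsplit(m["url"])
    if parts.path != TARGET_PATH or parse_qs(parts.query).get("action") != ["edit"]:
        return []
    reasons = []
    # Decoded query carrying tags or handlers: the reflected-XSS half.
    if MARKUP.search(unquote(parts.query)):
        reasons.append("markup in query")
    # Admin edit reached from a foreign page or with no referer at all:
    # the CSRF half, where the logged-in admin is tricked into the request.
    ref_host = urlsplit(m["referer"]).hostname
    if ref_host != APPLIANCE_HOST:
        reasons.append(f"referer host {ref_host!r} is not the appliance")
    return reasons

# Constructed sample lines, not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [05/Jan/2022:10:00:00 +0000] "GET /appliance/users?action=edit&id=7 HTTP/1.1" '
    '200 512 "https://appliance.example.internal/appliance/users" "Mozilla/5.0"',
    '10.0.0.9 - - [05/Jan/2022:10:01:00 +0000] "GET /appliance/users?action=edit'
    '&name=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 700 "https://evil.example/lure.html" "Mozilla/5.0"',
    '10.0.0.9 - - [05/Jan/2022:10:02:00 +0000] "GET /appliance/login HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
]

def suspicious_lines(lines=SAMPLE_LOG):
    """Return (line, reasons) for every flagged entry."""
    return [(l, analyse(l)) for l in lines if analyse(l)]

if __name__ == "__main__":
    for line, why in suspicious_lines():
        print("; ".join(why), "<-", line[:60])
```

The referer test is a heuristic: browsers may strip the header under a strict referrer policy, so treat a missing referer as a signal to triage, not as proof.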
VulnCheck
VulnCheck (2021, CVSS 6.1): CVE-2021-31589 [MEDIUM] beyondtrust appliance_base_software, Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
A cross-site scripting (XSS) vulnerability has been reported and confirmed for BeyondTrust Secure Remote Access Base Software version 6.0.1 and older, which allows the injection of unauthenticated, specially-crafted web requests without proper sanitization.
Affected: beyondtrust appliance_base_software
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://unit42.paloaltonetworks.com/recent-exploits-network-security-trends/; https://www.f5.com/labs/articles/threat-intelligence/sensor-intel-series-top-cves-august-2024; https://www.f5.co
No detection rules found.
Nuclei
BeyondTrust Secure Remote Access Base <=6.0.1 - Cross-Site Scripting (nuclei, CVSS 6.1; CVE-2021-31589 [MEDIUM])
Only the tail of the template (its matchers) survived extraction; the id, info and request sections are not on this page.

```yaml
        words:
          - 'bomgar'
        case-insensitive: true
        condition: and
      - type: status
        status:
          - 200
# digest: 490a00463044022036984993e3eb3e894045af09e6625a8965797dca17e5638e12bce42b95712cc002200f7d15a0530d65243dd15219bf79a0c454f8317ff5ffd28d4a942ebc978b31c7:922c64590222798bb761d5b6d8e72950
```
Unit42
Network Security Trends: Recent Exploits Observed in the Wild Include Remote Code Execution, Cross-Site Scripting and More (blogs_unit42, 2022-08-19; listed under CVE-2021-20166 [HIGH], CVSS 8.8)
## Network Security Trends: Recent Exploits Observed in the Wild Include Remote Code Execution, Cross-Site Scripting and More
Yue Guan
Published: August 19, 2022
Tags: Trend Reports, Vulnerabilities, Attack analysis, CVE-2021-20166, CVE-2021-20167, CVE-2021-21881, CVE-2021-24762, CVE-2021-28169, CVE-2021-31589, CVE-2021-39226, CVE-2021-4045, CVE-2021-43711, CVE-2022-21371, CVE-2022-21662, CVE-2022-22536, CVE-2022-22947, CVE-2022-22954, CVE-2022-22963, CVE-2022-22965, CVE-2022-24112, CVE-2022-24260, CVE-2022-25060, CVE-2022-25075, CVE-2022-25134, CVE-2022-27226, CVE-2022-29464, Exploit in the wild, Network security trends
## Executive Summary
Recent observations of exploits used in the wild reveal that attackers have been making use of newly published remote code execution vulnerabilities in VMware ONE Access and Identity Manager and Spring Cloud Function, Spring MVC and Spring Web Flux, among others. Attackers have also been taking advantage of a cross-site scripting vulnerability in WordPress core, and SQL injection vulnerabilities in VoIPmonitor GUI and other services. In our observations of network security trends, Unit 42 researchers select exploits of the latest published attacks that defenders should know based on the availability of proofs of concept (PoCs), the severity of the vulnerabilities the exploits are based on and the ease of exploitation.
Other insights that could assist defenders includ
Greynoiseio
NoiseLetter October 2025
blogs_greynoiseio
References:
- http://packetstormsecurity.com/files/165408/BeyondTrust-Remote-Support-6.0-Cross-Site-Scripting.html
- https://cxsecurity.com/issue/WLB-2022010013
- https://www.beyondtrust.com/docs/release-notes/index.htm