Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2021-3298 — Cross-site Scripting in Collabtive

CWE-79 — Cross-site Scripting4 documents4 sources

Severity

5.4MEDIUMNVD

EPSS

0.2%

top 55.56%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

O-dyn Collabtive

Timeline

PublishedJan 29

Latest updateMay 24

Description

Collabtive 3.1 allows XSS when an authenticated user enters an XSS payload into the address section of the profile edit page, aka the manageuser.php?action=edit address1 parameter.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages1 packages

▶NVDo-dyn/collabtive3.1

🔴Vulnerability Details

GHSA

GHSA-4qgw-rh8c-x346: Collabtive 3↗2022-05-24

▶

OSV

CVE-2021-3298: Collabtive 3↗2021-01-29

▶

💥Exploits & PoCs

Exploit-DB

Collabtive 3.1 - 'address' Persistent Cross-Site Scripting↗2021-01-25

▶