CVE-2021-37573
published 2021-08-09


Priority: P3 (39) · Severity: medium · CVSS 3.1 base score: 6.1
Vector: AV:N / AC:L / PR:N / UI:R / S:C / C:L / I:L / A:N
EXPLOIT
EPSS: 3.40% (87.3rd percentile)
A reflected cross-site scripting (XSS) vulnerability in the web server TTiny Java Web Server and Servlet Container (TJWS) <=1.115 allows an adversary to inject malicious code on the server's "404 Page not Found" error page

Affected (1 range)

Vendor                        Product               Version range   Fixed in
tiny_java_web_server_project  tiny_java_web_server  <= 1.115

Detection & IOCs (extracted from sources)

  • Trigger the vulnerability by requesting a non-existent path; look for reflected XSS payload in the 404 error page response with Content-Type text/html
  • Detection rule matches on HTTP response header containing 'text/html' combined with a 404 status code to identify vulnerable TJWS instances
  • Nuclei template digest for CVE-2021-37573 TJWS XSS detection rule can be used to verify template integrity
  • Vulnerability affects TJWS versions up to and including 1.115; versions above this threshold are not confirmed vulnerable

CVSS provenance

Source  Version   Score  Severity  Vector
NVD     CVSS 3.1  6.1    MEDIUM    CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
NVD     CVSS 2.0  4.3    MEDIUM    AV:N/AC:M/Au:N/C:N/I:P/A:N