CVE-2021-37573
Published: 2021-08-09

- Priority: P3 · 39 · medium · 6.1 (CVSS 3.1)
- EPSS: 3.40% (87.3th percentile)
A reflected cross-site scripting (XSS) vulnerability in the web server Tiny Java Web Server and Servlet Container (TJWS) <=1.115 allows an adversary to inject malicious code on the server's "404 Page not Found" error page.

Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| tiny_java_web_server_project | tiny_java_web_server | <= 1.115 | — |
Detection & IOCs (extracted from sources)
- Trigger the vulnerability by requesting a non-existent path; look for a reflected XSS payload in the 404 error page response with Content-Type text/html.
- The detection rule matches on an HTTP response header containing 'text/html' combined with a 404 status code to identify vulnerable TJWS instances. On its own that condition matches almost any server's 404 page, so it is only meaningful together with the reflected-payload check above.
- The Nuclei template digest for the CVE-2021-37573 TJWS XSS detection rule can be used to verify template integrity.
- The vulnerability affects TJWS versions up to and including 1.115; versions above this threshold are not confirmed vulnerable.
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | v3.1 | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| NVD | v2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
No detection rules found.
Nuclei
CVE-2021-37573 [MEDIUM] Tiny Java Web Server - Cross-Site Scripting (nuclei · CVSS 6.1)
A reflected cross-site scripting vulnerability in the web server TTiny Java Web Server and Servlet Container (TJWS)…

Matcher fragment of the template as indexed on this page (the leading part of the template is not reproduced here):

```yaml
# (preceding matcher truncated in source; text ends with:) 404 test not found"
- type: word
  part: header
  words:
    - text/html
- type: status
  status:
    - 404
# digest: 4b0a004830460221008296fe1e5a3bbb76b84bb618a11de9bb9628f630dab39e98817f14d1719bfa75022100cc4810377f46af27fc48a743dcecd9e563b90a7cd8b95d4ff53b4acf53087568:922c64590222798bb761d5b6d8e72950
```
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/163825/Tiny-Java-Web-Server-1.115-Cross-Site-Scripting.html
- http://seclists.org/fulldisclosure/2021/Aug/13
- https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2021-042.txt