CVE-2021-3824Improper Neutralization of Encoded URI Schemes in a Web Page in Access Server

CWE-84Improper Neutralization of Encoded URI Schemes in a Web PageCWE-79Cross-site Scripting2 documents2 sources
Severity
6.1MEDIUMNVD
EPSS
0.3%
top 46.56%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Openvpn Access Server
Timeline
PublishedSep 23
Latest updateMay 24

Description

OpenVPN Access Server 2.9.0 through 2.9.4 allow remote attackers to inject arbitrary web script or HTML via the web login page URL.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages2 packages

NVDopenvpn/openvpn_access_server2.9.02.9.4
CVEListV5openvpn/openvpn_access_server2.9.0 through 2.9.4

🔴Vulnerability Details

1
GHSA
GHSA-hqrg-vp62-hmj7: OpenVPN Access Server 22022-05-24
CVE-2021-3824 — Openvpn Access Server vulnerability | cvebase