CVE-2021-40926 — Cross-site Scripting in Getid3

CWE-79 — Cross-site Scripting6 documents5 sources

Severity

6.1MEDIUMNVD

EPSS

0.3%

top 48.20%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Getid3 James-heinrich Getid3

Timeline

PublishedOct 1

Latest updateOct 4

Description

Cross-site scripting (XSS) vulnerability in demos/demo.mysqli.php in getID3 1.X and v2.0.0-beta allows remote attackers to inject arbitrary web script or HTML via the showtagfiles parameter.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages2 packages

▶NVDgetid3/getid31.9.0 — 2.0.0+1

▶Packagistjames-heinrich/getid31.0.0 — 1.9.21

🔴Vulnerability Details

OSV

Cross-site scripting in demos/demo.mysqli.php in getID3↗2021-10-04

▶

GHSA

Cross-site scripting in demos/demo.mysqli.php in getID3↗2021-10-04

▶

OSV

CVE-2021-40926: Cross-site scripting (XSS) vulnerability in demos/demo↗2021-10-01

▶

CVEList

CVE-2021-40926: Cross-site scripting (XSS) vulnerability in demos/demo↗2021-10-01

▶

📋Vendor Advisories

Debian

CVE-2021-40926: php-getid3 - Cross-site scripting (XSS) vulnerability in demos/demo.mysqli.php in getID3 1.X ...↗2021

▶