CVE-2021-42365 — Cross-site Scripting in Forum

CWE-79 — Cross-site Scripting3 documents3 sources

Severity

4.8MEDIUMNVD

EPSS

0.4%

top 37.81%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Asgaros Forum Asgaros Forums

Timeline

PublishedNov 29

Latest updateNov 30

Description

The Asgaros Forums WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient escaping via the name parameter found in the ~/admin/tables/admin-structure-table.php file which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 1.15.13. This affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:NExploitability: 1.7 | Impact: 2.7

Affected Packages2 packages

▶CVEListV5asgaros_forums/asgaros_forums1.15.13 — 1.15.13

▶NVDasgaros/asgaros_forum< 1.15.14

Patches

Patch: plugins.trac.wordpress.org ↗Patch: plugins.trac.wordpress.org ↗

🔴Vulnerability Details

GHSA

GHSA-8h56-96mw-r96r: The Asgaros Forums WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient escaping via the name parameter found in the ~/ad↗2021-11-30

▶

CVEList

Asgaros Forums <= 1.15.13 Authenticated Stored XSS↗2021-11-29

▶